Encryption ultimately reduces to key management. AES-256 encryption algorithms are solved since 1990s and never broken. Incidents stem from keys, not algorithms. Hardcoded in code pushed to GitHub, stored plaintext in S3, no tracking who used keys when, departed employee's laptop holding key copies. Overwhelmingly, security breaches are "where did we put the key" problems.
KMS's core design philosophy is simple: users must never see raw key material. You can create, rotate, schedule deletion of keys, but no API exists to download plaintext master key bytes