by tptacek
3142 days ago
"Encryption" in cloud data stores (like KMS) is really just an expression of permissions; it's systems security, not cryptographic security. If you don't have permission to access a resource on another server, yes, you've protected that resource --- but you don't need cryptography to express that.

In general I am not sure if we wish to conflate systems security and cryptographic security - cryptographic security ideally should guard against system security failures. Although in practice I grant you that broad system failures which expose crypto secrets (code execution would fall into that) would lead to crypto failures as well.