KMS is a hardware security module, kind of like the secure enclave on an iPhone. The private key doesn't leave the hardware, your process requests that KMS should encrypt or decrypt something (which is probably another disposable key used for your session to a DB or whatever, like in a browser TLS session). All of AWS's core services are neatly integrated with KMS: EBS, EFS, RDS, DynamoDB, etc.
I'd trust the AWS datacenter security and processes over your average big-corp datacenter any day, having seen quite a few.
I had the same question as you and took a look at their FAQ.
#1 You should check what "HSM" is, and will know the answer to your question :D.
#2 KMS offers client-side encryptions. So if you don't trust AWS for whatever reason, you can choose to encrypt at client-side too. :D
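The envelope-encryption pattern both comments describe (a master key that never leaves the HSM, a disposable data key that is wrapped by it, and client-side encryption of the actual data) as an added worked example. This is not code from either commenter or from AWS: the SimulatedKms class is a constructed stand-in whose wrap/unwrap calls mirror the real KMS GenerateDataKey and Decrypt operations, and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is an assumed stdlib-only substitute for the AES-GCM a real SDK would use, chosen so the block runs offline.

```python
import hashlib
import hmac
import secrets


# --- authenticated encryption (stand-in for AES-GCM, stdlib only) -----------

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; deterministic for a given key/nonce
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # separate encryption and MAC keys derived from one 32-byte key
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def aead_encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag            # blob layout: nonce || ciphertext || tag


def aead_decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- simulated HSM-backed key service (constructed, not the AWS API) --------

class SimulatedKms:
    """The master key lives only inside this object and is never returned.
    Callers get a fresh data key plus a wrapped copy, or ask for a wrapped
    copy to be unwrapped; that is the whole interface, like KMS."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)   # never leaves "the hardware"
        self.calls = []                              # audit trail of unwrap requests

    def generate_data_key(self):
        # mirrors KMS GenerateDataKey: (plaintext key, wrapped key)
        data_key = secrets.token_bytes(32)
        return data_key, aead_encrypt(self._master_key, data_key)

    def decrypt_data_key(self, wrapped_key):
        # mirrors KMS Decrypt on a wrapped data key; every call is logged
        self.calls.append("Decrypt")
        return aead_decrypt(self._master_key, wrapped_key)


# --- client-side envelope encryption ----------------------------------------

def client_side_encrypt(kms, plaintext):
    """Encrypt locally with a disposable data key; store only the wrapped key."""
    data_key, wrapped_key = kms.generate_data_key()
    ciphertext = aead_encrypt(data_key, plaintext)
    del data_key   # the plaintext key is discarded once the session is done
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def client_side_decrypt(kms, record):
    """Ask the key service to unwrap the data key, then decrypt locally."""
    data_key = kms.decrypt_data_key(record["wrapped_key"])
    return aead_decrypt(data_key, record["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKms()
    record = client_side_encrypt(kms, b"session credentials for the DB")
    print(client_side_decrypt(kms, record))
    print("unwrap calls seen by the key service:", kms.calls)
```

The point the example makes concrete: whoever holds the stored record (wrapped key plus ciphertext) still needs a successful unwrap call to the key service to read it, and that call is exactly what KMS access policies gate and what the audit log records.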