by aborsy 1642 days ago
AWS uses envelope encryption. Data encryption keys (for example, bucket-level keys) are generated and managed outside KMS for some time/services to minimize calls to KMS, which can be expensive.

Thus, I imagine with AWS-managed KMS keys, in some cases permission to KMS service is not needed to access data.

KMS CMKs are better in this respect; they can be controlled and audited.
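The mechanism the comment describes, as an added example that is not part of the original post and not AWS code: a simulated KMS holding a master key, a client that does envelope encryption with a cached data key, and a counter showing when the KMS (the only place a permission check and audit record would occur) is actually consulted. The `SimulatedKms`, `EnvelopeClient` and `demo` names are assumptions, and the HMAC-based stream cipher is a toy stand-in for AES-GCM so the example runs with the standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). It stands in for AES-GCM
    and is NOT a real cipher; it exists only so the example runs offline."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SimulatedKms:
    """Stand-in (assumption) for a key service holding one master key. Each method
    call is where a real service would check permissions and write an audit record."""

    def __init__(self) -> None:
        self._master_key = os.urandom(32)
        self.calls = 0  # number of authorized, auditable KMS operations

    def generate_data_key(self) -> tuple[bytes, bytes]:
        """Return (plaintext data key, data key wrapped under the master key)."""
        self.calls += 1
        plaintext_key = os.urandom(32)
        nonce = os.urandom(16)
        return plaintext_key, nonce + _keystream_xor(self._master_key, nonce, plaintext_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        self.calls += 1
        nonce, ciphertext = wrapped[:16], wrapped[16:]
        return _keystream_xor(self._master_key, nonce, ciphertext)


class EnvelopeClient:
    """Client-side envelope encryption with a data-key cache: KMS is called only
    when no unexpired cached key exists, which is what keeps KMS calls cheap."""

    def __init__(self, kms: SimulatedKms, cache_ttl: float, clock=time.monotonic) -> None:
        self._kms = kms
        self._ttl = cache_ttl
        self._clock = clock
        self._current = None  # (plaintext_key, wrapped_key, expires_at) used for new encryptions
        self._cache: dict[bytes, tuple[bytes, float]] = {}  # wrapped_key -> (plaintext_key, expires_at)

    def _data_key_for_encrypt(self) -> tuple[bytes, bytes]:
        now = self._clock()
        if self._current is None or self._current[2] <= now:
            plaintext_key, wrapped = self._kms.generate_data_key()
            self._current = (plaintext_key, wrapped, now + self._ttl)
            self._cache[wrapped] = (plaintext_key, now + self._ttl)
        return self._current[0], self._current[1]

    def encrypt(self, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
        """Return the envelope: (wrapped data key, nonce, ciphertext)."""
        plaintext_key, wrapped = self._data_key_for_encrypt()
        nonce = os.urandom(16)
        return wrapped, nonce, _keystream_xor(plaintext_key, nonce, plaintext)

    def decrypt(self, wrapped: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
        entry = self._cache.get(wrapped)
        if entry is not None and entry[1] > self._clock():
            plaintext_key = entry[0]  # served from cache: no KMS call, no audit record
        else:
            plaintext_key = self._kms.decrypt_data_key(wrapped)
            self._cache[wrapped] = (plaintext_key, self._clock() + self._ttl)
        return _keystream_xor(plaintext_key, nonce, ciphertext)

    def forget_cached_keys(self) -> None:
        """Drop cached plaintext keys; the next operation must go back to KMS."""
        self._current = None
        self._cache.clear()


def demo(cache_ttl: float) -> dict:
    """Encrypt and decrypt three constructed objects and report when KMS was consulted."""
    kms = SimulatedKms()
    client = EnvelopeClient(kms, cache_ttl)
    objects = [b"object-%d" % i for i in range(3)]  # constructed sample data
    envelopes = [client.encrypt(o) for o in objects]
    calls_after_encrypt = kms.calls
    roundtrip_ok = all(client.decrypt(*env) == o for env, o in zip(envelopes, objects))
    calls_after_decrypt = kms.calls
    client.forget_cached_keys()
    client.decrypt(*envelopes[0])
    return {
        "roundtrip_ok": roundtrip_ok,
        "kms_calls_after_encrypt": calls_after_encrypt,
        "kms_calls_after_decrypt": calls_after_decrypt,
        "kms_calls_after_cache_flush": kms.calls,
    }


if __name__ == "__main__":
    print("long TTL:", demo(3600))
    print("TTL 0:   ", demo(0))
```

With a long cache TTL, three objects are encrypted and decrypted with a single KMS call, so later reads never reach the point where KMS permissions are evaluated or logged; with a TTL of zero every operation goes back to KMS. For a defender the knobs are the same as in the comment: a customer-managed key whose policy can be audited, and a cache lifetime short enough that revoking KMS access takes effect promptly.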