I disagree that encryption at rest with AWS is actually the proper way. If someone can get to the actual hardware and steal disks, I can't trust that AWS hasn't also lost control of the encryption keys.
Just because something isn't 100% perfect in every scenario doesn't mean it shouldn't be done at all.
But I agree with your point: if you're really worried about data to the point where you don't trust AWS with encryption keys, you should self-manage your keys and manually encrypt/decrypt data without AWS KMS.
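To make the "self-manage your keys" option in the comment above concrete, here is an added example (written for this page, not code from the thread or from any AWS SDK) of envelope encryption under a master key you hold, using only Go's standard library. The `Envelope` type, the `Encrypt`/`Decrypt` names and the choice to bind the object name as associated data are my own assumptions; nothing here talks to S3, the `Envelope` is simply what you would upload as the object body, and AWS only ever sees ciphertext plus a wrapped key it cannot unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the blob you would actually upload. It carries the data key
// wrapped under your own master key, so the storage provider only holds
// ciphertext and a wrapped key it cannot unwrap. (Hypothetical layout.)
type Envelope struct {
	KeyNonce   []byte // GCM nonce used when wrapping the data key
	WrappedKey []byte // data key encrypted under the master key
	Nonce      []byte // GCM nonce used for the payload
	Ciphertext []byte // payload encrypted under the data key
}

// newAEAD builds AES-256-GCM from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and binds aad to it.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and authenticates; any mismatch in key, nonce, ct or aad fails.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt implements envelope encryption under a customer-held master key.
// objectKey (e.g. the object name in the bucket) is used as associated data
// so an envelope cannot be silently moved under a different name.
func Encrypt(masterKey []byte, objectKey string, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	nonce, ct, err := seal(dataKey, plaintext, []byte(objectKey))
	if err != nil {
		return Envelope{}, err
	}
	keyNonce, wrapped, err := seal(masterKey, dataKey, []byte(objectKey))
	if err != nil {
		return Envelope{}, err
	}
	for i := range dataKey { // best-effort scrub of the plaintext data key
		dataKey[i] = 0
	}
	return Envelope{KeyNonce: keyNonce, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then decrypts the payload.
// A wrong master key, a tampered blob or a mismatched objectKey all fail.
func Decrypt(masterKey []byte, objectKey string, env Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.KeyNonce, env.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	return open(dataKey, env.Nonce, env.Ciphertext, []byte(objectKey))
}

func main() {
	// In practice the master key comes from an HSM or key store you control,
	// never from the cloud account holding the data. Random here for the demo.
	master := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	// Constructed sample payload and object name.
	env, err := Encrypt(master, "backups/2024-01-01.sql.gz", []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Decrypt(master, "backups/2024-01-01.sql.gz", env)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(pt))
}
```

The trade-off is the one the comment implies: the master key has to live somewhere the provider cannot read it, and if you lose it the data is gone, because nobody else can recover it for you.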
https://en.wikipedia.org/wiki/Swiss_cheese_model
AKA defense-in-depth
Relying on one control is a recipe for failure, which is why security measures work best when layered.
You don’t trust in one control, you trust that you stack enough controls that one of them works.