Looks like this change is more to protect against insider threats, i.e. Amazon employees or their infrastructure being compromised, and to make it easier to comply with some security policies that require EAR.
This doesn't protect against insider threats at all, since the insider would likely have access to the key as well, unless you mean someone taking a disk out of the datacenter, which is a pretty far-fetched attack. Dunno if you have been in a serious DC before, but the last one I was in had a retina scanner to enter and was under constant surveillance.
I 100% agree there are security policies specified by regulations that make very little sense and this might satisfy them.
Former AWS employee, this is very much not true. It doesn’t protect against every possible insider threat but does protect against a very large class of them. It is extremely not the case that you can assume an attacker who has access to the disk also has access to the key material, those are two very different things.