KMS keys are stored in AWS-managed hardware security modules (HSMs), and the plaintext key material never leaves those HSMs. A KMS key is regional: it is not exported to other regions or to callers, who only ever get back the results of operations (encrypt, decrypt, generate data key) performed inside the HSM. So even someone with physical access to the data center should not be able to extract the decryption keys, because HSMs are specifically designed to resist exactly that kind of physical attack. The open question is an Amazon employee with super-user management privileges over that HSM fleet. AWS's stated design is that no operator can access plaintext key material, but a customer is trusting that design and its third-party audits rather than verifying it directly... who knows.