"...never storing plaintext master keys on disk, not persisting them in memory, and limiting which systems can connect to the device..." Translation: We promise to not look at your keys. Granted, this is most likely…
"KMS provides access to master encryption keys,... but doesn’t provide direct access to the master key itself, so it can’t be stolen." Doesn't Amazon KMS have access to the master key? And therefore, it can be stolen…
"...never storing plaintext master keys on disk, not persisting them in memory, and limiting which systems can connect to the device..." Translation: We promise to not look at your keys. Granted, this is most likely…
"KMS provides access to master encryption keys,... but doesn’t provide direct access to the master key itself, so it can’t be stolen." Doesn't Amazon KMS have access to the master key? And therefore, it can be stolen…