The AWS KMS, or Key Management Service, is a way for AWS to manage your encryption and decryption keys. You have two different types to work with symmetric, where the same key is used for encryption and decryption, and asymmetric, where you have a public encryption key and a private decryption key. With symmetric encryption it is important to note that you can only access this key through KMS where with asymmetric the encryption key is fully public. The same KMS key will typically be locked to the region it is encrypted in, if you wanted to say move an encrypted EBS volume, you’d need to take a snapshot, and re-encrypt using that region’s own KMS key
In some instances you can use multi-region keys, which is one KMS key replicated across multiple regions, instead of having to use different KMS keys, or re-encrypt if certain data needs to be shared between users. Let’s say you have a global dynamoDB table and you’re using client_side encryption. A user in one region could encrypt the data and then a user in a completely different region with access to the key could decrypt the data locally.