Doesn't Amazon KMS have access to the master key? And therefore, it can be stolen from them?
"AWS KMS is designed so that no one has access to your master keys."
Translation: We promise to not look at your keys.
Granted, this is most likely better than nothing, especially if you trust AWS, but ideally you want only the client to have the key material.
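Added example, not part of any comment in this thread: what "only the client has the key material" looks like as client-side envelope encryption. The client generates and holds the master key (KEK); each object is encrypted under its own data key (DEK), and only the DEK wrapped under the KEK travels with the ciphertext to storage. Where the client keeps the KEK (an HSM, a TPM-sealed file, an OS keychain) is outside this snippet, and all names and labels below are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain-separation labels passed to AES-GCM as additional authenticated data,
// so a wrapped DEK can never be unwrapped as if it were object ciphertext.
var (
	aadWrap = []byte("envelope-example/dek-wrap/v1")
	aadData = []byte("envelope-example/object/v1")
)

// Envelope is the only thing that leaves the client: the object ciphertext and
// its per-object DEK encrypted under the KEK. The KEK itself is never part of it.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Data       []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// NewKEK generates a 256-bit master key on the client (hypothetical helper;
// how the client persists and protects it is out of scope here).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// gcmSeal encrypts plaintext under key with a fresh random 96-bit nonce and
// returns nonce || ciphertext so the blob is self-describing.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong AAD or any tampering fails.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Seal encrypts one object: a random DEK protects the data, and the KEK protects
// only the DEK. The DEK exists in plaintext solely inside this function.
func Seal(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, aadWrap)
	if err != nil {
		return Envelope{}, err
	}
	data, err := gcmSeal(dek, plaintext, aadData)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Data: data}, nil
}

// Open unwraps the DEK with the client's KEK, then decrypts the object.
func Open(kek []byte, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, aadWrap)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Data, aadData)
}

func main() {
	kek, _ := NewKEK()
	env, _ := Seal(kek, []byte("constructed sample record")) // constructed input
	pt, err := Open(kek, env)
	fmt.Printf("stored %d+%d bytes, recovered %q (err=%v)\n",
		len(env.WrappedDEK), len(env.Data), pt, err)
}
```

Rotating the KEK means re-wrapping each stored DEK, not re-encrypting the data; losing the KEK means every envelope is unrecoverable, which is the price of the provider holding nothing.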
There surely is some amount of trust there, though.
Not to diminish your point -- the how/where/when really does matter. Locking your house key in your car is still better than leaving it on your front step, but also not as good as in your pocket.