This works the same way as for SSE: the KMS in the IAM service is used to manage shared keys. The client refers to a key by its key ID (the ARN) and then accesses that key for encryption and decryption. Note that each object is encrypted with its own dedicated key, and the KMS key is used to secure these per-object keys.
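The key hierarchy described above, as an added example (not code from the original page or from any SDK): a fresh data key is generated per object, and only a copy wrapped under the KMS key is stored with the object. `LocalKms`, `seal`/`unseal`, `encrypt_object`/`decrypt_object` and the key ARN are hypothetical names and constructed values. The HMAC-based sealing is a standard-library stand-in for the AES-GCM a real client would take from a vetted library.

```python
import hashlib, hmac, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Keystream = HMAC-SHA256(key, nonce || counter); stand-in for AES-CTR/GCM.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Verify the tag before decrypting anything.
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class LocalKms:
    """Hypothetical in-memory stand-in for the KMS; master keys never leave it."""
    def __init__(self, key_ids):
        self._master = {kid: os.urandom(32) for kid in key_ids}
    def generate_data_key(self, key_id):
        data_key = os.urandom(32)  # fresh on every call, so one key per object
        return data_key, seal(self._master[key_id], data_key)
    def decrypt(self, key_id, wrapped_key):
        return unseal(self._master[key_id], wrapped_key)

def encrypt_object(kms, key_id, body):
    data_key, wrapped = kms.generate_data_key(key_id)
    # Only the wrapped key is stored; the plaintext data key is discarded.
    return {"key_id": key_id, "wrapped_key": wrapped, "body": seal(data_key, body)}

def decrypt_object(kms, obj):
    # The client needs KMS access (by key ID) to recover the per-object key.
    data_key = kms.decrypt(obj["key_id"], obj["wrapped_key"])
    return unseal(data_key, obj["body"])

# Constructed placeholder ARN, not a real key.
KEY_ID = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
```

Because each object carries its own wrapped key, an object cannot be opened with another object's wrapped key, and losing access to the KMS key makes every object encrypted under it unreadable.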