My client is concerned about whether data encrypted at rest using a KMS CMK or HSM is visible to AWS operators. Please throw some light if anyone has a use case or POC that can be shared to show my client that AWS operators are not able to see data encrypted using a KMS or HSM key.
If the customer is concerned that AWS can access keys within KMS or HSM, then there’s probably not much you can do to prove otherwise that will convince them. You can import your own key material into KMS and AWS has lots of audit records in AWS Artifact that you can show them.
But, if the client's Security people are truly paranoid, they will always come up with cases where a bad actor or rogue employee within AWS compromises KMS or CloudHSM. I've had long conversations with CISOs about stuff like this and it mostly ends in either an understanding and acceptance of the risk profile or irrational thinking about how to truly manage a security profile (i.e. "we should just keep everything offline locked away in a vault").
The rogue employee scenario is HIGHLY unlikely given all the other AWS customer data and the obfuscated nature of the account and the owner of the account in relation to the actual data. The easy way around this is to have the data encrypted on-prem with keys they own.
In aggregate, most companies find that their security profile improves greatly with a move to the cloud, as there is more transparency, granularity and logging available than with legacy on-prem processes.
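The "encrypt on-prem with keys they own" option from the answer above, as an added example that is not part of the original thread and not AWS code: client-side envelope encryption in Go using only the standard library. Each object gets a fresh data key (DEK); the data is sealed under the DEK and the DEK is sealed under a key encryption key (KEK) that stays on-prem. Only the ciphertext and the wrapped DEK are uploaded, so a cloud operator holding every stored byte still has nothing to decrypt with. AES-256-GCM, the `StoredObject` layout and the object-name-as-AAD binding are choices made for this example, not a description of any AWS SDK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// StoredObject is everything that would actually be uploaded to the cloud
// (hypothetical layout for this example). The KEK is never part of it.
type StoredObject struct {
	WrappedDEK []byte // DEK, AES-256-GCM encrypted under the on-prem KEK
	Ciphertext []byte // data, AES-256-GCM encrypted under the DEK
}

// NewKey returns 32 random bytes for use as an AES-256 key (KEK or DEK).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce prepended. aad is
// authenticated but not encrypted; the object name is used so a wrapped key
// or ciphertext cannot be silently swapped onto another object.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, tag or aad do not match.
func open(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, aad)
}

// Encrypt does the envelope on the client side: fresh DEK per object,
// data sealed under the DEK, DEK sealed under the customer-held KEK.
func Encrypt(kek, plaintext []byte, objectName string) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt requires the KEK, which only the customer holds.
func Decrypt(kek []byte, obj StoredObject, objectName string) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectName))
}

func main() {
	kek, _ := NewKey() // generated and kept on-prem
	obj, err := Encrypt(kek, []byte("patient record 42"), "bucket/records/42") // constructed sample
	if err != nil {
		panic(err)
	}
	// This is all the cloud side ever sees.
	fmt.Println("stored ciphertext:", base64.StdEncoding.EncodeToString(obj.Ciphertext))
	fmt.Println("stored wrapped DEK:", base64.StdEncoding.EncodeToString(obj.WrappedDEK))
	// An operator with the stored bytes but not the KEK gets an authentication failure.
	operatorKey, _ := NewKey()
	if _, err := Decrypt(operatorKey, obj, "bucket/records/42"); err != nil {
		fmt.Println("without KEK:", err)
	}
	pt, err := Decrypt(kek, obj, "bucket/records/42")
	if err != nil {
		panic(err)
	}
	fmt.Println("with KEK:", string(pt))
}
```

The point for the client conversation is the last two calls: the same stored bytes fail to open under any key other than the on-prem KEK, and no KMS, HSM or operator access on the provider side changes that, because the provider only ever received ciphertext. What this does not cover is KEK lifecycle (rotation, backup, HSM storage on-prem), which becomes the customer's problem in exchange.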