Client-side encryption with KMS managed keys (CSE-C)

  • Encryption

    1. The client uses an AWS SDK (in this example, the Java client) to create a randomly generated plaintext data key, which is then used to encrypt the object data.
    2. A CMK created by the customer then encrypts this plaintext data key.
    3. At this point, the encrypted data key and the encrypted object data are sent from the client to S3 for storage.
    4. S3 then takes the encrypted data key, associates it with the encrypted object, and stores both on S3.

  • Decryption

    1. A user requests access to the encrypted object on S3.
    2. S3 responds by sending the requested object data, along with the associated encrypted data key, back to the client.
    3. Using the AWS SDK, the customer's CMK is then used with the encrypted data key to recover a plaintext version of that same data key.
    4. The encrypted object can then be decrypted using the plaintext data key, and its contents can be accessed.

As with CSE-KMS, you can see here that all encryption/decryption operations are handled by the client itself. The server (S3) is not involved in this process other than storing the encrypted data sent to it; it never receives the plaintext data key or the plaintext object.
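The two procedures above (encryption steps 1 to 4, then decryption steps 1 to 4) are an instance of envelope encryption. The following Go program, added here as an illustration and not taken from AWS or the SDK, walks through both sides with the standard library only. The customer's CMK is simulated by an in-memory AES-256 key (`MasterKey`), which is an assumption of this example: a real CMK never leaves KMS and the wrap/unwrap calls would go to the KMS service. The `StoredObject` type models what the bucket holds, namely the ciphertext plus the wrapped data key, so a reader can confirm that nothing S3 stores reveals the plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is what the (simulated) S3 bucket holds after step 4 of
// encryption: only ciphertext plus the wrapped data key. No plaintext key.
type StoredObject struct {
	Ciphertext       []byte // object data encrypted under the data key
	EncryptedDataKey []byte // data key encrypted under the customer's master key
}

// MasterKey stands in for the customer-managed CMK. This is an assumption of
// the demo: a real CMK stays inside KMS and is only ever used via API calls.
type MasterKey struct{ key []byte }

// NewMasterKey generates a fresh 256-bit master key.
func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

// aeadSeal encrypts with AES-256-GCM under a fresh random nonce and
// returns nonce || ciphertext || tag.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; it fails on a wrong key or any tampering.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptObject performs encryption steps 1 to 3: generate a random data key,
// encrypt the object with it, wrap the data key under the master key, and
// return the pair that the client uploads. The plaintext data key is dropped.
func EncryptObject(mk *MasterKey, plaintext []byte) (*StoredObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(mk.key, dataKey)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, EncryptedDataKey: wrapped}, nil
}

// DecryptObject performs decryption steps 3 and 4: unwrap the data key with
// the master key, then decrypt the object data with the recovered data key.
func DecryptObject(mk *MasterKey, obj *StoredObject) ([]byte, error) {
	dataKey, err := aeadOpen(mk.key, obj.EncryptedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aeadOpen(dataKey, obj.Ciphertext)
}

// LeaksPlaintext reports whether the stored object contains the plaintext
// verbatim, i.e. whether the storage side could read it without the CMK.
func LeaksPlaintext(obj *StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.EncryptedDataKey, plaintext)
}

func main() {
	mk, _ := NewMasterKey()
	obj, _ := EncryptObject(mk, []byte("quarterly figures")) // constructed sample object
	pt, err := DecryptObject(mk, obj)
	fmt.Printf("leaks=%v decrypted=%q err=%v\n", LeaksPlaintext(obj, []byte("quarterly figures")), pt, err)
}
```

Because the data key is wrapped with an authenticated mode, a client holding a different master key cannot unwrap it, and a modified `EncryptedDataKey` or `Ciphertext` fails with an error rather than yielding garbage; that is the property that makes storing the wrapped key next to the object on S3 safe.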
