It is a fully managed service that allows creation and management of (symmetric and asymmetric ) cryptographic keys ( used for Encryption at Rest).
Customer Master Key (CMKs) are the primary resources in KMS -
they contain the key material to encrypt and decrypt data.
CMK can encrypt data up to 4KB but can also generate, encrypt and decrypt Data Encryption Keys - in case of larger amount of data.
AWS Managed CMKs
they are created managed, and used on your behalf by any AWS Service integrated with KMS.
you don't have to manage them ( you can't rotate or change them, AWS does that for you)
Data Encryption Keys
are used to encrypt large amount of data or other data encryption keys.
KMS does not store DEK and you have to manage them outside of AWS KMS