KMS:
- Stands for Key Management Service.
- AWS manages the encryption keys.
- Encryption is automatically enabled for: CloudTrail Logs, S3 Glacier and Storage Gateway.
CloudHSM:
- HSM stands for Hardware Security Module: dedicated hardware for security.
- AWS provides the encryption hardware to you, so that you can generate encryption keys.