I think your latter pattern is referred to as “envelope encryption” or “data key encryption.” This allows you to store ciphertext and decrypt on demand. Bonus points for using a different data key per customer/logical container/etc. while still using one (or more) KMS keys. An example https://encryption-ws.workshop.aws/keymanagement-kms/envelop...
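An added worked example of that pattern in Go (my own sketch, not code from the comment or the linked AWS workshop): a stand-in `FakeKMS` type wraps a fresh per-customer data key under one master key, and what gets stored is only the ciphertext plus the wrapped key. The `FakeKMS`, `Encrypt`/`Decrypt` names and the use of the customer id as AAD are my assumptions; a real deployment would call the KMS GenerateDataKey and Decrypt APIs with an encryption context instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// gcm builds an AES-256-GCM AEAD; every key here is exactly 32 bytes, so neither call can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand; a fresh nonce per call
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; it fails on tampering or on a mismatched aad.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// FakeKMS stands in for a real KMS: the master key never leaves it; callers only see wrapped DEKs.
type FakeKMS struct{ master []byte }
// GenerateDataKey returns a fresh DEK in plaintext and wrapped under the master key. The customer id
// is bound as AAD (like a KMS encryption context), so a wrapped key cannot be reused for another tenant.
func (k *FakeKMS) GenerateDataKey(customer string) (plain, wrapped []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, seal(k.master, plain, []byte(customer))
}

// Encrypt stores only ciphertext plus the wrapped DEK; the plaintext DEK is dropped afterwards.
func Encrypt(kms *FakeKMS, customer string, plaintext []byte) ([]byte, []byte) {
	dek, wrapped := kms.GenerateDataKey(customer)
	return wrapped, seal(dek, plaintext, []byte(customer))
}
// Decrypt on demand: unwrap the DEK through the KMS, then decrypt the record locally.
func Decrypt(kms *FakeKMS, customer string, wrapped, ciphertext []byte) ([]byte, error) {
	dek, err := open(kms.master, wrapped, []byte(customer))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(customer))
}
```

Because the customer id is authenticated alongside the wrapped key, a wrapped DEK copied from one tenant's record cannot be unwrapped under another tenant's context, and any change to the stored ciphertext is rejected on decrypt.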