Hope I understood it wrong, but during the KMS decryption section you mentioned that a user uses the KMS CMK to generate another plaintext DEK to decrypt the ciphertext data. Based on my knowledge, the encrypted DEK stored with the ciphertext is sent to KMS to be decrypted and is then used in the decryption process.
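The envelope-decryption flow described in the comment above, written out as an added example that is not part of the original thread and not AWS's own SDK code: a hypothetical StubKMS type stands in for AWS KMS (it holds the CMK and exposes only GenerateDataKey and Decrypt, so the CMK never leaves the "service"), AES-256-GCM is used both for wrapping the DEK and for encrypting the data, and the sample record is constructed. On the decrypt path the client sends the stored encrypted DEK to the KMS stand-in and receives the plaintext DEK back; no new DEK is generated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StubKMS is a hypothetical stand-in for AWS KMS: it holds the customer master
// key (CMK) and exposes only the two calls envelope encryption needs.
type StubKMS struct{ cmk []byte }

// NewStubKMS creates a "KMS" with a fresh random 256-bit CMK.
func NewStubKMS() (*StubKMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	return &StubKMS{cmk: cmk}, nil
}

// gcmSeal encrypts plaintext under key with AES-256-GCM, prepending the nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key or any tampering.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh plaintext DEK plus the
// same DEK wrapped under the CMK.
func (k *StubKMS) GenerateDataKey() (plaintextDEK, encryptedDEK []byte, err error) {
	plaintextDEK = make([]byte, 32)
	if _, err = rand.Read(plaintextDEK); err != nil {
		return nil, nil, err
	}
	encryptedDEK, err = gcmSeal(k.cmk, plaintextDEK)
	return plaintextDEK, encryptedDEK, err
}

// Decrypt mirrors KMS Decrypt: the caller sends the encrypted DEK that was
// stored next to the ciphertext and gets the plaintext DEK back.
func (k *StubKMS) Decrypt(encryptedDEK []byte) ([]byte, error) {
	return gcmOpen(k.cmk, encryptedDEK)
}

// Envelope is what the client persists: ciphertext plus the wrapped DEK.
// The plaintext DEK is never stored.
type Envelope struct {
	EncryptedDEK []byte
	Ciphertext   []byte
}

// EnvelopeEncrypt gets a data key from KMS, encrypts locally with the plaintext
// DEK, and keeps only the encrypted DEK alongside the ciphertext.
func EnvelopeEncrypt(kms *StubKMS, plaintext []byte) (Envelope, error) {
	dek, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EncryptedDEK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt sends the stored encrypted DEK to KMS, then uses the returned
// plaintext DEK to decrypt the ciphertext locally.
func EnvelopeDecrypt(kms *StubKMS, env Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.EncryptedDEK)
	if err != nil {
		return nil, fmt.Errorf("KMS refused to unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext)
}

func main() {
	kms, _ := NewStubKMS()
	env, _ := EnvelopeEncrypt(kms, []byte("constructed sample record")) // constructed input
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

Two properties worth checking against this shape: a flipped byte in the ciphertext makes the local GCM open fail, and an Envelope handed to a KMS holding a different CMK fails at the Decrypt step, because the wrapped DEK cannot be unwrapped without the original master key.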
Good question... For such AWS EKS managed services we have to use the AWS-provided architectures to use AWS Secrets Manager via IAM and the Secrets Store CSI driver or similar (please have a look at my video on CSI inline volumes). There is another simple way too: you can access secrets from EKS cluster pods using IAM roles.
To achieve this you need a Vault KMS provider for Kubernetes... I can see a few, e.g. by Oracle and Ondat: github.com/oracle/kubernetes-vault-kms-plugin and www.ondat.io/webinars/secure-all-your-k8s-secrets-with-a-kms-provider-plugin-and-hashicorp-vault. Sorry, I don't have much more information on this. However, once KMS v2 goes GA there will be many providers for sure.