AWS services ask KMS to decrypt the encrypted data-key and KMS decrypts it using the CMK and sends back the plaintext data-key. How is this key protected in transit?

Let's say S3, which is a public service, requests the plaintext data-key from KMS. S3 is a public service with a public endpoint. How is the data-key protected? Does the traffic flow over the internet?

1 Answer

The KMS <-> S3 encryption/decryption interaction occurs within the AWS network. Data is encrypted at rest using AES-256 encryption supported by various key providers (customer managed/server-side) and in transit using TLS v1.2. Regardless, if you make an object public and accessible by anyone, they will be able to access it. You must ensure that you are not making buckets or objects public.

"S3 is a public service with a public endpoint. How is the data-key protected?" This "public service" still utilizes Identity and Access Management to control access to your objects; not just anyone can read the bucket or the blobs within it.

The documentation link posted in Amit's comment will also explain the interaction flow for you; it is not trivial: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html
Key encryption chart
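The envelope-encryption flow the question describes (S3 asks KMS for a data key, encrypts the object with it, stores only the encrypted copy of the data key, and asks KMS to unwrap it again on read), as an added example that is not from the post, the linked documentation or AWS. `FakeKMS`, `FakeS3`, `seal` and `open_sealed` are constructed stand-ins: the CMK is created inside `FakeKMS` and never returned, and an HMAC-SHA256 keystream with encrypt-then-MAC replaces AES-256-GCM so the script runs with the standard library alone. The `aws:s3:arn` encryption-context key mirrors the one S3 uses for SSE-KMS; everything else is assumed.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # HMAC-SHA256 digest size, used as the keystream block size


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in for AES: XOR data with HMAC-SHA256(key, nonce||counter)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(4, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; 'aad' is authenticated but not encrypted (like GCM AAD)."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    return _keystream_xor(key, nonce, ct)


def _encode_context(context: dict) -> bytes:
    # Canonical encoding so the same context always produces the same AAD.
    return "&".join(f"{k}={context[k]}" for k in sorted(context)).encode()


class FakeKMS:
    """Constructed stand-in for KMS: the CMK lives here and is never handed out."""

    def __init__(self) -> None:
        self._cmk = secrets.token_bytes(32)
        self.log = []  # what an audit log would record: the operation, not the key

    def generate_data_key(self, context: dict) -> tuple:
        """Return (plaintext data key, data key encrypted under the CMK)."""
        plaintext_key = secrets.token_bytes(32)
        encrypted_key = seal(self._cmk, plaintext_key, _encode_context(context))
        self.log.append(("GenerateDataKey", dict(context)))
        return plaintext_key, encrypted_key

    def decrypt(self, encrypted_key: bytes, context: dict) -> bytes:
        """Unwrap a data key; fails if the encryption context does not match."""
        self.log.append(("Decrypt", dict(context)))
        return open_sealed(self._cmk, encrypted_key, _encode_context(context))


class FakeS3:
    """Constructed stand-in for S3 with SSE-KMS: stores ciphertext + encrypted data key."""

    def __init__(self, kms: FakeKMS) -> None:
        self._kms = kms
        self._objects = {}  # (bucket, key) -> (encrypted data key, sealed body)

    def put_object(self, bucket: str, key: str, body: bytes) -> None:
        context = {"aws:s3:arn": f"arn:aws:s3:::{bucket}/{key}"}
        data_key, encrypted_data_key = self._kms.generate_data_key(context)
        sealed_body = seal(data_key, body)
        del data_key  # the plaintext data key exists only for the duration of this call
        self._objects[(bucket, key)] = (encrypted_data_key, sealed_body)

    def get_object(self, bucket: str, key: str) -> bytes:
        encrypted_data_key, sealed_body = self._objects[(bucket, key)]
        context = {"aws:s3:arn": f"arn:aws:s3:::{bucket}/{key}"}
        data_key = self._kms.decrypt(encrypted_data_key, context)  # round trip to KMS
        return open_sealed(data_key, sealed_body)

    def stored_encrypted_data_key(self, bucket: str, key: str) -> bytes:
        return self._objects[(bucket, key)][0]


def demo() -> dict:
    kms = FakeKMS()
    s3 = FakeS3(kms)
    body = b"constructed sample object: quarterly report"  # constructed input
    s3.put_object("example-bucket", "reports/q1.txt", body)
    roundtrip = s3.get_object("example-bucket", "reports/q1.txt")
    stored = s3.stored_encrypted_data_key("example-bucket", "reports/q1.txt")
    # The stored key is ciphertext under the CMK; a copy of it is useless without
    # KMS, and KMS refuses to unwrap it under a context for a different object.
    try:
        kms.decrypt(stored, {"aws:s3:arn": "arn:aws:s3:::other-bucket/x"})
        context_mismatch_rejected = False
    except ValueError:
        context_mismatch_rejected = True
    return {
        "roundtrip_ok": roundtrip == body,
        "stored_key_len": len(stored),  # nonce + 32-byte key + tag, never the raw key
        "context_mismatch_rejected": context_mismatch_rejected,
        "kms_ops": [op for op, _ in kms.log],
    }


if __name__ == "__main__":
    print(demo())
```

The point for the question at hand: only the encrypted data key is ever stored beside the object, the plaintext key is held in memory for one operation, and the CMK never leaves KMS, so transit protection (TLS inside the AWS network, per the answer) only has to cover a short-lived key rather than the master key.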