
What are you talking about? I have so many questions - who is uncle Bob in this scenario, an AWS employee? Whose uncle is he and why is that important? And what makes his flash drive fancy?

AWS has several encryption products you can easily look up, such as KMS. No, the employees don't have the keys. [1]

[1] https://aws.amazon.com/kms/faqs/



Uncle Bob is an AWS employee.

How does the application residing on AWS decrypt private data if it does not have access to the master (private) key?


KMS is a hardware security module, kind of like the secure enclave on an iPhone. The private key doesn't leave the hardware; your process requests that KMS should encrypt or decrypt something (which is probably another disposable key used for your session to a DB or whatever, like in a browser TLS session). All of AWS's core services are neatly integrated with KMS: EBS, EFS, RDS, DynamoDB, etc.

I'd trust the AWS datacenter security and processes over your average big-corp datacenter any day, having seen quite a few.


I had the same question as you and took a look at their FAQ.

#1 You should check what "HSM" is, and will know the answer to your question :D. #2 KMS offers client-side encryption. So if you don't trust AWS for whatever reason, you can choose to encrypt at client-side too. :D
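The pattern the two replies above describe (the master key stays inside the HSM, the application only ever asks KMS to wrap and unwrap a short-lived data key, and the bulk data is encrypted client-side with that data key) is usually called envelope encryption. The following is an added illustration written for this thread, not code from AWS or from any commenter. `SimulatedKms` is a constructed stand-in for a KMS key: it exposes only GenerateDataKey/Decrypt-style calls, records each call the way CloudTrail would, and never hands out its master key. The cipher is a constructed HMAC-SHA256-based stream cipher with an encrypt-then-MAC tag so the example runs with the standard library alone; real deployments use AES-GCM via the AWS Encryption SDK.

```python
"""Envelope encryption against a simulated KMS (constructed example, not AWS code)."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, nonce: bytes, counter: int) -> bytes:
    # Keystream block i = HMAC-SHA256(key, nonce || i). A PRF-based stream cipher
    # standing in for AES-GCM so the example needs no third-party library.
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR data with the keystream; the same call both encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, nonce, i // 32)
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext).
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class SimulatedKms:
    """Constructed stand-in for an HSM-backed KMS key.

    The master key is private to this object and is never returned to callers.
    Only wrap/unwrap operations on small blobs (data keys) are exposed, and every
    call is appended to audit_log, the role CloudTrail plays for the real service.
    """

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)
        self.audit_log: list[str] = []

    def generate_data_key(self) -> tuple[bytes, bytes]:
        # Returns (plaintext data key, data key wrapped under the master key).
        self.audit_log.append("GenerateDataKey")
        data_key = secrets.token_bytes(32)
        return data_key, _seal(self._master, data_key)

    def decrypt(self, wrapped_key: bytes) -> bytes:
        # Unwraps a data key; the master key itself never leaves this object.
        self.audit_log.append("Decrypt")
        return _open(self._master, wrapped_key)


# Application side: this is the code that runs on the EC2 instance / in the app.

def encrypt_record(kms: SimulatedKms, plaintext: bytes) -> dict:
    data_key, wrapped_key = kms.generate_data_key()
    ciphertext = _seal(data_key, plaintext)
    # The plaintext data key is discarded here; only the wrapped copy is stored
    # beside the ciphertext, so the stored record is useless without a KMS call.
    del data_key
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext}


def decrypt_record(kms: SimulatedKms, record: dict) -> bytes:
    data_key = kms.decrypt(record["wrapped_key"])
    return _open(data_key, record["ciphertext"])


if __name__ == "__main__":
    kms = SimulatedKms()
    rec = encrypt_record(kms, b"constructed sample: patient record 42")
    print(decrypt_record(kms, rec))
    print(kms.audit_log)
```

The point to notice is where each secret lives: the application process holds a data key only for the duration of one operation, the stored record carries the data key solely in wrapped form, and every unwrap is a logged KMS call that IAM policy can restrict. An operator with a copy of the database, or of the application host's disk, still has nothing to decrypt with.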



