Prevention of client-side AWS client credentials and CMK exposure

  1. I encrypted some data on the server side with a CMK of AWS KMS. So an encrypted data key is created, and the ciphertext blob will be sent to the client side.
  2. On the client side, for decryption, I need to provide the AWS access key, secret key and CMK to implement the decrypt method.

My question is: How do we securely store this key without exposing the keys to the client side?

