There are two ways in which data stored in S3 can be encrypted at rest:
Client-side encryption: data is encrypted before it is sent and is stored encrypted. On retrieval, the encrypted data is returned and decrypted on the client side. This can be achieved with the AWS SDK and either KMS or a self-managed secret.
Server-side encryption: data is sent unencrypted to AWS over TLS, and AWS is responsible for encrypting it and storing it on disk. On retrieval, AWS reads the encrypted data from disk, decrypts it, and sends the raw data back over TLS.
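To audit which of the two modes an object actually uses, the added example below (not from the original page) classifies a dict shaped like boto3's head_object() response. It goes beyond the text by naming the server-side variants (SSE-S3, SSE-KMS, SSE-C); it assumes client-side objects were written by the Amazon S3 Encryption Client, which records its envelope fields as user metadata, and the sample responses are constructed.

```python
# Added example (not from the original page). Input is a dict shaped like
# boto3's head_object() response; the samples below are constructed.

# User-metadata keys written by the Amazon S3 Encryption Client. boto3 returns
# them in "Metadata" with the "x-amz-meta-" prefix already stripped.
WRAPPED_KEY_FIELDS = ("x-amz-key-v2", "x-amz-key")  # envelope key, v2 / v1 format


def classify(head):
    """Report which at-rest protection layers an object carries."""
    meta = {k.lower(): v for k, v in head.get("Metadata", {}).items()}

    # Client-side: the wrapped data key and IV travel with the ciphertext.
    client_side = any(meta.get(k) for k in WRAPPED_KEY_FIELDS) and bool(meta.get("x-amz-iv"))
    key_source = None
    if client_side:
        # Assumption: wrap algorithms starting with "kms" mean a KMS key;
        # anything else means a key the client manages itself.
        wrap = meta.get("x-amz-wrap-alg", "")
        key_source = "KMS" if wrap.startswith("kms") else "self-managed"

    # Server-side: S3 reports how it encrypted the bytes it wrote to disk.
    sse = head.get("ServerSideEncryption") or ""
    if head.get("SSECustomerAlgorithm"):
        server_side = "SSE-C"
    elif sse == "AES256":
        server_side = "SSE-S3"
    elif sse.startswith("aws:kms"):
        server_side = "SSE-KMS"
    else:
        server_side = None

    return {"client_side": client_side, "key_source": key_source, "server_side": server_side}


# Constructed sample responses (placeholder values, not real keys or ARNs).
SAMPLE_CLIENT_SIDE = {
    "ServerSideEncryption": "AES256",  # both layers can be present at once
    "Metadata": {"x-amz-key-v2": "<wrapped-key>", "x-amz-iv": "<iv>",
                 "x-amz-wrap-alg": "kms+context", "x-amz-cek-alg": "AES/GCM/NoPadding"},
}
SAMPLE_SERVER_SIDE = {"ServerSideEncryption": "aws:kms",
                      "SSEKMSKeyId": "<kms-key-arn>", "Metadata": {}}

if __name__ == "__main__":
    for name, head in (("client-side", SAMPLE_CLIENT_SIDE), ("server-side", SAMPLE_SERVER_SIDE)):
        print(name, classify(head))
```

A client that encrypts with its own code leaves none of this metadata, so client_side being False does not prove that plaintext was uploaded.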