How does CloudHSM encrypt and decrypt files?

0

Hi all! I would like to ask a question about CloudHSM.

I am currently testing the possibility of using CloudHSM to encrypt data in S3 with my encryption keys, and for compliance reasons I chose CloudHSM.

When I initialize the CloudHSM cluster, I get the CSR and sign it in our organization's certification authority, and I get the root CA public key (CA-public-key.crt) and the certificate signed by our CA (cluster-certificate.crt).

Then I initialize the cluster with the command:

aws cloudhsmv2 initialize-cluster --cluster-id cluster-klgfnjklsng \
    --signed-cert file://cluster-certificate.crt \
    --trust-anchor file://CA-public-key.crt

Then in KMS I set up an external key store (CloudHSM) and initialize it with CA-public-key.crt.

After that I create an S3 bucket where I choose KMS encryption, and thus the data is encrypted.

But I have a question: how does AWS encrypt my data in the cloud? After all, during initialization I did not transfer the private key of our CA, but as we know, with asymmetric encryption a file can be encrypted using the public key and decrypted using the private key! How does AWS decrypt files on the fly when I didn't pass the private key to CloudHSM when I initialized the cluster?
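The question assumes the CA key pair from cluster initialization is what encrypts the objects. With SSE-KMS it is not: S3 asks KMS for a fresh per-object data key (GenerateDataKey), encrypts the object with it, and stores the data key wrapped under a symmetric KMS key whose material lives in the HSM. The following is an added model of that envelope flow, not code from the post or from AWS; the HSM, KMS and S3 classes are stand-ins, and the cipher is an HMAC-SHA256 keystream plus HMAC tag standing in for AES-GCM so the script runs with the standard library only.

```python
"""Envelope-encryption model of S3 SSE-KMS backed by an HSM-resident
symmetric key. Added example: stand-in classes, stdlib-only cipher."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real AEAD: XOR with HMAC-SHA256(key, nonce||counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any tampered blob."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class CloudHsmKeyStore:
    """Stand-in for a KMS key in a CloudHSM key store. The symmetric key
    material never leaves this object; callers get only a key ID and wrapped
    data keys. The CA key pair used to initialize the cluster plays no part."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create_symmetric_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)          # constructed ID
        self._keys[key_id] = secrets.token_bytes(32)    # AES-256 equivalent
        return key_id

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        """Mirrors KMS GenerateDataKey: a fresh per-object key, returned in
        plaintext (used once, then discarded) and wrapped under the KMS key."""
        dek = secrets.token_bytes(32)
        wrapped = key_id.encode() + b":" + seal(self._keys[key_id], dek)
        return dek, wrapped

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        """Mirrors KMS Decrypt: unwrap inside the HSM, hand back only the DEK."""
        key_id, blob = wrapped.split(b":", 1)
        return open_(self._keys[key_id.decode()], blob)


@dataclass
class StoredObject:
    ciphertext: bytes
    wrapped_key: bytes  # persisted alongside the object as metadata


def s3_put(hsm: CloudHsmKeyStore, key_id: str, body: bytes) -> StoredObject:
    """What S3 does on PutObject with SSE-KMS: get a DEK, encrypt, keep the
    wrapped DEK, drop the plaintext DEK."""
    dek, wrapped = hsm.generate_data_key(key_id)
    ciphertext = seal(dek, body)
    del dek
    return StoredObject(ciphertext, wrapped)


def s3_get(hsm: CloudHsmKeyStore, obj: StoredObject) -> bytes:
    """What S3 does on GetObject: ask KMS to unwrap the DEK, then decrypt."""
    dek = hsm.decrypt_data_key(obj.wrapped_key)
    return open_(dek, obj.ciphertext)


if __name__ == "__main__":
    hsm = CloudHsmKeyStore()
    kid = hsm.create_symmetric_key()
    obj = s3_put(hsm, kid, b"constructed sample object body")
    print(s3_get(hsm, obj))
```

Two properties worth checking against the model: two uploads of the same body produce different wrapped keys and ciphertexts, and flipping a single ciphertext byte makes the read fail closed rather than return garbage.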

1 Answer
0

Hello,

The steps mentioned in the initialization of the cluster, like "Get the cluster CSR" and "Sign the CSR", are for verifying the identity of the cluster for security reasons. Those keys are NOT used to encrypt/decrypt files in S3.

You need to create new symmetric keys in the KMS custom key store using https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html#create-cmk-keystore-console. Also, AWS CloudHSM key stores support only symmetric encryption KMS keys.

If you are concerned about KMS FIPS compliance, AWS KMS HSMs were recently upgraded to FIPS 140-2 Security Level 3: https://aws.amazon.com/about-aws/whats-new/2023/05/aws-kms-hsm-fips-security-level-3/

Thanks

AWS
Answered 1 year ago
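The answer points to the console for creating the symmetric key in the custom key store. The same provisioning in code, as an added example that is not from the post or from AWS documentation: the KMS and S3 clients are passed in (so the functions can be exercised with stubs), the key is created with `Origin="AWS_CLOUDHSM"` and `KeySpec="SYMMETRIC_DEFAULT"` (the only spec a CloudHSM key store accepts), and the bucket's default encryption is pointed at it. The custom key store ID, bucket name and region in `main` are placeholders.

```python
"""Provision an HSM-backed symmetric KMS key and enable SSE-KMS on a bucket.
Added example; clients are injected so it can run against stubs."""


def create_hsm_backed_key(kms, custom_key_store_id: str, description: str) -> str:
    """Create a KMS key whose AES-256 material is generated inside the
    CloudHSM cluster behind the custom key store. Returns the key ARN."""
    resp = kms.create_key(
        CustomKeyStoreId=custom_key_store_id,
        Origin="AWS_CLOUDHSM",          # material lives in the cluster
        KeySpec="SYMMETRIC_DEFAULT",    # CloudHSM key stores: symmetric only
        KeyUsage="ENCRYPT_DECRYPT",
        Description=description,
    )
    return resp["KeyMetadata"]["Arn"]


def enable_sse_kms(s3, bucket: str, key_arn: str) -> dict:
    """Make SSE-KMS with the given key the bucket default, so objects written
    without explicit encryption headers are still covered."""
    config = {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": key_arn,
            },
            # Bucket Keys cut KMS request volume (and cost) for large buckets
            "BucketKeyEnabled": True,
        }]
    }
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=config)
    return config


def verify_object_encrypted(s3, bucket: str, key: str, key_arn: str) -> bool:
    """Post-upload check: HeadObject reports the algorithm and key actually
    used, which is what an auditor will ask for."""
    head = s3.head_object(Bucket=bucket, Key=key)
    return (head.get("ServerSideEncryption") == "aws:kms"
            and head.get("SSEKMSKeyId") == key_arn)


def main() -> None:
    import boto3  # real clients only here; placeholders below
    kms = boto3.client("kms", region_name="REGION-PLACEHOLDER")
    s3 = boto3.client("s3", region_name="REGION-PLACEHOLDER")
    key_arn = create_hsm_backed_key(kms, "cks-PLACEHOLDER", "S3 object key (CloudHSM)")
    enable_sse_kms(s3, "BUCKET-PLACEHOLDER", key_arn)
    s3.put_object(Bucket="BUCKET-PLACEHOLDER", Key="probe.txt", Body=b"probe")
    print(verify_object_encrypted(s3, "BUCKET-PLACEHOLDER", "probe.txt", key_arn))


if __name__ == "__main__":
    main()
```

Creating the key and pointing the bucket at it is not enough on its own: the bucket's policy (or the writers' IAM role) still needs kms:GenerateDataKey and kms:Decrypt on that key, otherwise PutObject and GetObject fail with access-denied errors from KMS.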
