I am relatively new to Cryptography. From what I have read, it says that AES is symmetric. Hence there is no concept of Public and Private. So how is AES implemented to secure information transmitted over the web?
To try to explain, when a website uses SSL/TLS for transmitting encrypted data over the transport layer, it first establishes the identity of the server (and/or client, depending on the certificates used). Together, using asymmetric crypto (for example RSA), the two sides (client and server) establish a connection and, using public and private keys, they figure out a symmetric key that they both can use for transmitting data for the remainder of the session. The actual symmetric key is never transmitted.
Once they have done that, they switch to using symmetric crypto (AES, RC4, etc.) for the rest of the session, using the key that they determined during the previous steps. Symmetric crypto is much, much faster than asymmetric, hence the reason for switching, but since they can't just pass a symmetric key back and forth, the first step is needed to figure out what key to use.
This is a very simplistic explanation of the extremely complex tasks that are really going on, but since you said you’re a beginner, I’ll keep it simple.
Symmetric encryption (AES and others) is also commonly used strictly within the application (not for transmitting data) for storing encrypted data in a database or on a file system. So in that way AES (or others) can be used for website security.
AES Reference
NIST FIPS 197 doc
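An added example, not part of the answer above: a simplified Node.js sketch of the two phases the answer describes, in which both sides derive the same AES key without ever sending it. It uses ephemeral ECDH key agreement rather than RSA and omits the certificate check that real TLS performs; the function names and the sample message are made up for the illustration.

```javascript
// Added illustration: asymmetric key agreement first, then AES for the data.
// Simplified: no certificates or server authentication, unlike real TLS.
const nodeCrypto = require('crypto');

// Each side makes an ephemeral key pair; only the PUBLIC halves cross the wire.
function newParty() {
  const ecdh = nodeCrypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Both sides compute the same shared secret locally, then turn it into a
// 256-bit AES key with HKDF. The AES key itself is never transmitted.
function deriveSessionKey(party, peerPublicKey) {
  const shared = party.ecdh.computeSecret(peerPublicKey);
  const okm = nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0),
                                  Buffer.from('demo session key'), 32);
  return Buffer.from(okm);
}

// Symmetric phase: AES-256-GCM with a fresh 96-bit nonce per message.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample exchange between a "client" and a "server".
function demo() {
  const client = newParty();
  const server = newParty();
  const clientKey = deriveSessionKey(client, server.publicKey);
  const serverKey = deriveSessionKey(server, client.publicKey);
  const msg = seal(clientKey, 'GET /account HTTP/1.1');
  return { keysMatch: clientKey.equals(serverKey), received: unseal(serverKey, msg) };
}

console.log(demo());
```

Only `publicKey`, `iv`, `ct` and `tag` would travel over the network here; an eavesdropper who sees all four still lacks either private key needed to compute the session key.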