
To enable cross-account S3 data sharing we decided to implement the use of customer-managed KMS keys. Before, we used the AWS default KMS key (SSE-S3) and things worked great. We expected the switch to customer-managed keys (SSE-KMS) to be seamless, as in both cases the process is transparent for a client: keys are managed on the AWS S3 API backend side somehow.
We use S3 bucket keys to allow more effective caching and lower KMS costs.

After re-encrypting all our data we noticed hundreds of dollars of KMS costs per day. Why is this happening?

2 Answers


  1. Chosen as BEST ANSWER

    It was quite hard to understand why this happens; the answer does not lie on the surface.

    We had to ask AWS Support and after some time received a confirmation that this is normal behavior for SSE-KMS and there is nothing we can do about it. We decided to switch back to SSE-S3.

    The following is AWS Support response:

    The internal team has advised that the default encryption setting when creating an S3 bucket is SSE-S3, which uses an AWS-owned key. This key type is different from AWS-managed keys in the following ways:

    - They are completely free to use --> not billed for ownership or requests
    - They do not exist in your account
    - You cannot audit their activity in CloudTrail

    More info on AWS-owned keys is given here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk

    Therefore, the internal team advised that if you transitioned from SSE-S3 to SSE-KMS, then this would explain the increase in KMS requests while maintaining your rate of S3 requests. They also mentioned that transitioning from the AWS-managed key aws/s3 to a customer-managed key should not cause your total Decrypt requests to increase, as requests from AWS-managed keys can be audited. However, you may see more requests for a single CMK if they use that key for multiple buckets.


  2. With a reading pattern of hundreds of thousands of files read daily, KMS costs can be like what you observe.

    Check the KMS pricing model. It’s $1 per key and $0.03 per 10k requests to use this key.

    For cross-account access you have to use a KMS key, as you have to adjust the key policy to allow access to the encryption key from different accounts.

    There is a feature called Storage Lens in the S3 service. You can use it to investigate operation patterns. In most cases the expected usage is far from reality.

    I’d start with an investigation of access patterns and apply optimization where possible.

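Both answers point the same way: once a customer-managed key is in use, every Decrypt and GenerateDataKey call S3 makes is recorded in CloudTrail, so the access pattern behind the bill can be measured instead of guessed, and the per-request price quoted above turns the count into dollars. The script below is an added example, not code from either answer or from AWS. It runs over a constructed CloudTrail log (the records, account id, key ARNs and bucket names are placeholders made up for this example), counts KMS calls per key and per bucket, flags calls whose encryption context is a bucket ARN rather than an object ARN (the example assumes that is what S3 sends when an S3 Bucket Key is in effect, which is how you can confirm bucket keys are actually being used), and projects the request charge with the $0.03 per 10k requests figure from the second answer.

```python
import json
from collections import Counter, defaultdict

# Pricing figure quoted in the answer above: $0.03 per 10,000 KMS API requests.
PRICE_PER_10K_REQUESTS = 0.03

# Constructed sample data (not real logs). Account id, key ARNs and bucket names
# are placeholders; the field layout follows CloudTrail's record format for
# KMS calls that S3 makes on a caller's behalf.
KEY_A = "arn:aws:kms:eu-west-1:111122223333:key/00000000-aaaa-0000-0000-000000000001"
KEY_B = "arn:aws:kms:eu-west-1:111122223333:key/00000000-bbbb-0000-0000-000000000002"


def _kms_event(name, key_arn, s3_arn=None):
    """Build one constructed CloudTrail record for a KMS API call."""
    record = {"eventSource": "kms.amazonaws.com", "eventName": name,
              "resources": [{"ARN": key_arn}], "requestParameters": {}}
    if s3_arn:
        record["requestParameters"]["encryptionContext"] = {"aws:s3:arn": s3_arn}
    return record


SAMPLE_LOG = json.dumps({"Records": [
    _kms_event("Decrypt", KEY_A, "arn:aws:s3:::data-bucket/logs/2023/01/a.gz"),
    _kms_event("Decrypt", KEY_A, "arn:aws:s3:::data-bucket/logs/2023/01/b.gz"),
    _kms_event("GenerateDataKey", KEY_A, "arn:aws:s3:::data-bucket/logs/2023/01/c.gz"),
    _kms_event("Decrypt", KEY_B, "arn:aws:s3:::shared-bucket"),           # bucket-level context
    _kms_event("Decrypt", KEY_A, "arn:aws:s3:::shared-bucket/report.csv"),
    _kms_event("Decrypt", KEY_A),                                          # not made by S3
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},         # ignored: not KMS
]})


def load_kms_records(log_text):
    """Parse a CloudTrail log body and keep only KMS API events."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def s3_context(record):
    """Return the aws:s3:arn encryption context, or None when S3 did not make the call."""
    params = record.get("requestParameters") or {}
    return (params.get("encryptionContext") or {}).get("aws:s3:arn")


def bucket_from_s3_arn(s3_arn):
    """arn:aws:s3:::bucket/key  ->  bucket"""
    return s3_arn.split(":::", 1)[1].split("/", 1)[0]


def is_bucket_level_context(s3_arn):
    """Assumption used by this example: with an S3 Bucket Key in effect S3 passes
    the bucket ARN (no object key) as encryption context instead of an object ARN."""
    return "/" not in s3_arn.split(":::", 1)[1]


def summarize_kms_usage(records):
    """Aggregate KMS calls per key and per bucket, and count bucket-level contexts."""
    per_key = defaultdict(Counter)   # key ARN -> eventName -> count
    per_bucket = Counter()           # bucket -> KMS calls made by S3
    bucket_key_calls = Counter()     # bucket -> calls carrying a bucket-level context
    non_s3_calls = 0                 # KMS calls without an aws:s3:arn context
    for r in records:
        key_arn = next((res["ARN"] for res in r.get("resources", [])
                        if ":key/" in res.get("ARN", "")), "unknown-key")
        per_key[key_arn][r["eventName"]] += 1
        ctx = s3_context(r)
        if ctx is None:
            non_s3_calls += 1
            continue
        bucket = bucket_from_s3_arn(ctx)
        per_bucket[bucket] += 1
        if is_bucket_level_context(ctx):
            bucket_key_calls[bucket] += 1
    return {
        "per_key": {k: dict(v) for k, v in per_key.items()},
        "per_bucket": dict(per_bucket),
        "bucket_key_calls": dict(bucket_key_calls),
        "non_s3_calls": non_s3_calls,
    }


def request_cost_usd(n_requests):
    """KMS request charge at the quoted $0.03 per 10,000 requests (key fee excluded)."""
    return round(n_requests / 10_000 * PRICE_PER_10K_REQUESTS, 2)


def cost_per_key_usd(summary):
    """Request charge attributable to each key in a summary."""
    return {k: request_cost_usd(sum(v.values())) for k, v in summary["per_key"].items()}


if __name__ == "__main__":
    summary = summarize_kms_usage(load_kms_records(SAMPLE_LOG))
    print(json.dumps(summary, indent=2))
    print("charge per key in sample:", cost_per_key_usd(summary))
    print("100M KMS requests in a day would cost about $", request_cost_usd(100_000_000))
```

Run it against a real trail export by replacing SAMPLE_LOG with the contents of a CloudTrail log file: a bucket that shows up in per_bucket but never in bucket_key_calls is one where the bucket key is not saving you any calls, and a high non_s3_calls count means something other than S3 is driving the key's request bill.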