KMS Limits and free-tier

Question

Hi forum;  
         
         Today I received aws email, alert about 85% of my AWS Key Menagement Service limit is near to end it's free-tier.  
  
     So, as I deploy some extra AWS Services to production environment late Dez/2019, I'm having difficulties to isolate what service is consuming extra KMS requests;  
  
      Here list of some new services started Dez/2019 examples:  
         Android AWS-SDK  (lambda calls)   
         Cognito  
          SQS sending messages and reading by lambda trigger  
          RDS Performance insight   
          Pinpoint push features  
         **Also I've created and immediately deleted one code commit repository**  
  
Searching this group , I've noticed that cod commit and kms requests, has some issues.  
  
Please; I'll appreciate some help to drive me for answer two questions  
           
          Service(s) who are consuming extra requests  
          What level of pricing (I saw,  doc for  extra 10.000 requests ) will be charged

Advanced Thanks;  
  
Edited by: mortega on Jan 24, 2020 5:24 AM

Accepted Answer

AWS KMS pricing is listed here: https://aws.amazon.com/kms/pricing/  
  
One way to know which service is using KMS is to go to CloudTrail in your account. Then click on "Event History" on the left hand side of your screen.   
In the Filter, select "Event Source" and search for "kms" in "Enter event source" and select "kms.amazonaws.com". Adjust the time range for December. This will give you a list of events. You can then look at which services might be calling KMS on your behalf.   
  
Another way is to start with the services you mentioned and look at which services have been configured to use either customer managed CMKs or AWS managed CMKs. That will also tell you if those services might be calling KMS.     
  
From your list, Amazon SQS and AWS Lambda might be the ones making KMS calls.

Answer

You Rocks;  
  
    I Realize that lambda's environment variables are been encrypted ; and as each lambda has a set of then, they are been decrypted on each invoke call;  
  
    Environment variables are been used in new deployment at Jan/2020;  
  
    As I do not set any encryption option for then, it appears that my development framework does it for me !  
  
    Thanks so much !

KMS Limits and free-tier

関連するコンテンツ