Charges for KMS but I'm not using KMS

0

Hi there,

I'm getting email notifications about KMS usage, but I have nothing enabled for KMS. The ONLY thing I have are 2 hosted DNS entries in Route53.

Suggestions?

  • please accept the answer if it was useful for you

bob
asked 24 days ago
134 views
4 Answers
1

First of all, you can check Cost Explorer and find the AWS Region where AWS charges you for KMS.

You can also check what kind of API calls to KMS you are charged for.

Here are the pricing details for AWS KMS: https://aws.amazon.com/kms/pricing/

EXPERT
answered 24 days ago
AWS
EXPERT
reviewed 24 days ago
0

Hi everyone, thanks very much for the detailed suggestions. Yes, I'm at the top of my free tier. The region is US East (N. Virginia). No special keys, just the defaults. No recent user activity except my own user.

It's not a cost issue really, but this is my test region and I use it to understand cost anomalies like this one before going to production.

I wonder if it's just that the bill reflects last month's overage and it's not up to the date it was sent (last week)? Maybe I fixed it last month but the billing doesn't reflect cost over the 2 weeks in this current month? I guess I could wait a month and see.

Thanks for your time. Screenshots below.

bob
answered 24 days ago
  • In AWS Cost Explorer, you could select "Daily" for "Granularity", time range of April 1st through two days ago (the cost data takes a couple of days to show in Cost Explorer) and filter by the "Service" of "Key Management Service". That'll show if you are still getting billable calls to KMS or if you managed to stop them earlier. You don't have to wait a month to see that, only two days for Cost Explorer to update with the latest data.

0

You should get 20,000 KMS requests for free every month, even when your account is more than 12 months old. Are you close to breaching that limit? https://console.aws.amazon.com/billing/home#/freetier

As @OleksiiBebych advises, go into Cost Explorer and find which region(s) this KMS usage is for. Then change to that region and go to the KMS section of the AWS Console and check both AWS Managed Keys and Customer Managed Keys for anything unexpected https://console.aws.amazon.com/kms/home#

The next bit is a long-shot, but it worked for me one time in the past - check your IAM roles and sort on the Last activity column https://console.aws.amazon.com/iam/home#/roles

Is there a role that's recently active but you can't understand why? Investigate what services have got access to this role, and how frequently it's being accessed, and it may turn out that one of these is KMS-related.

EXPERT
Steve_M
answered 24 days ago
0

As you've narrowed down the activity to it all being in us-east-1, switch to that region in AWS Console and go to CloudTrail -> Event History https://us-east-1.console.aws.amazon.com/cloudtrailv2/home?region=us-east-1#/events

For Lookup attributes, pick Event name, and in the search box next to it start typing kms and then pick GetEbsDefaultKmsKeyId.

Do you get any events back?


If you do, go through each Event in turn and look at the Event Record for clues of where it could have come from. Source IP address in the Details panel at the top may also be useful.

EXPERT
Steve_M
answered 23 days ago
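
The attribution step from the last answer (reading each CloudTrail event record for clues about where it came from), sketched in Python as an added example that is not part of the original thread. The records are constructed samples that use CloudTrail's record field names; the account ID, key ARN, role name, service name and IP addresses are placeholders.

```python
from collections import Counter

# Constructed sample data: placeholder account ID, key ARN, role and addresses.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ROLE = {"type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/example-backup-role/session"}
SERVICE = {"type": "AWSService", "invokedBy": "secretsmanager.amazonaws.com"}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}

def _event(source, name, ip, identity, key=None):
    """Build one constructed record using CloudTrail's field names."""
    return {"eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "userIdentity": identity,
            "resources": [{"ARN": key}] if key else []}

SAMPLE_EVENTS = (
    [_event("kms.amazonaws.com", "Decrypt", "secretsmanager.amazonaws.com", SERVICE, KEY)] * 3
    + [_event("kms.amazonaws.com", "GenerateDataKey", "198.51.100.7", ROLE, KEY)] * 2
    + [_event("ec2.amazonaws.com", "GetEbsDefaultKmsKeyId", "203.0.113.10", USER)]
    + [_event("route53.amazonaws.com", "ListHostedZones", "203.0.113.10", USER)]
)

def caller_of(event):
    """Prefer the invoking AWS service, then the principal ARN, then the type."""
    ident = event.get("userIdentity", {})
    return ident.get("invokedBy") or ident.get("arn") or ident.get("type", "unknown")

def is_kms_related(event):
    """Calls to KMS itself, plus other services' calls with 'kms' in the event name."""
    return (event.get("eventSource") == "kms.amazonaws.com"
            or "kms" in event.get("eventName", "").lower())

def summarize(events):
    """Count KMS-related events per (event name, caller, source address, key ARN)."""
    rows = Counter()
    for e in events:
        if is_kms_related(e):
            keys = [r.get("ARN") for r in e.get("resources", [])] or ["-"]
            rows[(e["eventName"], caller_of(e), e.get("sourceIPAddress", "-"), keys[0])] += 1
    return rows

def kms_request_count(events):
    """Events whose eventSource is the KMS service itself."""
    return sum(1 for e in events if e.get("eventSource") == "kms.amazonaws.com")

if __name__ == "__main__":
    for (name, caller, src, key), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n:>4}  {name:<22} {caller}  {src}  {key}")
    print(kms_request_count(SAMPLE_EVENTS), "requests went to kms.amazonaws.com")
```

Rows whose caller is an AWS service name rather than a user or role ARN point at a service using a key on the account's behalf, which is the kind of unexplained activity the answers above suggest looking for.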
