First of all, you can check Cost Explorer and find the AWS Region where AWS charges you for KMS.
You can also check what kind of API calls to KMS you are charged for.
Here are the pricing details for AWS KMS: https://aws.amazon.com/kms/pricing/
Hi everyone, thanks very much for the detailed suggestions. Yes, I'm at the top of my free tier. The region is US East (N. Virginia). No special keys, just the defaults. No recent user activity except my own user.
It's not a cost issue really, but this is my test region and I use it to understand cost anomalies like this one before going to production.
I wonder if it's just the bill reflects last month's overage and it's not up to the date it was sent (last week)? Maybe I fixed it last month but the billing doesn't reflect cost over the 2 weeks in this current month? I guess I could wait a month and see.
Thanks for your time.
In AWS Cost Explorer, you could select "Daily" for "Granularity", time range of April 1st through two days ago (the cost data takes a couple of days to show in Cost Explorer) and filter by the "Service" of "Key Management Service". That'll show if you are still getting billable calls to KMS or if you managed to stop them earlier. You don't have to wait a month to see that, only two days for Cost Explorer to update with the latest data.
You should get 20,000 KMS requests for free every month, even when your account is more than 12 months old. Are you close to breaching that limit? https://console.aws.amazon.com/billing/home#/freetier
As @OleksiiBebych advises, go into Cost Explorer and find which region(s) this KMS usage is for. Then change to that region and go to the KMS section of the AWS Console and check both AWS Managed Keys and Customer Managed Keys for anything unexpected https://console.aws.amazon.com/kms/home#
The next bit is a long-shot, but it worked for me one time in the past - check your IAM roles and sort on the Last activity column https://console.aws.amazon.com/iam/home#/roles
Is there a role that's recently active but you can't understand why? Investigate what services have got access to this role, and how frequently it's being accessed, and it may turn out that one of these is KMS-related.
As you've narrowed down the activity to it all being in us-east-1, switch to that region in AWS Console and go to CloudTrail -> Event History https://us-east-1.console.aws.amazon.com/cloudtrailv2/home?region=us-east-1#/events
For Lookup attributes pick Event name and in the search box next to it start typing kms and then pick GetEbsDefaultKmsKeyId
Do you get any events back?
If you do, go through each Event in turn and look at the Event Record for clues of where it could have come from. Source IP address in the Details panel at the top may also be useful.
Please accept the answer if it was useful for you.
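The CloudTrail Event History review suggested in the answers above can also be done offline over saved `aws cloudtrail lookup-events` JSON output. The following is an added example, not part of the original posts: it tallies KMS-related events by event name, caller and source IP. The sample events, account ID, role and user names are constructed, and the "name contains kms" match is an assumption that mirrors the console search described above.

```python
import json
from collections import Counter

ACCT = "111122223333"  # placeholder account ID (constructed)
ROWS = [  # constructed: (eventName, eventSource, sourceIPAddress, userIdentity)
    ("Decrypt", "kms.amazonaws.com", "198.51.100.7",
     {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/example-app-role/s1"}),
] * 3 + [
    ("GenerateDataKey", "kms.amazonaws.com", "autoscaling.amazonaws.com",
     {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}),
    ("GetEbsDefaultKmsKeyId", "ec2.amazonaws.com", "203.0.113.10",
     {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/example-user"}),
    ("DescribeInstances", "ec2.amazonaws.com", "203.0.113.10",
     {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/example-user"}),
]
# Same shape as lookup-events output: the full record is a JSON string per event.
SAMPLE = {"Events": [
    {"EventName": n, "CloudTrailEvent": json.dumps(
        {"eventName": n, "eventSource": s, "sourceIPAddress": ip, "userIdentity": who})}
    for n, s, ip, who in ROWS
] + [{"EventName": "Encrypt", "CloudTrailEvent": "{truncated"}]}  # malformed record


def summarize_kms_callers(lookup_output):
    """Count KMS-related events per (event name, caller, source IP), busiest first."""
    counts = Counter()
    for entry in lookup_output.get("Events", []):
        try:
            record = json.loads(entry.get("CloudTrailEvent") or "")
        except (json.JSONDecodeError, TypeError):
            continue  # skip truncated or malformed records instead of failing
        name = record.get("eventName", "")
        # Keep direct KMS API calls plus other services' KMS-named calls.
        if record.get("eventSource") != "kms.amazonaws.com" and "kms" not in name.lower():
            continue
        who = record.get("userIdentity") or {}
        # Service-originated calls have no ARN; fall back to invokedBy, then type.
        caller = who.get("arn") or who.get("invokedBy") or who.get("type", "unknown")
        counts[(name, caller, record.get("sourceIPAddress", "unknown"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (name, caller, ip), n in summarize_kms_callers(SAMPLE):
        print(f"{n:4d}  {name:24s} {ip:28s} {caller}")
```

A caller or source IP at the top of this list that you do not recognise is the one to trace back through its IAM role or the service named in `invokedBy`.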