KMS Signing performance with Asymmetric ECC_NIST_P256 key is slow

0

Hello All, I'm building a lambda service where I use the python boto3 client to sign data using a customer managed key in Amazon KMS. The key as my title suggests is an Asymmetric ECC_NIST_P256 key. The signing operation works just fine, but it seems to take 160ms repeatedly. This seems awfully slow to me, but I am somewhat new to this kind of signing, so I don't know how long it should take. I do know I'm going to hammer this and it's for a time sensitive operation. 160ms is over my time budget (shooting for 50ms). I can verify that the key and the lambda service are in the same availability zone. Any help in troubleshooting this, speeding it up, or aligning my expectations to what it's supposed to do would be much appreciated.

Thanks

  • How are you measuring the latency? It's possible that you overlooked something during measurement, or the delay is coming from another part of the API call. I suggest using AWS X-Ray to trace the Lambda function call. https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html

  • I have print statements tightly around the signing operation and looking at timestamps. I also removed the signing operation and watched the overall script speed increase drastically. I'm pretty sure I'm measuring it right.

    I did switch to envelope encryption to bring my keys closer to the script and used libraries to perform my signing. This has brought my latency from about 250ms total to 25ms total. Wish I could use Amazon KMS tho, not sure why it's so slow.
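The approach described in the comment above (keep the signing key envelope-encrypted under KMS, unwrap it once, sign locally), sketched as an added example that is not the poster's code. It assumes the `cryptography` package and an AES-256-GCM data key from KMS `GenerateDataKey`; `FakeKMS`, the function names and the blob fields are hypothetical, and `FakeKMS` is a constructed stand-in so the block runs offline.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

_signer = None  # survives across warm invocations of the same Lambda container


def wrap_signing_key(kms, kms_key_id):
    """Provisioning step, run once: create a P-256 key and envelope-encrypt it."""
    dk = kms.generate_data_key(KeyId=kms_key_id, KeySpec="AES_256")
    key = ec.generate_private_key(ec.SECP256R1())
    der = key.private_bytes(serialization.Encoding.DER,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    nonce = os.urandom(12)
    blob = {"wrapped_data_key": dk["CiphertextBlob"], "nonce": nonce,
            "ciphertext": AESGCM(dk["Plaintext"]).encrypt(nonce, der, None)}
    return blob, key.public_key()


def get_signer(kms, blob):
    """One KMS Decrypt per cold start; later calls reuse the in-memory key."""
    global _signer
    if _signer is None:
        data_key = kms.decrypt(CiphertextBlob=blob["wrapped_data_key"])["Plaintext"]
        der = AESGCM(data_key).decrypt(blob["nonce"], blob["ciphertext"], None)
        _signer = serialization.load_der_private_key(der, password=None)
    return _signer


def sign(kms, blob, message):
    # Local ECDSA P-256 / SHA-256, so no network round trip per signature.
    # Trade-off: the private key now sits in function memory, whereas a KMS
    # asymmetric key never leaves KMS and every Sign call is a logged API call.
    return get_signer(kms, blob).sign(message, ec.ECDSA(hashes.SHA256()))


class FakeKMS:
    """Constructed offline stand-in for boto3.client("kms"); counts Decrypt calls."""
    def __init__(self):
        self.master, self.decrypt_calls = AESGCM(os.urandom(32)), 0

    def generate_data_key(self, KeyId, KeySpec):
        pt, n = os.urandom(32), os.urandom(12)
        return {"Plaintext": pt, "CiphertextBlob": n + self.master.encrypt(n, pt, None)}

    def decrypt(self, CiphertextBlob):
        self.decrypt_calls += 1
        pt = self.master.decrypt(CiphertextBlob[:12], CiphertextBlob[12:], None)
        return {"Plaintext": pt}
```

With a real client, `kms` would be `boto3.client("kms")` and the blob would be loaded from wherever the wrapped key is stored; the function's role then needs `kms:Decrypt` on the wrapping key only.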

1 Answer
0

Hello numeracle_brett,

To troubleshoot further and dive deeper in regards to seeing 160 ms latency, we require details that are non-public information to troubleshoot. Could you please open a support case with AWS using the following link

In the support case could you please provide the following information below?

  • KMS key ID
  • Lambda ARN
  • Is this behavior occurring in specific region or in all regions?
  • Lambda code
  • Lambda CloudWatch logs
AWS
SUPPORT ENGINEER
answered 8 months ago
