To enable cross-account S3 data sharing, we decided to use customer-managed KMS keys. Before that, we used the AWS default KMS key (SSE-S3) and things worked great. We expected the switch to customer-managed keys (SSE-KMS) to be seamless, as in both cases the process is transparent to the client: the keys are managed somehow on the AWS S3 API backend side. We use S3 Bucket Keys to allow more effective caching and lower KMS costs.
After re-encrypting all our data, we noticed hundreds of dollars in KMS costs per day. Why is this happening?
It was quite hard to understand why this happens; the answer does not lie on the surface.
We had to ask AWS Support and, after some time, received confirmation that this is normal behavior for SSE-KMS and there is nothing we can do about it. We decided to switch back to SSE-S3.
The following is the AWS Support response:
The internal team has advised that the default encryption setting when creating an S3 bucket is SSE-S3, which uses an AWS-owned key. This key type is different from AWS-managed keys in the following ways:
- They are completely free to use: not billed for ownership or requests.
- They do not exist in your account.
- You cannot audit their activity in CloudTrail.
More info on AWS-owned keys is given here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
Therefore, the internal team advised that if you transitioned from SSE-S3 to SSE-KMS, this would explain the increase in KMS requests while maintaining your rate of S3 requests. They also mentioned that transitioning from the AWS-managed key aws/s3 to a customer-managed key should not cause your total Decrypt requests to increase, as requests from AWS-managed keys can be audited. However, you may see more requests for a single CMK if you use that key for multiple buckets.
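A defender-side check for this situation, added here as an example and not part of the original post or of any AWS tooling: parse CloudTrail KMS records and count the Decrypt/GenerateDataKey calls S3 makes per key, splitting them by whether the encryption context is a bucket ARN (S3 Bucket Key in use, one data key per bucket) or an object ARN (one KMS request per object, the pattern behind a cost increase like the one described). The records, bucket names and key IDs are constructed, and the code assumes CloudTrail's standard record layout (eventSource, eventName, requestParameters.encryptionContext, resources[].ARN).

```python
import json
from collections import Counter

# Constructed CloudTrail records (sample data, not real events). S3 calls KMS with an
# encryption context of "aws:s3:arn": a bucket ARN when an S3 Bucket Key is in use,
# an object ARN when every object is wrapped with its own KMS-generated data key.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::shared-data/part-0001.parquet"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/KEY-A-PLACEHOLDER"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::shared-data/part-0002.parquet"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/KEY-A-PLACEHOLDER"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::logs-bucket"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/KEY-B-PLACEHOLDER"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",  # KMS call not made by S3
     "requestParameters": {"encryptionContext": {"app": "billing"}},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/KEY-A-PLACEHOLDER"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # S3 event, not a KMS call
]})

KMS_DATA_OPS = {"Decrypt", "Encrypt", "GenerateDataKey", "ReEncrypt"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def summarize_s3_kms_usage(trail_json):
    """Count S3-originated KMS data-path calls per key, split into 'bucket'
    (context is a bucket ARN, so a Bucket Key is in use) and 'object'
    (context is an object ARN, so each object access is its own KMS request)."""
    usage = {}
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in KMS_DATA_OPS:
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        s3_arn = ctx.get("aws:s3:arn")
        if not s3_arn or not s3_arn.startswith(S3_ARN_PREFIX):
            continue  # KMS call made by something other than S3
        key_arn = rec["resources"][0]["ARN"] if rec.get("resources") else "unknown-key"
        # "arn:aws:s3:::bucket" has no '/', "arn:aws:s3:::bucket/key" does
        level = "object" if "/" in s3_arn[len(S3_ARN_PREFIX):] else "bucket"
        usage.setdefault(key_arn, Counter())[level] += 1
    return usage


def keys_billed_per_object(usage):
    """Keys still receiving object-level calls: candidates for enabling S3 Bucket Keys
    (or, as the post concludes, for reverting the bucket to SSE-S3)."""
    return sorted(k for k, c in usage.items() if c["object"] > 0)
```

Point it at real records by replacing SAMPLE_TRAIL with the contents of a CloudTrail log file for the KMS region; a key that shows only bucket-level calls yet still carries high request volume points at many distinct buckets sharing that one CMK, which is the other cause the support response names.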