Simple Math of Aws KMS Key Rotation Costs
AWS Key Management Services is a fully managed service that lets you “create, manage, and control cryptographic keys across your applications and AWS services”. It seamlessly integrates with most AWS services and has a very nice and convenient feature to let you automatically rotate a customer managed KMS key. Once this future is enabled on a KMS key, this KMS key will be automatically rotated every 365 days, without needing you to lift a finger. This auto key-rotation feature greatly relieves your key management burden and makes auditors, regulators and compliance specialists happy.
However, it also comes with a cost that can compound and rise quickly. When a KMS key rotates, AWS generates a copy of new key material but still keeps all previous old key materials in KMS so that existing data encrypted by the old key materials can be decrypted. If you have one KMS key, and has key auto-rotation enabled on day one, after 9 years (rotates 9 times), you will have in total 10 key materials associated with it.
This wouldn’t be an issue if AWS did not charge KMS storage. As of today (September 01, 2023), according to AWS pricing page, AWS charges (in US-East Ohio region):
- “Each AWS KMS key that you create in AWS KMS costs $1/month”
- “If you enable automatic key rotation, each newly generated backing key costs an additional $1/month”
So for the above example, in first year you pay $1/month. After 9 years, you will start paying $10/month, that is tenfold the original cost.
Now let’s do some simple math calculation. Assuming that you have 100 KMS keys at day one and they are auto-rotating, and you do not need to create more KMS keys in the future, the total cost to store those keys and their rotated key materials will cost you $66K for key storage, assuming AWS never increases its price. Other usage charges are extra. See the table below :
| Year | # Key Materials | Monthly Cost | Yearly Cost |
|---|---|---|---|
| 1 | 100 | $100 | $1,200 |
| 2 | 200 | $200 | $2,400 |
| 3 | 300 | $300 | $3,600 |
| 4 | 400 | $400 | $4,800 |
| 5 | 500 | $500 | $6,000 |
| 6 | 600 | $600 | $7,200 |
| 7 | 700 | $700 | $8,400 |
| 8 | 800 | $800 | $9,600 |
| 9 | 900 | $900 | $10,800 |
| 10 | 1000 | $1000 | $12,000 |
| 10 Year Total Cost | $66,000.00 |
The following table calculates the cumulative storage cost for up to 50 years of operation on those 100 KMS keys, assuming AWS never increases its price:
| Year | Cumulative Cost |
|---|---|
| 1 | $1,200 |
| 5 | $18,000 |
| 10 | $66,000 |
| 15 | $144,000 |
| 20 | $252,000 |
| 25 | $390,000 |
| 30 | $558,000 |
| 35 | $756,000 |
| 40 | $984,000 |
| 45 | $1,242,000 |
| 50 | $1,530,000 |
From the table above, the cumulative cost of just keeping 100 auto-rotating KMS keys, is 252K if running for 20 years, or 1.5M if running for 50 years. And during that operating period, AWS will not increase the price at all and you will not expand your business to use more KMS keys.
To put the significant compounding effect into context, for the same 100 KMS keys, if used without key auto-rotation for 50 years, it would only cost 60K, vs the 1.5M cost if used with key auto-rotation. The cost increases 25 times just for using the key auto-rotation feature, and will only accelerate when time passes due to the compounding effect. Also, imagine the large enterprises that use thousands of KMS keys, what would be the cost?
The results of the calculation has shocked me. I didn’t realize the true impact until I crunched all the numbers. I hope someone could point out that my calculation was wrong. Compounding interest is the 8th wonder of the world. But compounding KMS cost on the other hand can be very prohibitive to any business.
I think AWS should change its pricing model on KMS storage for its customers.
For chart lovers, the chart below reflects the 50-year numbers:
