S3 buckets configured with SSE-KMS but without Bucket Keys generate a separate KMS request for each object operation. This results in disproportionately high KMS request costs for data-intensive workloads such as analytics, backups, or frequently accessed objects. Bucket Keys allow S3 to cache KMS data keys at the bucket level, reducing the volume of KMS calls and cutting encryption costs, often with no impact on security or performance.
Detection
• Identify S3 buckets with SSE-KMS encryption enabled
• Check if Bucket Keys are disabled or not configured
• Analyze object access frequency and KMS request volume
• Estimate potential cost savings by enabling Bucket Keys
• Prioritize buckets with high object counts or frequent read/write operations
Remediation
• Enable S3 Bucket Keys for eligible buckets using SSE-KMS
• Document any security exceptions or requirements that prevent Bucket Key use
• Note: Enabling Bucket Keys applies only to newly encrypted objects; existing objects must be re-encrypted or re-uploaded to benefit
• Track KMS request metrics before and after rollout to validate cost impact
When using SSE-KMS, each encryption or decryption request results in a paid call to AWS KMS. Without S3 Bucket Keys, every object operation triggers a KMS request. Bucket Keys reduce cost by allowing S3 to cache data keys and minimize KMS calls, which is especially beneficial for high-throughput workloads.
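The detection and remediation steps above, as an added example (not code from the original page): the two pure functions evaluate and rewrite the bucket's default-encryption configuration dict, and `audit_account` wires them to the boto3 `get_bucket_encryption`/`put_bucket_encryption` calls. It assumes the caller holds s3:ListAllMyBuckets, s3:GetEncryptionConfiguration and (for `apply=True`) s3:PutEncryptionConfiguration, and only inspects default encryption, not per-request SSE-KMS headers on individual uploads.

```python
import copy

# Both KMS-backed algorithms support Bucket Keys; SSE-S3 ("AES256") never calls KMS.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def needs_bucket_key(config):
    """True if any default-encryption rule uses SSE-KMS without BucketKeyEnabled.

    config is the dict from get_bucket_encryption()["ServerSideEncryptionConfiguration"],
    or None when the bucket has no default encryption (no KMS call is implied then).
    """
    if not config:
        return False
    for rule in config.get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") in KMS_ALGORITHMS and not rule.get("BucketKeyEnabled"):
            return True
    return False


def with_bucket_key(config):
    """Copy of config with BucketKeyEnabled=True on every SSE-KMS rule; KMSMasterKeyID
    is kept, so the key itself does not change. With Bucket Keys the KMS encryption
    context becomes the bucket ARN, so key policies that match aws:s3:arn against
    object ARNs need review before rollout.
    """
    updated = copy.deepcopy(config)
    for rule in updated.get("Rules", []):
        if rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in KMS_ALGORITHMS:
            rule["BucketKeyEnabled"] = True
    return updated


def audit_account(apply=False):
    """Return names of buckets needing Bucket Keys; apply=True enables them in place."""
    import boto3  # imported here so the pure functions above run without AWS access
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            cfg = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
                continue  # no default encryption configured: nothing to fix here
            raise
        if needs_bucket_key(cfg):
            findings.append(name)
            if apply:
                s3.put_bucket_encryption(Bucket=name, ServerSideEncryptionConfiguration=with_bucket_key(cfg))
    return findings
```

Run `audit_account()` first to review the findings list, then `audit_account(apply=True)` once key-policy exceptions are documented; existing objects keep their per-object KMS calls until re-encrypted, so compare KMS request metrics over a full traffic cycle.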