Very high KMS usage in a region in which nothing is running

Billing dashboard shows:

Enter image description here

Account has no customer-managed keys in this region, only one AWS-managed key for aws/ebs (Elastic Block Store, not Beanstalk). There are no EBS volumes in this region, nor snapshots, nor running EC2/Lightsail/RDS/anything else instances that could be using EBS.

At the exact date & time the AWS-managed key was created, CloudTrail shows events happening in AWS Application Migration Service. And yes, I was poking around that service that day, to get a feel for what it's like to use and how it all fits together, and yes I did all this in the region in question so that I could keep it all separate from things running elsewhere in other regions. But never did a migration, never even got close setting things up to do a migration.

Setup CloudTrail logging and there are regularly entries like:

{"sessionIssuer":{"type":"Role","principalId":"[principal_id]","arn":"arn:aws:iam::[acct_num]:role/aws-service-role/mgn.amazonaws.com/AWSServiceRoleForApplicationMigrationService","accountId":"[acct_num]","userName":"AWSServiceRoleForApplicationMigrationService"},"webIdFederationData":{},"attributes":{"creationDate":"2023-08-20T23:51:07Z","mfaAuthenticated":"false"}},"invokedBy":"mgn.amazonaws.com"},"eventTime":"2023-08-20T23:51:08Z","eventSource":"ec2.amazonaws.com","eventName":"GetEbsDefaultKmsKeyId"

So it's definitely Migration Service calling KMS to get the key for an EBS volume. About 4500 times per month (pro rata) it would appear. I know I get 20000 KMS requests per month for free so this isn't costing me anything, but I'd still like it to stop.

The service role in that extract (and six others) were created in IAM at the same time as the KMS key was, which was the same time as initialising Application Migration Service. So it all fits together from that point of view.

Question (after all that): is there a way of stopping this Migration Service which is doing nothing of value? it was setup in AWS Console but there is no option to stop it, though there is an API command, which I may end up having to use, but I thought would post here first and get some better suggestions. The KMS key can't be deleted, and while the IAM roles could be modified or deleted that doesn't really solve the underlying problem.

Also interesting to note that Application Migration Service isn't a line item in the Billing Dashboard.

Topics

Security, Identity, & Compliance Migration & Modernization

Relevant content

AWS Free Tier section in Billing Dashboard is empty.
Accepted Answer
AhmedSabry74
asked a year ago
KMS key High Usage
Accepted Answer
Jo-Harrison
asked 2 years ago
OpenSearch Billing - Billed when nothing is running
Accepted Answer
rePost-User-6052361
asked a year ago
High bill and bandwith usage
Kemal
asked 7 months ago
Why is my Storage Gateway bill high or increasing?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot high CPU usage in Amazon Redshift?
AWS OFFICIALUpdated 2 years ago
Which log group is causing a sudden increase in my CloudWatch Logs bill?
AWS OFFICIALUpdated 10 months ago
How do I list KMS key grants and principals by Region in AWS KMS?
AWS OFFICIALUpdated 6 months ago
How to customize audit logs in OpenSearch to see which queries were run by users?
EXPERT
Cathy W
published 2 months ago
How to easily replicate individual asset dashboards in AWS IoT SiteWise Monitor
EXPERT
Tim Wilson
published a year ago