As a user, I am required to change my KMS key once in a while, and I am charged twice: once for the new key and once for the old key until it is deleted.
Many keys are not deleted even when they are no longer used, because no one knows about them.
As long as the old key is not deleted the charges continue.
Disabled keys are still charged.
The invoice CUE file does not include any details on KMS, which makes it more difficult.
Finally, the KMS record does not include usage details, so you cannot tell when the key was last used.
Although the cost of a KMS key is about $1 a month, as with any cloud cost the totals can get quite large as your business grows.
We offer two kinds of recommendations for KMS:
1. Listing all disabled keys and suggesting their deletion.
2. Listing all keys that were created over a year ago (subject to preferences).
To enable KMS recommendations, make sure to add the following permissions to each of the linked accounts:
"kms:ListKeys", "kms:DescribeKey", "kms:ListResourceTags"
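The following is an added example, not the product's own code: a sketch of how the two recommendation lists can be derived from the output of those three calls. The function names, the `max_age_days` parameter, the sample key IDs and the choice to skip AWS managed keys are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

def fetch_key_metadata(kms):
    """Gather key metadata and tags from a boto3 KMS client.

    Calls only ListKeys, DescribeKey and ListResourceTags.
    """
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            md = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            md["Tags"] = {}
            if md.get("KeyManager") == "CUSTOMER":  # tags read for customer managed keys only
                pager = kms.get_paginator("list_resource_tags")
                for tag_page in pager.paginate(KeyId=entry["KeyId"]):
                    md["Tags"].update({t["TagKey"]: t["TagValue"] for t in tag_page["Tags"]})
            keys.append(md)
    return keys

def classify_keys(keys, now=None, max_age_days=365):
    """Return the KeyIds that fall into each of the two recommendation lists."""
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(days=max_age_days)
    report = {"disabled": [], "older_than_cutoff": []}
    for md in keys:
        # Assumption of this example: AWS managed keys are skipped, since the
        # account cannot disable or delete them.
        if md.get("KeyManager") != "CUSTOMER":
            continue
        if md["KeyState"] == "Disabled":
            report["disabled"].append(md["KeyId"])
        elif md["KeyState"] == "Enabled" and md["CreationDate"] < cutoff:
            report["older_than_cutoff"].append(md["KeyId"])
        # Any other state (for example PendingDeletion) is left out of both lists.
    return report

# Constructed sample in the shape of DescribeKey's KeyMetadata (not real keys).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _key(key_id, state, age_days, manager="CUSTOMER"):
    return {"KeyId": key_id, "KeyState": state, "KeyManager": manager,
            "CreationDate": NOW - timedelta(days=age_days)}
SAMPLE = [
    _key("sample-disabled", "Disabled", 30),
    _key("sample-old", "Enabled", 500),
    _key("sample-new", "Enabled", 20),
    _key("sample-aws-managed", "Enabled", 900, manager="AWS"),
    _key("sample-pending", "PendingDeletion", 700),
]

if __name__ == "__main__":
    print(classify_keys(SAMPLE, now=NOW))
```

To run it against an account, pass `boto3.client("kms")` to `fetch_key_metadata` and feed the result to `classify_keys`. Use the collected tags to find an owner before acting on either list, because a deleted key cannot be restored and anything still encrypted under it becomes unreadable.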