1
00:00:00,180 --> 00:00:02,520
‫So, KMS is an inner service

2
00:00:02,520 --> 00:00:04,740
‫and therefore there are some request quotas.

3
00:00:04,740 --> 00:00:06,145
‫But KMS is extremely important.

4
00:00:06,145 --> 00:00:09,640
‫So in case you will exceed a request quota of KMS

5
00:00:09,640 --> 00:00:11,620
‫for encryption or decryption, for example,

6
00:00:11,620 --> 00:00:13,429
‫you will get a ThrottlingException.

7
00:00:13,429 --> 00:00:14,750
‫That will look something like this.

8
00:00:14,750 --> 00:00:17,120
‫It will say, "Status Code: 400; Error Code:

9
00:00:17,120 --> 00:00:19,710
‫ThrottlingException;" you are exceeding the right

10
00:00:19,710 --> 00:00:21,009
‫at which you can call KMS.

11
00:00:21,009 --> 00:00:23,164
‫So to respond to such and exception,

12
00:00:23,164 --> 00:00:24,380
‫we already know this,

13
00:00:24,380 --> 00:00:25,963
‫we can use exponential backoff,

14
00:00:25,963 --> 00:00:28,590
‫which means you can backoff and retry with an

15
00:00:28,590 --> 00:00:30,930
‫exponential time in between each calls.

16
00:00:30,930 --> 00:00:33,920
‫But KMS has something very specific to it.

17
00:00:33,920 --> 00:00:35,640
‫Each cryptographic operation,

18
00:00:35,640 --> 00:00:38,101
‫so all of them decrypt and crypt and so on,

19
00:00:38,101 --> 00:00:40,389
‫they all share a quota.

20
00:00:40,389 --> 00:00:43,760
‫That means that any service that makes request

21
00:00:43,760 --> 00:00:44,857
‫on our behalf, for example,

22
00:00:44,857 --> 00:00:48,103
‫AWS S3 that uses SSE-KMS data encryption.

23
00:00:48,103 --> 00:00:52,057
‫Every time AWS will use that key for us,

24
00:00:52,057 --> 00:00:54,315
‫then it will be part of that quota.

25
00:00:54,315 --> 00:00:57,220
‫So we share a quota across our account for each

26
00:00:57,220 --> 00:01:00,960
‫region across all cryptographic operations.

27
00:01:00,960 --> 00:01:03,434
‫So that means that if we use our key too much,

28
00:01:03,434 --> 00:01:05,698
‫then we will get a ThrottlingException.

29
00:01:05,698 --> 00:01:07,428
‫So what can we do to solve it?

30
00:01:07,428 --> 00:01:10,380
‫Well, number one, if we're using the GenerateDataKey

31
00:01:10,380 --> 00:01:12,861
‫API then we can use DEK cachings.

32
00:01:12,861 --> 00:01:16,280
‫So cache the data encryption key locally

33
00:01:16,280 --> 00:01:18,680
‫so that we reduce the number of API calls done

34
00:01:18,680 --> 00:01:21,450
‫onto AWS and that is a feature

35
00:01:21,450 --> 00:01:23,850
‫of the encryption ID kit itself.

36
00:01:23,850 --> 00:01:26,850
‫The other thing we can do is to generate a request quota

37
00:01:26,850 --> 00:01:29,950
‫increase in case we are indeed going over that limit

38
00:01:29,950 --> 00:01:31,250
‫way too many times.

39
00:01:31,250 --> 00:01:34,660
‫And so, for this, we can request a quota increase through

40
00:01:34,660 --> 00:01:38,400
‫either an API call or by opening a ticket

41
00:01:38,400 --> 00:01:40,475
‫with the AWS support.

42
00:01:40,475 --> 00:01:42,100
‫So what you want to remember here,

43
00:01:42,100 --> 00:01:43,820
‫is that there's two ways to go with that quota.

44
00:01:43,820 --> 00:01:46,650
‫So as I said, all these operations will share

45
00:01:46,650 --> 00:01:49,497
‫the same quota so should you decrypt, encrypt,

46
00:01:49,497 --> 00:01:52,950
‫GenerateDataKey, GenerateRandom, etc., etc.

47
00:01:52,950 --> 00:01:55,311
‫All these things are called cryptographic operations

48
00:01:55,311 --> 00:01:57,730
‫and they share the same quota.

49
00:01:57,730 --> 00:01:59,190
‫So depends on the region you're in to know

50
00:01:59,190 --> 00:02:01,050
‫what the quota value is.

51
00:02:01,050 --> 00:02:02,957
‫But so for the symmetric CMK quota

52
00:02:02,957 --> 00:02:07,150
‫you have 5,500 shared but in some regions you have

53
00:02:07,150 --> 00:02:09,913
‫up to 10,000, so shared across all this API called.

54
00:02:09,913 --> 00:02:13,006
‫And in other regions you have 30,000 per second,

55
00:02:13,006 --> 00:02:16,320
‫again, across all these API calls.

56
00:02:16,320 --> 00:02:18,290
‫So if you somehow reach that limit,

57
00:02:18,290 --> 00:02:20,415
‫then you need to make a service limit increase

58
00:02:20,415 --> 00:02:22,782
‫to increase that shared quota

59
00:02:22,782 --> 00:02:24,890
‫for all the cryptographic operations.

60
00:02:24,890 --> 00:02:25,730
‫So that's it.

61
00:02:25,730 --> 00:02:28,530
‫So the three ways to deal with a KMS Throttling

62
00:02:28,530 --> 00:02:30,380
‫is number one, exponential backoff

63
00:02:30,380 --> 00:02:32,410
‫that is, if it's transient.

64
00:02:32,410 --> 00:02:35,386
‫Number two, to reduce the API calls into KMS is to use

65
00:02:35,386 --> 00:02:38,870
‫the envelope encryption SDK on top of

66
00:02:38,870 --> 00:02:42,290
‫the data encryption key caching feature.

67
00:02:42,290 --> 00:02:43,670
‫And finally, number three,

68
00:02:43,670 --> 00:02:46,762
‫is to simply request a limit increase from AWS.

69
00:02:46,762 --> 00:02:47,830
‫So that's it.

70
00:02:47,830 --> 00:02:49,580
‫I will see you in the next lecture.