Key storage

Each AWS KMS key that you create in AWS KMS costs $1/month (prorated hourly). The $1/month charge is the same for symmetric keys, asymmetric keys, HMAC keys, multi-Region keys (each primary and each replica multi-Region key), keys with imported key material, and KMS keys with a key origin of either AWS CloudHSM or an external key store (XKS).

If you enable automatic key rotation, each newly generated backing key costs an additional $1/month (prorated hourly). This covers the cost to AWS KMS for retaining all versions of the key material so they can be used to decrypt older ciphertexts.

You are not charged for the following:

  • Creation and storage of AWS managed or AWS owned KMS keys. These keys are automatically created on your behalf when you first attempt to encrypt a resource in an AWS service that integrates with AWS KMS. You can neither manage the lifecycle nor access permissions on AWS managed keys.
  • There is no charge for customer managed KMS keys that you manage and are scheduled for deletion. If you cancel the deletion during the waiting period, the customer managed KMS key will incur charges as though it was never scheduled for deletion.
  • There is no monthly charge for data keys or data key pairs that AWS KMS generates beyond the charge for the API call.

Try AWS KMS

AWS Free Tier includes 20,000 free AWS KMS requests each month.

View AWS Free Tier Details »

Key usage

Note 1: While you are not charged for creation and storage of AWS-managed keys, you will be charged on any API request made to AWS-managed keys.
Note 2: When you use a KMS key in a different AWS account, the AWS account that makes the API request is charged for the key use.

Using CloudHSM or external key store (XKS)

You have the option of using an AWS CloudHSM cluster or an external key manager to generate and store your KMS keys. These keys will also cost $1/month (prorated hourly). If using AWS CloudHSM, standard AWS CloudHSM charges apply. See this pricing example.

Free tier

AWS KMS provides a free tier of 20,000 requests/month calculated across all Regions that the service is available.

*Requests to the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext API operations and requests to API operations such as Sign, Verify, Encrypt, Decrypt, and GetPublicKey that reference asymmetric KMS keys are excluded from the free tier. 

Pricing examples

Amazon EBS example

1 KMS key used as a root key when creating 250 encrypted EBS volumes per month through the AWS KMS CLI or API operations.

Cost Dimensions:

  • 1 KMS key
  • 3 X 250 API requests to create and provision a unique data encryption key for each of 250 volumes
 
Monthly cost:
$1.00 1 KMS key
$0.00 0 requests (750 requests - 20,000 free tier requests)
Total:  
$1/month  

Amazon S3 example

1 KMS key used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month.

Cost Dimensions:

  • 1 KMS key
  • 10,000 encrypt requests (1 request x 10,000 objects)
  • 2,000,000 decrypt requests to access the objects

Monthly Cost:

$1.00 1 KMS key
$5.97 1,990,000 requests (2,010,000 total requests - 20,000 free tier requests) x $0.03 / 10,000 requests
Total:  
$6.97/month  

Amazon S3 example: Using a custom key store with CloudHSM

1 KMS key used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month. A CloudHSM cluster containing 2 HSMs is maintained in US East (N. Virginia) for the entire month.

Cost Dimensions:

  • 1 KMS key
  • 10,000 encrypt requests (1 request x 10,000 objects)
  • 2,000,000 decrypt requests to access the objects
  • 2 CloudHSM instances

Monthly Cost:

$1.00 1 KMS key
$5.97 1,990,000 requests (2,010,000 total requests - 20,000 free tier requests) x $0.03 / 10,000 requests
$2,380.80 31 days for 2 HSMs x $1.60 / HSM / hour
Total:  
$2,387.77/month  

File signing application example

1 ECC 256 KMS key used to sign 100,000 files through the AWS KMS CLI or APIs operations.

Cost Dimensions:

  • 1 KMS key
  • 100,000 signing requests

Monthly Cost:

$1.00 1 KMS key
$1.50 100,000 requests at $0.15 per 10,000 requests
Total:  
$2.50/month  

AWS CloudTrail logging

If you enable AWS CloudTrail on your account, you can obtain logs of API calls made to or by AWS KMS. See the AWS CloudTrail pricing page for more information.

Additional pricing resources

AWS Pricing Calculator

Easily calculate your monthly costs with AWS.

Get pricing assistance

Contact AWS specialists to get a personalized quote.

Learn how to get started

Find links to our developer's guide, helpful videos, and console guides.

Learn more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building with AWS Key Management Service in the AWS Console.

Sign in