Key Storage
Each customer master key (CMK) that you create in AWS Key Management Service (KMS), regardless of whether you use it with KMS-generated key material or key material imported by you, costs $1/month until you delete it. For a CMK with key material generated by KMS, if you opt-in to have the CMK automatically rotated each year, each newly rotated version will raise the cost of the CMK by $1/month. KMS retains and manages each previous version of the CMK to ensure you can decrypt older data. You are not charged for the following:
- Creation and storage of AWS managed CMKs, which are automatically created on your behalf when you first attempt to encrypt a resource in a supported AWS service.
- CMKs that are scheduled for deletion. If you cancel the deletion during the waiting period, the CMK will incur charges as though it was never scheduled for deletion.
- Data keys, which are created by GenerateDataKey and GenerateDataKeyWithoutPlaintext API requests. You are charged for these API requests per the usage pricing discussed below whether you make these API requests directly or they are made on your behalf by an integrated AWS service. You are not charged an ongoing monthly fee for the data keys themselves as they are neither stored nor managed by KMS.
Try AWS Key Management Service
AWS Free Tier includes 20,000 free AWS Key Management Service requests each month.
Key Usage
Custom Key Store
You have the option of using a CloudHSM cluster to generate and store your AWS KMS keys. The use of a custom key store does not affect the KMS charges for storing and using a CMK. However, a custom key store does require you to maintain a CloudHSM cluster that contains at least two HSMs. More HSMs can be added for improved availability and performance. The standard CloudHSM charges apply. See the pricing example.
Free Tier
AWS Key Management Service provides a free tier of 20,000 requests/month calculated across all regions that KMS is available.
Pricing examples
Amazon EBS Example
1 CMK used as a master key when creating 250 encrypted EBS volumes per month via the AWS KMS CLI or APIs.
Cost Dimensions:
- 1 CMK
- 3 X 250 API requests to create and provision a unique data encryption key for each of 250 volumes
| $1.00 | 1 CMK |
| $0.00 | 0 requests (750 requests - 20,000 free tier requests) |
| Total: | |
| $1/month |
Amazon S3 Example
1 CMK used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month.
Cost Dimensions:
- 1 CMK
- 10,000 Encrypt requests (1 request x 10,000 objects)
- 2,000,000 Decrypt requests to access the objects
Monthly Cost:
| $1.00 | 1 CMK |
| $5.97 | 1,990,000 requests (2,010,000 total requests - 20,000 free tier requests) x $0.03 / 10,000 requests |
| Total: | |
| $6.97/month |
Amazon S3 Example - Using a Custom Key Store
1 CMK used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month. A CloudHSM cluster containing 2 HSMs is maintained in US East (N. Virginia) for the entire month.
Cost Dimensions:
- 1 CMK
- 10,000 Encrypt requests (1 request x 10,000 objects)
- 2,000,000 Decrypt requests to access the objects
- 2 CloudHSM instances
Monthly Cost:
| $1.00 | 1 CMK |
| $5.97 | 1,990,000 requests (2,010,000 total requests - 20,000 free tier requests) x $0.03 / 10,000 requests |
| $2,380.80 | 31 days for 2 HSMs x $1.60 / HSM / hour |
| Total: | |
| $2,387.77/month |
AWS CloudTrail logging
If you enable AWS CloudTrail on your account, you can obtain logs of API calls made to or by AWS KMS. See the AWS CloudTrail pricing page for more information.
Additional pricing resources
Calculate your total cost of ownership (TCO)
Easily calculate your monthly costs with AWS
Additional resources for switching to AWS
Find links to our developer's guide, helpful videos, and console guides.
Get started building with AWS Key Management Service in the AWS Console.
