AWS Key Management Service pricing

Each AWS KMS key that you create in KMS costs $1/month. The $1/month charge is the same for symmetric keys, asymmetric keys, each multi-Region key (each primary and each replica multi-region key), keys with imported key material, and keys in custom key stores.

If you enable automatic key rotation, each newly generated backing key costs an additional $1/month. This covers the cost to AWS KMS of retaining all versions of the key material so they can be used to decrypt older ciphertexts.

You are not charged for the following:

• Creation and storage of AWS managed or AWS owned KMS keys. These keys are automatically created on your behalf when you first attempt to encrypt a resource in an AWS service that integrates with AWS KMS. You can neither manage the lifecycle or access permissions on AWS managed keys.
• There is no charge for customer managed KMS keys that are scheduled for deletion. If you cancel the deletion during the waiting period, the customer managed KMS key will incur charges as though it was never scheduled for deletion.
  
• There is no monthly charge for data keys or data key pairs that KMS generates beyond the charge for the API call.
  

You have the option of using an AWS CloudHSM cluster to generate and store your KMS keys. The use of a custom key store does not affect the charges for storing and using a KMS key. However, a custom key store does require you to maintain an AWS CloudHSM cluster that contains at least two HSMs. More HSMs can be added for improved availability and performance. The standard AWS CloudHSM charges apply. See the pricing example.

AWS Key Management Service provides a free tier of 20,000 requests/month calculated across all regions that the service is available.

*Requests to the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext APIs and requests to APIs such as Sign, Verify, Encrypt, Decrypt, and GetPublicKey that reference asymmetric KMS keys are excluded from the free tier. 

1 KMS key used as a root key when creating 250 encrypted EBS volumes per month via the AWS KMS CLI or APIs.

Cost Dimensions:

• 1 KMS key
• 3 X 250 API requests to create and provision a unique data encryption key for each of 250 volumes

1 KMS key used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month.

Cost Dimensions:

• 1 KMS key
• 10,000 Encrypt requests (1 request x 10,000 objects)
• 2,000,000 Decrypt requests to access the objects

Monthly Cost:

1 KMS key used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month. A CloudHSM cluster containing 2 HSMs is maintained in US East (N. Virginia) for the entire month.

Cost Dimensions:

• 1 KMS key
• 10,000 Encrypt requests (1 request x 10,000 objects)
• 2,000,000 Decrypt requests to access the objects
• 2 CloudHSM instances

Monthly Cost:

1 ECC 256 KMS key used to sign 100,000 files via the AWS KMS CLI or APIs.

Cost Dimensions:

• 1 KMS key
• 100,000 signing requests
  

Monthly Cost:

If you enable AWS CloudTrail on your account, you can obtain logs of API calls made to or by AWS KMS. See the AWS CloudTrail pricing page for more information.