Key Storage

Each customer master key (CMK) that you create in AWS Key Management Service (KMS) costs $1/month until you delete it, regardless of where the underlying key material was generated by the service, a custom key store, or you imported it. For a CMK with key material generated by the service, if you opt-in to have it automatically rotate the key each year, each new key version raises the cost of the CMK by $1/month. AWS KMS retains and manages each previous version of the CMK to ensure you can decrypt data encrypted under previous versions. Data key pairs, which are created by GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext API requests are charged for these API requests per the usage pricing discussed below. You are not charged an ongoing monthly fee for the data key pairs themselves as they are neither stored nor managed by the service. In the month a key is created, the $1 monthly charge for key storage will be a prorated fee to the nearest full hour.

You are not charged for the following:

  • Creation and storage of AWS managed CMKs. These keys are automatically created on your behalf when you first attempt to encrypt a resource in an AWS service that integrates with AWS KMS. You can neither manage the lifecycle or access permissions on AWS managed keys.
  • Customer managed CMKs you created that are scheduled for deletion. If you cancel the deletion during the waiting period, the CMK will incur charges as though it was never scheduled for deletion.

Try AWS Key Management Service

AWS Free Tier includes 20,000 free AWS Key Management Service requests each month.

View AWS Free Tier Details »

Key Usage

Custom Key Store

You have the option of using an AWS CloudHSM cluster to generate and store your CMKs. The use of a custom key store does not affect the charges for storing and using a CMK. However, a custom key store does require you to maintain an AWS CloudHSM cluster that contains at least two HSMs. More HSMs can be added for improved availability and performance. The standard AWS CloudHSM charges apply. See the pricing example.

Free Tier

AWS Key Management Service provides a free tier of 20,000 requests/month calculated across all regions that the service is available.

*Requests to the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext APIs and requests to APIs such as Sign, Verify, Encrypt, Decrypt, and GetPublicKey that reference asymmetric CMKs are excluded from the free tier. 

Pricing examples

Amazon EBS Example

1 CMK used as a master key when creating 250 encrypted EBS volumes per month via the AWS KMS CLI or APIs.

Cost Dimensions:

  • 1 CMK
  • 3 X 250 API requests to create and provision a unique data encryption key for each of 250 volumes
 
Monthly cost:
$1.00 1 CMK
$0.00 0 requests (750 requests - 20,000 free tier requests)
Total:  
$1/month  

Amazon S3 Example

1 CMK used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month.

Cost Dimensions:

  • 1 CMK
  • 10,000 Encrypt requests (1 request x 10,000 objects)
  • 2,000,000 Decrypt requests to access the objects

Monthly Cost:

$1.00 1 CMK
$5.97 1,990,000 requests (2,010,000 total requests - 20,000 free tier requests) x $0.03 / 10,000 requests
Total:  
$6.97/month  

Amazon S3 Example - Using a Custom Key Store

1 CMK used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month. A CloudHSM cluster containing 2 HSMs is maintained in US East (N. Virginia) for the entire month.

Cost Dimensions:

  • 1 CMK
  • 10,000 Encrypt requests (1 request x 10,000 objects)
  • 2,000,000 Decrypt requests to access the objects
  • 2 CloudHSM instances

Monthly Cost:

$1.00 1 CMK
$5.97 1,990,000 requests (2,010,000 total requests - 20,000 free tier requests) x $0.03 / 10,000 requests
$2,380.80 31 days for 2 HSMs x $1.60 / HSM / hour
Total:  
$2,387.77/month  

File signing application example

1 ECC 256 CMK used to sign 100,000 files via the AWS KMS CLI or APIs.

Cost Dimensions:

  • 1 CMK
  • 100,000 signing requests

Monthly Cost:

$1.00 1 CMK
$1.50 100,000 requests at $0.15 per 10,000 requests
Total:  
$2.50/month  

AWS CloudTrail logging

If you enable AWS CloudTrail on your account, you can obtain logs of API calls made to or by AWS KMS. See the AWS CloudTrail pricing page for more information.

Additional pricing resources

TCO Calculator

Calculate your total cost of ownership (TCO)

AWS Pricing Calculator

Easily calculate your monthly costs with AWS

Economics Resource Center

Additional resources for switching to AWS

Product-Page_Standard-Icons_01_Product-Features_SqInk
Learn how to get started

Find links to our developer's guide, helpful videos, and console guides.

Learn more 
Product-Page_Standard-Icons_02_Sign-Up_SqInk
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Product-Page_Standard-Icons_03_Start-Building_SqInk
Start building in the console

Get started building with AWS Key Management Service in the AWS Console.

Sign in