Each customer master key (CMK) that you create in Amazon Key Management Service (KMS) costs ¥6.88/month until you delete it, regardless of whether the underlying key material was generated by the service, generated in a custom key store, or imported by you. For a CMK with key material generated by the service, if you opt in to have it automatically rotate the key each year, each new key version raises the cost of the CMK by ¥6.88/month. Amazon KMS retains and manages each previous version of the CMK to ensure you can decrypt data encrypted under previous versions. Data key pairs are created by GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext API requests, and you are charged for these API requests per the usage pricing discussed below. You are not charged an ongoing monthly fee for the data key pairs themselves, as they are neither stored nor managed by the service. In the month a key is created, the ¥6.88 monthly charge for key storage is prorated to the nearest full hour.
You are not charged for the following:
- Creation and storage of Amazon Web Services managed CMKs. These keys are automatically created on your behalf when you first attempt to encrypt a resource in an Amazon Web Services service that integrates with Amazon KMS. You can manage neither the lifecycle nor the access permissions of Amazon Web Services managed keys.
- Customer managed CMKs you created that are scheduled for deletion. If you cancel the deletion during the waiting period, the CMK will incur charges as though it was never scheduled for deletion.
Each API request to the Amazon Key Management Service costs:
All China Regions:
- ¥0.20 per 10,000 requests (All APIs except Asymmetric API)
- ¥0.20 per 10,000 requests for RSA 2048 keys
- ¥0.60 per 10,000 ECC GenerateDataKeyPair requests
- ¥1.00 per 10,000 asymmetric requests except RSA 2048
- ¥72.00 per 10,000 RSA GenerateDataKeyPair requests
Amazon EBS Example
1 CMK used as a customer managed KMS key when creating 2500 encrypted EBS volumes per month via the Amazon KMS CLI or APIs.
- 1 CMK
- 3 X 2500 API requests to create and provision a unique data encryption key for each of 2500 volumes
| ¥0.15 | (¥0.2 per 10,000 API calls) * 7500 calls |
Amazon S3 Example
1 CMK used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month.
- 1 CMK
- 10,000 Encrypt requests (1 request * 10,000 objects)
- 2,000,000 Decrypt requests to access the objects
| ¥40.2 | 2,010,000 total requests * ¥0.2 / 10,000 requests |
File signing application example
1 ECC 256 CMK used to sign 100,000 files via the Amazon KMS CLI or APIs.
- 1 CMK
- 100,000 signing requests
| ¥10.0 | 100,000 requests at ¥1.0 per 10,000 asymmetric requests |
Amazon CloudTrail logging
If you enable Amazon CloudTrail on your account, you can obtain logs of API calls made to or by Amazon KMS. See the Amazon CloudTrail pricing page for more information.