Key Storage

Each customer master key (CMK) that you create in Amazon Key Management Service (KMS) costs ¥6.88/month until you delete it, regardless of whether the underlying key material was generated by the service, generated by a custom key store, or imported by you. For a CMK with key material generated by the service, if you opt in to automatic yearly key rotation, each new key version raises the cost of the CMK by ¥6.88/month. Amazon KMS retains and manages each previous version of the CMK to ensure you can decrypt data encrypted under previous versions. Data key pairs are created by GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext API requests, and you are charged for these API requests per the usage pricing discussed below. You are not charged an ongoing monthly fee for the data key pairs themselves, as they are neither stored nor managed by the service. In the month a key is created, the ¥6.88 monthly charge for key storage is prorated to the nearest full hour.

You are not charged for the following:

  • Creation and storage of Amazon Web Services managed CMKs. These keys are automatically created on your behalf when you first attempt to encrypt a resource in an Amazon Web Services service that integrates with Amazon KMS. You cannot manage the lifecycle of, or the access permissions on, Amazon Web Services managed keys.
  • Customer managed CMKs you created that are scheduled for deletion. If you cancel the deletion during the waiting period, the CMK will incur charges as though it had never been scheduled for deletion.

Key Usage

Each API request to the Amazon Key Management Service costs:

All China Regions:

  • ¥0.20 per 10,000 requests (All APIs except Asymmetric API)
  • ¥0.20 per 10,000 requests for RSA 2048 keys
  • ¥0.60 per 10,000 ECC GenerateDataKeyPair requests
  • ¥1.00 per 10,000 asymmetric requests except RSA 2048
  • ¥72.00 per 10,000 RSA GenerateDataKeyPair requests

Pricing examples

Amazon EBS Example

1 CMK used as a customer managed KMS key when creating 2500 encrypted EBS volumes per month via the Amazon KMS CLI or APIs.

Cost Dimensions:

  • 1 CMK
  • 3 X 2500 API requests to create and provision a unique data encryption key for each of 2500 volumes

Monthly cost:

¥6.88  1 CMK
¥0.15  7,500 calls * ¥0.2 / 10,000 API calls
Total: ¥7.03/month

Amazon S3 Example

1 CMK used to encrypt 10,000 unique files that are collectively decrypted for access 2,000,000 times per month.

Cost Dimensions:

  • 1 CMK
  • 10,000 Encrypt requests (1 request * 10,000 objects)
  • 2,000,000 Decrypt requests to access the objects

Monthly cost:

¥6.88  1 CMK
¥40.2  2,010,000 total requests * ¥0.2 / 10,000 requests
Total: ¥47.08/month

File signing application example

1 ECC 256 CMK used to sign 100,000 files via the Amazon KMS CLI or APIs.

Cost Dimensions:

  • 1 CMK
  • 100,000 signing requests

Monthly cost:

¥6.88  1 CMK
¥10.0  100,000 requests at ¥1.0 per 10,000 asymmetric requests
Total: ¥16.88/month

Amazon CloudTrail logging

If you enable Amazon CloudTrail on your account, you can obtain logs of API calls made to or by Amazon KMS. See the Amazon CloudTrail pricing page for more information.
