AWS KMS (Key Management Service) provides centralized encryption key management for securing data across AWS services. With pricing that includes free AWS managed keys and a generous free tier of 20,000 API requests per month, KMS is a cost-effective foundation for encryption at any scale.
TL;DR: AWS managed keys are free. Customer managed symmetric and asymmetric keys cost $1.00 per key per month. API requests are $0.03 per 10,000 after the 20,000 free monthly requests. Use AWS managed keys wherever possible to minimize costs.
Key Storage Pricing
| Key Type | Monthly Cost per Key |
|---|---|
| AWS managed keys | Free |
| Customer managed symmetric keys | $1.00 |
| Customer managed asymmetric keys | $1.00 |
| Customer managed HMAC keys | $1.00 |
| Custom key store keys (CloudHSM-backed) | $1.00 (plus CloudHSM costs) |
| Imported key material | $1.00 |
AWS managed keys are automatically created when you enable encryption on services like S3, EBS, or RDS. They are fully managed by AWS, require no configuration, and cost nothing for storage. The trade-off is reduced control over key policies, rotation schedules, and cross-account access.
Customer managed keys provide full control over key policies, automatic rotation configuration, and the ability to share keys across accounts. At $1.00 per key per month, each key costs $12.00 annually.
API Request Pricing
| Request Type | Free Tier | Price per 10,000 Requests |
|---|---|---|
| Symmetric key requests | 20,000/month | $0.03 |
| Asymmetric RSA requests | 20,000/month | $0.03 |
| Asymmetric ECC requests | 20,000/month | $0.03 |
| GenerateDataKeyPair (RSA) | 20,000/month | $0.10 |
The 20,000 free requests per month apply account-wide across all key types. This free tier covers most development and small production workloads. Common API operations include Encrypt, Decrypt, GenerateDataKey, and ReEncrypt.
How Requests Add Up
Every encryption and decryption operation calls KMS. When you write an encrypted object to S3, that is one GenerateDataKey call. When you read it back, that is one Decrypt call. Services like EBS generate requests for each volume attachment and each I/O operation that crosses a chunk boundary.
For an S3 bucket with 10 million encrypted objects accessed once per month, expect approximately 20 million KMS API calls costing around $60.
Custom Key Store Pricing
| Component | Cost |
|---|---|
| Key storage | $1.00 per key/month |
| CloudHSM cluster | $1.45 per HSM/hour (approximately $1,044/month) |
| API requests | Standard KMS request pricing |
Custom key stores let you store KMS keys in an AWS CloudHSM cluster that you control. This meets regulatory requirements for dedicated hardware security modules. The primary cost driver is the CloudHSM cluster, which requires a minimum of two HSMs for high availability, bringing the baseline to approximately $2,088 per month before key and request charges.
Free Tier Details
| Component | Free Allowance |
|---|---|
| AWS managed key storage | Unlimited (always free) |
| API requests | 20,000 per month (ongoing) |
| Automatic key rotation | Free for AWS managed keys |
The KMS free tier does not expire. The 20,000 free API requests per month are perpetual and apply across all key types. AWS managed keys are always free for storage and automatic annual rotation.
Real-World Cost Examples
| Scenario | Keys | Monthly Requests | Monthly Cost |
|---|---|---|---|
| Small app with S3 encryption | 0 (AWS managed) | 15,000 | $0.00 |
| SaaS with per-tenant keys (20 tenants) | 20 | 500,000 | $21.44 |
| Enterprise with 100 CMKs | 100 | 5,000,000 | $114.94 |
| Compliance-heavy with custom key store | 50 | 2,000,000 | $2,143.94 |
KMS vs Self-Managed Encryption
| Approach | Monthly Cost (100 keys, 1M requests) | Operational Overhead |
|---|---|---|
| KMS with AWS managed keys | $2.94 (requests only) | Minimal |
| KMS with customer managed keys | $102.94 | Low |
| KMS with custom key store | $2,148.94 | Medium |
| Self-managed HSM (on-premises) | $5,000+ | High |
KMS eliminates the operational burden of managing encryption infrastructure while providing audit trails through CloudTrail integration.
Cost Optimization Tips
1. Use AWS Managed Keys Where Possible
AWS managed keys are free for storage and handle automatic rotation. Unless you need custom key policies, cross-account access, or specific compliance requirements, AWS managed keys are the most cost-effective option for services like S3, EBS, and RDS.
2. Consolidate Customer Managed Keys
Rather than creating a unique key for every resource, use a single customer managed key per service per environment. For example, one key for all S3 buckets in production and another for staging. This reduces the $1.00/month per-key charge significantly.
3. Monitor API Request Volume
Use CloudWatch metrics to track KMS API usage. Services like EBS and Lambda can generate unexpectedly high request volumes. Enable envelope encryption and cache data keys to reduce the number of KMS API calls.
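
To see which key and caller are driving the volume, the CloudTrail records mentioned earlier can be aggregated. The following is an added example, not code from the original page; the sample records are constructed, and the ARNs, key IDs and role names in them are placeholders.

```python
import json
from collections import Counter

# Constructed sample data: the account ID, key IDs and role names are placeholders.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
BATCH = "arn:aws:sts::111122223333:assumed-role/example-batch/job"
API = "arn:aws:sts::111122223333:assumed-role/example-api/web"


def _record(source, name, caller, key=None):
    """Build a minimal record with the CloudTrail fields the parser reads."""
    rec = {"eventSource": source, "eventName": name, "userIdentity": {"arn": caller}}
    if key:
        rec["resources"] = [{"type": "AWS::KMS::Key", "ARN": key}]
    return rec


SAMPLE_LOG = json.dumps({"Records": [_record("kms.amazonaws.com", "Decrypt", BATCH, KEY_A)] * 3 + [
    _record("kms.amazonaws.com", "GenerateDataKey", API, KEY_B),
    _record("kms.amazonaws.com", "ListKeys", API),   # KMS call with no key resource
    _record("s3.amazonaws.com", "GetObject", API),   # not a KMS call, ignored
]})


def kms_volume(log_text):
    """Count KMS API calls per (key ARN, caller ARN, API name)."""
    counts = Counter()
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        keys = [r.get("ARN", "unknown") for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"] or ["none"]
        for key in keys:
            counts[(key, caller, rec.get("eventName", "unknown"))] += 1
    return counts


def top_consumers(log_text, n=3):
    """Return the n busiest (key, caller, API) combinations, highest first."""
    return kms_volume(log_text).most_common(n)


if __name__ == "__main__":
    for (key, caller, api), calls in top_consumers(SAMPLE_LOG):
        print(f"{calls:>4}  {api:<16} {key.rsplit('/', 1)[-1]}  {caller}")
```
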
4. Cache Data Keys for Envelope Encryption
Instead of calling KMS for every encrypt/decrypt operation, use envelope encryption with cached data keys. Generate a data key once, reuse it for multiple operations, and call KMS again only when you rotate to a new data key. The AWS Encryption SDK handles this automatically.
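
The effect of caching on request volume, combined with the request arithmetic from "How Requests Add Up", as an added sketch that is not from the original page or the AWS Encryption SDK. `StubKMS`, `DataKeyCache` and the limit values are hypothetical, the stub stands in for a real KMS client so the code runs offline, and the encryption step itself is omitted.

```python
import os
import time

FREE_REQUESTS = 20_000   # free monthly requests quoted on this page
PRICE_PER_10K = 0.03     # symmetric request price quoted on this page


def request_cost(requests):
    """Monthly request charge in USD after the free tier."""
    billable = max(0, requests - FREE_REQUESTS)
    return round(billable / 10_000 * PRICE_PER_10K, 2)


class StubKMS:
    """Offline stand-in for a KMS client; counts GenerateDataKey calls."""
    calls = 0

    def generate_data_key(self):
        self.calls += 1
        # Real KMS returns the plaintext key and a copy encrypted under the KMS key.
        return {"Plaintext": os.urandom(32), "CiphertextBlob": os.urandom(64)}


class DataKeyCache:
    """Reuse one data key until a message-count or age limit is reached.

    The limits bound how much data one key protects and how long its
    plaintext stays in memory.
    """
    def __init__(self, kms, max_messages, max_age_s, clock=time.monotonic):
        self.kms, self.max_messages, self.max_age_s = kms, max_messages, max_age_s
        self.clock, self.entry, self.used, self.born = clock, None, 0, 0.0

    def get(self):
        now = self.clock()
        if (self.entry is None or self.used >= self.max_messages
                or now - self.born >= self.max_age_s):
            self.entry = self.kms.generate_data_key()
            self.used, self.born = 0, now
        self.used += 1
        return self.entry


def kms_calls_for(writes, max_messages, max_age_s=300.0):
    """Count GenerateDataKey calls needed for `writes` encrypt operations."""
    kms = StubKMS()
    cache = DataKeyCache(kms, max_messages, max_age_s)
    for _ in range(writes):
        cache.get()
    return kms.calls
```

With a limit of 1 message per key (no reuse), 100,000 writes cost 100,000 KMS calls; with a limit of 1,000 they cost 100, which stays inside the free tier.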
5. Avoid Custom Key Stores Unless Required
Custom key stores add over $2,000 per month in CloudHSM costs. Only use them when regulatory requirements explicitly mandate dedicated hardware key storage. Standard KMS keys already satisfy most compliance frameworks, including SOC 2, HIPAA, and PCI DSS.
FAQ
Are AWS managed keys truly free?
Yes. AWS managed keys have no storage charge, no rotation charge, and no per-key fee. You only pay for API requests beyond the 20,000 free monthly requests. These keys are created automatically when you enable encryption on supported AWS services.
How does key rotation affect pricing?
Automatic annual rotation for customer managed symmetric keys is included at no extra charge. KMS retains all previous key versions to decrypt older data, but you only pay the single $1.00/month per-key fee regardless of how many rotated versions exist.
Can I share KMS keys across AWS accounts?
Yes. Customer managed keys support key policies and grants that allow cross-account access. This lets you use a single key across multiple accounts without creating duplicate keys, saving $1.00/month per account that would otherwise need its own key.
