AWS KMS Pricing Calculator - Keys, Requests & CloudHSM

AWS KMS pricing calculator for customer-managed keys, API requests, and CloudHSM instances. Estimate monthly costs for symmetric encryption, asymmetric operations, key storage, and free tier usage across all AWS regions.

Frequently Asked Questions

What are the different KMS request types and their costs?

KMS has five pricing tiers for API requests (per 10,000 requests): Symmetric operations ($0.03) for Encrypt, Decrypt, GenerateDataKey; RSA 2048 operations ($0.03); Other asymmetric ($0.15); ECC GenerateDataKeyPair ($0.10); and RSA GenerateDataKeyPair ($12.00).

How much does KMS key storage cost?

Customer-managed keys (CMKs) cost $1.00/month each, prorated hourly. AWS-managed keys are free. If you store keys in CloudHSM or External Key Store (XKS), there's an additional $1.00/key/month charge on top of the base key storage cost.

What's included in the KMS Free Tier?

The AWS Free Tier includes 20,000 requests/month calculated across all regions. However, this only applies to symmetric operations. Asymmetric operations and GenerateDataKeyPair operations are excluded from the free tier.

When should I use CloudHSM with KMS?

Use CloudHSM custom key stores when you need dedicated, single-tenant HSMs for regulatory compliance. Each CloudHSM instance costs $1.60/hour (~$1,168/month for 24/7). AWS recommends at least 2 HSMs for high availability.

Should I use symmetric or asymmetric keys?

Symmetric keys (AES-256) are cheaper ($0.03/10K) and faster for encryption/decryption. Asymmetric keys (RSA, ECC) are needed for digital signatures, code signing, or when you need to share the public key externally.

Why is RSA GenerateDataKeyPair so expensive?

RSA GenerateDataKeyPair costs $12.00/10K requests because generating RSA key pairs is computationally intensive. Consider alternatives like ECC GenerateDataKeyPair ($0.10/10K) or symmetric envelope encryption when possible.

Does key rotation cost extra?

Automatic key rotation adds $1.00/month for the first two rotations. This is in addition to the base $1.00/month key storage cost.

Related tools

CloudTrail Pricing Calculator - Trails, Lake & Insights Costs

CloudTrail pricing calculator for Trails and Lake. Estimate audit logging costs for management events, data events, Insights, and Lake storage.

Amazon SES Pricing Calculator - Outbound, Inbound, Mail Manager & VDM

Amazon SES pricing calculator for sending, receiving, Mail Manager, dedicated IPs, and VDM. Estimate monthly SES costs with free tier support and full add-on modeling.

GuardDuty Pricing Calculator - Threat Detection & Protection Plans

GuardDuty pricing calculator for threat detection and malware protection. Estimate security monitoring costs for VPC Flow Logs, CloudTrail, DNS logs, and S3.

CloudBurn

Catch AWS cost mistakes before they ship.

Use the calculator for quick estimates, then use CloudBurn when you need a deterministic cost review workflow. Run scan against Terraform and CloudFormation before deploy, then run discover against live AWS to find the waste that is already burning.

Get CloudBurn Show Features

Read the docs to learn how it works.

← Back to tools