AWS KMS Pricing Calculator - Keys, Requests & CloudHSM

AWS KMS pricing calculator for customer-managed keys, API requests, and CloudHSM instances. Estimate monthly costs for symmetric encryption, asymmetric operations, key storage, and free tier usage across all AWS regions.

+4 more

Frequently Asked Questions

What are the different KMS request types and their costs?

KMS has five pricing tiers for API requests (per 10,000 requests): Symmetric operations ($0.03) for Encrypt, Decrypt, GenerateDataKey; RSA 2048 operations ($0.03); Other asymmetric ($0.15) for Sign, Verify with non-RSA 2048 keys; ECC GenerateDataKeyPair ($0.10); and RSA GenerateDataKeyPair ($12.00) which is significantly more expensive.

How much does KMS key storage cost?

Customer-managed keys (CMKs) cost $1.00/month each, prorated hourly. AWS-managed keys (automatically created by AWS services) are free. If you store keys in CloudHSM or External Key Store (XKS), there's an additional $1.00/key/month charge on top of the base key storage cost.

What's included in the KMS Free Tier?

The AWS Free Tier includes 20,000 requests/month calculated across all regions. However, this only applies to symmetric operations. Asymmetric operations (Sign, Verify, Encrypt/Decrypt with asymmetric keys) and GenerateDataKeyPair operations are excluded from the free tier.

When should I use CloudHSM with KMS?

Use CloudHSM custom key stores when you need dedicated, single-tenant HSMs for regulatory compliance (FIPS 140-2 Level 3). Each CloudHSM instance costs $1.60/hour (~$1,168/month for 24/7). AWS recommends at least 2 HSMs for high availability. For most workloads, standard KMS with AWS-managed HSMs is sufficient and more cost-effective.

Should I use symmetric or asymmetric keys?

Symmetric keys (AES-256) are cheaper ($0.03/10K) and faster for encryption/decryption. Use them for envelope encryption and most data protection. Asymmetric keys (RSA, ECC) are needed for digital signatures, code signing, or when you need to share the public key externally. Note that asymmetric operations cost 5x more ($0.15/10K) than symmetric.

Why is RSA GenerateDataKeyPair so expensive?

RSA GenerateDataKeyPair costs $12.00/10K requests (400x more than symmetric operations) because generating RSA key pairs is computationally intensive. Consider alternatives: use ECC GenerateDataKeyPair ($0.10/10K) for similar asymmetric capabilities, or use symmetric envelope encryption with GenerateDataKey for most data protection needs.

Does key rotation cost extra?

Automatic key rotation adds $1.00/month for the first two rotations (each creating new key material). Subsequent rotations have no additional charge. This is in addition to the base $1.00/month key storage cost. Keys pending deletion are not charged.

Related tools you might like

SNS Pricing Calculator - Standard & FIFO Topics

SNS cost calculator for Standard and FIFO topics. Estimate AWS SNS monthly costs with notification deliveries, data transfer, and free tier support.

API Gateway Pricing Calculator - HTTP, REST, WebSocket APIs

API Gateway cost calculator for HTTP, REST, and WebSocket APIs. Estimate AWS API Gateway monthly costs with caching and data transfer.

Tip

Stop AWS bill surprises from happening.

Most infrastructure changes look harmless until you see next month's AWS bill. CloudBurn prevents this by analyzing the cost impact of your AWS CDK changes directly in GitHub pull requests, catching expensive mistakes during code review when fixes are quick, not weeks later when they're costly and risky.

Install CloudBurnShow Features

See the setup guide to get started.

← Back to tools