Menu
AWS Key Management Service
Developer Guide

Limits

All AWS KMS objects have limits that apply to each region and each AWS account. If you need to exceed these limits, please visit the AWS Support Center and create a case.

Resource Default Limit
Customer Master Keys (CMKs) 1000
Aliases 1100
Grants per CMK 2500
Grants for a given principal per CMK 500
Requests per second Varies by API operation; see table.
Customer Master Keys (CMKs): 1000

You can have up to 1000 CMKs per region. All CMKs count towards this limit regardless of their status (enabled, disabled, or pending deletion). You can request more CMKs in a region; however, managing a large number of CMKs from the AWS Management Console may be slower than acceptable. If you have a large number of CMKs in a region, we recommend managing them programmatically with the AWS SDKs or AWS Command Line Tools.

Aliases: 1100

An alias is an independent display name that you can map to a CMK. It is not a property of a CMK. You can map multiple aliases to a single CMK, so the limit for aliases is higher than the limit for CMKs. If you request an increase in the number of CMKs, you might also need to request an increase in the number of aliases.

Grants per CMK: 2500

Using Grants are advanced mechanisms for specifying permissions that you or an AWS service integrated with AWS KMS can use to limit how and when a CMK can be used. Grants are attached to a CMK, and each grant contains the principal who receives permission to use the CMK, the ID of the CMK, and a list of operations that can be performed. Grants are an alternative to the key policy.

Each CMK can have up to 2500 grants, including the grants created by AWS services that are integrated with AWS KMS. For a list of these services, see How AWS Services use AWS KMS. One effect of this limit is that you cannot create more than 2500 resources that use the same CMK. For example, you cannot create more than 2500 encrypted EBS volumes that use the same CMK.

Grants for a given principal per CMK: 500

For a given CMK, no more than 500 grants can specify the same grantee principal. For example, assume that you want to encrypt multiple Amazon EBS volumes and attach them to a single Amazon Elastic Compute Cloud (Amazon EC2) instance. In this case, a unique grant is created for each encrypted volume and all of these grants have the same grantee principal (an IAM assumed-role user associated with the EC2 instance). Each grant gives permission to use the specified CMK to decrypt an EBS volume's unique data encryption key. For each CMK, you can have up to 500 grants that specify the same EC2 instance as the grantee principal. This effectively means that you can have no more than 500 encrypted EBS volumes per EC2 instance for a given CMK.

Requests per second: varies

AWS KMS throttles API requests at different limits depending on the API operation. The following table lists each API operation and the point at which AWS KMS throttles requests for that operation.

When an application in one AWS account uses a CMK owned by a different account, that's known as a cross-account request. For cross-account requests, AWS KMS throttles the account that makes the requests, not the account that owns the CMK. For example, you might have applications in accounts A and B that both use a CMK in account C. In this scenario, the limit for requests per second applies separately to accounts A and B, not to account C.

The API operations in the first row share a limit of 600 requests per second. For example, when you make 300 GenerateDataKey and 200 Decrypt requests per second, AWS KMS does not throttle your requests. However, when you make 100 Encrypt and 550 GenerateDataKey requests per second, AWS KMS throttles your requests because you are making more than 600 requests per second for operations in the first row of the table.

The remaining API operations have a unique limit for requests per second, which means the limit is not shared.

Note that you can make API requests directly or by using an integrated AWS service that makes API requests to AWS KMS on your behalf. For example, you might store data in Amazon S3 using server-side encryption with AWS KMS (SSE-KMS). Each time you upload or download an S3 object that's encrypted with SSE-KMS, Amazon S3 makes a GenerateDataKey (for uploads) or Decrypt (for downloads) request to AWS KMS on your behalf. These requests count toward your limit, so AWS KMS throttles the requests if you exceed a combined total of 600 uploads or downloads per second of S3 objects encrypted with SSE-KMS.

API operation Requests-per-second limit

Encrypt

Decrypt

ReEncrypt

GenerateRandom

GenerateDataKey

GenerateDataKeyWithoutPlaintext

600 (shared)
CancelKeyDeletion 5
CreateAlias 5
CreateGrant 50
CreateKey 5
DeleteAlias 5
DeleteImportedKeyMaterial 5
DescribeKey 30
DisableKey 5
DisableKeyRotation 5
EnableKey 5
EnableKeyRotation 5
GetKeyPolicy 30
GetKeyRotationStatus 30
GetParametersForImport 0.25 (AWS KMS throttles requests when the rate is more than 1 per 4 seconds)
ImportKeyMaterial 5
ListAliases 5
ListGrants 5
ListKeyPolicies 5
ListKeys 5
ListResourceTags 5
ListRetirableGrants 5
PutKeyPolicy 5
RetireGrant 15
RevokeGrant 15
ScheduleKeyDeletion 5
TagResource 5
UntagResource 5
UpdateAlias 5
UpdateKeyDescription 5