AWS Key Management Service endpoints and quotas - AWS General Reference

AWS Key Management Service endpoints and quotas

The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.

Service endpoints

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2

kms.us-east-2.amazonaws.com

kms-fips.us-east-2.amazonaws.com

HTTPS

HTTPS

US East (N. Virginia) us-east-1

kms.us-east-1.amazonaws.com

kms-fips.us-east-1.amazonaws.com

HTTPS

HTTPS

US West (N. California) us-west-1

kms.us-west-1.amazonaws.com

kms-fips.us-west-1.amazonaws.com

HTTPS

HTTPS

US West (Oregon) us-west-2

kms.us-west-2.amazonaws.com

kms-fips.us-west-2.amazonaws.com

HTTPS

HTTPS

Africa (Cape Town) af-south-1

kms.af-south-1.amazonaws.com

kms-fips.af-south-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Hong Kong) ap-east-1

kms.ap-east-1.amazonaws.com

kms-fips.ap-east-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Hyderabad) ap-south-2

kms.ap-south-2.amazonaws.com

kms-fips.ap-south-2.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Jakarta) ap-southeast-3

kms.ap-southeast-3.amazonaws.com

kms-fips.ap-southeast-3.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Malaysia) ap-southeast-5

kms.ap-southeast-5.amazonaws.com

kms-fips.ap-southeast-5.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Melbourne) ap-southeast-4

kms.ap-southeast-4.amazonaws.com

kms-fips.ap-southeast-4.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Mumbai) ap-south-1

kms.ap-south-1.amazonaws.com

kms-fips.ap-south-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Osaka) ap-northeast-3

kms.ap-northeast-3.amazonaws.com

kms-fips.ap-northeast-3.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Seoul) ap-northeast-2

kms.ap-northeast-2.amazonaws.com

kms-fips.ap-northeast-2.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Singapore) ap-southeast-1

kms.ap-southeast-1.amazonaws.com

kms-fips.ap-southeast-1.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Sydney) ap-southeast-2

kms.ap-southeast-2.amazonaws.com

kms-fips.ap-southeast-2.amazonaws.com

HTTPS

HTTPS

Asia Pacific (Tokyo) ap-northeast-1

kms.ap-northeast-1.amazonaws.com

kms-fips.ap-northeast-1.amazonaws.com

HTTPS

HTTPS

Canada (Central) ca-central-1

kms.ca-central-1.amazonaws.com

kms-fips.ca-central-1.amazonaws.com

HTTPS

HTTPS

Canada West (Calgary) ca-west-1

kms.ca-west-1.amazonaws.com

kms-fips.ca-west-1.amazonaws.com

HTTPS

HTTPS

Europe (Frankfurt) eu-central-1

kms.eu-central-1.amazonaws.com

kms-fips.eu-central-1.amazonaws.com

HTTPS

HTTPS

Europe (Ireland) eu-west-1

kms.eu-west-1.amazonaws.com

kms-fips.eu-west-1.amazonaws.com

HTTPS

HTTPS

Europe (London) eu-west-2

kms.eu-west-2.amazonaws.com

kms-fips.eu-west-2.amazonaws.com

HTTPS

HTTPS

Europe (Milan) eu-south-1

kms.eu-south-1.amazonaws.com

kms-fips.eu-south-1.amazonaws.com

HTTPS

HTTPS

Europe (Paris) eu-west-3

kms.eu-west-3.amazonaws.com

kms-fips.eu-west-3.amazonaws.com

HTTPS

HTTPS

Europe (Spain) eu-south-2

kms.eu-south-2.amazonaws.com

kms-fips.eu-south-2.amazonaws.com

HTTPS

HTTPS

Europe (Stockholm) eu-north-1

kms.eu-north-1.amazonaws.com

kms-fips.eu-north-1.amazonaws.com

HTTPS

HTTPS

Europe (Zurich) eu-central-2

kms.eu-central-2.amazonaws.com

kms-fips.eu-central-2.amazonaws.com

HTTPS

HTTPS

Israel (Tel Aviv) il-central-1

kms.il-central-1.amazonaws.com

kms-fips.il-central-1.amazonaws.com

HTTPS

HTTPS

Middle East (Bahrain) me-south-1

kms.me-south-1.amazonaws.com

kms-fips.me-south-1.amazonaws.com

HTTPS

HTTPS

Middle East (UAE) me-central-1

kms.me-central-1.amazonaws.com

kms-fips.me-central-1.amazonaws.com

HTTPS

HTTPS

South America (São Paulo) sa-east-1

kms.sa-east-1.amazonaws.com

kms-fips.sa-east-1.amazonaws.com

HTTPS

HTTPS

AWS GovCloud (US-East) us-gov-east-1

kms.us-gov-east-1.amazonaws.com

kms-fips.us-gov-east-1.amazonaws.com

HTTPS

HTTPS

AWS GovCloud (US-West) us-gov-west-1

kms.us-gov-west-1.amazonaws.com

kms-fips.us-gov-west-1.amazonaws.com

HTTPS

HTTPS

Service quotas

Name Default Adjustable Description
Aliases per CMK Each supported Region: 50 Yes The maximum number of customer-created aliases per CMK permitted in each AWS Region of this AWS account. Aliases that AWS creates in your account with the aws/ prefix do not count against this quota. An alias is a friendly name for a customer master key (CMK). Each alias is associated with one CMK, but a CMK can have multiple aliases.
CancelKeyDeletion request rate Each supported Region: 5 per second Yes Maximum CancelKeyDeletion requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ConnectCustomKeyStore request rate Each supported Region: 5 per second Yes Maximum ConnectCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
CreateAlias request rate Each supported Region: 5 per second Yes Maximum CreateAlias requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
CreateCustomKeyStore request rate Each supported Region: 5 per second Yes Maximum CreateCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
CreateGrant request rate Each supported Region: 50 per second Yes Maximum CreateGrant requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
CreateKey request rate Each supported Region: 5 per second Yes Maximum CreateKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
Cryptographic operations (ECC & SM2) request rate Each supported Region: 1,000 per second Yes Maximum DeriveSharedSecret, Sign, and Verify requests with ECC KMS keys and Decrypt, DeriveSharedSecret, Encrypt, Sign, and Verify requests with SM2 (China Regions only) KMS keys per second. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
Cryptographic operations (RSA) request rate Each supported Region: 1,000 per second Yes Maximum requests for cryptographic operations with RSA CMKs per second. This shared quota applies to Encrypt, Decrypt, ReEncrypt, Sign, and Verify requests using RSA CMKs. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
Cryptographic operations (symmetric) request rate

us-east-1: 100,000 per second

us-east-2: 20,000 per second

us-west-2: 100,000 per second

ap-northeast-1: 20,000 per second

ap-southeast-1: 20,000 per second

ap-southeast-2: 20,000 per second

eu-central-1: 20,000 per second

eu-west-1: 100,000 per second

eu-west-2: 20,000 per second

Each of the other supported Regions: 10,000 per second

Yes Maximum requests for cryptographic operations with a symmetric CMK per second. This shared quota applies to Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateMac, GenerateRandom, ReEncrypt, and VerifyMac requests. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
Custom Key Stores Each supported Region: 10 Yes The maximum number of custom key stores permitted in each AWS Region of this AWS account. This quota applies to the total number of custom key stores, including AWS CloudHSM key stores and external key stores, regardless of their connection state.
Customer Master Keys (CMKs) Each supported Region: 100,000 Yes The maximum number of customer managed CMKs permitted in each AWS Region of this AWS account. This quota does not apply to AWS managed CMKs.
DeleteAlias request rate Each supported Region: 15 per second Yes Maximum DeleteAlias requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DeleteCustomKeyStore request rate Each supported Region: 5 per second Yes Maximum DeleteCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DeleteImportedKeyMaterial request rate Each supported Region: 15 per second Yes Maximum DeleteImportedKeyMaterial requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DescribeCustomKeyStores request rate Each supported Region: 5 per second Yes Maximum DescribeCustomKeyStores requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DescribeKey request rate Each supported Region: 2,000 per second Yes Maximum DescribeKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DisableKey request rate Each supported Region: 5 per second Yes Maximum DisableKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DisableKeyRotation request rate Each supported Region: 5 per second Yes Maximum DisableKeyRotation requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
DisconnectCustomKeyStore request rate Each supported Region: 5 per second Yes Maximum DisconnectCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
EnableKey request rate Each supported Region: 5 per second Yes Maximum EnableKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
EnableKeyRotation request rate Each supported Region: 15 per second Yes Maximum EnableKeyRotation requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
GenerateDataKeyPair (ECC_NIST_P256) request rate Each supported Region: 100 per second Yes Maximum requests per second to generate ECC_NIST_P256 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_NIST_P256 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GenerateDataKeyPair (ECC_NIST_P384) request rate Each supported Region: 100 per second Yes Maximum requests per second to generate ECC_NIST_P384 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_NIST_P384 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GenerateDataKeyPair (ECC_NIST_P521) request rate Each supported Region: 100 per second Yes Maximum requests per second to generate ECC_NIST_P521 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_NIST_P521 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GenerateDataKeyPair (ECC_SECG_P256K1) request rate Each supported Region: 100 per second Yes Maximum requests per second to generate ECC_SECG_P256K1 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_SECG_P256K1 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GenerateDataKeyPair (RSA_2048) request rate Each supported Region: 1 per second Yes Maximum requests per second to generate RSA_2048 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for RSA_2048 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GenerateDataKeyPair (RSA_3072) request rate Each supported Region: 0.5 per second Yes Maximum requests per second to generate RSA_3072 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for RSA_3072 data key pairs. By default, KMS allows one request in each 2-second interval. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GenerateDataKeyPair (RSA_4096) request rate Each supported Region: 0.1 per second Yes Maximum requests per second to generate RSA_4096 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for RSA_4096 data key pairs. By default, KMS allows one request in each 10-second interval. When you reach this quota, KMS rejects this type of request for the remainder of the interval.
GetKeyPolicy request rate Each supported Region: 1,000 per second Yes Maximum number of GetKeyPolicy requests per second. When this limit is reached, KMS rejects requests for this operation for the remainder of the interval. This limit applies to all request types, including cross-account requests and requests AWS makes on your behalf.
GetKeyRotationStatus request rate Each supported Region: 1,000 per second Yes Maximum GetKeyRotationStatus requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
GetParametersForImport request rate Each supported Region: 0.25 per second Yes Maximum GetParametersForImport requests per second. KMS allows one GetParametersForImport request in each 4-second interval. It rejects any additional requests for this operation during the interval.
GetPublicKey request rate Each supported Region: 2,000 per second Yes Maximum GetPublicKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
Grants per CMK Each supported Region: 50,000 Yes The maximum number of grants permitted for each customer managed CMK. This quota includes grants created by AWS services, but it does not apply to AWS managed CMKs.
ImportKeyMaterial request rate Each supported Region: 15 per second Yes Maximum ImportKeyMaterial requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ListAliases request rate Each supported Region: 500 per second Yes Maximum number of ListAliases requests per second. When this limit is reached, KMS rejects requests for this operation for the remainder of the interval. This limit applies to all request types, including cross-account requests and requests AWS makes on your behalf.
ListGrants request rate Each supported Region: 100 per second Yes Maximum ListGrants requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ListKeyPolicies request rate Each supported Region: 100 per second Yes Maximum ListKeyPolicies requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ListKeyRotations request rate Each supported Region: 100 per second Yes Maximum ListKeyRotations requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ListKeys request rate Each supported Region: 500 per second Yes Maximum ListKeys requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ListResourceTags request rate Each supported Region: 2,000 per second Yes Maximum ListResourceTags requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ListRetirableGrants request rate Each supported Region: 100 per second Yes Maximum number of ListRetirableGrants requests per second. When this limit is reached, KMS rejects requests for this operation for the remainder of the interval. This limit applies to all request types, including cross-account requests and requests AWS makes on your behalf.
PutKeyPolicy request rate Each supported Region: 15 per second Yes Maximum number of PutKeyPolicy requests per second. When this limit is reached, KMS rejects requests for this operation for the remainder of the interval. This limit applies to all request types, including cross-account requests and requests AWS makes on your behalf.
ReplicateKey request rate Each supported Region: 5 per second Yes Maximum ReplicateKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
RetireGrant request rate Each supported Region: 50 per second Yes Maximum RetireGrant requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
RevokeGrant request rate Each supported Region: 50 per second Yes Maximum RevokeGrant requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
RotateKeyOnDemand request rate Each supported Region: 5 per second No Maximum RotateKeyOnDemand requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
ScheduleKeyDeletion request rate Each supported Region: 15 per second Yes Maximum ScheduleKeyDeletion requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
TagResource request rate Each supported Region: 10 per second Yes Maximum TagResource requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
UntagResource request rate Each supported Region: 5 per second Yes Maximum UntagResource requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
UpdateAlias request rate Each supported Region: 5 per second Yes Maximum UpdateAlias requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
UpdateCustomKeyStore request rate Each supported Region: 5 per second Yes Maximum UpdateCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
UpdateKeyDescription request rate Each supported Region: 5 per second Yes Maximum UpdateKeyDescription requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
UpdatePrimaryRegion request rate Each supported Region: 5 per second Yes Maximum UpdatePrimaryRegion requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval.
on-demand rotations per CMK Each supported Region: 10 No The maximum number of on-demand rotations permitted for each customer managed key. This quota does not apply to AWS managed keys.