AWS Key Management Service endpoints and quotas
The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.
Service endpoints
| Region Name | Region | Endpoint | Protocol |
|---|---|---|---|
| US East (Ohio) | us-east-2 |
kms.us-east-2.amazonaws.com kms-fips.us-east-2.amazonaws.com kms-fips.us-east-2.amazonaws.com |
HTTPS HTTPS HTTPS |
| US East (N. Virginia) | us-east-1 |
kms.us-east-1.amazonaws.com kms-fips.us-east-1.amazonaws.com kms-fips.us-east-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| US West (N. California) | us-west-1 |
kms.us-west-1.amazonaws.com kms-fips.us-west-1.amazonaws.com kms-fips.us-west-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| US West (Oregon) | us-west-2 |
kms.us-west-2.amazonaws.com kms-fips.us-west-2.amazonaws.com kms-fips.us-west-2.amazonaws.com |
HTTPS HTTPS HTTPS |
| Africa (Cape Town) | af-south-1 |
kms.af-south-1.amazonaws.com kms-fips.af-south-1.amazonaws.com kms-fips.af-south-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Hong Kong) | ap-east-1 |
kms.ap-east-1.amazonaws.com kms-fips.ap-east-1.amazonaws.com kms-fips.ap-east-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Jakarta) | ap-southeast-3 |
kms.ap-southeast-3.amazonaws.com kms-fips.ap-southeast-3.amazonaws.com kms-fips.ap-southeast-3.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Mumbai) | ap-south-1 |
kms.ap-south-1.amazonaws.com kms-fips.ap-south-1.amazonaws.com kms-fips.ap-south-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Osaka) | ap-northeast-3 |
kms.ap-northeast-3.amazonaws.com kms-fips.ap-northeast-3.amazonaws.com kms-fips.ap-northeast-3.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Seoul) | ap-northeast-2 |
kms.ap-northeast-2.amazonaws.com kms-fips.ap-northeast-2.amazonaws.com kms-fips.ap-northeast-2.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Singapore) | ap-southeast-1 |
kms.ap-southeast-1.amazonaws.com kms-fips.ap-southeast-1.amazonaws.com kms-fips.ap-southeast-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Sydney) | ap-southeast-2 |
kms.ap-southeast-2.amazonaws.com kms-fips.ap-southeast-2.amazonaws.com kms-fips.ap-southeast-2.amazonaws.com |
HTTPS HTTPS HTTPS |
| Asia Pacific (Tokyo) | ap-northeast-1 |
kms.ap-northeast-1.amazonaws.com kms-fips.ap-northeast-1.amazonaws.com kms-fips.ap-northeast-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Canada (Central) | ca-central-1 |
kms.ca-central-1.amazonaws.com kms-fips.ca-central-1.amazonaws.com kms-fips.ca-central-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Europe (Frankfurt) | eu-central-1 |
kms.eu-central-1.amazonaws.com kms-fips.eu-central-1.amazonaws.com kms-fips.eu-central-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Europe (Ireland) | eu-west-1 |
kms.eu-west-1.amazonaws.com kms-fips.eu-west-1.amazonaws.com kms-fips.eu-west-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Europe (London) | eu-west-2 |
kms.eu-west-2.amazonaws.com kms-fips.eu-west-2.amazonaws.com kms-fips.eu-west-2.amazonaws.com |
HTTPS HTTPS HTTPS |
| Europe (Milan) | eu-south-1 |
kms.eu-south-1.amazonaws.com kms-fips.eu-south-1.amazonaws.com kms-fips.eu-south-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Europe (Paris) | eu-west-3 |
kms.eu-west-3.amazonaws.com kms-fips.eu-west-3.amazonaws.com kms-fips.eu-west-3.amazonaws.com |
HTTPS HTTPS HTTPS |
| Europe (Stockholm) | eu-north-1 |
kms.eu-north-1.amazonaws.com kms-fips.eu-north-1.amazonaws.com kms-fips.eu-north-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| Middle East (Bahrain) | me-south-1 |
kms.me-south-1.amazonaws.com kms-fips.me-south-1.amazonaws.com kms-fips.me-south-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| South America (São Paulo) | sa-east-1 |
kms.sa-east-1.amazonaws.com kms-fips.sa-east-1.amazonaws.com kms-fips.sa-east-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| AWS GovCloud (US-East) | us-gov-east-1 |
kms.us-gov-east-1.amazonaws.com kms-fips.us-gov-east-1.amazonaws.com kms-fips.us-gov-east-1.amazonaws.com |
HTTPS HTTPS HTTPS |
| AWS GovCloud (US-West) | us-gov-west-1 |
kms.us-gov-west-1.amazonaws.com kms-fips.us-gov-west-1.amazonaws.com kms-fips.us-gov-west-1.amazonaws.com |
HTTPS HTTPS HTTPS |
Service quotas
| Name | Default | Adjustable | Description |
|---|---|---|---|
| Aliases per CMK | Each supported Region: 50 |
Yes |
The maximum number of customer-created aliases per CMK permitted in each AWS Region of this AWS account. Aliases that AWS creates in your account with the aws/ prefix do not count against this quota. An alias is a friendly name for a customer master key (CMK). Each alias is associated with one CMK, but a CMK can have multiple aliases. |
| CancelKeyDeletion request rate | Each supported Region: 5 per second |
Yes |
Maximum CancelKeyDeletion requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ConnectCustomKeyStore request rate | Each supported Region: 5 per second |
Yes |
Maximum ConnectCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| CreateAlias request rate | Each supported Region: 5 per second |
Yes |
Maximum CreateAlias requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| CreateCustomKeyStore request rate | Each supported Region: 5 per second |
Yes |
Maximum CreateCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| CreateGrant request rate | Each supported Region: 50 per second |
Yes |
Maximum CreateGrant requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| CreateKey request rate | Each supported Region: 5 per second |
Yes |
Maximum CreateKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| Cryptographic operations (ECC) request rate | Each supported Region: 300 per second |
Yes |
Maximum Sign and Verify requests with ECC CMKs per second. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| Cryptographic operations (RSA) request rate | Each supported Region: 500 per second |
Yes |
Maximum requests for cryptographic operations with RSA CMKs per second. This shared quota applies to Encrypt, Decrypt, ReEncrypt, Sign, and Verify requests using RSA CMKs. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| Cryptographic operations (symmetric) request rate |
us-east-1: 50,000 per second us-east-2: 10,000 per second us-west-2: 50,000 per second ap-northeast-1: 10,000 per second ap-southeast-1: 10,000 per second ap-southeast-2: 10,000 per second eu-central-1: 10,000 per second eu-west-1: 50,000 per second eu-west-2: 10,000 per second Each of the other supported Regions: 5,500 per second |
Yes |
Maximum requests for cryptographic operations with a symmetric CMK per second. This shared quota applies to Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateMac, GenerateRandom, ReEncrypt, and VerifyMac requests. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| Customer Master Keys (CMKs) | Each supported Region: 100,000 |
Yes |
The maximum number of customer managed CMKs permitted in each AWS Region of this AWS account. This quota does not apply to AWS managed CMKs. |
| DeleteAlias request rate | Each supported Region: 15 per second |
Yes |
Maximum DeleteAlias requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DeleteCustomKeyStore request rate | Each supported Region: 5 per second |
Yes |
Maximum DeleteCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DeleteImportedKeyMaterial request rate | Each supported Region: 5 per second |
Yes |
Maximum DeleteImportedKeyMaterial requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DescribeCustomKeyStores request rate | Each supported Region: 5 per second |
Yes |
Maximum DescribeCustomKeyStores requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DescribeKey request rate | Each supported Region: 2,000 per second |
Yes |
Maximum DescribeKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DisableKey request rate | Each supported Region: 5 per second |
Yes |
Maximum DisableKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DisableKeyRotation request rate | Each supported Region: 5 per second |
Yes |
Maximum DisableKeyRotation requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| DisconnectCustomKeyStore request rate | Each supported Region: 5 per second |
Yes |
Maximum DisconnectCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| EnableKey request rate | Each supported Region: 5 per second |
Yes |
Maximum EnableKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| EnableKeyRotation request rate | Each supported Region: 15 per second |
Yes |
Maximum EnableKeyRotation requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| GenerateDataKeyPair (ECC_NIST_P256) request rate | Each supported Region: 25 per second |
Yes |
Maximum requests per second to generate ECC_NIST_P256 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_NIST_P256 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GenerateDataKeyPair (ECC_NIST_P384) request rate | Each supported Region: 10 per second |
Yes |
Maximum requests per second to generate ECC_NIST_P384 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_NIST_P384 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GenerateDataKeyPair (ECC_NIST_P521) request rate | Each supported Region: 5 per second |
Yes |
Maximum requests per second to generate ECC_NIST_P521 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_NIST_P521 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GenerateDataKeyPair (ECC_SECG_P256K1) request rate | Each supported Region: 25 per second |
Yes |
Maximum requests per second to generate ECC_SECG_P256K1 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for ECC_SECG_P256K1 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GenerateDataKeyPair (RSA_2048) request rate | Each supported Region: 1 per second |
Yes |
Maximum requests per second to generate RSA_2048 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for RSA_2048 data key pairs. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GenerateDataKeyPair (RSA_3072) request rate | Each supported Region: 0.5 per second |
Yes |
Maximum requests per second to generate RSA_3072 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for RSA_3072 data key pairs. By default, KMS allows one request in each 2-second interval. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GenerateDataKeyPair (RSA_4096) request rate | Each supported Region: 0.1 per second |
Yes |
Maximum requests per second to generate RSA_4096 data key pairs. This shared quota applies to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext requests for RSA_4096 data key pairs. By default, KMS allows one request in each 10-second interval. When you reach this quota, KMS rejects this type of request for the remainder of the interval. |
| GetKeyPolicy request rate | Each supported Region: 1,000 per second |
Yes |
Maximum GetKeyPolicy requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| GetKeyRotationStatus request rate | Each supported Region: 1,000 per second |
Yes |
Maximum GetKeyRotationStatus requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| GetParametersForImport request rate | Each supported Region: 0.25 per second |
Yes |
Maximum GetParametersForImport requests per second. KMS allows one GetParametersForImport request in each 4-second interval. It rejects any additional requests for this operation during the interval. |
| GetPublicKey request rate | Each supported Region: 2,000 per second |
Yes |
Maximum GetPublicKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| Grants per CMK | Each supported Region: 50,000 |
Yes |
The maximum number of grants permitted for each customer managed CMK. This quota includes grants created by AWS services, but it does not apply to AWS managed CMKs. |
| ImportKeyMaterial request rate | Each supported Region: 5 per second |
Yes |
Maximum ImportKeyMaterial requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| Key policy document size | Each supported Region: 32,768 Bytes | No | The maximum number of bytes in each key policy document. If a key policy document exceeds this length, operations that use the key policy document to set or change the key policy fail. |
| ListAliases request rate | Each supported Region: 500 per second |
Yes |
Maximum ListAliases requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ListGrants request rate | Each supported Region: 100 per second |
Yes |
Maximum ListGrants requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ListKeyPolicies request rate | Each supported Region: 100 per second |
Yes |
Maximum ListKeyPolicies requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ListKeys request rate | Each supported Region: 500 per second |
Yes |
Maximum ListKeys requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ListResourceTags request rate | Each supported Region: 2,000 per second |
Yes |
Maximum ListResourceTags requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ListRetirableGrants request rate | Each supported Region: 100 per second |
Yes |
Maximum ListRetirableGrants requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| PutKeyPolicy request rate | Each supported Region: 15 per second |
Yes |
Maximum PutKeyPolicy requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ReplicateKey request rate | Each supported Region: 5 per second |
Yes |
Maximum ReplicateKey requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| RetireGrant request rate | Each supported Region: 30 per second |
Yes |
Maximum RetireGrant requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| RevokeGrant request rate | Each supported Region: 30 per second |
Yes |
Maximum RevokeGrant requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| ScheduleKeyDeletion request rate | Each supported Region: 15 per second |
Yes |
Maximum ScheduleKeyDeletion requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| TagResource request rate | Each supported Region: 10 per second |
Yes |
Maximum TagResource requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| UntagResource request rate | Each supported Region: 5 per second |
Yes |
Maximum UntagResource requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| UpdateAlias request rate | Each supported Region: 5 per second |
Yes |
Maximum UpdateAlias requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| UpdateCustomKeyStore request rate | Each supported Region: 5 per second |
Yes |
Maximum UpdateCustomKeyStore requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| UpdateKeyDescription request rate | Each supported Region: 5 per second |
Yes |
Maximum UpdateKeyDescription requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
| UpdatePrimaryRegion request rate | Each supported Region: 5 per second |
Yes |
Maximum UpdatePrimaryRegion requests per second. When you reach this quota, KMS rejects requests for this operation for the remainder of the interval. |
