Resource quotas
AWS KMS establishes resource quotas to ensure that it can provide fast and resilient service to all of our customers. Some resource quotas apply only to resources that you create, but not to resources that AWS services create for you. Resources that you use, but that aren't in your AWS account, such as AWS owned CMKs, do not count against these quotas.
If you have reached a resource quota, requests to create an additional resource of that type fail with a LimitExceededException error.
The following table lists and describes the AWS KMS resource quotas in each AWS account and Region. If you need to exceed a quota, you can request a quota increase in Service Quotas. Use the Service Quotas console. For help requesting an increase in an AWS KMS quota, see Request an AWS KMS Quota Increase.
Quota name | Default value | Applies to |
---|---|---|
Customer master keys (CMKs) | 10,000 | Customer managed CMKs |
Aliases per Region | 10,000 | Customer created aliases |
Aliases per CMK | 50 | Customer created aliases |
Grants per CMK | 50,000 | Customer managed CMKs |
Grants for a given principal per CMK | 500 | Customer managed CMKs; AWS managed CMKs |
Key policy document size | 32 KB (32,768 bytes) | Customer managed CMKs; AWS managed CMKs |
In addition to resource quotas, AWS KMS uses request quotas to ensure the responsiveness of the service. For details, see Request quotas.
Customer master keys (CMKs): 10,000
You can have up to 10,000 customer managed CMKs in each Region of your AWS account. This quota applies to all symmetric and asymmetric customer managed CMKs regardless of their key state. Each CMK — whether symmetric or asymmetric — is considered to be one resource. AWS managed CMKs and AWS owned CMKs do not count against this quota.
Aliases per Region: 10,000
You can create up to 10,000 aliases in each AWS Region of your account. Aliases that AWS creates in your account, such as aws/<service-name>, do not count against this quota.
If you increase your customer master keys quota, you might also need to request an increase in your aliases per Region quota.
Aliases per CMK: 50
You can associate up to 50 aliases with each customer managed CMK. Aliases that AWS associates with AWS managed CMKs do not count against this quota. You might encounter this quota when you create or update an alias.
The kms:ResourceAliases condition key is effective only when the CMK conforms to this quota. If a CMK has more than 50 aliases, principals whose permission to use the CMK comes only from a policy statement with a kms:ResourceAliases condition are denied access to that CMK, even when one of its aliases matches the condition.
Grants per CMK: 50,000
Each customer managed CMK can have up to 50,000 grants, including the grants created by AWS services that are integrated with AWS KMS.
One effect of this quota is that you cannot perform more than 50,000 grant-authorized operations that use the same CMK at the same time. After you reach the quota, you can create new grants on the CMK only when an active grant is retired or revoked.
For example, when you attach an Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance, the volume is decrypted so you can read it. To get permission to decrypt the data, Amazon EBS creates a grant for each volume. Therefore, if all of your Amazon EBS volumes use the same CMK, you cannot attach more than 50,000 volumes at one time.
Grants for a given principal per CMK: 500
A CMK cannot have more than 500 grants for the same grantee principal. The grantee principal is the identity that gets the permissions in the grant.
This quota is calculated separately for each CMK in the account. It applies to customer managed CMKs and AWS managed CMKs, but not to AWS owned CMKs.
Be careful when using the output from the ListGrants operation to calculate the number of grants with the same grantee principal. The GranteePrincipal field in the ListGrants response usually contains the grantee principal of the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals. A count keyed on that field is therefore a lower bound for service principals, not an exact figure.
This quota can have practical consequences for your use of AWS resources. For example, it prevents you from launching more than 500 Amazon WorkSpaces encrypted under the same CMK. When you launch a WorkSpace, Amazon WorkSpaces creates a grant that allows it to decrypt the WorkSpace so you can use it. Each WorkSpace grant is unique, but all of the grants have the same grantee principal.
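The following script is an added example, not code from the AWS documentation. It shows how to count grants per grantee principal in the shape of a ListGrants response, report the remaining headroom against the default quota of 500, and flag counts that are only a lower bound because the GranteePrincipal is an AWS service principal (as in the WorkSpaces case above). The sample grants, key ID and account number are constructed placeholders; the optional fetch_grants helper uses the real boto3 list_grants paginator and needs credentials and kms:ListGrants on the key.

```python
"""Count grants per grantee principal on one CMK (added example, not AWS code).

Reproduces the arithmetic behind the "grants for a given principal per CMK"
quota (default 500) and the ListGrants caveat: a GranteePrincipal that is an
AWS service principal may stand for many distinct grantees, so the count for
it is a lower bound on the real per-principal usage. The sample grants below
are constructed, not captured from a real account.
"""
from collections import Counter

PER_PRINCIPAL_QUOTA = 500  # default "Grants for a given principal per CMK"


def count_grants_by_principal(grants):
    """Return Counter({GranteePrincipal: number of grants}).

    `grants` has the shape of the Grants element of a ListGrants response;
    only GranteePrincipal is read.
    """
    return Counter(g["GranteePrincipal"] for g in grants)


def is_service_principal(principal):
    """AWS service principals look like 'workspaces.amazonaws.com'; IAM users
    and roles appear as ARNs ('arn:aws:iam::...')."""
    return principal.endswith(".amazonaws.com")


def quota_report(grants, quota=PER_PRINCIPAL_QUOTA):
    """Per-principal usage against the quota.

    Returns {principal: {"count", "remaining", "lower_bound"}}. lower_bound is
    True for a service principal: several grantees may share that one
    GranteePrincipal value, so the count may understate real usage.
    """
    report = {}
    for principal, n in count_grants_by_principal(grants).items():
        report[principal] = {
            "count": n,
            "remaining": max(quota - n, 0),
            "lower_bound": is_service_principal(principal),
        }
    return report


def principals_at_quota(grants, quota=PER_PRINCIPAL_QUOTA):
    """Principals whose grant count already equals or exceeds the quota; a new
    grant for any of them would fail with LimitExceededException."""
    counts = count_grants_by_principal(grants)
    return sorted(p for p, n in counts.items() if n >= quota)


def fetch_grants(key_id, region_name=None):
    """Page through ListGrants for key_id with boto3 (needs credentials and
    kms:ListGrants on the key). boto3 is imported here so the rest of the
    module runs offline."""
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    grants = []
    for page in kms.get_paginator("list_grants").paginate(KeyId=key_id):
        grants.extend(page["Grants"])
    return grants


# Constructed sample in ListGrants shape. Three WorkSpaces grants share one
# service principal; a role and a user hold one grant each. The key ID, grant
# IDs and account number are placeholders.
SAMPLE_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_GRANTS = [
    {"GrantId": "g-%03d" % i, "KeyId": SAMPLE_KEY_ID,
     "GranteePrincipal": "workspaces.amazonaws.com",
     "Operations": ["Decrypt"]} for i in range(3)
] + [
    {"GrantId": "g-100", "KeyId": SAMPLE_KEY_ID,
     "GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
     "Operations": ["Encrypt", "Decrypt"]},
    {"GrantId": "g-101", "KeyId": SAMPLE_KEY_ID,
     "GranteePrincipal": "arn:aws:iam::111122223333:user/alice",
     "Operations": ["Decrypt"]},
]

if __name__ == "__main__":
    import sys
    # Pass a key ID to query a real CMK; with no argument the constructed sample is used.
    grants = fetch_grants(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_GRANTS
    for principal, row in quota_report(grants).items():
        flag = " (service principal: lower bound)" if row["lower_bound"] else ""
        print(f"{principal}: {row['count']} grants, {row['remaining']} remaining{flag}")
```

Run it with no arguments to see the report for the constructed sample, or with a key ID to page through the grants of a real CMK. Because the quota is evaluated per CMK, a fleet that shares one CMK should be checked per key rather than per account.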
Key policy document size: 32 KB
The maximum length of each key policy document is 32 KB (32,768 bytes). If you use a larger policy document to create or update the key policy for a CMK, the operation fails.
A key policy document is a collection of policy statements in JSON format. The statements in the key policy document determine who has permission to use the CMK and how they can use it. You may also use IAM policies and grants to control access to the CMK, but every CMK must have a key policy document.
You use a key policy document whenever you create or change a key policy by using the default view or policy view in the AWS Management Console, or the PutKeyPolicy operation. This quota applies to your key policy document, even if you use the default view in the AWS KMS console, where you don't edit the JSON statements directly.
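As an added example (not part of the AWS documentation), the script below checks a key policy document against the 32 KB quota locally before calling PutKeyPolicy and shows how a policy that names every principal in its own statement outgrows the limit. It assumes the quota is measured against the serialized JSON exactly as submitted, so whitespace from pretty-printing counts; the policy builder, account ID and role names are constructed placeholders.

```python
"""Check a key policy document against the 32 KB quota before PutKeyPolicy.

Added example, not from the AWS documentation. Assumes the quota applies to
the serialized JSON document as submitted, whitespace included. The policy
builder, account ID and role names are placeholders.
"""
import json

KEY_POLICY_MAX_BYTES = 32 * 1024  # 32 KB (32,768 bytes)


def serialize_policy(policy, compact=True):
    """Render a policy dict as the JSON string that would be passed to
    PutKeyPolicy. compact=True drops the whitespace that an editor or
    json.dumps(indent=...) adds."""
    if compact:
        return json.dumps(policy, separators=(",", ":"))
    return json.dumps(policy, indent=4)


def policy_size(policy, compact=True):
    """Size in bytes of the serialized document (UTF-8, as sent on the wire)."""
    return len(serialize_policy(policy, compact).encode("utf-8"))


def check_policy_size(policy, limit=KEY_POLICY_MAX_BYTES):
    """Return (fits, size_bytes) for the compact serialization, so that an
    oversized document is rejected locally instead of by the API call."""
    size = policy_size(policy, compact=True)
    return size <= limit, size


def build_policy_with_per_role_statements(account_id, n_roles):
    """Constructed policy granting kms:Decrypt to n_roles roles, one statement
    each. This is the pattern by which key policies outgrow the quota: every
    extra principal adds a full statement."""
    statements = [{
        "Sid": "EnableRootPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    for i in range(n_roles):
        statements.append({
            "Sid": f"AllowDecryptRole{i}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/app-role-{i}"},
            "Action": "kms:Decrypt",
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Id": "key-policy-size-demo",
            "Statement": statements}


if __name__ == "__main__":
    for n in (1, 100, 300):
        pol = build_policy_with_per_role_statements("111122223333", n)
        fits, size = check_policy_size(pol)
        print(f"{n:4d} per-role statements: {size:6d} bytes compact, "
              f"{policy_size(pol, compact=False):6d} bytes pretty-printed, "
              f"{'fits' if fits else 'EXCEEDS quota'}")
```

When the compact form still exceeds the limit, the fix is not more minification but moving per-principal permissions out of the key policy: grant them through IAM policies (if the key policy delegates to IAM) or through grants, and keep the key policy to the statements that must live there.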