Resource quotas - AWS Key Management Service

AWS KMS establishes resource quotas to ensure that it can provide fast and resilient service to all of our customers. Some resource quotas apply only to resources that you create, but not to resources that AWS services create for you. Resources that you use, but that aren't in your AWS account, such as AWS owned CMKs, do not count against these quotas.

If you have reached a resource quota, requests to create an additional resource of that type fail with a LimitExceededException error.

The following table lists and describes the AWS KMS resource quotas in each AWS account and Region. If you need to exceed a quota, you can request a quota increase in Service Quotas. Use the Service Quotas console or the RequestServiceQuotaIncrease operation. For details, see Requesting a quota increase in the Service Quotas User Guide. If Service Quotas for AWS KMS are not available in your AWS Region, visit the AWS Support Center and create a case.

For help requesting an increase in an AWS KMS quota, see Request an AWS KMS Quota Increase.

Quota name                              Default value           Applies to
Customer Master Keys (CMKs)             10,000                  Customer managed CMKs
Aliases                                 10,000                  Customer created aliases
Grants per CMK                          10,000                  Customer managed CMKs
Grants for a given principal per CMK    500                     Customer managed CMKs; AWS managed CMKs
Key policy document size                32 KB (32,768 bytes)    Customer managed CMKs; AWS managed CMKs

In addition to resource quotas, AWS KMS uses request quotas to ensure the responsiveness of the service. For details, see Request quotas.

Customer master keys (CMKs): 10,000

You can have up to 10,000 customer managed CMKs in each Region of your AWS account. This quota applies to all symmetric and asymmetric customer managed CMKs regardless of their key state. Each CMK — whether symmetric or asymmetric — is considered to be one resource. AWS managed CMKs and AWS owned CMKs do not count against this quota.

If you need to exceed this quota, request a quota increase in Service Quotas. However, managing a large number of CMKs from the AWS Management Console may be slower than acceptable. If you have a large number of CMKs in an AWS Region, manage them programmatically with the AWS SDKs or AWS Command Line Tools.

Aliases: 10,000

You can create up to 10,000 aliases in each Region of your account. Aliases that AWS creates in your account, such as aws/<service-name>, do not count against this quota.

An alias is a display name that you can map to a CMK. Each alias is mapped to exactly one CMK and multiple aliases can map to the same CMK.

If you increase your CMK resource quota, you might also need to increase your aliases resource quota. For help with requesting a quota increase, see Requesting a Quota Increase in the Service Quotas User Guide.

Grants per CMK: 10,000

Each customer managed CMK can have up to 10,000 grants, including the grants created by AWS services that are integrated with AWS KMS. This quota does not apply to AWS managed CMKs or AWS owned CMKs.

One effect of this quota is that you cannot perform more than 10,000 grant-authorized operations that use the same CMK at the same time. After you reach the quota, you can create new grants on the CMK only when an active grant is retired or revoked.

For example, when you attach an Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance, the volume is decrypted so you can read it. To get permission to decrypt the data, Amazon EBS creates a grant for each volume. However, you cannot have more than 10,000 grants on each CMK. Therefore, if all of your Amazon EBS volumes use the same CMK, you cannot attach more than 10,000 volumes at one time.

Grants are an alternative to key policy. Like a key policy, a grant is attached to a CMK. You (or an AWS service integrated with AWS KMS) can use a grant to allow a principal to use or manage the CMK. Each grant includes the principal who receives permission to use the CMK, the ID of the CMK, and a list of operations that the grantee can perform.

Grants for a given principal per CMK: 500

A CMK cannot have more than 500 grants for the same grantee principal. The grantee principal is the identity that gets the permissions in the grant.

This quota is calculated separately for each CMK in the account. It applies to customer managed CMKs and AWS managed CMKs, but not to AWS owned CMKs.

Note

Be careful when using the output from the ListGrants operation to calculate the number of grants with the same grantee principal.

The GranteePrincipal field in the ListGrants response usually contains the grantee principal of the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.

This quota can have practical consequences for your use of AWS resources. For example, it prevents you from launching more than 500 Amazon WorkSpaces encrypted under the same CMK. When you launch a WorkSpace, Amazon WorkSpaces creates a grant that allows it to decrypt the WorkSpace so you can use it. Each WorkSpace grant is unique, but all of the grants have the same grantee principal.
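The two grant quotas above (10,000 grants per CMK and 500 grants for a given principal per CMK) and the Note about ListGrants output are easiest to reason about with a script that tallies grants per GranteePrincipal and reports headroom. The following is an added example, not AWS's own code: the grant records are constructed in the shape of the "Grants" list that ListGrants returns, the service-principal string and account id are placeholders, and the ".amazonaws.com" heuristic for spotting a service principal is an assumption of this example. Only fetch_grants() talks to AWS and needs boto3 plus credentials.

```python
"""Tally AWS KMS grants on one CMK per grantee principal and compare the counts with the
resource quotas described on this page. Added example, not AWS's own code."""
from collections import Counter

GRANTS_PER_CMK_QUOTA = 10_000        # default quota from the page
GRANTS_PER_PRINCIPAL_QUOTA = 500     # default quota from the page
WARN_FRACTION = 0.8                  # flag principals at or above 80% of the per-principal quota

# Constructed sample: 3 grants for one IAM role, 1 for another, and 420 grants created on behalf
# of an AWS service. The service principal string and account id are placeholders.
SAMPLE_GRANTS = (
    [{"GrantId": f"role-a-{i}", "GranteePrincipal": "arn:aws:iam::111122223333:role/app-a",
      "Operations": ["Decrypt", "Encrypt"]} for i in range(3)]
    + [{"GrantId": "role-b-0", "GranteePrincipal": "arn:aws:iam::111122223333:role/app-b",
        "Operations": ["GenerateDataKey"]}]
    + [{"GrantId": f"svc-{i}", "GranteePrincipal": "ec2.us-east-1.amazonaws.com",
        "Operations": ["Decrypt"]} for i in range(420)]
)


def is_service_principal(principal: str) -> bool:
    """Heuristic (an assumption of this example): service principals look like
    'ec2.amazonaws.com' rather than IAM ARNs. The page's Note warns that such a
    GranteePrincipal may stand for several distinct grantees, so its count is only an
    upper bound for any single real grantee."""
    return principal.endswith(".amazonaws.com")


def count_grants_by_grantee(grants) -> Counter:
    """Grants per GranteePrincipal, the quantity the 500-per-principal quota limits."""
    return Counter(g["GranteePrincipal"] for g in grants)


def can_create_grant(grants, grantee_principal: str,
                     per_key_quota: int = GRANTS_PER_CMK_QUOTA,
                     per_principal_quota: int = GRANTS_PER_PRINCIPAL_QUOTA) -> bool:
    """True if one more CreateGrant for this grantee stays within both quotas. Once either is
    reached, a grant must be retired or revoked before a new one can be created."""
    counts = count_grants_by_grantee(grants)
    return len(grants) < per_key_quota and counts[grantee_principal] < per_principal_quota


def quota_report(grants, per_key_quota: int = GRANTS_PER_CMK_QUOTA,
                 per_principal_quota: int = GRANTS_PER_PRINCIPAL_QUOTA) -> dict:
    """Summarise headroom against both quotas and flag principals approaching the 500 limit."""
    counts = count_grants_by_grantee(grants)
    threshold = int(per_principal_quota * WARN_FRACTION)
    near = [{"principal": p, "count": n, "remaining": per_principal_quota - n}
            for p, n in counts.most_common() if n >= threshold]
    return {
        "total_grants": len(grants),
        "per_key_headroom": per_key_quota - len(grants),
        "principals_near_quota": near,
        # GranteePrincipal values that may aggregate several real grantees (see the Note above)
        "service_principals": sorted(p for p in counts if is_service_principal(p)),
    }


def fetch_grants(kms_client, key_id: str) -> list:
    """Collect every grant on a CMK with the boto3 ListGrants paginator, which follows the
    Truncated/NextMarker fields so no page is missed."""
    grants = []
    for page in kms_client.get_paginator("list_grants").paginate(KeyId=key_id):
        grants.extend(page["Grants"])
    return grants


if __name__ == "__main__":
    import json
    print(json.dumps(quota_report(SAMPLE_GRANTS), indent=2))
```

Run it as-is to see the report for the constructed sample; to check a real key, replace SAMPLE_GRANTS with `fetch_grants(boto3.client("kms"), key_id)`. Because a service GranteePrincipal can represent many grantees, treat its count as a ceiling rather than an exact per-grantee figure when deciding whether a quota increase is needed.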

Key policy document size: 32 KB

The maximum length of each key policy document is 32 KB (32,768 bytes). If you use a larger policy document to create or update the key policy for a CMK, the operation fails.

If you must exceed this quota, request a quota increase in Service Quotas. For details, see Requesting a Quota Increase in the Service Quotas User Guide.

A key policy document is a collection of policy statements in JSON format. The statements in the key policy document determine who has permission to use the CMK and how they can use it. You may also use IAM policies and grants to control access to the CMK, but every CMK must have a key policy document.

You use a key policy document whenever you create or change a key policy by using the default view or policy view in the AWS Management Console, or the PutKeyPolicy operation. This quota applies to your key policy document, even if you use the default view in the AWS KMS console, where you don't edit the JSON statements directly.
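Since an oversized key policy document fails the whole PutKeyPolicy or CreateKey call, it is worth measuring the document before sending it. The following is an added example, not AWS's own code. It assumes the quota is applied to the policy document string as submitted, so it counts UTF-8 bytes; the policy it builds is constructed, and the account id and role names are placeholders. It also shows that JSON whitespace counts toward the budget, so the same statements can fit compacted where a pretty-printed version does not.

```python
"""Check a KMS key policy document against the 32 KB (32,768 byte) quota before calling
PutKeyPolicy. Added example, not AWS's own code."""
import json

KEY_POLICY_MAX_BYTES = 32_768   # default quota from the page
ACCOUNT_ID = "111122223333"     # placeholder account id


def policy_size_bytes(policy_document: str) -> int:
    """Size as submitted to the service: bytes of the document, not characters
    (assumption of this example; a non-ASCII character counts for more than one byte)."""
    return len(policy_document.encode("utf-8"))


def check_policy_size(policy_document: str, limit: int = KEY_POLICY_MAX_BYTES) -> dict:
    """Validate before PutKeyPolicy/CreateKey; an over-limit document fails the whole call."""
    size = policy_size_bytes(policy_document)
    return {"bytes": size, "limit": limit, "within_quota": size <= limit, "headroom": limit - size}


def compact(policy_document: str) -> str:
    """Re-serialize without indentation or spaces: same statements, fewer bytes."""
    return json.dumps(json.loads(policy_document), separators=(",", ":"))


def build_sample_policy(n_roles: int, indent=None) -> str:
    """Constructed key policy: the usual root-administrator statement plus one usage statement
    per application role. One statement per principal is how policies grow past the quota;
    grants or IAM policies are the page's alternatives for that case."""
    statements = [{
        "Sid": "EnableRootPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    for i in range(n_roles):
        statements.append({
            "Sid": f"AllowUse{i}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/application-role-{i}"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        })
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=indent)


if __name__ == "__main__":
    pretty = build_sample_policy(120, indent=2)
    print("pretty-printed:", check_policy_size(pretty))
    print("compact:       ", check_policy_size(compact(pretty)))
```

With 120 per-role statements the pretty-printed document exceeds 32,768 bytes while the compacted form of the same statements fits with room to spare, so compaction is a cheap first step before asking for a quota increase. Treat `headroom` as a budget for future statements rather than a target to fill.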