Resource quotas - AWS Key Management Service

Resource quotas

AWS KMS establishes resource quotas to ensure that it can provide fast and resilient service to all of our customers. Some resource quotas apply only to resources that you create, but not to resources that AWS services create for you. Resources that you use, but that aren't in your AWS account, such as AWS owned CMKs, do not count against these quotas.

If you have reached a resource quota, requests to create an additional resource of that type generate a LimitExceededException error message.

The following table lists and describes the AWS KMS resource quotas in each AWS account and Region. If you need to exceed a quota, you can request a quota increase in Service Quotas. Use the Service Quotas console or the RequestServiceQuotaIncrease operation. For details, see Requesting a quota increase in the Service Quotas User Guide. If Service Quotas for AWS KMS are not available in the AWS Region, please visit the AWS Support Center and create a case.

For help requesting an increase in an AWS KMS quota, see Request an AWS KMS Quota Increase.

| Quota name | Default value | Applies to |
|---|---|---|
| Customer master keys (CMKs) | 10,000 | Customer managed CMKs |
| Aliases per Region | 10,000 | Customer created aliases |
| Aliases per CMK | 50 | Customer created aliases |
| Grants per CMK | 50,000 | Customer managed CMKs |
| Grants for a given principal per CMK | 500 | Customer managed CMKs, AWS managed CMKs |
| Key policy document size | 32 KB (32,768 bytes) | Customer managed CMKs, AWS managed CMKs |

In addition to resource quotas, AWS KMS uses request quotas to ensure the responsiveness of the service. For details, see Request quotas.

Customer master keys (CMKs): 10,000

You can have up to 10,000 customer managed CMKs in each Region of your AWS account. This quota applies to all symmetric and asymmetric customer managed CMKs regardless of their key state. Each CMK — whether symmetric or asymmetric — is considered to be one resource. AWS managed CMKs and AWS owned CMKs do not count against this quota.

Aliases per Region: 10,000

You can create up to 10,000 aliases in each AWS Region of your account. Aliases that AWS creates in your account, such as aws/<service-name>, do not count against this quota.

If you increase your customer master keys quota, you might also need to request an increase in your aliases per Region quota.

Aliases per CMK: 50

You can associate up to 50 aliases with each customer managed CMK. Aliases that AWS associates with AWS managed CMKs do not count against this quota. You might encounter this quota when you create or update an alias.


The kms:ResourceAliases condition is effective only when the CMK conforms to this quota. If a CMK exceeds this quota, principals who are authorized to use the CMK by the kms:ResourceAliases condition are denied access to the CMK.

Grants per CMK: 50,000

Each customer managed CMK can have up to 50,000 grants, including the grants created by AWS services that are integrated with AWS KMS. This quota does not apply to AWS managed CMKs or AWS owned CMKs.

One effect of this quota is that you cannot perform more than 50,000 grant-authorized operations that use the same CMK at the same time. After you reach the quota, you can create new grants on the CMK only when an active grant is retired or revoked.

For example, when you attach an Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance, the volume is decrypted so you can read it. To get permission to decrypt the data, Amazon EBS creates a grant for each volume. Therefore, if all of your Amazon EBS volumes use the same CMK, you cannot attach more than 50,000 volumes at one time.

Grants for a given principal per CMK: 500

A CMK cannot have more than 500 grants for the same grantee principal. The grantee principal is the identity that gets the permissions in the grant.

This quota is calculated separately for each CMK in the account. It applies to customer managed CMKs and AWS managed CMKs, but not to AWS owned CMKs.


Be careful when using the output from the ListGrants operation to calculate the number of grants with the same grantee principal.

The GranteePrincipal field in the ListGrants response usually contains the grantee principal of the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.

This quota can have practical consequences for your use of AWS resources. For example, it prevents you from launching more than 500 Amazon WorkSpaces encrypted under the same CMK. When you launch a WorkSpace, Amazon WorkSpaces creates a grant that allows it to decrypt the WorkSpace so you can use it. Each WorkSpace grant is unique, but all of the grants have the same grantee principal.
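The following is an added example, not AWS code: it tallies the ListGrants output for one CMK against the two grant quotas above and keeps service-principal counts separate, because those counts can merge several grantees. The `grant_headroom` helper, the 80% warning threshold, the "non-ARN means service principal" heuristic, and all sample principals are assumptions made for illustration.

```python
from collections import Counter

PER_PRINCIPAL_QUOTA = 500   # grants for a given principal per CMK (this page)
PER_CMK_QUOTA = 50_000      # grants per CMK (this page)


def is_service_principal(grantee):
    # Assumption: IAM users, roles and accounts appear as ARNs in
    # GranteePrincipal; any other value is treated as a service principal.
    return not grantee.startswith("arn:")


def grant_headroom(grants, warn_ratio=0.8):
    """Summarise grant usage for ONE CMK.

    `grants` is the combined "Grants" list from ListGrants, for example
    collected from every page of boto3's list_grants paginator for a KeyId.
    """
    counts = Counter(g["GranteePrincipal"] for g in grants)
    report = {
        "total": len(grants),
        "total_near_quota": len(grants) >= warn_ratio * PER_CMK_QUOTA,
        "near_quota": [],  # ARN principals: the count maps to one grantee
        "ambiguous": [],   # service principals: count may span several grantees
    }
    for principal, n in sorted(counts.items()):
        if is_service_principal(principal):
            # Do not compare this number with the 500 quota directly.
            report["ambiguous"].append((principal, n))
        elif n >= warn_ratio * PER_PRINCIPAL_QUOTA:
            report["near_quota"].append((principal, n))
    return report


# Constructed sample data (not real ListGrants output).
ROLE = "arn:aws:iam::111122223333:role/ExampleBatchRole"
USER = "arn:aws:iam::111122223333:user/ExampleUser"
SERVICE = "example-service.amazonaws.com"  # hypothetical service principal
SAMPLE_GRANTS = (
    [{"GrantId": f"r{i}", "GranteePrincipal": ROLE} for i in range(420)]
    + [{"GrantId": f"u{i}", "GranteePrincipal": USER} for i in range(3)]
    + [{"GrantId": f"s{i}", "GranteePrincipal": SERVICE} for i in range(650)]
)

if __name__ == "__main__":
    print(grant_headroom(SAMPLE_GRANTS))
```

Entries under `ambiguous` need a second source, such as the resources the service created the grants for, before they can be compared with the 500-grant quota.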

Key policy document size: 32 KB

The maximum length of each key policy document is 32 KB (32,768 bytes). If you use a larger policy document to create or update the key policy for a CMK, the operation fails.

A key policy document is a collection of policy statements in JSON format. The statements in the key policy document determine who has permission to use the CMK and how they can use it. You may also use IAM policies and grants to control access to the CMK, but every CMK must have a key policy document.

You use a key policy document whenever you create or change a key policy by using the default view or policy view in the AWS Management Console, or the PutKeyPolicy operation. This quota applies to your key policy document, even if you use the default view in the AWS KMS console, where you don't edit the JSON statements directly.