Resource quotas - AWS Key Management Service

Resource quotas

AWS KMS establishes resource quotas to ensure that it can provide fast and resilient service to all of our customers. Some resource quotas apply only to resources that you create, but not to resources that AWS services create for you. Resources that you use, but that aren't in your AWS account, such as AWS owned CMKs, do not count against these quotas.

If you have reached a resource quota, requests to create an additional resource of that type fail with a LimitExceededException error.

The following table lists and describes the AWS KMS resource quotas in each AWS account and Region. If you need to exceed a quota, you can request a quota increase in Service Quotas. Use the Service Quotas console or the RequestServiceQuotaIncrease operation. For details, see Requesting a quota increase in the Service Quotas User Guide. If Service Quotas for AWS KMS are not available in the AWS Region, please visit the AWS Support Center and create a case.

For help requesting an increase in an AWS KMS quota, see Request an AWS KMS Quota Increase.

Quota name                  | Default value        | Applies to
Customer master keys (CMKs) | 10,000               | Customer managed CMKs
Aliases per CMK             | 50                   | Customer created aliases
Grants per CMK              | 50,000               | Customer managed CMKs
Key policy document size    | 32 KB (32,768 bytes) | Customer managed CMKs, AWS managed CMKs

In addition to resource quotas, AWS KMS uses request quotas to ensure the responsiveness of the service. For details, see Request quotas.

Customer master keys (CMKs): 10,000

You can have up to 10,000 customer managed CMKs in each Region of your AWS account. This quota applies to all symmetric and asymmetric customer managed CMKs regardless of their key state. Each CMK — whether symmetric or asymmetric — is considered to be one resource. AWS managed CMKs and AWS owned CMKs do not count against this quota.

Aliases per CMK: 50

You can associate up to 50 aliases with each customer managed CMK. Aliases that AWS associates with AWS managed CMKs do not count against this quota. You might encounter this quota when you create or update an alias.

Note

The kms:ResourceAliases condition is effective only when the CMK conforms to this quota. If a CMK exceeds this quota, principals who are authorized to use the CMK by the kms:ResourceAliases condition are denied access to the CMK. For details, see Access denied due to alias quota.

The Aliases per CMK quota replaces the Aliases per Region quota that limited the total number of aliases in each Region of an AWS account. AWS KMS has eliminated the Aliases per Region quota.

Grants per CMK: 50,000

Each customer managed CMK can have up to 50,000 grants, including the grants created by AWS services that are integrated with AWS KMS. This quota does not apply to AWS managed CMKs or AWS owned CMKs.

One effect of this quota is that you cannot perform more than 50,000 grant-authorized operations that use the same CMK at the same time. After you reach the quota, you can create new grants on the CMK only when an active grant is retired or revoked. For example, when you attach an Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance, the volume is decrypted so you can read it. To get permission to decrypt the data, Amazon EBS creates a grant for each volume. Therefore, if all of your Amazon EBS volumes use the same CMK, you cannot attach more than 50,000 volumes at one time.

AWS KMS has eliminated the quota on grants per given principal per CMK.

Key policy document size: 32 KB

The maximum length of each key policy document is 32 KB (32,768 bytes). If you use a larger policy document to create or update the key policy for a CMK, the operation fails.

Unlike other AWS KMS quotas, this quota is not adjustable. You cannot increase it by using Service Quotas or by creating a case in AWS Support. If your key policy is approaching the limit, consider using grants instead of policy statements. Grants are particularly well suited to temporary or very specific permissions.

You use a key policy document whenever you create or change a key policy by using the default view or policy view in the AWS Management Console, or the PutKeyPolicy operation. This quota applies to your key policy document, even if you use the default view in the AWS KMS console, where you don't edit the JSON statements directly.
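A pre-flight check for this quota, added here as an example (it is not code from the AWS documentation): it measures the key policy document you would pass to PutKeyPolicy, assuming the quota is measured as the UTF-8 byte length of that JSON string, and lists the largest statements as the first candidates to convert to grants. The account ID and principals in the sample policy are constructed.

```python
import json

# Non-adjustable AWS KMS quota (from the page): 32 KB = 32,768 bytes per key policy document.
KEY_POLICY_MAX_BYTES = 32 * 1024


def policy_size_bytes(policy_json: str) -> int:
    """Size of the document as submitted; assumed here to be its UTF-8 byte length."""
    return len(policy_json.encode("utf-8"))


def check_key_policy(policy_json: str, limit: int = KEY_POLICY_MAX_BYTES) -> dict:
    """Pre-flight check before PutKeyPolicy: size as given, size of the compact
    (whitespace-free) serialization, and the largest statements, which are the
    first candidates to move into grants."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    per_statement = [
        (stmt.get("Sid", f"statement[{i}]"),
         policy_size_bytes(json.dumps(stmt, separators=(",", ":"))))
        for i, stmt in enumerate(statements)
    ]
    per_statement.sort(key=lambda item: item[1], reverse=True)
    size = policy_size_bytes(policy_json)
    compact_size = policy_size_bytes(json.dumps(policy, separators=(",", ":")))
    return {
        "size": size, "fits": size <= limit,
        "compact_size": compact_size, "compact_fits": compact_size <= limit,
        "largest_statements": per_statement[:3],
    }


def sample_policy_json(principal_count: int = 600) -> str:
    """Constructed key policy: an admin statement plus one statement that names
    many individual IAM users (constructed account ID), pretty-printed as an
    editor or the console policy view would produce it."""
    users = [f"arn:aws:iam::111122223333:user/app-user-{n:04d}" for n in range(principal_count)]
    policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableRootAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowDecryptByApplicationUsers", "Effect": "Allow",
         "Principal": {"AWS": users},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ]}
    return json.dumps(policy, indent=2)
```

With 600 listed users the pretty-printed document exceeds the quota while its compact form still fits, so whitespace alone can be the difference; the per-statement sizes show that the user-list statement is the one to replace with grants.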