Requesting an Amazon KMS quota change - Amazon Key Management Service
Using the Service Quotas consoleUsing the Service Quotas API
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Requesting an Amazon KMS quota change

All Amazon KMS quotas are adjustable, except for the key policy document size resource quota, the custom key store resource quota, and the Amazon CloudHSM key store request quota. You can request an increase or decrease from your current quota.

You might request an increase if you get frequent throttling exceptions, especially if you notice prolonged periods of throttling, and not just spikes. You might request a quota decrease if you have a known bottleneck, such as a custom key store associated with a backing key store that cannot handle the current request rate.

To request a quota increase, see Requesting a quota increase in the Service Quotas User Guide. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an Amazon Web Services Region where Service Quotas for Amazon KMS is not available, please visit Amazon Web Services Support Center and create a case.

Note

Amazon KMS custom key store request quotas do not appear in the Service Quotas console. You cannot view or manage these quotas by using Service Quotas API operations. To request a change to your external key store request quota, visit the Amazon Web Services Support Center and create a case.

Using the Service Quotas console

To request an increase in an Amazon KMS quota, you can use the Service Quotas console. For instructions, see Requesting a quota increase in the Service Quotas User Guide.

You cannot use the Service Quotas console to request a quota decrease. Instead, contact Amazon Web Services Support Center and create a case.

  1. For service name, choose Amazon Key Management Service (Amazon KMS).

  2. Choose the quota name of the quota you want to change. Use the detailed information about the quota to confirm that you have chosen the correct quota.

    You can search for the quota name in the Service Quotas console. There are several pages of Amazon KMS quotas. You can also find the quota names and descriptions of Amazon KMS quotas in the resource quota and request quota tables.

    For example, to request an increase to the Cryptographic operations (symmetric) request rate quota for cryptographic operations on symmetric encryption KMS keys and HMAC KMS keys, choose Cryptographic operations (symmetric) request rate.

  3. Choose Request quota increase.

  4. In the Change quota value box, type your desired quota value. It must be greater than the Applied quota value.

  5. Choose Request.

Using the Service Quotas API

To request an increase in an Amazon KMS quota, you can use the Service Quotas API. You cannot use the Service Quotas console to request a quota decrease. Instead, contact Amazon Web Services Support Center and create a case.

The RequestServiceQuotaIncrease operation, which submits the request, requires the quota code for the quota. So begin by getting the quota code.

  1. Find the quota name of the quota you want to increase. You can find the quota names and descriptions of Amazon KMS quotas in the resource quota and request quota tables.

  2. To get the quota code for an Amazon KMS quota, use the ListServiceQuotas operation.

    Set ServiceCode to kms.

    The response includes the QuotaName and QuotaCode for each quota.

    For example, to get only the quota information for the Cryptographic operations (RSA) request rate quota, use a command like the following one. It uses the query parameter in the Amazon Command Line Interface (Amazon CLI) to get only the quota with the specified quota name.

    $ aws service-quotas list-service-quotas \
        --service-code kms \
        --query 'Quotas[?QuotaName==`Cryptographic operations (RSA) request rate`]'

{
    "Quotas": [
        {
            "ServiceCode": "kms",
            "ServiceName": "Amazon Key Management Service (Amazon KMS)",
            "QuotaArn": "arn:aws:servicequotas:us-east-2:111122223333:kms/L-2AC98190",
            "QuotaCode": "L-2AC98190",
            "QuotaName": "Cryptographic operations (RSA) request rate",
            "Value": 500,
            "Unit": "None",
            "Adjustable": true,
            "GlobalQuota": false
        }
    ]
}

  3. To request an increase for an Amazon KMS quota, use the RequestServiceQuotaIncrease operation. To identify the quota, use the quota code.

    For example, the following command requests an increase in the Cryptographic operations (RSA) request rate quota to 700 requests per second. It uses the required quota code, L-2AC98190, to identify the quota.

    If the command completes successfully, the Status field displays the current status of the request. To get the updated status of the request, use the GetRequestedServiceQuotaChange, ListRequestedServiceQuotaChangeHistory or ListRequestedServiceQuotaChangeHistoryByQuota operations.

    $ aws service-quotas request-service-quota-increase \
        --service-code kms \
        --quota-code L-2AC98190 \
        --desired-value 700

{
    "RequestedQuota": {
        "Id": "a12345",
        "ServiceCode": "kms",
        "ServiceName": "Amazon Key Management Service (Amazon KMS)",
        "QuotaCode": "L-2AC98190",
        "QuotaName": "Cryptographic operations (RSA) request rate",
        "DesiredValue": 700,
        "Status": "PENDING",
        "Created": 1580446904.067,
        "Requester": "{\"accountId\":\"111122223333\",\"callerArn\":\"arn:aws:iam::111122223333:root\"}",
        "QuotaArn": "arn:aws:servicequotas:us-east-2:111122223333:kms/L-2AC98190",
        "GlobalQuota": false,
        "Unit": "None"
    }
}