Request quotas - Amazon Key Management Service
Request quotas for each Amazon KMS API operationApplying request quotasShared quotas for cryptographic operationsAPI requests made on your behalfCross-account requestsCustom key store request quotas
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Request quotas

Amazon KMS establishes quotas for the number of API operations requested in each second. The request quotas differ with the API operation, the Amazon Web Services Region, and other factors, such as the KMS key type. When you exceed an API request quota, Amazon KMS throttles the request.

All Amazon KMS request quotas are adjustable, except for the Amazon CloudHSM key store request quota. To request a quota increase, see Requesting a quota increase in the Service Quotas User Guide. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an Amazon Web Services Region where Service Quotas for Amazon KMS is not available, please visit Amazon Web Services Support Center and create a case.

If you are exceeding the request quota for the GenerateDataKey operation, consider using the data key caching feature of the Amazon Encryption SDK. Reusing data keys might reduce the frequency of your requests to Amazon KMS.

In addition to request quotas, Amazon KMS uses resource quotas to ensure capacity for all users. For details, see Resource quotas.

To view trends in your request rates, use the Service Quotas console. You can also create an Amazon CloudWatch alarm that alerts you when your request rate reaches a certain percentage of a quota value. For details, see Manage your Amazon KMS API request rates using Service Quotas and Amazon CloudWatch in the Amazon Security Blog.

Request quotas for each Amazon KMS API operation

This table lists the Service Quotas quota code and the default value for each Amazon KMS request quota. All Amazon KMS request quotas are adjustable, except for the Amazon CloudHSM key store request quota.

Note

You might need to scroll horizontally or vertically to see all of the data in this table.

Quota name Default value (requests per second)

Cryptographic operations (symmetric) request rate

Applies to:

  • Decrypt

  • Encrypt

  • GenerateDataKey

  • GenerateDataKeyWithoutPlaintext

  • GenerateMac

  • GenerateRandom

  • ReEncrypt

  • VerifyMac

These shared quotas vary with the Amazon Web Services Region and the type of KMS key used in the request. Each quota is calculated separately.

  • 5,500 (shared)

  • 10,000 (shared) in the following Regions:

    • US East (Ohio), us-east-2

    • Asia Pacific (Singapore), ap-southeast-1

    • Asia Pacific (Sydney), ap-southeast-2

    • Asia Pacific (Tokyo), ap-northeast-1

    • Europe (Frankfurt), eu-central-1

    • Europe (London), eu-west-2

  • 50,000 (shared) in the following Regions:

    • US East (N. Virginia), us-east-1

    • US West (Oregon), us-west-2

    • Europe (Ireland), eu-west-1

Cryptographic operations (RSA) request rate

Applies to:

  • Decrypt

  • Encrypt

  • ReEncrypt

  • Sign

  • Verify

500 (shared) for RSA KMS keys

Cryptographic operations (ECC) request rate

Applies to:

  • Sign

  • Verify

300 (shared) for elliptic curve (ECC) KMS keys

Cryptographic operations (SM) request rate

Applies to:

  • Decrypt

  • Encrypt

  • ReEncrypt

  • Sign

  • Verify

300 (shared) for SM2 (China Regions only) KMS keys

Custom key store request quotas

Applies to:

  • Decrypt

  • Encrypt

  • GenerateDataKey

  • GenerateDataKeyWithoutPlaintext

  • GenerateRandom

  • ReEncrypt

 Custom key store request quotas are calculated separately for each custom key store

  • 1,800 (shared) for each Amazon CloudHSM key store

  • 1,800 (shared) for each external key store

CancelKeyDeletion request rate

 5

ConnectCustomKeyStore request rate

 5

CreateAlias request rate

 5

CreateCustomKeyStore request rate

 5

CreateGrant request rate

 50

CreateKey request rate

 5

DeleteAlias request rate

 15

DeleteCustomKeyStore request rate

 5

DeleteImportedKeyMaterial request rate

 5

DescribeCustomKeyStores request rate

 5

DescribeKey request rate

 2000

DisableKey request rate

 5

DisableKeyRotation request rate

 5

DisconnectCustomKeyStore request rate

 5

EnableKey request rate

 5

EnableKeyRotation request rate

 15

GenerateDataKeyPair (ECC_NIST_P256) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

100

GenerateDataKeyPair (ECC_NIST_P384) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

100

GenerateDataKeyPair (ECC_NIST_P521) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

100

GenerateDataKeyPair (ECC_SECG_P256K1) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

100

GenerateDataKeyPair (RSA_2048) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

1

GenerateDataKeyPair (RSA_3072) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

0.5 (1 in each 2-second interval)

GenerateDataKeyPair (RSA_4096) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

0.1 (1 in each 10-second interval)

GenerateDataKeyPair (SM2 — China Regions only) request rate

Applies to:

  • GenerateDataKeyPair

  • GenerateDataKeyPairWithoutPlaintext

25

GetKeyPolicy request rate

 1000

GetKeyRotationStatus request rate

 1000

GetParametersForImport request rate

 0.25 (1 in each 4-second interval)

GetPublicKey request rate

 2000

ImportKeyMaterial request rate

 5

ListAliases request rate

 500

ListGrants request rate

 100

ListKeyPolicies request rate

 100

ListKeys request rate

 500

ListKeyRotations request rate

 100

ListResourceTags request rate

 2000

ListRetirableGrants request rate

 100

PutKeyPolicy request rate

 15
ReplicateKey request rate

A ReplicateKey operation counts as one ReplicateKey request in the primary key's Region and two CreateKey requests in the replica's Region. One of the CreateKey requests is a dry run to detect potential problems before creating the key.

5

RetireGrant request rate

 30

RevokeGrant request rate

 30

RotateKeyOnDemand request rate

 5

ScheduleKeyDeletion request rate

 15

TagResource request rate

 10

UntagResource request rate

 5

UpdateAlias request rate

 5

UpdateCustomKeyStore request rate

 5

UpdateKeyDescription request rate

 5

UpdatePrimaryRegion request rate

An UpdatePrimaryRegion operation counts as two UpdatePrimaryRegion requests; one request in each of the two affected Regions.

 5

Applying request quotas

When reviewing request quotas, keep in mind the following information.

  • Request quotas apply to both customer managed keys and Amazon managed keys. The use of Amazon owned keys does not count against request quotas for your Amazon Web Services account, even when they are used to protect resources in your account.

  • Request quotas apply to requests sent to FIPS endpoints and non-FIPS endpoints. For a list of Amazon KMS service endpoints, see Amazon Key Management Service endpoints and quotas in the Amazon Web Services General Reference.

  • Throttling is based on all requests on KMS keys of all types in the Region. This total includes requests from all principals in the Amazon Web Services account, including requests from Amazon services on your behalf.

  • Each request quota is calculated independently. For example, requests for the CreateKey operation have no effect on the request quota for the CreateAlias operation. If your CreateAlias requests are throttled, your CreateKey requests can still complete successfully.

  • Although cryptographic operations share a quota, the shared quota is calculated independently of quotas for other operations. For example, calls to the Encrypt and Decrypt operations share a request quota, but that quota is independent of the quota for management operations, such as EnableKey. For example, in the Europe (London) Region, you can perform 10,000 cryptographic operations on symmetric KMS keys plus 5 EnableKey operations per second without being throttled.

Shared quotas for cryptographic operations

Amazon KMS cryptographic operations share request quotas. You can request any combination of the cryptographic operations that are supported by the KMS key, just so the total number of cryptographic operations doesn't exceed the request quota for that type of KMS key. The exceptions are GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext, which share a separate quota.

The quotas for different types of KMS keys are calculated independently. Each quota applies to all requests for these operations in the Amazon Web Services account and Region with the given key type in each one-second interval.

  • Cryptographic operations (symmetric) request rate is the shared request quota for cryptographic operations using symmetric KMS keys in an account and region. This quota applies to cryptographic operations with symmetric encryption keys and HMAC keys, which are also symmetric.

    For example, you might be using symmetric KMS keys in an Amazon Web Services Region with a shared quota of 10,000 requests per second. When you make 7,000 GenerateDataKey requests per second and 2,000 Decrypt requests per second, Amazon KMS doesn't throttle your requests. However, when you make 9,500 GenerateDataKey requests and 1,000 Encrypt and requests per second, Amazon KMS throttles your requests because they exceed the shared quota.

    Cryptographic operations on the symmetric encryption KMS keys in a custom key store count toward both the Cryptographic operations (symmetric) request rate for the account and the custom key store request quota for the custom key store.

  • Cryptographic operations (RSA) request rate is the shared request quota for cryptographic operations using RSA asymmetric KMS keys.

    For example, with a request quota of 500 operations per second, you can make 200 Encrypt requests and 100 Decrypt requests with RSA KMS keys that can encrypt and decrypt, plus 50 Sign requests and 150 Verify requests with RSA KMS keys that can sign and verify.

  • Cryptographic operations (ECC) request rate is the shared request quota for cryptographic operations using elliptic curve (ECC) asymmetric KMS keys.

    For example, with a request quota of 300 operations per second, you can make 100 Sign requests and 200 Verify requests with RSA KMS keys that can sign and verify.

  • Cryptographic operations (SM — China Regions only) request rate is the shared request quota for cryptographic operations using SM asymmetric KMS keys.

    For example, with a request quota of 300 operations per second, you can make 100 Encrypt requests and 100 Decrypt requests with SM2 KMS keys that can encrypt and decrypt, plus 50 Sign requests and 50 Verify requests with SM2 KMS keys that can sign and verify.

  • Custom key store request quota is the shared request quota for cryptographic operations on KMS keys in a custom key store. This quota is calculated separately for each custom key store.

    Cryptographic operations on the symmetric encryption KMS keys in a custom key store count toward both the Cryptographic operations (symmetric) request rate for the account and the custom key store request quota for the custom key store.

The quotas for different key types are also calculated independently. For example, in the Asia Pacific (Singapore) Region, if you use both symmetric and asymmetric KMS keys, you can make up to 10,000 calls per second with symmetric KMS keys (including HMAC keys) plus up to 500 additional calls per second with your RSA asymmetric KMS keys, plus up to 300 additional requests per second with your ECC-based KMS keys.

API requests made on your behalf

You can make API requests directly or by using an integrated Amazon service that makes API requests to Amazon KMS on your behalf. The quota applies to both kinds of requests.

For example, you might store data in Amazon S3 using server-side encryption with a KMS key (SSE-KMS). Each time you upload or download an S3 object that's encrypted with SSE-KMS, Amazon S3 makes a GenerateDataKey (for uploads) or Decrypt (for downloads) request to Amazon KMS on your behalf. These requests count toward your quota, so Amazon KMS throttles the requests if you exceed a combined total of 5,500 (or 10,000 or 50,000 depending upon your Amazon Web Services Region) uploads or downloads per second of S3 objects encrypted with SSE-KMS.

Cross-account requests

When an application in one Amazon Web Services account uses a KMS key owned by a different account, it's known as a cross-account request. For cross-account requests, Amazon KMS throttles the account that makes the requests, not the account that owns the KMS key. For example, if an application in account A uses a KMS key in account B, the KMS key use applies only to the quotas in account A.

Custom key store request quotas

Amazon KMS maintains request quotas for cryptographic operations on the KMS keys in a custom key store. These request quotas are calculated separately for each custom key store.

Custom key store request quota Default value (requests per second) for each custom key store Adjustable
Amazon CloudHSM key store request quota 1800 No
External key store request quota 1800 Yes
Note

Amazon KMS custom key store request quotas do not appear in the Service Quotas console. You cannot view or manage these quotas by using Service Quotas API operations. To request a change to your external key store request quota, visit the Amazon Web Services Support Center and create a case.

If the Amazon CloudHSM cluster associated with an Amazon CloudHSM key store is processing numerous commands, including those unrelated to the custom key store, you might get an Amazon KMS ThrottlingException at a lower-than-expected rate. If this occurs, lower your request rate to Amazon KMS, reduce the unrelated load, or use a dedicated Amazon CloudHSM cluster for your Amazon CloudHSM key store.

Amazon KMS reports throttling of external key store requests in the ExternalKeyStoreThrottle CloudWatch metric. You can use this metric to view throttling patterns, create alarms, and adjust your external key store request quota.

A request for a cryptographic operation on a KMS key in a custom key store counts toward two quotas:

  • Cryptographic operations (symmetric) request rate quota (per account)

    Requests for cryptographic operations on KMS keys in a custom key store count toward the Cryptographic operations (symmetric) request rate quota for each Amazon Web Services account and Region. For example, in US East (N. Virginia) (us-east-1), each Amazon Web Services account can have up to 50,000 requests per second on symmetric encryption KMS keys, including requests that use a KMS key in a custom key store.

  • Custom key store request quota (per custom key store)

    Requests for cryptographic operations on KMS keys in a custom key store also count toward a Custom key store request quota of 1,800 operations per second. These quotas are calculated separately for each custom key store. They might include requests from multiple Amazon Web Services accounts that use KMS keys in the custom key store.

For example, an Encrypt operation on a KMS key in a custom key store (either type) in the US East (N. Virginia) (us-east-1) Region counts toward the Cryptographic operations (symmetric) request rate account-level quota (50,000 requests per second) for its account and Region, and toward a Custom key store request quota (1,800 requests per second) for its custom key store. However, a request for a management operation, such as PutKeyPolicy, on a KMS key in a custom key store applies only to its account-level quota (15 requests per second).