Throttling Amazon KMS requests
To ensure that Amazon KMS can provide fast and reliable responses to API requests from all customers, it throttles API requests that exceed certain boundaries.
Throttling occurs when Amazon KMS rejects a request that
might otherwise be valid, and returns a ThrottlingException
error like the
following one.
You have exceeded the rate at which you may call KMS. Reduce the frequency of your calls. (Service: AWSKMS; Status Code: 400; Error Code: ThrottlingException; Request ID: <ID>
Amazon KMS throttles requests for the following conditions.
-
The rate of requests per second exceeds the Amazon KMS request quota for an account and Region.
For example, if users in your account submit 1000
DescribeKey
requests in a second, Amazon KMS throttles all subsequentDescribeKey
requests in that second.To respond to throttling, use a backoff and retry strategy
. This strategy is implemented automatically for HTTP 400 errors in some Amazon SDKs. -
A burst or sustained high rate of requests to change the state of the same KMS key. This condition is often known as a "hot key."
For example, if an application in your account sends a persistent volley of
EnableKey
andDisableKey
requests for the same KMS key, Amazon KMS throttles the requests. This throttling occurs even if the requests don't exceed the request-per-second request limit for theEnableKey
andDisableKey
operations.To respond to throttling, adjust your application logic so it makes only required requests or it consolidates the requests of multiple functions.
-
Requests for operations on KMS keys in a Amazon CloudHSM key store might be throttled at a lower-than-expected rate when the Amazon CloudHSM cluster associated with the Amazon CloudHSM key store is processing numerous commands, including those unrelated to the Amazon CloudHSM key store.
(Amazon KMS no longer throttles requests for operations on KMS keys in a Amazon CloudHSM key store when there are no available PKCS #11 sessions for the Amazon CloudHSM cluster. Instead, it throws a
KMSInternalException
and recommends that you retry your request.)
To view trends in your request rates, use the Service Quotas console
All Amazon KMS quotas are adjustable, except for the on-demand rotation resource quota
and the Amazon CloudHSM key store request quota. To request a quota increase, see Requesting a quota
increase in the Service Quotas User Guide. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an Amazon Web Services Region where Service Quotas for Amazon KMS is not available,
please visit Amazon Web Services Support Center
Note
Amazon KMS custom key store request
quotas do not appear in the Service Quotas console. You cannot view or manage these
quotas by using Service Quotas API operations. To request a change to your external key store request
quota, visit the Amazon Web Services Support Center