Are AWS-managed keys free?

Yes. Keys whose alias starts with aws/ (aws/s3, aws/dynamodb, aws/rds, aws/secretsmanager, etc.) are AWS-managed and incur no $1/month key charge. Request volume against them is still billed at $0.03 per 10K requests — the per-request charge applies regardless of whether the key is AWS-managed or customer-managed. The functional difference is access control: AWS-managed keys cannot be deleted, their key policy cannot be edited, and they cannot be shared across accounts. Customer-managed keys are required for cross-account use cases, granular IAM, and regulated environments that mandate key ownership.

How is multi-region key pricing different from same-region replication?

A multi-region key (MRK) creates a primary key in one region and replica keys in additional regions that share the same key material and key ID. Each replica is its own KMS key from a billing perspective — $1/month per replica per region. A workload replicated across 5 regions with 200 customer-managed keys per region costs $1,000/month in key charges alone. Multi-region keys are useful when applications need to encrypt in one region and decrypt in another without a re-encrypt round trip; they are wasteful when the replication footprint exceeds the actual cross-region access pattern.

Why is asymmetric KMS so much more expensive than symmetric?

Asymmetric KMS operations are billed at $0.15 per 10K requests — 5× the symmetric rate of $0.03 per 10K. The reason is computational: RSA and ECDSA operations are dramatically more expensive than AES on the underlying HSMs. The pricing reflects the hardware utilization. Use asymmetric keys only when the use case genuinely requires public-key cryptography — verifying signatures from external systems, signing JWT tokens consumed outside AWS, end-to-end encryption with external counterparties. For internal envelope encryption and at-rest data, symmetric AES-256 keys are correct and 5× cheaper.

How does S3 Bucket Keys cut my KMS bill?

S3 Bucket Keys reduce KMS request volume by up to 99% by generating a bucket-level data key once per request batch rather than per object. Without Bucket Keys, every PutObject and GetObject against an SSE-KMS bucket generates a KMS call. With Bucket Keys enabled, S3 uses a short-lived bucket-scoped data key to encrypt/decrypt many objects per KMS call. For high-volume buckets, this can move the KMS bill from thousands per month to tens. Enabling Bucket Keys on existing buckets is non-destructive — objects encrypted before the change still decrypt fine; the saving applies to new traffic. Always enable Bucket Keys on any SSE-KMS bucket above ~10K objects/month of traffic.

When should I pay for a CloudHSM cluster instead of KMS?

CloudHSM is a dedicated HSM ($1.45/hour per HSM, roughly $1,058/month per HSM, with a minimum of 2 for HA so ~$2,116/month). It makes sense when you have regulatory requirements that mandate dedicated hardware (FIPS 140-2 Level 3 with sole tenancy), need PKCS#11 access for legacy applications, or are running enough symmetric operations that the per-request KMS charge would exceed the dedicated HSM cost (typically above ~700M requests/month per region). For most workloads, KMS is dramatically cheaper because the underlying HSM cost is amortized across all KMS customers in the region.

What is the GetPublicKey free tier worth?

KMS includes 20,000 free requests per month per account against AWS-managed keys, plus the GetPublicKey, Encrypt, Decrypt, GenerateDataKey, and GenerateDataKeyPair operations on AWS-managed keys are typically inside the free tier for low-volume use. The free tier disappears on customer-managed keys — every request bills from the first one. For a low-volume application using aws/s3 with bucket keys enabled, the entire KMS bill can be free; for a customer-managed key fronting a high-volume table, the $1/month key charge is the rounding error.

Do post-quantum (ML-KEM/ML-DSA) keys bill at a different rate?

Yes — post-quantum operations are priced at the asymmetric tier ($0.15 per 10K requests) given the underlying compute cost. ML-KEM key encapsulation and ML-DSA signing operations are individually billed. For applications migrating to PQC, expect the encryption-related KMS spend to rise materially as you transition. The migration timing matters — see our [post-quantum KMS guide](/blog/aws-kms-post-quantum-cryptography-ml-kem-ml-dsa/) for the rollout pattern that keeps cost under control.

AWS KMS Pricing: Keys, Requests, Multi-Region, Asymmetric

AWS KMS has the cleanest-looking pricing page on the AWS console: $1/month per customer-managed key, $0.03 per 10K requests, free tier of 20,000 requests on AWS-managed keys. Three numbers, easy to estimate. The reason KMS bills routinely surprise teams in the multi-thousand-per-month range is that all the leverage lives in request volume — which is invisible until someone correlates it back to the high-fanout services (S3, DynamoDB, Secrets Manager, EBS, RDS) actually generating the calls.

This post is the bill story. For key strategy (single-region vs multi-region, key aliases, key rotation), our KMS encryption architecture guide covers the design side; for the post-quantum migration economics, see our post-quantum KMS post.

The Five KMS Billing Dimensions

KMS pricing breakdown — us-east-1, June 2026

Prices in us-east-1

Five dimensions. The first ($1/key/month) is the page-one number; the others are where bills go sideways.

Dimension	Unit price	Example workload	Monthly cost
Customer-managed key (CMK) AWS-managed keys (aws/...) are free	$1 / key / month	50 application keys	$50.00
Symmetric requests Encrypt, Decrypt, GenerateDataKey, ReEncrypt	$0.03 / 10K requests	50M Decrypt calls/month	$150.00
Asymmetric requests RSA, ECDSA — 5× symmetric rate	$0.15 / 10K requests	10M Sign/Verify calls/month	$150.00
Multi-region key replicas Each replica is its own KMS key	$1 / replica / region / month	200 keys × 5 regions	$1,000.00
Post-quantum operations Same pricing tier as classical asymmetric	$0.15 / 10K requests	ML-KEM encapsulation	Same as asymmetric

Customer-managed key (CMK)

$50.00

AWS-managed keys (aws/...) are free

Unit price: $1 / key / month
Example workload: 50 application keys

Symmetric requests

$150.00

Encrypt, Decrypt, GenerateDataKey, ReEncrypt

Unit price: $0.03 / 10K requests
Example workload: 50M Decrypt calls/month

Asymmetric requests

$150.00

RSA, ECDSA — 5× symmetric rate

Unit price: $0.15 / 10K requests
Example workload: 10M Sign/Verify calls/month

Multi-region key replicas

$1,000.00

Each replica is its own KMS key

Unit price: $1 / replica / region / month
Example workload: 200 keys × 5 regions

Post-quantum operations

Same as asymmetric

Same pricing tier as classical asymmetric

Unit price: $0.15 / 10K requests
Example workload: ML-KEM encapsulation

Free tier: 20,000 requests/month per account against AWS-managed keys. Customer-managed keys bill from request one.

Why an S3 Bucket Can Generate a Four-Figure KMS Bill

The most common high-bill pattern: an S3 bucket with SSE-KMS enabled using a customer-managed key, holding 100M+ objects, with an active read pattern. Without S3 Bucket Keys enabled, every GetObject and PutObject generates a KMS API call. At 100M reads/month on a busy bucket, the math is direct: 100,000,000 / 10,000 × $0.03 = $300/month — just for one bucket.

The compound problem is that teams often have dozens of high-volume buckets configured this way before anyone correlates the KMS line to the S3 access pattern.

The S3 SSE-KMS Worked Example

Consider a media-asset bucket: 50 TB of stored content, 100M GET requests/month, 5M PUT requests/month, SSE-KMS with a customer-managed key. The KMS bill without Bucket Keys:

100M-object SSE-KMS bucket — KMS bill with and without Bucket Keys

Prices in us-east-1

The bucket workload is unchanged. Enabling Bucket Keys is a configuration toggle.

Dimension	Unit price	Example workload	Monthly cost
Bucket Keys: disabled KMS request line; storage and S3 requests are separate	105M KMS requests / mo	100M GET + 5M PUT, 1:1 KMS call ratio	$315.00
Bucket Keys: enabled (99% reduction) Same workload; the difference is configuration	~1.05M KMS requests / mo	Same traffic, batched data-key reuse	$3.15
CMK monthly charge Same in both cases	$1 / month	One key fronting the bucket	$1.00

Bucket Keys: disabled

$315.00

KMS request line; storage and S3 requests are separate

Unit price: 105M KMS requests / mo
Example workload: 100M GET + 5M PUT, 1:1 KMS call ratio

Bucket Keys: enabled (99% reduction)

$3.15

Same workload; the difference is configuration

Unit price: ~1.05M KMS requests / mo
Example workload: Same traffic, batched data-key reuse

CMK monthly charge

$1.00

Same in both cases

Unit price: $1 / month
Example workload: One key fronting the bucket

Saving on this single bucket: $310.85/month. Multiply across a fleet of high-volume buckets to see fleet-wide impact.

The pattern repeats across DynamoDB, EBS snapshot encryption, and Secrets Manager. Anywhere a high-fanout service is encrypting many small operations, the per-request KMS line dwarfs the key charge.

Multi-Region Key Sprawl

Multi-region keys (MRKs) are useful when an application encrypts in one region and decrypts in another — disaster recovery patterns, multi-region active-active, cross-region data replication. They are expensive when teams enable MRK replication “just in case” across regions that never actually serve traffic.

Each MRK replica is billed at $1/month per region as an independent key. A 200-key fleet replicated to 5 regions is $1,000/month in key charges alone — before any request volume. Add the request volume in each region (every region’s KMS endpoint bills independently) and the MRK pattern becomes one of the most expensive KMS configurations.

Asymmetric Operations — 5× the Symmetric Rate

KMS bills asymmetric operations at $0.15 per 10K — five times the symmetric rate. The pricing reflects underlying compute: RSA and ECDSA operations are dramatically more expensive than AES on the HSMs. The pricing also includes post-quantum operations (ML-KEM key encapsulation, ML-DSA signing) at the same tier.

The waste pattern: using asymmetric keys for use cases that don’t actually need public-key cryptography. JWT signing for tokens consumed inside AWS, internal service-to-service auth, envelope encryption of at-rest data — all of these are correctly handled with symmetric keys at 1/5th the request cost. Asymmetric keys belong only on the boundary where you genuinely interact with external counterparties or need public-key verification.

What Each AWS Service Costs You in KMS Requests

Most teams discover the KMS bill by working backwards from a Cost Explorer line they cannot explain. The mapping from AWS service to KMS request behavior:

KMS request behavior by AWS service

Prices in any

How each service generates KMS API calls when configured with SSE-KMS (or equivalent CMK encryption).

Dimension	Unit price	Example workload	Monthly cost
S3 — without Bucket Keys	1 KMS call per object operation	100M reads/month → 100M KMS calls	Up to $300/bucket
S3 — with Bucket Keys	~99% reduction	100M reads → ~1M KMS calls	~$3/bucket
DynamoDB — CMK encryption	1 KMS call per request	50M GetItem/PutItem/mo	$150/mo per table
DynamoDB — DAX caching	Cache hits skip KMS	High cache hit ratio	Significantly reduced
Secrets Manager	1 KMS call per GetSecretValue	10M secret retrievals/mo	$30/mo
EBS volume encryption	Per-volume init + per-snapshot init	Rare at steady state	Low (init-only)
RDS / Aurora	Per-snapshot, per-instance launch	Steady-state ops are cached	Low (init-only)
Lambda environment variables (encrypted)	1 KMS call per cold start	High cold-start rate	Adds up at scale
CloudWatch Logs (CMK)	Per log-group write batch	High-volume logging	Can be material

S3 — without Bucket Keys

Up to $300/bucket

Unit price: 1 KMS call per object operation
Example workload: 100M reads/month → 100M KMS calls

S3 — with Bucket Keys

~$3/bucket

Unit price: ~99% reduction
Example workload: 100M reads → ~1M KMS calls

DynamoDB — CMK encryption

$150/mo per table

Unit price: 1 KMS call per request
Example workload: 50M GetItem/PutItem/mo

DynamoDB — DAX caching

Significantly reduced

Unit price: Cache hits skip KMS
Example workload: High cache hit ratio

Secrets Manager

$30/mo

Unit price: 1 KMS call per GetSecretValue
Example workload: 10M secret retrievals/mo

EBS volume encryption

Low (init-only)

Unit price: Per-volume init + per-snapshot init
Example workload: Rare at steady state

RDS / Aurora

Low (init-only)

Unit price: Per-snapshot, per-instance launch
Example workload: Steady-state ops are cached

Lambda environment variables (encrypted)

Adds up at scale

Unit price: 1 KMS call per cold start
Example workload: High cold-start rate

CloudWatch Logs (CMK)

Can be material

Unit price: Per log-group write batch
Example workload: High-volume logging

Use CloudTrail to attribute KMS requests to the originating service — the EventSource field shows whether s3.amazonaws.com, dynamodb.amazonaws.com, etc. generated the call.

Common KMS Bill Surprises

When to Use CMKs vs AWS-Managed Keys vs CloudHSM

AWS-managed keys are the default for low-sensitivity workloads; CMKs for granular control; CloudHSM only when dedicated hardware is mandated.

Use when

AWS-managed keys (aws/s3, aws/rds, aws/secretsmanager): low-sensitivity internal workloads where granular IAM and cross-account sharing are not needed
Customer-managed keys: production data, regulated workloads, cross-account sharing, granular IAM at the key-policy level, customer-required key ownership
Multi-region CMKs: applications that genuinely encrypt in one region and decrypt in another — match the replica set to actual access pattern
CloudHSM: regulatory requirements mandating FIPS 140-2 Level 3 with sole tenancy, PKCS#11 legacy applications, or workloads above ~700M KMS requests/month per region
Asymmetric CMKs: external-counterparty PKI use cases — JWT signing for tokens consumed outside AWS, document signing, end-to-end encryption with external parties

Avoid when

CMKs for low-sensitivity internal workloads where the $1/month per key compounds across hundreds of keys
MRKs replicated to regions with no actual traffic — pure waste
Asymmetric keys for internal use cases where symmetric keys would work — 5× the request cost
CloudHSM for workloads below 700M KMS requests/month where KMS itself is dramatically cheaper
SSE-KMS on S3 buckets without Bucket Keys enabled — the request volume becomes the bill

Default to AWS-managed keys; promote to CMKs only when the use case justifies it. Reverse decisions cost $1/key/month forever.

A 30-Day KMS Bill Cleanup Plan

The KMS line typically responds well to a focused cleanup. Three weeks is enough on most accounts.

Week 1 — Find the request-volume drivers. Use CloudTrail and CloudWatch metrics for KMS to identify which service generates the most KMS requests. The EventSource field on KMS CloudTrail events shows the originating service. Cross-reference against the Cost Explorer KMS line filtered by service tag.

Week 2 — Enable S3 Bucket Keys on every SSE-KMS bucket. Audit with aws s3api get-bucket-encryption --bucket <name> and look for "BucketKeyEnabled": false. Enable Bucket Keys on every bucket — the change is non-destructive and is non-controversial enough to ship across the fleet without per-bucket approval.

Week 3 — Audit MRK replicas and asymmetric usage. Find MRKs with aws kms list-keys filtered for MultiRegion=true in each region. Delete replicas in regions with no KMS data events in CloudTrail over the last 60 days. Audit asymmetric keys and downgrade to symmetric where the use case doesn’t require public-key crypto.

For workloads encrypting via S3, run the S3 storage and request math against our S3 pricing calculator — the S3 and KMS lines compound and are easier to optimize together.

What This Post Doesn’t Cover

CloudHSM cluster sizing and break-even modeling beyond the rough 700M-requests/month threshold — covered in a future post when the comparative math is more nuanced.
External Key Stores (XKS) pricing — XKS pricing tracks symmetric KMS for now; if you need XKS, the request volume math is identical.
Key rotation costs — automatic key rotation is free; manual key rotation involves creating a new CMK ($1/month extra until the old one is deleted) and re-encrypting data.
Post-quantum migration economics in depth — covered in the post-quantum KMS post.

If You Only Do One Thing This Week

Enable S3 Bucket Keys on every SSE-KMS bucket in your account. The change is non-destructive, applies only to new traffic, and on high-volume buckets it can cut the KMS line for that bucket by 99%. The single command aws s3api put-bucket-encryption --bucket <name> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<key-arn>"},"BucketKeyEnabled":true}]}' ships in any tooling — Terraform, CDK, CloudFormation, console. Pair with a Service Control Policy that requires Bucket Keys on new buckets and the fleet stays compliant going forward.

For the broader KMS strategy beyond the bill, the KMS encryption architecture guide covers single-region vs multi-region trade-offs and key-policy patterns for cross-account use.

AWS KMS Pricing: Why a $1/Month Key Can Generate a $4,000/Month Bill

The Five KMS Billing Dimensions