aws_kms_key cost estimation
A managed encryption key. Flat $1/month per key, plus per-request charges for cryptographic operations.
An aws_kms_key is a managed cryptographic key used by other AWS services for encryption at rest. Pricing has two parts.
First, $1 per month per customer-managed key. AWS-managed keys (the ones with aws/ prefixes like aws/s3, aws/rds, aws/ebs) are free and used automatically when you enable default encryption on those services. Customer-managed keys are required when you need control over key rotation, custom key policies, or cross-account access.
Second, $0.03 per 10,000 cryptographic operations (Encrypt, Decrypt, ReEncrypt, GenerateDataKey, etc.). For most workloads this is negligible: encrypted S3 reads use the GenerateDataKey operation once per object, so even a million-object workload costs a few dollars in KMS requests.
Asymmetric keys (RSA, ECC) cost more per operation because the math is more expensive: $0.15 per 10,000 operations on most asymmetric key specs. They are the right choice for signing and verification, not bulk encryption.
External key store keys (XKS) and HMAC keys have their own pricing tiers.
DNSSEC signing keys for Route 53 are KMS keys with the ECC_NIST_P256 spec, $1/month each.
c3x estimates the per-key flat fee from the resource. Cryptographic operations are usage-based and are estimated from c3x-usage.yml.
Terraform example
A minimal but realistic configuration that C3X can estimate.
# Customer-managed key: this resource carries the flat monthly fee.
resource "aws_kms_key" "data" {
  description             = "Encryption key for application data"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

# Alias: a friendly name that points at the key above.
resource "aws_kms_alias" "data" {
  name          = "alias/application-data"
  target_key_id = aws_kms_key.data.key_id
}

Pricing dimensions
What you actually pay for when you provision aws_kms_key.
| Dimension | Unit | What's being charged | Price |
|---|---|---|---|
| Customer-managed key | per key per month | Flat fee for the key to exist. Pending-deletion keys still bill until the deletion window expires. | $1/key/month |
| Symmetric cryptographic operations | per 10,000 requests | Encrypt, Decrypt, ReEncrypt, GenerateDataKey on symmetric keys. First 20,000/month free at the account level. | $0.03/10,000 requests |
| Asymmetric cryptographic operations | per 10,000 requests | Sign, Verify, Encrypt, Decrypt on asymmetric keys (RSA, ECC). Significantly more expensive than symmetric. | $0.15/10,000 for RSA |
| Custom key store keys | per key per hour | Keys stored in a CloudHSM custom key store have additional per-hour fees beyond the standard $1/month. | |
Optimization tips
Common ways to reduce aws_kms_key cost without changing the workload.
Use AWS-managed keys when you don't need customer control
$1/key/month per replaced CMK
AWS-managed keys (aws/s3, aws/ebs, aws/rds, etc.) are free. They auto-rotate yearly and have predefined policies. Use them unless you specifically need custom key policies or cross-account access.
Don't enable rotation on keys you'll delete
Operational hygiene
Key rotation is free, but you can't disable it once enabled. Don't turn it on for short-lived or experimental keys.
Delete unused keys (with the 7-day window)
$1/month per deleted key, faster
Even keys scheduled for deletion bill until the window closes (default 30 days, minimum 7 days). For confirmed-unused keys, set deletion_window_in_days = 7 to stop billing sooner.
Consolidate keys by use case, not per-resource
Major in high-resource-count accounts
Creating one KMS key per S3 bucket or RDS instance creates dozens of customer-managed keys, each $1/month. Group resources by encryption boundary (e.g., one key for all production application data) and use IAM policies to restrict access.
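The consolidation tip above, as an added Terraform example (not part of the original page or of C3X): one customer-managed key for production data, with a key policy that limits the application role to requests made through S3 and Secrets Manager. The role name app-prod, the region default and all resource names are assumptions.

```hcl
# Added example: one customer-managed key for all production application data.
# "app-prod" and the region default are assumed names, not taken from the page.
variable "region" {
  type    = string
  default = "us-east-1"
}

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  app_role   = "arn:aws:iam::${local.account_id}:role/app-prod" # hypothetical role
}

data "aws_iam_policy_document" "prod_data_key" {
  # Keep account-level administration so the key cannot be orphaned.
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # This statement lets the application role use the key only via the listed services.
  statement {
    sid       = "AppUseViaServices"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.app_role]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${var.region}.amazonaws.com", "secretsmanager.${var.region}.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "prod_data" {
  description             = "Shared key for production application data"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.prod_data_key.json
}
```

Because the account root statement delegates to IAM, identity policies in the account can still grant further access to this key, so review them alongside the key policy when merging keys.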
FAQ
Why does my KMS bill have so many $1/month line items?
Common patterns that explode KMS counts: per-bucket encryption keys, per-secret in Secrets Manager (each can have its own key), per-environment keys. Audit aws_kms_key resources and consolidate where the security boundary allows.
Are AWS-managed keys really free?
Yes. Keys like aws/s3, aws/ebs, aws/rds, aws/secretsmanager are free for the key itself. You still pay $0.03/10,000 for cryptographic operations against them, same as customer-managed keys.
Does c3x include cryptographic request costs?
Only with c3x-usage.yml. Each S3 write to an encrypted bucket triggers one GenerateDataKey operation, each read triggers one Decrypt. For high-volume KMS use, populate monthly_symmetric_requests in the usage file.
What about KMS multi-Region keys?
Multi-Region keys (multi_region = true) are billed per region they're replicated to. A multi-Region key replicated to 3 regions is $3/month plus per-request costs in each region.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_kms_key.