Resource quotas
AWS KMS establishes resource quotas to ensure that it can provide fast and resilient service to all of our customers. Some resource quotas apply only to resources that you create, but not to resources that AWS services create for you. Resources that you use, but that aren't in your AWS account, such as AWS owned keys, do not count against these quotas.
If you have exceeded a resource limit, requests to create an additional resource of that
type generate an LimitExceededException error message.
All AWS KMS resource quotas are adjustable, except for the on-demand rotation resource quota. To request a quota increase, see Requesting a quota
increase in the Service Quotas User Guide. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an AWS Region where Service Quotas for AWS KMS is not available,
please visit AWS Support Center
The following table lists and describes the AWS KMS resource quotas in each AWS account and Region.
| Quota name | Default value | Applies to | Adjustable |
|---|---|---|---|
| AWS KMS keys | 100,000 | Customer managed keys | Yes |
| Aliases per KMS key | 50 | Customer created aliases | Yes |
| Custom key store resource quota | 10 | AWS account and Region | Yes |
| On-demand rotation | 10 | Customer managed keys | No |
In addition to resource quotas, AWS KMS uses request quotas to ensure the responsiveness of the service. For details, see Request quotas.
AWS KMS keys: 100,000
You can have up to 100,000 customer managed keys in each Region of your AWS account. This quota applies to all customer managed keys in all AWS Regions regardless of their key spec or key state. Each KMS key is considered to be one resource. AWS managed keys and AWS owned keys do not count against this quota.
Aliases per KMS key: 50
You can associate up to 50 aliases with each customer managed key. Aliases that AWS associates with AWS managed keys do not count against this quota. You might encounter this quota when you create or update an alias.
Note
The kms:ResourceAliases condition
is effective only when the KMS key conforms to this quota. If a KMS key exceeds this quota,
principals who are authorized to use the KMS key by the kms:ResourceAliases
condition are denied access to the KMS key. For details, see Access denied due to alias quota.
The Aliases per KMS key quota replaces the Aliases per Region quota that limited the total number of aliases in each Region of an AWS account. AWS KMS has eliminated the Aliases per Region quota.
Custom key stores resource quota: 10
You can create up to 10 custom key stores in each AWS account and Region. If you try to create more, the CreateCustomKeyStore operation fails.
This quota applies to the total number of custom key stores in each account and region, including all AWS CloudHSM key stores and external key stores, regardless of their connection state.
On-demand rotation: 10
You can perform on-demand key rotation a maximum of 10 times per KMS key. If you try to perform more on-demand rotations, the RotateKeyOnDemand operation fails.
This quota is not adjustable. You cannot increase it by using Service Quotas or by creating a case in AWS Support. To prevent reaching the on-demand rotation quota, we recommend using automatic key rotation whenever possible.