Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
customer managed key and AWS managed key pricing
Hi everyone, I use AWS managed key (AMK) in Glue catalog, I would like to change KMS key in Glue catalog setting to customer managed key (CMK) , and also change the encryption type of s3 to customer managed key. apart of 1$ a month per key, does it make difference in terms of price? for ingesting new data I guess it dose not make a difference. since the aws doc mentioned that: While you are not charged for creation and storage of AWS-managed keys, you will be charged on any API request made to AWS-managed. keys. so we can say:
- With AMKs, we only pay for the API requests made for encryption/decryption operations.
- With CMKs, we pay for both the API requests and an additional monthly key storage fee of $1 per CMK. Am I correct? [https://aws.amazon.com/kms/pricing/]
- Language
- English
- Newest
- Most votes
- Most comments
Yes, your understanding is correct, with the addition that if you rotate the customer-managed KMS key or set it to be rotated automatically by AWS once a year, the cost will increase by another USD 1/mo for the first and again for the second rotation. Rotations after that no longer increase the cost. This is mentioned on the pricing page https://aws.amazon.com/kms/pricing/:
For KMS keys that you rotate automatically or on demand, the first and second rotation of the key adds $1/month (prorated hourly) in cost. This price increase is capped at the second rotation, and any subsequent rotations will not be billed.
Yes, aside from the one-time re-encryption costs and the $1/mo per key + $1/mo/rotation for the first 2 rotations, if any, there is no cost difference between using your customer-managed KMS key and using the AWS-managed default key.
so can we say: if the rotate automatically is enabled, for each key we will be charged maximum 2$ (for rotation ) + 1$ in a month?
Yes, that's right: a total of $3/mo will be the added cost of a customer-managed KMS key compared to an AWS-managed key.
Relevant content
- asked 2 years ago
- asked 2 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
So for my project, apart from the re-encryption that will happen once and 1 dollar a month per key, there is no cost difference. right?