KMS billing and metering
KMS usage is metered on two dimensions: key versions and API calls. Understanding both helps you estimate cost and design rotation policies.
Metered metrics
| Metric | What is metered |
|---|---|
kms-keys (per version) | One billable unit per key version from creation until the key is permanently deleted |
kms-api-calls (monthly) | API usage counters per key |
Key versions
Each version of a KMS key is billed independently for its lifetime:
- Version 1 is created when you create the key
- Each manual or automatic rotation adds a new billable version
- Versions remain metered until the parent key is permanently deleted (after the 30-day pending deletion window)
Rotation and cost
Automatic rotation on a schedule increases version count over time. For example, a key with 90-day rotation accumulates approximately four versions per year in steady state, in addition to the initial version.
Balance rotation frequency against security requirements and budget. See Rotation.
API calls
Crypto and management API calls are counted per key on a monthly basis. High-volume applications using envelope encryption typically incur fewer API calls than workloads that encrypt large payloads directly through KMS.
Prefer envelope encryption to minimise API call volume. See Encrypt and decrypt.
Cost optimisation tips
- Use envelope encryption so API calls wrap small DEKs rather than bulk data
- Set rotation periods that match policy without unnecessary version proliferation
- Delete unused keys after the decommissioning period to stop version metering
- Use project-scoped keys to attribute usage to teams or workloads
Related documentation
- Rotation — How rotation affects version count
- Key lifecycle — Deletion and retention
- Best practices — Operational patterns that reduce API usage