Alibaba Cloud Key Management Service (KMS) provides free server-side encryption with default keys. For advanced needs, such as custom encryption policies, key lifecycle controls, or centralized secrets management, you need to purchase dedicated software or hardware KMS instances. This topic details how you are billed for KMS.
This topic only covers the subscription billing method. For information on pay-as-you-go fees, see Pay-as-you-go.
Billing description
Billing method
Subscription
Billing cycle
Billing cycles are based on UTC+8, starting immediately upon purchase or renewal of a KMS instance and concluding at midnight on the expiration date.
Billable items
The fees for KMS instances are as follows:
Software Key Management Instance | Hardware Key Management Instance |
USD 500 per month | USD 1,799 per month |
Default specifications for KMS instances are as follows:
Billable item | Description | Software Key Management Instance | Hardware Key Management Instance |
Deployment Mode | KMS instances support dual-zone and multi-zone configurations, offering high availability, disaster recovery, and load balancing. | Dual-Zone | Dual-Zone |
Computing Performance | The QPS for encryption and decryption operations processed by the KMS instance. For QPS data of different cryptographic operations, see Performance data. | 1,000 | 2,000 |
Number of Keys | The key quota for the KMS instance. If a key supports rotation, each version generated by the rotation also consumes quota. For example, a key with two versions consumes two quotas. | 1,000 | 1,000 |
Number of Secrets | The secret quota for the KMS instance. If a secret supports rotation, each version generated by the rotation does not consume quota. For example, a secret with two versions consumes one quota. | 0 | 0 |
Access Management Quantity | This quota includes two parts:
For example, if you want to associate the KMS instance with three VPCs and share the instance with two Alibaba Cloud accounts, specify a value of 5 to meet your business requirements. The default quota is one, allowing only the VPC bound to the KMS instance access to KMS resources. | 1 | 1 |
Log Analysis | Based on Alibaba Cloud Simple Log Service, the KMS log analysis provides log query and analysis for KMS instances, and supports storing access logs for up to 180 days. Warning: Once Log Analysis is enabled, it can't be turned off. Typically, each request log occupies about 1 KB of storage. So, for example, if your average request volume is 100 QPS, then the storage space required for one day's logs is about 8.2 GB (100 × 60 × 60 × 24 × 1 = 8,640,000 KB). With a default retention period of 180 days, the log storage capacity would be 1,476 GB (8.2 × 180). When you enable the log service, you can choose a log storage capacity of up to 2,000 GB. | Disable | Disable |
If the default specifications do not meet your requirements, you can purchase additional resources. These include enhanced computing performance, additional keys, secrets, access management, and log analysis. Additional resource fees are as follows:
Billable Item | Software Key Management Instance | Hardware Key Management Instance |
Deployment Mode |
|
|
Computing Performance (QPS) |
|
|
Number of Keys | Every 10 keys: USD 9 per month. Incremental purchase: 10. Maximum quota: 100,000. | Not available. |
Number of Secrets | Every 100 secrets: USD 50 per month. Incremental purchase: 100. Maximum quota: 100,000. | Every 100 secrets: USD 50 per month. Incremental purchase: 100. Maximum quota: 100,000. |
Access Management | Each multi-account: USD 125 per month. Incremental purchase: 1. Maximum quota: 1,000. | Each multi-account: USD 125 per month. Incremental purchase: 1. Maximum quota: 1,000. |
Log Analysis | Each 1,000 GB of storage: USD 80 per month. Incremental purchase: 1,000. Maximum quota: 500,000. | Each 1,000 GB of storage: USD 80 per month. Incremental purchase: 1,000. Maximum quota: 500,000. |
Overdue payments
Since the subscription billing method involves prepaid plans, either annual or monthly, overdue payments do not apply. Ensure your account balance is topped up in advance to facilitate operations such as purchasing new instances, upgrading configurations, or renewing existing instances.
Expiration description
Visit the Instances page to check the Billing Method information of your KMS instance. We recommend renewing your instance before its expiration to avoid any disruption to your services.
Lifecycle stage | Description |
Before expiration | Alibaba Cloud will send you renewal reminders for your KMS instance via SMS and email 7 days, 3 days, and 1 day prior to its expiration date. |
Within 15 calendar days after expiration | The instance's keys and secrets are retained. Renew the service within this period to resume usage. The instance will be suspended 15 days after the expiration date if the service is not renewed. |
Within 15 days after suspension | The KMS instance is unavailable, but its keys and secrets are still retained. You can reactivate the instance by renewing the service. |
On the 16th day after suspension | The KMS instance is released. All keys and secrets are permanently deleted and are irrecoverable. We recommend that you back up your data in advance and monitor the expiration dates of your backups. For instructions, see Backup management. Warning: If you do not back up your keys and secrets, or if your existing backups have expired, they will be permanently irrecoverable after deletion. It is critical to maintain valid backups to prevent business disruptions caused by the inability to decrypt your data. |
Refunds
Partial refunds are available for KMS instances if they are in the Disabled or Enabled state.
Before canceling a KMS instance, familiarize yourself with the unsubscription rules, precautions, and cases. For more information, see Rules for unsubscribing from resources (International site).
To unsubscribe from a KMS instance, use the Expenses and Costs console. For details on the unsubscription process, see Methods for unsubscribing resources. For information on the refund process after unsubscription, see Refund flow.
View billing and usage details
To review and export KMS billing and usage details, access the Expenses and Costs console. For more information, see Billing details and Usage records.
Renewal description
For instructions on renewing a resource via the Expenses and Costs console, see Renewal guide. To renew an instance in the KMS console, follow these steps:
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
Select the Software Key Management or Hardware Key Management tab, locate the instance you want to renew, and click Actions in the Renew column.
On the KMS (International) | Renew page, set the Duration, agree to the Terms of Service, and proceed.
Click Buy Now and complete the purchase.