# Quotas
To make AWS KMS responsive and performant for all users, AWS KMS applies two types of quotas, resource quotas and request quotas. Each quota is calculated independently for each Region of each AWS account.
All AWS KMS quotas are adjustable, except for the [on-demand rotation resource quota](resource-limits.md#on-demand-rotation-resource-quota) and the [AWS CloudHSM key store request quota](requests-per-second.md#rps-key-stores). To request a quota increase, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-increase.html) in the *Service Quotas User Guide*. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an AWS Region where Service Quotas for AWS KMS is not available, please visit [AWS Support Center](https://console.aws.amazon.com/support/home) and create a case.
**Topics**
+ [
# Resource quotas
](resource-limits.md)
+ [
# Request quotas
](requests-per-second.md)
+ [
# Throttling AWS KMS requests
](throttling.md)
# Resource quotas
AWS KMS establishes resource quotas to ensure that it can provide fast and resilient service to all of our customers. Some resource quotas apply only to resources that you create, but not to resources that AWS services create for you. Resources that you use, but that aren't in your AWS account, such as [AWS owned keys](concepts.md#aws-owned-key), do not count against these quotas.
If you have exceeded a resource limit, requests to create an additional resource of that type generate an `LimitExceededException` error message.
All AWS KMS resource quotas are adjustable, except for the [on-demand rotation resource quota](#on-demand-rotation-resource-quota). To request a quota increase, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-increase.html) in the *Service Quotas User Guide*. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an AWS Region where Service Quotas for AWS KMS is not available, please visit [AWS Support Center](https://console.aws.amazon.com/support/home) and create a case.
The following table lists and describes the AWS KMS resource quotas in each AWS account and Region.
| Quota name | Default value | Applies to | Adjustable |
| --- | --- | --- | --- |
| [AWS KMS keys](#kms-keys-limit) | 100,000 | Customer managed keys | Yes |
| [Aliases per KMS key](#aliases-per-key) | 50 | Customer created aliases | Yes |
| [Grants per KMS key](#grants-per-key) | 50,000 | Customer managed keys | Yes |
| [Custom key store resource quota](#cks-resource-quota) | 10 | AWS account and Region | Yes |
| [On-demand rotation](#on-demand-rotation-resource-quota) | 25 | Customer managed keys | No |
In addition to resource quotas, AWS KMS uses request quotas to ensure the responsiveness of the service. For details, see [Request quotas](requests-per-second.md).
## AWS KMS keys: 100,000
You can have up to 100,000 [customer managed keys](concepts.md#customer-mgn-key) in each Region of your AWS account. This quota applies to all customer managed keys in all AWS Regions regardless of their [key spec](create-keys.md#key-spec) or [key state](key-state.md). Each KMS key is considered to be one resource. [AWS managed keys](concepts.md#aws-managed-key) and [AWS owned keys](concepts.md#aws-owned-key) do not count against this quota.
## Aliases per KMS key: 50
You can associate up to 50 [aliases](kms-alias.md) with each [customer managed key](concepts.md#customer-mgn-key). Aliases that AWS associates with [AWS managed keys](concepts.md#aws-managed-key) do not count against this quota. You might encounter this quota when you [create](alias-create.md) or [update](alias-update.md) an alias.
**Note**
The [kms:ResourceAliases](conditions-kms.md#conditions-kms-resource-aliases) condition is effective only when the KMS key conforms to this quota. If a KMS key exceeds this quota, principals who are authorized to use the KMS key by the `kms:ResourceAliases` condition are denied access to the KMS key. For details, see [Access denied due to alias quota](troubleshooting-tags-aliases.md#access-denied-alias-quota).
The Aliases per KMS key quota replaces the Aliases per Region quota that limited the total number of aliases in each Region of an AWS account. AWS KMS has eliminated the Aliases per Region quota.
## Grants per KMS key: 50,000
Each [customer managed key](concepts.md#customer-mgn-key) can have up to 50,000 [grants](grants.md), including the grants created by [AWS services that are integrated with AWS KMS](https://aws.amazon.com/kms/features/#AWS_Service_Integration). This quota does not apply to [AWS managed keys](concepts.md#aws-managed-key) or [AWS owned keys](concepts.md#aws-owned-key).
One effect of this quota is that you cannot perform more than 50,000 grant-authorized operations that use the same KMS key at the same time. After you reach the quota, you can create new grants on the KMS key only when an active grant is retired or revoked.
For example, when you attach an Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance, the volume is decrypted so you can read it. To get permission to decrypt the data, Amazon EBS creates a grant for each volume. Therefore, if all of your Amazon EBS volumes use the same KMS key, you cannot attach more than 50,000 volumes at one time.
## Custom key stores resource quota: 10
You can create up to 10 [custom key stores](key-store-overview.md#custom-key-store-overview) in each AWS account and Region. If you try to create more, the [CreateCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html) operation fails.
This quota applies to the total number of custom key stores in each account and region, including all [AWS CloudHSM key stores](keystore-cloudhsm.md) and [external key stores](keystore-external.md), regardless of their connection state.
## On-demand rotation: 25
You can perform [on-demand key rotation](rotating-keys-on-demand.md) a maximum of 25 times per KMS key. If you try to perform more on-demand rotations, the [RotateKeyOnDemand](https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html) operation fails.
This quota is not adjustable. You cannot increase it by using Service Quotas or by creating a case in AWS Support. To prevent reaching the on-demand rotation quota, we recommend using [automatic key rotation](rotating-keys-enable.md) whenever possible.
# Request quotas
AWS KMS establishes quotas for the number of API operations requested in each second. The request quotas differ with the API operation, the AWS Region, and other factors, such as the KMS key type. When you exceed an API request quota, AWS KMS [throttles the request](throttling.md).
All AWS KMS request quotas are adjustable, except for the [AWS CloudHSM key store request quota](#rps-key-stores). To request a quota increase, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-increase.html) in the *Service Quotas User Guide*. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an AWS Region where Service Quotas for AWS KMS is not available, please visit [AWS Support Center](https://console.aws.amazon.com/support/home) and create a case.
If you are exceeding the request quota for the [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) operation, consider using the [data key caching](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html) feature of the AWS Encryption SDK. Reusing data keys might reduce the frequency of your requests to AWS KMS.
In addition to request quotas, AWS KMS uses resource quotas to ensure capacity for all users. For details, see [Resource quotas](resource-limits.md).
To view trends in your request rates, use the [Service Quotas console](https://console.aws.amazon.com/servicequotas). You can also create an [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/) alarm that alerts you when your request rate reaches a certain percentage of a quota value. For details, see [Manage your AWS KMS API request rates using Service Quotas and Amazon CloudWatch](https://aws.amazon.com/blogs/security/manage-your-aws-kms-api-request-rates-using-service-quotas-and-amazon-cloudwatch/) in the *AWS Security Blog*.
**Topics**
+ [
## Request quotas for each AWS KMS API operation
](#rps-table)
+ [
## Applying request quotas
](#about-rate-limits)
+ [
## Shared quotas for cryptographic operations
](#rps-shared-limit)
+ [
## API requests made on your behalf
](#rps-from-service)
+ [
## Cross-account requests
](#rps-cross-account)
+ [
## Custom key store request quotas
](#rps-key-stores)
## Request quotas for each AWS KMS API operation
This table lists the [Service Quotas](https://docs.aws.amazon.com/servicequotas/latest/userguide/) quota code and the default value for each AWS KMS request quota. All AWS KMS request quotas are adjustable, except for the [AWS CloudHSM key store request quota](#rps-key-stores).
**Note**
You might need to scroll horizontally or vertically to see all of the data in this table.
| Quota name | Default value (requests per second) |
| --- | --- |
| `Cryptographic operations (symmetric) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | These shared quotas vary with the AWS Region and the type of KMS key used in the request. Each quota is calculated separately. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) |
| `Cryptographic operations (RSA) request rate` Applies to:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 1,000 (shared) for RSA KMS keys |
| `Cryptographic operations (ML-DSA) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 1,000 (shared) for ML-DSA KMS keys |
| `Cryptographic operations (ECC and SM2) request rate` Applies to:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 1,000 (shared) for elliptic curve (ECC) and SM2 (China Regions only) KMS keys |
| `Custom key store request quotas` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | [Custom key store request quotas](#rps-key-stores) are calculated separately for each custom key store[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) |
| `CancelKeyDeletion request rate` | 5 |
| `ConnectCustomKeyStore request rate` | 5 |
| `CreateAlias request rate` | 5 |
| `CreateCustomKeyStore request rate` | 5 |
| `CreateGrant request rate` | 50 |
| `CreateKey request rate` | 5 |
| `DeleteAlias request rate` | 15 |
| `DeleteCustomKeyStore request rate` | 5 |
| `DeleteImportedKeyMaterial request rate` | 15 |
| `DescribeCustomKeyStores request rate` | 5 |
| `DescribeKey request rate` | 2000 |
| `DisableKey request rate` | 5 |
| `DisableKeyRotation request rate` | 5 |
| `DisconnectCustomKeyStore request rate` | 5 |
| `EnableKey request rate` | 5 |
| `EnableKeyRotation request rate` | 15 |
| `GenerateDataKeyPair (ECC_NIST_P256) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 100 |
| `GenerateDataKeyPair (ECC_NIST_P384) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 100 |
| `GenerateDataKeyPair (ECC_NIST_P521) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 100 |
| `GenerateDataKeyPair (ECC_SECG_P256K1) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 100 |
| `GenerateDataKeyPair (ECC_NIST_EDWARDS25519) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 100 |
| `GenerateDataKeyPair (RSA_2048) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 20 |
| `GenerateDataKeyPair (RSA_3072) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 4 |
| `GenerateDataKeyPair (RSA_4096) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 1 |
| `GenerateDataKeyPair (SM2 — China Regions only) request rate` Applies to: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html) | 25 |
| `GetKeyPolicy request rate` | 1000 |
| `GetKeyRotationStatus request rate` | 1000 |
| `GetParametersForImport request rate` | 1 |
| `GetPublicKey request rate` | 2000 |
| `ImportKeyMaterial request rate` | 15 |
| `ListAliases request rate` | 500 |
| `ListGrants request rate` | 100 |
| `ListKeyPolicies request rate` | 100 |
| `ListKeys request rate` | 500 |
| `ListKeyRotations request rate` | 100 |
| `ListResourceTags request rate` | 2000 |
| `ListRetirableGrants request rate` | 100 |
| `PutKeyPolicy request rate` | 15 |
| ReplicateKey request rate A `ReplicateKey` operation counts as one `ReplicateKey` request in the primary key's Region and two `CreateKey` requests in the replica's Region. One of the `CreateKey` requests is a dry run to detect potential problems before creating the key. | 5 |
| `RetireGrant request rate` | 50 |
| `RevokeGrant request rate` | 50 |
| `RotateKeyOnDemand request rate` | 5 |
| `ScheduleKeyDeletion request rate` | 15 |
| `TagResource request rate` | 10 |
| `UntagResource request rate` | 5 |
| `UpdateAlias request rate` | 5 |
| `UpdateCustomKeyStore request rate` | 5 |
| `UpdateKeyDescription request rate` | 5 |
| `UpdatePrimaryRegion request rate` An `UpdatePrimaryRegion` operation counts as two `UpdatePrimaryRegion` requests; one request in each of the two affected Regions. | 5 |
## Applying request quotas
When reviewing request quotas, keep in mind the following information.
+ Request quotas apply to both [customer managed keys](concepts.md#customer-mgn-key) and [AWS managed keys](concepts.md#aws-managed-key). The use of [AWS owned keys](concepts.md#aws-owned-key) does not count against request quotas for your AWS account, even when they are used to protect resources in your account.
+ Request quotas apply to requests sent to FIPS endpoints and non-FIPS endpoints. For a list of AWS KMS service endpoints, see [AWS Key Management Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/kms.html) in the AWS General Reference.
+ Throttling is based on all requests on KMS keys of all types in the Region. This total includes requests from all principals in the AWS account, including requests from AWS services on your behalf.
+ Each request quota is calculated independently. For example, requests for the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation have no effect on the request quota for the [CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html) operation. If your `CreateAlias` requests are throttled, your `CreateKey` requests can still complete successfully.
+ Although cryptographic operations share a quota, the shared quota is calculated independently of quotas for other operations. For example, calls to the [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) and [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operations share a request quota, but that quota is independent of the quota for management operations, such as [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html). For example, in the Europe (London) Region, you can perform 10,000 cryptographic operations on symmetric KMS keys *plus* 5 `EnableKey` operations per second without being throttled.
## Shared quotas for cryptographic operations
AWS KMS [cryptographic operations](kms-cryptography.md#cryptographic-operations) share request quotas. You can request any combination of the cryptographic operations that are supported by the KMS key, just so the total number of cryptographic operations doesn't exceed the request quota for that type of KMS key. The exceptions are [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html) and [GenerateDataKeyPairWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html), which share a separate quota.
The quotas for different types of KMS keys are calculated independently. Each quota applies to all requests for these operations in the AWS account and Region with the given key type in each one-second interval.
+ *Cryptographic operations (symmetric) request rate* is the shared request quota for cryptographic operations using symmetric KMS keys in an account and region. This quota applies to cryptographic operations with symmetric encryption keys and HMAC keys, which are also symmetric.
For example, you might be using [symmetric KMS keys](symm-asymm-choose-key-spec.md#symmetric-cmks) in an AWS Region with a shared quota of 10,000 requests per second. When you make 7,000 [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) requests per second and 2,000 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests per second, AWS KMS doesn't throttle your requests. However, when you make 9,500 `GenerateDataKey` requests and 1,000 [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) and requests per second, AWS KMS throttles your requests because they exceed the shared quota.
Cryptographic operations on the [symmetric encryption KMS keys](symm-asymm-choose-key-spec.md#symmetric-cmks) in a [custom key store](key-store-overview.md#custom-key-store-overview) count toward both the *Cryptographic operations (symmetric) request rate* for the account and the [custom key store request quota](#rps-key-stores) for the custom key store.
+ *Cryptographic operations (RSA) request rate* is the shared request quota for cryptographic operations using [RSA asymmetric KMS keys](symm-asymm-choose-key-spec.md#key-spec-rsa).
For example, with a request quota of 1,000 operations per second, you can make 400 [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) requests and 200 [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests with RSA KMS keys that can encrypt and decrypt, plus 250 [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) requests and 150 [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) requests with RSA KMS keys that can sign and verify.
+ *Cryptographic operations (ECC) request rate* is the shared request quota for cryptographic operations using [elliptic curve (ECC) asymmetric KMS keys](symm-asymm-choose-key-spec.md#key-spec-ecc) and [SM asymmetric KMS keys](symm-asymm-choose-key-spec.md#key-spec-sm).
For example, with a request quota of 1,000 operations per second, you can make 400 Sign requests and 200 Verify requests with ECC KMS keys that can sign and verify, plus 250 [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) requests and 150 [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) requests with SM2 KMS keys that can sign and verify.
+ *Custom key store request quota* is the shared request quota for cryptographic operations on KMS keys in a custom key store. This quota is calculated separately for each custom key store.
Cryptographic operations on the [symmetric encryption KMS keys](symm-asymm-choose-key-spec.md#symmetric-cmks) in a [custom key store](key-store-overview.md#custom-key-store-overview) count toward both the *Cryptographic operations (symmetric) request rate* for the account and the [custom key store request quota](#rps-key-stores) for the custom key store.
The quotas for different key types are also calculated independently. For example, in the Asia Pacific (Singapore) Region, if you use both symmetric and asymmetric KMS keys, you can make up to 10,000 calls per second with symmetric KMS keys (including HMAC keys) *plus* up to 500 additional calls per second with your RSA asymmetric KMS keys, *plus* up to 300 additional requests per second with your ECC-based KMS keys.
## API requests made on your behalf
You can make API requests directly or by using an integrated AWS service that makes API requests to AWS KMS on your behalf. The quota applies to both kinds of requests.
For example, you might store data in Amazon S3 using server-side encryption with a KMS key (SSE-KMS). Each time you upload or download an S3 object that's encrypted with SSE-KMS, Amazon S3 makes a `GenerateDataKey` (for uploads) or `Decrypt` (for downloads) request to AWS KMS on your behalf. These requests count toward your quota, so AWS KMS throttles the requests if you exceed a combined total of 5,500 (or 10,000 or 50,000 depending upon your AWS Region) uploads or downloads per second of S3 objects encrypted with SSE-KMS.
## Cross-account requests
When an application in one AWS account uses a KMS key owned by a different account, it's known as a *cross-account request*. For cross-account requests, AWS KMS throttles the account that makes the requests, not the account that owns the KMS key. For example, if an application in account A uses a KMS key in account B, the KMS key use applies only to the quotas in account A.
## Custom key store request quotas
AWS KMS maintains request quotas for [cryptographic operations](kms-cryptography.md#cryptographic-operations) on the KMS keys in a [custom key store](key-store-overview.md#custom-key-store-overview). These request quotas are calculated separately for each custom key store.
| Custom key store request quota | Default value (requests per second) for each custom key store | Adjustable |
| --- | --- | --- |
| [AWS CloudHSM key store](keystore-cloudhsm.md) request quota | 1800 | No |
| [External key store](keystore-external.md) request quota | 1800 | No |
**Note**
AWS KMS [custom key store request quotas](#rps-key-stores) do not appear in the Service Quotas console. You cannot view or manage these quotas by using Service Quotas API operations.
If the AWS CloudHSM cluster associated with an AWS CloudHSM key store is processing numerous commands, including those unrelated to the custom key store, you might get an AWS KMS `ThrottlingException` at a lower-than-expected rate. If this occurs, lower your request rate to AWS KMS, reduce the unrelated load, or use a dedicated AWS CloudHSM cluster for your AWS CloudHSM key store.
AWS KMS reports throttling of external key store requests in the [`ExternalKeyStoreThrottle`](monitoring-cloudwatch.md#metric-throttling) CloudWatch metric. You can use this metric to view throttling patterns, create alarms, and adjust your external key store request quota.
A request for a [cryptographic operation](kms-cryptography.md#cryptographic-operations) on a KMS key in a custom key store counts toward two quotas:
+ Cryptographic operations (symmetric) request rate quota (per account)
Requests for cryptographic operations on KMS keys in a custom key store count toward the `Cryptographic operations (symmetric) request rate` quota for each AWS account and Region. For example, in US East (N. Virginia) (us-east-1), each AWS account can have up to 100,000 requests per second on symmetric encryption KMS keys, including requests that use a KMS key in a custom key store.
+ Custom key store request quota (per custom key store)
Requests for cryptographic operations on KMS keys in a custom key store also count toward a `Custom key store request quota` of 1,800 operations per second. These quotas are calculated separately for each custom key store. They might include requests from multiple AWS accounts that use KMS keys in the custom key store.
For example, an [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) operation on a KMS key in a custom key store (either type) in the US East (N. Virginia) (us-east-1) Region counts toward the `Cryptographic operations (symmetric) request rate` account-level quota (100,000 requests per second) for its account and Region, and toward a `Custom key store request quota` (1,800 requests per second) for its custom key store. However, a request for a management operation, such as [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html), on a KMS key in a custom key store applies only to its account-level quota (15 requests per second).
# Throttling AWS KMS requests
To ensure that AWS KMS can provide fast and reliable responses to API requests from all customers, it throttles API requests that exceed certain boundaries.
*Throttling* occurs when AWS KMS rejects a request that might otherwise be valid, and returns a `ThrottlingException` error like the following one.
```
You have exceeded the rate at which you may call KMS. Reduce the frequency of your calls.
(Service: AWSKMS; Status Code: 400; Error Code: ThrottlingException; Request ID:
```
AWS KMS throttles requests for the following conditions.
+ The rate of requests per second exceeds the AWS KMS [request quota](requests-per-second.md) for an account and Region.
For example, if users in your account submit 1000 `DescribeKey` requests in a second, AWS KMS throttles all subsequent `DescribeKey` requests in that second.
To respond to throttling, use a [backoff and retry strategy](https://docs.aws.amazon.com/general/latest/gr/api-retries.html). This strategy is implemented automatically for HTTP 400 errors in some AWS SDKs.
+ A burst or sustained high rate of requests to change the state of the same KMS key. This condition is often known as a "hot key."
For example, if an application in your account sends a persistent volley of `EnableKey` and `DisableKey` requests for the same KMS key, AWS KMS throttles the requests. This throttling occurs even if the requests don't exceed the request-per-second request limit for the `EnableKey` and `DisableKey` operations.
To respond to throttling, adjust your application logic so it makes only required requests or it consolidates the requests of multiple functions.
+ Requests for operations on KMS keys in a [AWS CloudHSM key store](requests-per-second.md#rps-key-stores) might be throttled at a lower-than-expected rate when the AWS CloudHSM cluster associated with the AWS CloudHSM key store is processing numerous commands, including those unrelated to the AWS CloudHSM key store.
(AWS KMS no longer throttles requests for operations on KMS keys in a AWS CloudHSM key store when there are no available PKCS \$111 sessions for the AWS CloudHSM cluster. Instead, it throws a `KMSInternalException` and recommends that you retry your request.)
To view trends in your request rates, use the [Service Quotas console](https://console.aws.amazon.com/servicequotas). You can also create an [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/) alarm that alerts you when your request rate reaches a certain percentage of a quota value. For details, see [Manage your AWS KMS API request rates using Service Quotas and Amazon CloudWatch](https://aws.amazon.com/blogs/security/manage-your-aws-kms-api-request-rates-using-service-quotas-and-amazon-cloudwatch/) in the *AWS Security Blog*.
All AWS KMS quotas are adjustable, except for the [on-demand rotation resource quota](resource-limits.md#on-demand-rotation-resource-quota) and the [AWS CloudHSM key store request quota](requests-per-second.md#rps-key-stores). To request a quota increase, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-increase.html) in the *Service Quotas User Guide*. To request a quota decrease, to change a quota that is not listed in Service Quotas, or to change a quota in an AWS Region where Service Quotas for AWS KMS is not available, please visit [AWS Support Center](https://console.aws.amazon.com/support/home) and create a case.
**Note**
AWS KMS [custom key store request quotas](requests-per-second.md#rps-key-stores) do not appear in the Service Quotas console. You cannot view or manage these quotas by using Service Quotas API operations.