Alibaba Cloud Key Management Service (KMS) provides server-side encryption with default keys at no additional cost. If default keys suffice for your needs, there is no need to purchase a separate KMS instance. However, for custom encryption solutions, secrets management, or key lifecycle control, purchasing a software or hardware KMS instance is necessary. This topic describes the billing methods, cycles, items, expiration details, and renewal information for KMS instances.
This topic addresses subscription fees only. For information on pay-as-you-go fees, see Pay-as-you-go.
Billing description
Billing method
Subscription
Billing cycle
Billing cycles are based on UTC+8, starting immediately upon purchase or renewal of a KMS instance and concluding at midnight on the expiration date.
Billable items
Fees for KMS instances are as follows:
Software Key Management Instance | Hardware Key Management Instance |
USD 500 per month | USD 1,799 per month |
Default specifications for KMS instances are as follows:
Billable items | Description | Software Key Management Instance | Hardware Key Management Instance |
Deployment mode | KMS instances support dual-zone or multi-zone configurations to achieve high availability, disaster recovery, and load balancing. Note
For the number of zones in each region, see Regions and access addresses. | Dual-zone | Dual-zone |
Computing performance | The QPS for encryption and decryption operations processed by the KMS instance. For QPS data of different cryptographic operations, see Performance data. | 1,000 | 2,000 |
Number of keys | The key quota for the KMS instance. If a key supports rotation, each new version generated by the rotation also consumes quota. For example, a key with two versions consumes two quotas. | 1,000 | 1,000 |
Number of secrets | The secret quota for the KMS instance. If a secret supports rotation, each new version generated by the rotation does not consume quota. For example, a secret with two versions consumes one quota. | 0 | 0 |
Access management quantity | This quota includes two parts:
For example, if you want to associate the KMS instance with three VPCs and share the instance with two Alibaba Cloud accounts, specify a value of 5 to meet your business requirements. The default quota is one, allowing only the VPC bound to the KMS instance access to KMS resources. | 1 | 1 |
Log service | Based on Alibaba Cloud Simple Log Service, it provides log query and analysis for KMS instances, and supports storing access logs for up to 180 days. Typically, each request log occupies about 1 KB of storage. If your average request volume is 100 Queries Per Second (QPS), then the storage space required for one day's logs is about 8.2 GB (100 × 60 × 60 × 24 × 1 = 8,640,000 KB). With a default retention period of 180 days, the log storage capacity is 1,476 GB (8.2 × 180). When you enable the log service, you can choose a log storage capacity of 2,000 GB. | Disable | Disable |
If the default specifications do not meet your requirements, you can purchase additional resources. These include enhanced computing performance, additional keys, secrets, access management, and log service. Additional resource fees are as follows:
Billable Items | Software Key Management Instance | Hardware Key Management Instance |
Deployment Mode |
|
|
Computing Performance |
|
|
Number of Keys | Every 10 keys: USD 9 per month. Incremental purchase: 10. Maximum quota: 100,000. | Not available. |
Number of Secrets | Every 100 secrets: USD 50 per month. Incremental purchase: 100. Maximum quota: 100,000. | Every 100 secrets: USD 50 per month. Incremental purchase: 100. Maximum quota: 100,000. |
Access Management | Each multi-account: USD 5 per month. Incremental purchase: 1. Maximum quota: 1,000. | Each multi-account: USD 125 per month. Incremental purchase: 1. Maximum quota: 1,000. |
Log Service | Each 1,000 GB of storage: USD 80 per month. Incremental purchase: 1,000. Maximum quota: 500,000. | Each 1,000 GB of storage: USD 80 per month. Incremental purchase: 1,000. Maximum quota: 500,000. |
Overdue payments
Since the subscription billing method involves prepaid plans, either annual or monthly, overdue payments are not applicable. Ensure your account balance is topped up in advance to facilitate operations such as purchasing new instances, upgrading configurations, or renewing existing instances.
Expiration description
Visit the Instances page to check the Remaining Subscription Period date of your KMS instance. We recommend renewing your instance before its expiration to avoid any disruption to your services.
Instance Expiration Status | Description |
Before expiration | Alibaba Cloud sends you email notifications 7 days, 3 days, and 1 day before the expiration of the KMS instance. The emails serve as a reminder to renew the KMS instance. |
Within 15 calendar days after expiration | The configurations of the KMS instance are retained, including keys and secrets. However, the keys and secrets can no longer be used. After you renew the KMS instance, the keys and secrets can once again be used. |
16 days after expiration | The KMS instance is released. Your keys and secrets are deleted and cannot be restored. We recommend that you back up data in advance and take note of the backup's expiration time. For more information, see Backup Management. Warning If you do not back up your keys and secrets, or if the backup data expires, then the keys and secrets will be permanently lost after expiration and deletion. Therefore, make sure to back up your data to avoid any impact on your business. |
Refunds
Partial refunds for KMS instances are available if they are in the Disabled or Enabled state. Pending renewal orders may also be canceled.
Before canceling a KMS instance, familiarize yourself with the unsubscription rules, precautions, and cases. For more information, see Rules for unsubscribing from resources (International site).
To unsubscribe from a KMS instance, use the Expenses and Costs console or submit a ticket. For details on the unsubscription process, see Methods for unsubscribing resources. For information on the refund process after unsubscription, see Refund flow.
View billing and usage details
To review and export KMS billing and usage details, access the Expenses and Costs console. For more information, see Billing details and Usage records.
Renewal description
For instructions on renewing a resource via the Expenses and Costs console, see Renewal guide. To renew an instance in the KMS console, follow these steps:
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
Select the Software Key Management or Hardware Key Management tab, locate the instance you want to renew, and click Actions in the Renew column.
On the KMS (International) | Renew page, set the Duration, agree to the Terms of Service, and proceed.
Click Buy Now and complete the payment.