All Products
Search
Document Center

Key Management Service:Billing

Last Updated:Jan 10, 2025

Alibaba Cloud Key Management Service (KMS) provides server-side encryption with default keys at no additional cost. If default keys suffice for your needs, there is no need to purchase a separate KMS instance. However, for custom encryption solutions, secrets management, or key lifecycle control, purchasing a software or hardware KMS instance is necessary. This topic describes the billing methods, cycles, items, expiration details, and renewal information for KMS instances.

Note

This topic addresses subscription fees only. For information on pay-as-you-go fees, see Pay-as-you-go.

Billing description

Billing method

Subscription

Billing cycle

Billing cycles are based on UTC+8, starting immediately upon purchase or renewal of a KMS instance and concluding at midnight on the expiration date.

Billable items

Fees for KMS instances are as follows:

Software Key Management Instance

Hardware Key Management Instance

USD 500 per month

USD 1,799 per month

Default specifications for KMS instances are as follows:

Billable items

Description

Software Key Management Instance

Hardware Key Management Instance

Deployment mode

KMS instances support dual-zone or multi-zone configurations to achieve high availability, disaster recovery, and load balancing.

Note
  • Philippines (Manila) and Thailand (Bangkok) provide only a single zone, so the KMS instance can only be deployed in a single zone. In this case, the default deployment mode is single zone.

  • When you select multi-zone, you can configure up to three zones.

For the number of zones in each region, see Regions and access addresses.

Dual-zone

Dual-zone

Computing performance

The QPS for encryption and decryption operations processed by the KMS instance. For QPS data of different cryptographic operations, see Performance data.

1,000

2,000

Number of keys

The key quota for the KMS instance.

If a key supports rotation, each new version generated by the rotation also consumes quota. For example, a key with two versions consumes two quotas.

1,000

1,000

Number of secrets

The secret quota for the KMS instance.

If a secret supports rotation, each new version generated by the rotation does not consume quota. For example, a secret with two versions consumes one quota.

0

0

Access management quantity

This quota includes two parts:

  • The number of VPCs that are associated with the KMS instance.

  • The number of Alibaba Cloud accounts with which the KMS instance is shared.

For example, if you want to associate the KMS instance with three VPCs and share the instance with two Alibaba Cloud accounts, specify a value of 5 to meet your business requirements.

The default quota is one, allowing only the VPC bound to the KMS instance access to KMS resources.

1

1

Log service

Based on Alibaba Cloud Simple Log Service, it provides log query and analysis for KMS instances, and supports storing access logs for up to 180 days.

Typically, each request log occupies about 1 KB of storage. If your average request volume is 100 Queries Per Second (QPS), then the storage space required for one day's logs is about 8.2 GB (100 × 60 × 60 × 24 × 1 = 8,640,000 KB). With a default retention period of 180 days, the log storage capacity is 1,476 GB (8.2 × 180). When you enable the log service, you can choose a log storage capacity of 2,000 GB.

Disable

Disable

If the default specifications do not meet your requirements, you can purchase additional resources. These include enhanced computing performance, additional keys, secrets, access management, and log service. Additional resource fees are as follows:

Billable Items

Software Key Management Instance

Hardware Key Management Instance

Deployment Mode

  • Dual-zone: Included in the default fee.

  • Multi-zone: USD 120 per month.

  • Dual-zone: Included in the default fee.

  • Multi-zone: USD 120 per month.

Computing Performance

  • 1,000: Included in the default fee.

  • 2,000: USD 100 per month.

  • 4,000: USD 300 per month.

  • 2,000: Included in the default fee.

  • 4,000: USD 200 per month.

  • 6,000: USD 400 per month.

Number of Keys

Every 10 keys: USD 9 per month.

Incremental purchase: 10.

Maximum quota: 100,000.

Not available.

Number of Secrets

Every 100 secrets: USD 50 per month.

Incremental purchase: 100.

Maximum quota: 100,000.

Every 100 secrets: USD 50 per month.

Incremental purchase: 100.

Maximum quota: 100,000.

Access Management

Each multi-account: USD 5 per month.

Incremental purchase: 1.

Maximum quota: 1,000.

Each multi-account: USD 125 per month.

Incremental purchase: 1.

Maximum quota: 1,000.

Log Service

Each 1,000 GB of storage: USD 80 per month.

Incremental purchase: 1,000.

Maximum quota: 500,000.

Each 1,000 GB of storage: USD 80 per month.

Incremental purchase: 1,000.

Maximum quota: 500,000.

Overdue payments

Since the subscription billing method involves prepaid plans, either annual or monthly, overdue payments are not applicable. Ensure your account balance is topped up in advance to facilitate operations such as purchasing new instances, upgrading configurations, or renewing existing instances.

Expiration description

Visit the Instances page to check the Remaining Subscription Period date of your KMS instance. We recommend renewing your instance before its expiration to avoid any disruption to your services.

Instance Expiration Status

Description

Before expiration

Alibaba Cloud sends you email notifications 7 days, 3 days, and 1 day before the expiration of the KMS instance. The emails serve as a reminder to renew the KMS instance.

Within 15 calendar days after expiration

The configurations of the KMS instance are retained, including keys and secrets. However, the keys and secrets can no longer be used. After you renew the KMS instance, the keys and secrets can once again be used.

16 days after expiration

The KMS instance is released. Your keys and secrets are deleted and cannot be restored.

We recommend that you back up data in advance and take note of the backup's expiration time. For more information, see Backup Management.

Warning

If you do not back up your keys and secrets, or if the backup data expires, then the keys and secrets will be permanently lost after expiration and deletion. Therefore, make sure to back up your data to avoid any impact on your business.

Refunds

Partial refunds for KMS instances are available if they are in the Disabled or Enabled state. Pending renewal orders may also be canceled.

Before canceling a KMS instance, familiarize yourself with the unsubscription rules, precautions, and cases. For more information, see Rules for unsubscribing from resources (International site).

To unsubscribe from a KMS instance, use the Expenses and Costs console or submit a ticket. For details on the unsubscription process, see Methods for unsubscribing resources. For information on the refund process after unsubscription, see Refund flow.

View billing and usage details

To review and export KMS billing and usage details, access the Expenses and Costs console. For more information, see Billing details and Usage records.

Renewal description

For instructions on renewing a resource via the Expenses and Costs console, see Renewal guide. To renew an instance in the KMS console, follow these steps:

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. Select the Software Key Management or Hardware Key Management tab, locate the instance you want to renew, and click Actions in the Renew column.

  3. On the KMS (International) | Renew page, set the Duration, agree to the Terms of Service, and proceed.

  4. Click Buy Now and complete the payment.

FAQs