DeleteExpiredKeyMaterial - Amazon Key Management Service

When you import key material into an Amazon KMS key (KMS key), you can set an expiration date and time for that key material. Amazon KMS records an entry in your CloudTrail log when you import the key material (with the expiration settings) and when Amazon KMS deletes the expired key material. For information about creating a KMS key with imported key material, see Importing key material for Amazon KMS keys.

The following example shows an Amazon CloudTrail log entry generated when Amazon KMS deletes the expired key material.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "Amazon Internal"
    },
    "eventTime": "2021-01-01T16:00:00Z",
    "eventSource": "",
    "eventName": "DeleteExpiredKeyMaterial",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "Amazon Internal",
    "userAgent": "Amazon Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "cfa932fd-0d3a-4a76-a8b8-616863a2b547",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    }
}
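The following Python sketch is an added example, not code from this documentation. It scans a CloudTrail log file for the service event shown above and reports which keys lost their imported key material. The function name `find_expired_key_material`, the `critical_keys` watchlist, and the second key ID in the sample are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

def _event(name, etype, time, key_id, details=True):
    # Builds a constructed CloudTrail record shaped like the entry on this page.
    arn = f"arn:aws:kms:us-west-2:111122223333:key/{key_id}"
    return {"eventName": name, "eventType": etype, "eventTime": time,
            "resources": [{"accountId": "111122223333",
                           "type": "AWS::KMS::Key", "ARN": arn}],
            "serviceEventDetails": {"keyId": key_id} if details else None}

PAGE_KEY = "1234abcd-12ab-34cd-56ef-1234567890ab"   # key ID from the page's example
OTHER_KEY = "0987dcba-09fe-87dc-65ba-ab0987654321"  # constructed key ID

# Constructed sample log file (CloudTrail delivers records under "Records").
SAMPLE_LOG = json.dumps({"Records": [
    _event("Decrypt", "AwsApiCall", "2021-01-01T15:59:00Z", PAGE_KEY, details=False),
    _event("DeleteExpiredKeyMaterial", "AwsServiceEvent", "2021-01-01T16:00:00Z", PAGE_KEY),
    _event("DeleteExpiredKeyMaterial", "AwsServiceEvent", "2021-01-01T12:00:00Z",
           OTHER_KEY, details=False),
]})

def find_expired_key_material(log_text, critical_keys=frozenset()):
    """Return findings, oldest first, for keys whose imported material was deleted."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        # Match the service-generated event only; it is not a caller API call.
        if (rec.get("eventName"), rec.get("eventType")) != (
                "DeleteExpiredKeyMaterial", "AwsServiceEvent"):
            continue
        arns = [r.get("ARN", "") for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"]
        # Prefer serviceEventDetails.keyId; fall back to the key ID in the ARN.
        key_id = (rec.get("serviceEventDetails") or {}).get("keyId")
        if not key_id and arns:
            key_id = arns[0].rsplit("/", 1)[-1]
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        findings.append({"key_id": key_id, "arn": arns[0] if arns else None,
                         "deleted_at": when.replace(tzinfo=timezone.utc),
                         "severity": "high" if key_id in critical_keys else "info"})
    return sorted(findings, key=lambda f: f["deleted_at"])

if __name__ == "__main__":
    for f in find_expired_key_material(SAMPLE_LOG, {PAGE_KEY}):
        print(f["deleted_at"].isoformat(), f["severity"], f["key_id"], f["arn"])
```

Because the event is generated by the service and has null `requestParameters`, the key is identified from `serviceEventDetails` or the `resources` ARN rather than from request fields.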