Scheduling deletion of KMS keys from an Amazon CloudHSM key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Scheduling deletion of KMS keys from an Amazon CloudHSM key store

When you are certain that you will not need to use an Amazon KMS key for any cryptographic operation, you can schedule the deletion of the KMS key. Use the same procedure that you would use to schedule the deletion of any KMS key from Amazon KMS. In addition, keep your Amazon CloudHSM key store connected so Amazon KMS can delete the corresponding key material from the associated Amazon CloudHSM cluster when the waiting period expires.

You can monitor the scheduling, cancellation, and deletion of the KMS key in your Amazon CloudTrail logs.

Warning

Deleting a KMS key is a destructive and potentially dangerous operation that prevents you from recovering all data encrypted under the KMS key. Before scheduling deletion of the KMS key, examine past usage of the KMS key and create a Amazon CloudWatch alarm that alerts you when someone tries to use the KMS key while it is pending deletion. Whenever possible, disable the KMS key, instead of deleting it.

When you schedule deletion of a KMS key from an Amazon CloudHSM key store, its key state changes to Pending deletion. The KMS key remains in the Pending deletion state throughout the waiting period, even if the KMS key becomes unavailable because you have disconnected the custom key store. This allows you to cancel the deletion of the KMS key at any time during the waiting period.

When the waiting period expires, Amazon KMS deletes the KMS key from Amazon KMS. Then Amazon KMS makes a best effort to delete the key material from the associated Amazon CloudHSM cluster. If Amazon KMS cannot delete the key material, such as when the key store is disconnected from Amazon KMS, you might need to manually delete the orphaned key material from the cluster.

Amazon KMS does not delete the key material from cluster backups. Even if you delete the KMS key from Amazon KMS and delete its key material from your Amazon CloudHSM cluster, clusters created from backups might contain the deleted key material. To permanently delete the key material view the creation date of the KMS key. Then delete all cluster backups that might contain the key material.

When you schedule the deletion of a KMS key from an Amazon CloudHSM key store, the KMS key becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such to decrypt the data key. This issue affects Amazon Web Services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.