Deleting an Amazon CloudHSM key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Deleting an Amazon CloudHSM key store

When you delete an Amazon CloudHSM key store, Amazon KMS deletes all metadata about the Amazon CloudHSM key store from KMS, including information about its association with an Amazon CloudHSM cluster. This operation does not affect the Amazon CloudHSM cluster, its HSMs, or its users. You can create a new Amazon CloudHSM key store that is associated with the same Amazon CloudHSM cluster, but you cannot undo the delete operation.

You can only delete an Amazon CloudHSM key store that is disconnected from its Amazon CloudHSM cluster and does not contain any Amazon KMS keys. Before you delete a custom key store, do the following.

Instead of deleting the Amazon CloudHSM key store, consider disconnecting it from its associated Amazon CloudHSM cluster. While an Amazon CloudHSM key store is disconnected, you can manage the Amazon CloudHSM key store and its Amazon KMS keys. But you cannot create or use KMS keys in the Amazon CloudHSM key store. You can reconnect the Amazon CloudHSM key store at any time.

Delete an Amazon CloudHSM key store (console)

To delete an Amazon CloudHSM key store in the Amazon Web Services Management Console, begin by selecting the Amazon CloudHSM key store from the Custom key stores page.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Custom key stores, Amazon CloudHSM key stores.

  4. Find the row that represents the Amazon CloudHSM key store that you want to delete. If the Connection state of the Amazon CloudHSM key store is not Disconnected, you must disconnect the Amazon CloudHSM key store before you delete it.

  5. From the Key store actions menu, choose Delete.

When the operation completes, a success message appears and the Amazon CloudHSM key store no longer appears in the key stores list. If the operation is unsuccessful, an error message appears that describes the problem and provides help on how to fix it. If you need more help, see Troubleshooting a custom key store.

Delete an Amazon CloudHSM key store (API)

To delete an Amazon CloudHSM key store, use the DeleteCustomKeyStore operation. If the operation is successful, Amazon KMS returns an HTTP 200 response and a JSON object with no properties.

To begin, verify that the Amazon CloudHSM key store does not contain any Amazon KMS keys. You cannot delete a custom key store that contains KMS keys. The first example command uses ListKeys and DescribeKey to search for Amazon KMS keys in the Amazon CloudHSM key store with the example custom key store ID cks-1234567890abcdef0. In this case, the command does not return any KMS keys. If it does, use the ScheduleKeyDeletion operation to schedule deletion of each of the KMS keys.

Bash
# Describe every key in the account and print the ones whose metadata names this key store
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text); do aws kms describe-key --key-id "$key" | grep --context 100 '"CustomKeyStoreId": "cks-1234567890abcdef0"'; done
PowerShell
PS C:\> Get-KMSKeyList | Get-KMSKey | where CustomKeyStoreId -eq 'cks-1234567890abcdef0'

Next, disconnect the Amazon CloudHSM key store. This example command uses the DisconnectCustomKeyStore operation to disconnect an Amazon CloudHSM key store from its Amazon CloudHSM cluster. Before running this command, replace the example custom key store ID with a valid one.

Bash
$ aws kms disconnect-custom-key-store --custom-key-store-id cks-1234567890abcdef0
PowerShell
PS C:\> Disconnect-KMSCustomKeyStore -CustomKeyStoreId cks-1234567890abcdef0

After the custom key store is disconnected, you can use the DeleteCustomKeyStore operation to delete it.

Bash
$ aws kms delete-custom-key-store --custom-key-store-id cks-1234567890abcdef0
PowerShell
PS C:\> Remove-KMSCustomKeyStore -CustomKeyStoreId cks-1234567890abcdef0
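The three steps above (confirm the key store holds no KMS keys, disconnect it, then delete it) as one script, an added example that is not part of Amazon's documentation or SDK. It assumes boto3 is installed and credentials are configured for a live run (`--live`); the key store ID is the page's example value cks-1234567890abcdef0, and FakeKms is a constructed in-memory stand-in for the KMS client so the script also runs offline. Unlike the grep one-liner on the page, the key check follows ListKeys pagination and refuses to call DeleteCustomKeyStore while any key, including one pending deletion, still belongs to the store.

```python
"""Preflight check and teardown for an AWS CloudHSM key store (added example)."""
import time

KEY_STORE_ID = "cks-1234567890abcdef0"  # example ID from the page; replace with yours


def keys_in_key_store(kms, key_store_id):
    """Return [(KeyId, KeyState)] for every KMS key that lives in key_store_id.
    Follows ListKeys pagination (Truncated/NextMarker) and inspects each key with
    DescribeKey. Keys in PendingDeletion still count: DeleteCustomKeyStore fails
    while any key exists, so they must finish their waiting period first."""
    found, marker = [], None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta.get("CustomKeyStoreId") == key_store_id:
                found.append((meta["KeyId"], meta["KeyState"]))
        if not page.get("Truncated"):
            return found
        marker = page["NextMarker"]


def connection_state(kms, key_store_id):
    """ConnectionState of one key store, from DescribeCustomKeyStores."""
    resp = kms.describe_custom_key_stores(CustomKeyStoreId=key_store_id)
    return resp["CustomKeyStores"][0]["ConnectionState"]


def delete_key_store(kms, key_store_id, timeout=300, poll=5, sleep=time.sleep):
    """Disconnect (if needed), wait for DISCONNECTED, then delete.
    Returns the list of mutating API actions taken; raises RuntimeError before
    touching the key store if any KMS key still belongs to it."""
    remaining = keys_in_key_store(kms, key_store_id)
    if remaining:
        raise RuntimeError(f"{key_store_id} still holds KMS keys: {remaining}")
    actions = []
    state = connection_state(kms, key_store_id)
    if state not in ("DISCONNECTED", "DISCONNECTING"):
        kms.disconnect_custom_key_store(CustomKeyStoreId=key_store_id)
        actions.append("disconnect")
    deadline = time.monotonic() + timeout
    while state != "DISCONNECTED":  # disconnecting is asynchronous; poll until done
        if time.monotonic() > deadline:
            raise TimeoutError(f"{key_store_id} is {state}, not DISCONNECTED")
        sleep(poll)
        state = connection_state(kms, key_store_id)
    kms.delete_custom_key_store(CustomKeyStoreId=key_store_id)
    actions.append("delete")
    return actions


class FakeKms:
    """Constructed in-memory stand-in for a boto3 KMS client (offline demo only).
    Serves ListKeys one key per page and moves a DISCONNECTING store to
    DISCONNECTED once DescribeCustomKeyStores has been polled a few times."""

    def __init__(self, store_id, keys, state):
        self.store_id, self.keys, self.state = store_id, keys, state
        self.calls = []

    def list_keys(self, Marker=None, **_):
        ids = sorted(self.keys)
        i = ids.index(Marker) if Marker else 0
        resp = {"Keys": [{"KeyId": ids[i]}] if ids else [], "Truncated": i + 1 < len(ids)}
        if resp["Truncated"]:
            resp["NextMarker"] = ids[i + 1]
        return resp

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, **self.keys[KeyId]}}

    def describe_custom_key_stores(self, CustomKeyStoreId):
        self.calls.append("describe")
        if self.state == "DISCONNECTING" and self.calls.count("describe") >= 3:
            self.state = "DISCONNECTED"
        return {"CustomKeyStores": [{"CustomKeyStoreId": CustomKeyStoreId,
                                     "ConnectionState": self.state}]}

    def disconnect_custom_key_store(self, CustomKeyStoreId):
        self.calls.append("disconnect")
        self.state = "DISCONNECTING"

    def delete_custom_key_store(self, CustomKeyStoreId):
        # Mirrors the service's refusal: must be DISCONNECTED and hold no keys.
        if self.state != "DISCONNECTED" or any(
                m.get("CustomKeyStoreId") == CustomKeyStoreId for m in self.keys.values()):
            raise RuntimeError("CustomKeyStoreInvalidStateException/CustomKeyStoreHasCMKsException")
        self.calls.append("delete")


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # assumed installed and configured; the calls below are real
        client, sleep = boto3.client("kms"), time.sleep
    else:  # offline demonstration against the constructed fake
        client = FakeKms(KEY_STORE_ID, {"k2": {"KeyState": "Enabled"}}, "CONNECTED")
        sleep = lambda _: None
    print("keys in store:", keys_in_key_store(client, KEY_STORE_ID))
    print("actions:", delete_key_store(client, KEY_STORE_ID, sleep=sleep))
```

Run without arguments to watch the fake walk through disconnect, polling and delete; run with `--live` only after reviewing that the key list printed first is empty, since the script stops before any mutating call when it is not.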