Scheduling deletion of KMS keys from an external key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Scheduling deletion of KMS keys from an external key store

When you are certain that you will not need to use an Amazon KMS key for any cryptographic operation, you can schedule the deletion of the KMS key. Use the same procedure that you would use to schedule the deletion of any KMS key from Amazon KMS. Deleting a KMS key from an external key store has no effect on the external key that served as its key material.

You can cancel the scheduled deletion of a KMS key during its mandatory waiting period. However, a deleted KMS key not recoverable. You cannot recreate a symmetric encryption KMS key in an external key store, even you use the same external key. Because each symmetric KMS key in an external key store has unique Amazon KMS key material and metadata, only the Amazon KMS key that encrypted a symmetric ciphertext can decrypt it.

Warning

Deleting a KMS key is a destructive and potentially dangerous operation that prevents you from recovering all data encrypted under the KMS key. Before scheduling deletion of the KMS key, examine past usage of the KMS key and create a Amazon CloudWatch alarm that alerts you when someone tries to use the KMS key while it is pending deletion. Whenever possible, disable the KMS key, instead of deleting it.

When you schedule deletion of a KMS key from an external key store, its key state changes to Pending deletion. The KMS key remains in the Pending deletion state throughout the waiting period, even if the KMS key becomes unavailable because you have disconnected the external key store. This allows you to cancel the deletion of the KMS key at any time during the waiting period. When the waiting period expires, Amazon KMS deletes the KMS key from Amazon KMS.

When you schedule the deletion of a KMS key from an external key store, the KMS key becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such to decrypt the data key. This issue affects Amazon Web Services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.

You can monitor the scheduling, cancellation, and deletion of the KMS key in your Amazon CloudTrail logs.