Scheduling and canceling key deletion - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Scheduling and canceling key deletion

The following procedures describe how to schedule key deletion and cancel key deletion of single-Region Amazon KMS keys (KMS keys) in Amazon KMS using the Amazon Web Services Management Console, the Amazon CLI, and the Amazon SDK for Java.

For information about scheduling the deletion of multi-Region keys, see Deleting multi-Region keys.

Warning

Deleting a KMS key is destructive and potentially dangerous. You should proceed only when you are sure that you don't need to use the KMS key anymore and won't need to use it in the future. If you are not sure, you should disable the KMS key instead of deleting it.

Before you can delete a KMS key, you must have permission to do so. For information about giving these permissions to key administrators, see Controlling access to key deletion. You can also use the kms:ScheduleKeyDeletionPendingWindowInDays condition key to further constrain the waiting period, such as enforcing a minimum waiting period.

Amazon KMS records an entry in your Amazon CloudTrail log when you schedule deletion of the KMS key and when the KMS key is actually deleted.
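As an added example (not part of the Amazon KMS documentation), the following Python script replays constructed CloudTrail-style ScheduleKeyDeletion and CancelKeyDeletion records to list the keys still pending deletion, who scheduled them, when they will be deleted, and whether the waiting period is shorter than an assumed organisational floor. The record layout (eventName, eventTime, userIdentity.arn, requestParameters.keyId and pendingWindowInDays) and the 30-day floor are assumptions to verify against your own trail; the first record is built so that its deadline matches the DeletionDate in the CLI output on this page (1598304792 = 2020-08-24T21:33:12Z).

```python
import json
from datetime import datetime, timedelta, timezone
MIN_WINDOW_DAYS = 30  # assumed organisational floor; the API accepts 7-30

# Constructed CloudTrail-style records (not real trail output); the second key is cancelled.
SAMPLE_TRAIL = json.loads("""
[
 {"eventTime": "2020-08-14T21:33:12Z", "eventSource": "kms.amazonaws.com",
  "eventName": "ScheduleKeyDeletion",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/key-admin"},
  "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                        "pendingWindowInDays": 10}},
 {"eventTime": "2020-08-15T08:02:41Z", "eventSource": "kms.amazonaws.com",
  "eventName": "ScheduleKeyDeletion",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
  "requestParameters": {"keyId": "0987dcba-09fe-87dc-65ba-ab0987654321"}},
 {"eventTime": "2020-08-15T09:30:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "CancelKeyDeletion",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/key-admin"},
  "requestParameters": {"keyId": "0987dcba-09fe-87dc-65ba-ab0987654321"}}
]
""")

def _utc(timestamp):
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pending_deletions(records, min_window_days=MIN_WINDOW_DAYS):
    """Replay schedule/cancel events in time order; return keys still pending
    deletion with the scheduling principal, the deadline and a floor flag."""
    pending = {}
    for event in sorted(records, key=lambda r: r["eventTime"]):
        if event.get("eventSource") != "kms.amazonaws.com":
            continue
        params = event.get("requestParameters") or {}
        key_id = params.get("keyId")
        if event["eventName"] == "ScheduleKeyDeletion":
            days = int(params.get("pendingWindowInDays", 30))  # API default is 30
            pending[key_id] = {
                "scheduled_by": event["userIdentity"]["arn"],
                "window_days": days,
                "deadline": (_utc(event["eventTime"]) + timedelta(days=days)).isoformat(),
                "below_floor": days < min_window_days,
            }
        elif event["eventName"] == "CancelKeyDeletion":
            pending.pop(key_id, None)  # key returns to Disabled; no longer at risk
    return pending

if __name__ == "__main__":
    for key_id, info in pending_deletions(SAMPLE_TRAIL).items():
        print(key_id, info["deadline"], "BELOW FLOOR" if info["below_floor"] else "ok")
```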

Scheduling and canceling key deletion (console)

In the Amazon Web Services Management Console, you can schedule and cancel the deletion of multiple KMS keys at one time.

To schedule key deletion
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

    You cannot schedule the deletion of Amazon managed keys or Amazon owned keys.

  4. Choose the check box next to the KMS key that you want to delete.

  5. Choose Key actions, Schedule key deletion.

  6. Read and consider the warning, and the information about canceling the deletion during the waiting period. If you decide to cancel the deletion, at the bottom of the page, choose Cancel.

  7. For Waiting period (in days), enter a number of days between 7 and 30.

  8. Review the KMS keys that you are deleting.

  9. Choose the check box next to Confirm you want to schedule this key for deletion in <number of days> days.

  10. Choose Schedule deletion.

The KMS key status changes to Pending deletion.

To cancel key deletion
  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose the check box next to the KMS key that you want to recover.

  5. Choose Key actions, Cancel key deletion.

The KMS key status changes from Pending deletion to Disabled. To use the KMS key, you must enable it.

Scheduling and canceling key deletion (Amazon CLI)

Use the aws kms schedule-key-deletion command to schedule key deletion of a customer managed key, as shown in the following example.

You cannot schedule the deletion of an Amazon managed key or Amazon owned key.

$ aws kms schedule-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --pending-window-in-days 10

When used successfully, the Amazon CLI returns output like the output shown in the following example:

{
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "DeletionDate": 1598304792.0,
    "KeyState": "PendingDeletion",
    "PendingWindowInDays": 10
}

Use the aws kms cancel-key-deletion command to cancel key deletion from the Amazon CLI as shown in the following example.

$ aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

When used successfully, the Amazon CLI returns output like the output shown in the following example:

{
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

The status of the KMS key changes from Pending Deletion to Disabled. To use the KMS key, you must enable it.

Scheduling and canceling key deletion (Amazon SDK for Java)

The following example demonstrates how to schedule the deletion of a customer managed key with the Amazon SDK for Java. This example requires that you previously instantiated an AWSKMSClient as kms.

import com.amazonaws.services.kms.model.ScheduleKeyDeletionRequest;

String KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
int PendingWindowInDays = 10; // waiting period, 7-30 days

ScheduleKeyDeletionRequest scheduleKeyDeletionRequest = new ScheduleKeyDeletionRequest()
    .withKeyId(KeyId)
    .withPendingWindowInDays(PendingWindowInDays);
kms.scheduleKeyDeletion(scheduleKeyDeletionRequest); // key state becomes PendingDeletion

The following example demonstrates how to cancel key deletion with the Amazon SDK for Java. This example requires that you previously instantiated an AWSKMSClient as kms.

import com.amazonaws.services.kms.model.CancelKeyDeletionRequest;

String KeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

CancelKeyDeletionRequest cancelKeyDeletionRequest = new CancelKeyDeletionRequest()
    .withKeyId(KeyId);
kms.cancelKeyDeletion(cancelKeyDeletionRequest); // key state becomes Disabled; enable the key before use

The status of the KMS key changes from Pending Deletion to Disabled. To use the KMS key, you must enable it.