Schedule key deletion
The following procedures describe how to schedule key deletion and cancel key deletion of Amazon KMS keys (KMS keys) in Amazon KMS using the Amazon Web Services Management Console and the Amazon KMS API.
Warning
Deleting a KMS key is destructive and potentially dangerous. You should proceed only when you are sure that you don't need to use the KMS key anymore and won't need to use it in the future. If you are not sure, you should disable the KMS key instead of deleting it.
Before you can delete a KMS key, you must have permission to do so. For information about giving these permissions to key administrators, see Control access to key deletion. You can also use the kms:ScheduleKeyDeletionPendingWindowInDays condition key to further constrain the waiting period, such as enforcing a minimum waiting period.
Amazon KMS records an entry in your Amazon CloudTrail log when you schedule deletion of the KMS key and when the KMS key is actually deleted.
In the Amazon Web Services Management Console, you can schedule and cancel the deletion of multiple KMS keys at one time.
To schedule key deletion
-
Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms
. -
To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
-
In the navigation pane, choose Customer managed keys.
You cannot schedule the deletion of Amazon managed keys or Amazon owned keys.
-
Choose the check box next to the KMS key that you want to delete.
-
Choose Key actions, Schedule key deletion.
-
Read and consider the warning, and the information about canceling the deletion during the waiting period. If you decide to cancel the deletion, at the bottom of the page, choose Cancel.
-
For Waiting period (in days), enter a number of days between 7 and 30.
-
Review the KMS keys that you are deleting.
-
Choose the check box next to Confirm you want to schedule this key for deletion in
<number of days>
days.. -
Choose Schedule deletion.
The KMS key status changes to Pending deletion.
Use the aws kms
schedule-key-deletion
command to schedule key deletion of a customer managed key, as shown in the following example.
You cannot schedule the deletion of an Amazon managed key or Amazon owned key.
$ aws kms schedule-key-deletion --key-id
1234abcd-12ab-34cd-56ef-1234567890ab
--pending-window-in-days 10
When used successfully, the Amazon CLI returns output like the output shown in the following example:
{ "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "DeletionDate": 1598304792.0, "KeyState": "PendingDeletion", "PendingWindowInDays": 10 }