

# Schedule key deletion
<a name="deleting-keys-scheduling-key-deletion"></a>

The following procedures describe how to schedule key deletion and cancel key deletion of Amazon KMS keys (KMS keys) in Amazon KMS using the Amazon Web Services Management Console and the Amazon KMS API.

**Warning**  
Deleting a KMS key is destructive and potentially dangerous. You should proceed only when you are sure that you don't need to use the KMS key anymore and won't need to use it in the future. If you are not sure, you should [disable the KMS key](enabling-keys.md) instead of deleting it.

Before you can delete a KMS key, you must have permission to do so. For information about giving these permissions to key administrators, see [Control access to key deletion](deleting-keys-adding-permission.md). You can also use the [`kms:ScheduleKeyDeletionPendingWindowInDays`](conditions-kms.md#conditions-kms-schedule-key-deletion-pending-window-in-days) condition key to further constrain the waiting period, such as enforcing a minimum waiting period.

Amazon KMS records an entry in your Amazon CloudTrail log when you [schedule deletion](ct-schedule-key-deletion.md) of the KMS key and when the [KMS key is actually deleted](ct-delete-key.md).

## Using the Amazon KMS console
<a name="deleting-keys-scheduling-key-deletion-console"></a>

In the Amazon Web Services Management Console, you can schedule and cancel the deletion of multiple KMS keys at one time.

**To schedule key deletion**

1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at [https://console.amazonaws.cn/kms](https://console.amazonaws.cn/kms).

1. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**.

   You cannot schedule the deletion of [Amazon managed keys](concepts.md#aws-managed-key) or [Amazon owned keys](concepts.md#aws-owned-key).

1. Choose the checkbox next to the KMS key that you want to delete.

1. Choose **Key actions**, **Schedule key deletion**.

1. Read and consider the warning, and the information about canceling the deletion during the waiting period. The warning includes the number of selected keys that were recently used in cryptographic operations. The table displays a **Last used** column that shows when each KMS key was last used. If you decide to cancel the deletion, at the bottom of the page, choose **Cancel**.

1. For **Waiting period (in days)**, enter a number of days between 7 and 30. 

1. Review the KMS keys that you are deleting.

1. Choose the checkbox next to **I confirm that I want to schedule these keys for deletion. The keys will become immediately unusable for cryptographic operations. After the *<number of days>* day waiting period, the keys will be permanently deleted.**

1. Choose **Schedule deletion**.

The KMS key status changes to **Pending deletion**.

## Using the Amazon KMS API
<a name="deleting-keys-scheduling-key-deletion-cli"></a>

Use the [https://docs.amazonaws.cn/cli/latest/reference/kms/schedule-key-deletion.html](https://docs.amazonaws.cn/cli/latest/reference/kms/schedule-key-deletion.html) command to schedule key deletion of a [customer managed key](concepts.md#customer-mgn-key), as shown in the following example.

You cannot schedule the deletion of an Amazon managed key or Amazon owned key.

```
$ aws kms schedule-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --pending-window-in-days 10
```

When the command succeeds, the Amazon CLI returns output similar to the following:

```
{
    "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "DeletionDate": 1598304792.0,
    "KeyState": "PendingDeletion",
    "PendingWindowInDays": 10
}
```
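As an added example (not from this documentation or the AWS SDK), the following Python helper applies the constraints described above before calling `ScheduleKeyDeletion`: it rejects waiting periods outside 7 to 30 days, refuses keys whose `KeyManager` is not `CUSTOMER` (Amazon managed keys cannot be scheduled for deletion), skips keys already pending deletion, and converts the returned `DeletionDate` into a readable UTC timestamp. `StubKms` is a constructed stand-in for `boto3.client("kms")` that returns the response shape shown above so the example runs offline.

```python
"""Schedule deletion of a customer managed KMS key with defensive pre-checks.

Pass a real client created with boto3.client("kms") in place of StubKms;
the stub only mirrors the documented response shape so this runs offline.
"""
from datetime import datetime, timezone

MIN_DAYS, MAX_DAYS = 7, 30  # waiting period bounds documented for KMS


def schedule_deletion(kms, key_id, pending_window_in_days=30):
    """Validate, then call ScheduleKeyDeletion; return a summary dict."""
    if not MIN_DAYS <= pending_window_in_days <= MAX_DAYS:
        raise ValueError(f"waiting period must be {MIN_DAYS}-{MAX_DAYS} days")
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    # Only customer managed keys may be scheduled for deletion.
    if meta["KeyManager"] != "CUSTOMER":
        raise ValueError(f"{key_id} is not a customer managed key")
    if meta["KeyState"] == "PendingDeletion":
        raise ValueError(f"{key_id} is already pending deletion")
    resp = kms.schedule_key_deletion(
        KeyId=key_id, PendingWindowInDays=pending_window_in_days)
    deletion_date = resp["DeletionDate"]
    # boto3 returns a datetime; the CLI's JSON output uses an epoch float.
    if not isinstance(deletion_date, datetime):
        deletion_date = datetime.fromtimestamp(deletion_date, tz=timezone.utc)
    return {"key_arn": resp["KeyId"], "state": resp["KeyState"],
            "deletion_date": deletion_date.isoformat(),
            "pending_window_in_days": resp["PendingWindowInDays"]}


class StubKms:
    """Constructed stand-in for the boto3 KMS client (no network calls)."""
    def __init__(self, manager="CUSTOMER", state="Enabled"):
        self.manager, self.state, self.calls = manager, state, []

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": self.manager,
                                "KeyState": self.state}}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.calls.append((KeyId, PendingWindowInDays))
        # Values mirror the sample CLI output above (constructed account id).
        return {"KeyId": f"arn:aws:kms:us-west-2:111122223333:key/{KeyId}",
                "DeletionDate": 1598304792.0, "KeyState": "PendingDeletion",
                "PendingWindowInDays": PendingWindowInDays}


if __name__ == "__main__":
    print(schedule_deletion(StubKms(), "1234abcd-12ab-34cd-56ef-1234567890ab", 10))
```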