Enabling and disabling keys - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Enabling and disabling keys

You can disable and re-enable the customer managed keys in your account. You cannot enable or disable Amazon managed keys.

When you create a KMS key, it is enabled by default. While a KMS key is disabled, it cannot be used in any cryptographic operation (such as Encrypt, Decrypt, or GenerateDataKey); requests that use it fail with a DisabledException until you re-enable the key. Disabling does not delete the key material, so data encrypted under the key can be decrypted again after the key is re-enabled. Amazon managed keys are permanently enabled for use by the services that integrate with Amazon KMS, and you cannot disable them.

You can also delete KMS keys. For more information, see Deleting Amazon KMS keys.

Note

Amazon KMS does not rotate the key material of customer managed keys while they are disabled. For more information, see How automatic key rotation works.

Enabling and disabling KMS keys (console)

You can use the Amazon KMS console to enable and disable customer managed keys.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Select the check box for the KMS keys that you want to enable or disable.

  5. To enable a KMS key, choose Key actions, Enable. To disable a KMS key, choose Key actions, Disable.

Enabling and disabling KMS keys (Amazon KMS API)

The EnableKey operation enables a disabled KMS key. These examples use the Amazon Command Line Interface (Amazon CLI), but you can use any supported programming language. The key-id parameter is required and takes the key ID or key ARN of the KMS key (not an alias). The caller needs kms:EnableKey permission (and kms:DisableKey for the DisableKey operation below) from the key policy or an IAM policy; because disabling a key makes every operation that depends on it fail immediately, restrict these permissions to key administrators.

This operation does not return any output. To see the key status, use the DescribeKey operation.

$ aws kms enable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

The DisableKey operation disables an enabled KMS key. The key-id parameter is required.

$ aws kms disable-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

This operation does not return any output. To see the key status, use the DescribeKey operation and check the Enabled field. The KeyState field is more specific: a key can be unusable because it is Disabled, but also because it is PendingDeletion or PendingImport, and EnableKey and DisableKey fail on keys in those states.

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "MultiRegion": false,
        "Enabled": false,
        "KeyState": "Disabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "CreationDate": 1502910355.475,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
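The following script is an added example and is not part of the Amazon KMS documentation or the Amazon CLI. It wraps the three calls above into one guarded operation: it refuses Amazon managed keys (KeyManager is not CUSTOMER), refuses keys whose KeyState is neither Enabled nor Disabled (for example PendingDeletion, where EnableKey and DisableKey fail), and, because EnableKey and DisableKey print nothing, re-reads KeyState with DescribeKey to confirm the change. The function names kms_key_field and kms_set_key_enabled and the script name are this example's own; the key ID is the placeholder used on this page.

```shell
#!/bin/sh
# Added example (not from the Amazon KMS documentation): guarded enable/disable of a
# customer managed key, verified with DescribeKey. Function names are this example's own.
set -eu

# Print one field of KeyMetadata (for example KeyState or KeyManager) using the
# CLI's --query filter; --output text prints the bare value with no JSON quoting.
kms_key_field() {
  aws kms describe-key --key-id "$1" --query "KeyMetadata.$2" --output text
}

# kms_set_key_enabled KEY_ID enable|disable
# Prints the resulting KeyState on success. Exit status: 0 on success, 1 if DescribeKey
# does not reflect the change, 2 for an Amazon managed key, 3 for a key whose state is
# neither Enabled nor Disabled.
kms_set_key_enabled() {
  key_id=$1
  action=$2
  manager=$(kms_key_field "$key_id" KeyManager)
  if [ "$manager" != "CUSTOMER" ]; then
    echo "refusing: $key_id has KeyManager=$manager; only customer managed keys can be enabled or disabled" >&2
    return 2
  fi
  state=$(kms_key_field "$key_id" KeyState)
  case "$action:$state" in
    enable:Enabled|disable:Disabled)
      echo "$state"                       # already in the requested state
      return 0 ;;
    enable:Disabled)
      aws kms enable-key --key-id "$key_id"
      want=Enabled ;;
    disable:Enabled)
      aws kms disable-key --key-id "$key_id"
      want=Disabled ;;
    *)
      # PendingDeletion, PendingImport, Unavailable, ...: EnableKey and DisableKey
      # are rejected in these states, so fail before calling them.
      echo "refusing: cannot $action $key_id while KeyState=$state" >&2
      return 3 ;;
  esac
  # EnableKey/DisableKey return no output, so confirm the new state via DescribeKey.
  state=$(kms_key_field "$key_id" KeyState)
  if [ "$state" != "$want" ]; then
    echo "DescribeKey reports KeyState=$state after $action" >&2
    return 1
  fi
  echo "$state"
}

# Usage when run as a script: ./kms-key-state.sh 1234abcd-12ab-34cd-56ef-1234567890ab disable
if [ $# -eq 2 ]; then
  kms_set_key_enabled "$1" "$2"
fi
```

The script needs kms:DescribeKey in addition to kms:EnableKey or kms:DisableKey, and it re-reads the state with a second DescribeKey because the enable and disable commands themselves print nothing on success.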