Use ScheduleKeyDeletion with an Amazon SDK or CLI
The following code examples show how to use ScheduleKeyDeletion.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples:
Amazon CLI
To schedule the deletion of a customer managed KMS key.

The following schedule-key-deletion example schedules the specified customer managed KMS key to be deleted in 15 days.

The --key-id parameter identifies the KMS key. This example uses a key ARN value, but you can use either the key ID or the ARN of the KMS key. The --pending-window-in-days parameter specifies the length of the 7-30 day waiting period. By default, the waiting period is 30 days. This example specifies a value of 15, which tells Amazon to permanently delete the KMS key 15 days after the command completes.
```
aws kms schedule-key-deletion \
    --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
    --pending-window-in-days 15
```
The response includes the key ARN, key state, waiting period (PendingWindowInDays), and the deletion date in Unix time. To view the deletion date in local time, use the Amazon KMS console. KMS keys in the PendingDeletion key state cannot be used in cryptographic operations.
```
{
    "KeyId": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "DeletionDate": "2022-06-18T23:43:51.272000+00:00",
    "KeyState": "PendingDeletion",
    "PendingWindowInDays": 15
}
```
For more information, see Deleting keys in the Amazon Key Management Service Developer Guide.
SDK for Java 2.x
```
/**
 * Deletes a KMS key asynchronously.
 *
 * <p><strong>Warning:</strong> Deleting a KMS key is a destructive and potentially dangerous operation.
 * When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable.
 * This means that any files, databases, or other data that were encrypted using the deleted KMS key
 * will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.</p>
 *
 * @param keyId the ID of the KMS key to delete
 * @return a {@link CompletableFuture} that completes when the key deletion is scheduled
 */
public CompletableFuture<Void> deleteKeyAsync(String keyId) {
    ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder()
        .keyId(keyId)
        .pendingWindowInDays(7)
        .build();

    return getAsyncClient().scheduleKeyDeletion(deletionRequest)
        .thenRun(() -> {
            logger.info("Key {} will be deleted in 7 days", keyId);
        })
        .exceptionally(throwable -> {
            throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable);
        });
}
```
SDK for Python (Boto3)
```
import logging

from botocore.exceptions import ClientError


class KeyManager:
    def __init__(self, kms_client):
        self.kms_client = kms_client
        self.created_keys = []

    def delete_keys(self, keys):
        """
        Deletes a list of keys.

        Warning:
        Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
        all data that was encrypted under the KMS key is unrecoverable.

        :param keys: The list of keys to delete.
        """
        print("""
            Warning:
            Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
            all data that was encrypted under the KMS key is unrecoverable.
            """)
        answer = input("Do you want to delete these keys (y/n)? ")
        if answer.lower() == "y":
            window = 7
            for key in keys:
                try:
                    self.kms_client.schedule_key_deletion(
                        KeyId=key["KeyId"], PendingWindowInDays=window
                    )
                except ClientError as err:
                    logging.error(
                        "Couldn't delete key %s. Here's why: %s",
                        key["KeyId"],
                        err.response["Error"]["Message"],
                    )
                else:
                    print(
                        f"Key {key['KeyId']} scheduled for deletion in {window} days."
                    )
```
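The 7-30 day waiting period and the PendingDeletion response described in the CLI section, together with the Boto3 `schedule_key_deletion` call used above, as an added example that is not from the AWS documentation: a wrapper that rejects an out-of-range window before the API is called and returns the response fields worth logging, plus an audit that lists keys already in PendingDeletion with the days left before they become unrecoverable. `FakeKms` is a constructed stand-in for the boto3 KMS client so the block runs offline; a real `boto3.client("kms")` exposes the same three methods.

```python
from datetime import datetime, timedelta, timezone

MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30  # the 7-30 day range described above


def schedule_deletion(kms, key_id, pending_window_days=30):
    """Check the waiting period client-side, then call ScheduleKeyDeletion.

    Returns the response fields an audit record needs: the key, its new state
    (PendingDeletion, so no more cryptographic operations) and the deletion date.
    """
    if not MIN_WINDOW_DAYS <= pending_window_days <= MAX_WINDOW_DAYS:
        raise ValueError(f"PendingWindowInDays must be 7-30, got {pending_window_days}")
    resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=pending_window_days)
    return {"KeyId": resp["KeyId"], "KeyState": resp["KeyState"],
            "DeletionDate": resp["DeletionDate"].isoformat(),
            "PendingWindowInDays": resp["PendingWindowInDays"]}


def find_pending_deletions(kms, now):
    """List keys in PendingDeletion with the days left before they are unrecoverable.

    A deletion nobody recognises can still be cancelled before DeletionDate,
    so a defender runs this periodically and alerts on anything unexpected.
    """
    pending, marker = [], None
    while True:  # list_keys is paginated; follow NextMarker while Truncated is true
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if meta["KeyState"] == "PendingDeletion":
                pending.append({"KeyId": meta["KeyId"],
                                "DaysRemaining": (meta["DeletionDate"] - now).days})
        if not page.get("Truncated"):
            return pending
        marker = page["NextMarker"]


class FakeKms:
    """Constructed stand-in for the boto3 KMS client so the example runs offline."""
    ARN = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    NOW = datetime(2022, 6, 3, 23, 43, 51, tzinfo=timezone.utc)  # constructed clock
    state, deletion_date = "Enabled", None

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.state, self.deletion_date = "PendingDeletion", self.NOW + timedelta(days=PendingWindowInDays)
        return {"KeyId": KeyId, "KeyState": self.state, "DeletionDate": self.deletion_date,
                "PendingWindowInDays": PendingWindowInDays}

    def list_keys(self, **kwargs):
        return {"Keys": [{"KeyId": self.ARN}], "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self.state, "DeletionDate": self.deletion_date}}
```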
For a complete list of Amazon SDK developer guides and code examples, see Using Amazon KMS with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.