Deleting imported key material - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Deleting imported key material

When you import key material, you can specify an expiration date. When the key material expires, Amazon KMS deletes the key material and the Amazon KMS key becomes unusable. You can also delete key material on demand. Whether you wait for the key material to expire or you delete it manually, the effect is the same. Amazon KMS deletes the key material, the KMS key's key state changes to pending import, and the KMS key is unusable. To use the KMS key again, you must reimport the same key material.

Deleting key material affects the KMS key immediately, but you can reverse the deletion of key material by reimporting the same key material into the KMS key. In contrast, deleting a KMS key is irreversible. If you schedule key deletion and the required waiting period expires, Amazon KMS deletes the key material and all metadata associated with the KMS key.

To delete key material, you can use the Amazon Web Services Management Console or the Amazon KMS API. You can use the API directly by making HTTP requests, or by using an Amazon SDK, the Amazon Command Line Interface (Amazon CLI), or Amazon Tools for PowerShell.

Amazon KMS records an entry in your Amazon CloudTrail log when you delete imported key material and when Amazon KMS deletes expired key material.

How deleting key material affects Amazon services integrated with Amazon KMS

When you delete key material, the KMS key becomes unusable right away. However, any data keys that Amazon services are using are not immediately affected. This means that deleting key material might not immediately affect all of the data and Amazon resources that are protected under the KMS key, though they are affected eventually.

Several Amazon services integrate with Amazon KMS to protect your data. Some of these services, such as Amazon EBS and Amazon Redshift, use an Amazon KMS key (KMS key) in Amazon KMS to generate a data key, and then use the data key to encrypt your data. These plaintext data keys persist in memory as long as the data they are protecting is actively in use.

For example, consider this scenario:

  1. You create an encrypted EBS volume and specify a KMS key with imported key material. Amazon EBS asks Amazon KMS to use your KMS key to generate an encrypted data key for the volume. Amazon EBS stores the encrypted data key with the volume.

  2. When you attach the EBS volume to an EC2 instance, Amazon EC2 asks Amazon KMS to use your KMS key to decrypt the EBS volume's encrypted data key. Amazon EC2 stores the plaintext data key in hypervisor memory and uses it to encrypt disk I/O to the EBS volume. The data key persists in memory as long as the EBS volume is attached to the EC2 instance.

  3. You delete the imported key material from the KMS key, which makes it unusable. This has no immediate effect on the EC2 instance or the EBS volume. The reason is that Amazon EC2 is using the plaintext data key—not the KMS key—to encrypt all disk I/O while the volume is attached to the instance.

  4. However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the plaintext key from memory. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, you must reimport the same key material into the KMS key.

Delete key material (console)

You can use the Amazon Web Services Management Console to delete key material.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Do one of the following:

    • Select the check box for a KMS key with imported key material. Choose Key actions, Delete key material.

    • Choose the alias or key ID of a KMS key with imported key material. Choose the Key material tab and then choose Delete key material.

  5. Confirm that you want to delete the key material and then choose Delete key material. The KMS key's status, which corresponds to its key state, changes to Pending import.

Delete key material (Amazon KMS API)

To use the Amazon KMS API to delete key material, send a DeleteImportedKeyMaterial request. The following example shows how to do this with the Amazon CLI.

Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the KMS key whose key material you want to delete. You can use the KMS key's key ID or ARN but you cannot use an alias for this operation.

$ aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
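The following is an added example, not part of this documentation page, showing the same operation through the boto3 KMS client with the checks a practitioner would want around it: it refuses aliases (which this operation does not accept), refuses keys whose Origin is not EXTERNAL (only those hold imported material), and confirms from DescribeKey that the key state changed to PendingImport. The KMS client is injected so the logic can be exercised offline against a constructed stub; the key ID and account number in the sample metadata are placeholders.

```python
import re

# Key IDs are UUIDs; key ARNs wrap one. Aliases are refused because
# DeleteImportedKeyMaterial does not accept them.
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
KEY_ARN_RE = re.compile(r"^arn:aws(-cn)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def is_key_id_or_arn(identifier: str) -> bool:
    return bool(KEY_ID_RE.match(identifier) or KEY_ARN_RE.match(identifier))

def delete_imported_key_material(kms, key_id: str) -> dict:
    """Delete imported key material and return the key's metadata afterwards.

    `kms` is any object with the boto3 KMS client methods describe_key and
    delete_imported_key_material. Raises ValueError for an alias, a key whose
    Origin is not EXTERNAL, or a key that is not PendingImport afterwards.
    """
    if not is_key_id_or_arn(key_id):
        raise ValueError("use a key ID or key ARN, not an alias: " + key_id)
    before = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if before["Origin"] != "EXTERNAL":
        raise ValueError("Origin is %s; only EXTERNAL keys hold imported material" % before["Origin"])
    kms.delete_imported_key_material(KeyId=key_id)
    after = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if after["KeyState"] != "PendingImport":
        raise ValueError("expected KeyState PendingImport, got " + after["KeyState"])
    return after

# Constructed DescribeKey metadata for an EXTERNAL-origin key (placeholder values).
SAMPLE_KEY = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Origin": "EXTERNAL", "KeyState": "Enabled", "Enabled": True,
    "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE",
}

class StubKms:
    """Offline stand-in for a boto3 KMS client, mimicking the documented state change."""
    def __init__(self, metadata): self.meta = dict(metadata)
    def describe_key(self, KeyId): return {"KeyMetadata": dict(self.meta)}
    def delete_imported_key_material(self, KeyId):
        # KMS deletes the material; the key becomes unusable and PendingImport.
        self.meta.update(KeyState="PendingImport", Enabled=False)
        return {}

if __name__ == "__main__":
    # Against a real account: import boto3; kms = boto3.client("kms") in place of StubKms.
    print(delete_imported_key_material(StubKms(SAMPLE_KEY), SAMPLE_KEY["KeyId"]))
```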