Delete imported key material

You can delete the imported key material from a KMS key at any time. Also, when imported key material with an expiration date expires, AWS KMS deletes the key material. In either case, when the key material is deleted, the key state of the KMS key changes to pending import, and the KMS key can't be used in any cryptographic operations until you reimport the same key material. (You cannot import any other key material into the KMS key.)

Along with disabling the KMS key and withdrawing permissions, deleting key material can be used as a strategy to quickly, but temporarily, halt the use of the KMS key. In contrast, scheduling the deletion of a KMS key with imported key material also quickly halts the use of the KMS key. However, if the deletion is not canceled during the waiting period, the KMS key, the key material, and all key metadata are permanently deleted. For details, see Deleting KMS keys with imported key material.

To delete key material, you can use the AWS KMS console or the DeleteImportedKeyMaterial API operation. AWS KMS records an entry in your AWS CloudTrail log when you delete imported key material and when AWS KMS deletes expired key material.

How deleting key material affects AWS services: When you delete key material, the KMS key with no key material becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such as to decrypt the data key. This issue affects AWS services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.

You can use the AWS KMS console to delete key material.

Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
To change the AWS Region, use the Region selector in the upper-right corner of the page.
In the navigation pane, choose Customer managed keys.
Do one of the following:
- Select the check box for a KMS key with imported key material. Choose Key actions, Delete key material.
- Choose the alias or key ID of a KMS key with imported key material. Choose the Key material tab and then choose Delete key material.
Confirm that you want to delete the key material and then choose Delete key material. The KMS key's status, which corresponds to its key state, changes to Pending import.

To use the AWS KMS API to delete key material, send a DeleteImportedKeyMaterial request. The following example shows how to do this with the AWS CLI.

Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the KMS key whose key material you want to delete. You can use the KMS key's key ID or ARN but you cannot use an alias for this operation.


$ aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Determine past usage of a KMS key

Generate data keys