Scheduling deletion of KMS keys from an AWS CloudHSM key store - AWS Key Management Service

Scheduling deletion of KMS keys from an AWS CloudHSM key store

When you are certain that you will not need to use an AWS KMS key for any cryptographic operation, you can schedule the deletion of the KMS key. Use the same procedure that you would use to schedule the deletion of any KMS key from AWS KMS. In addition, keep your AWS CloudHSM key store connected so AWS KMS can delete the corresponding key material from the associated AWS CloudHSM cluster when the waiting period expires.

You can monitor the scheduling, cancellation, and deletion of the KMS key in your AWS CloudTrail logs.

Warning

Deleting a KMS key is a destructive and potentially dangerous operation that prevents you from recovering all data encrypted under the KMS key. Before scheduling deletion of the KMS key, examine past usage of the KMS key and create an Amazon CloudWatch alarm that alerts you when someone tries to use the KMS key while it is pending deletion. Whenever possible, disable the KMS key instead of deleting it.
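The monitoring that the warning and the CloudTrail note call for can be checked locally before wiring up an alarm. The following is an added example, not code from the AWS documentation: it classifies CloudTrail records for the KMS deletion lifecycle events (`ScheduleKeyDeletion`, `CancelKeyDeletion`, `DeleteKey`) and for cryptographic calls that KMS rejected with `KMSInvalidStateException` because the key was pending deletion. The records below are constructed, trimmed to the fields the code reads; the CloudWatch Logs metric filter pattern is an assumption about the filter syntax, not something the page gives.

```python
"""Classify KMS CloudTrail records for key-deletion monitoring (added example)."""
from collections import defaultdict

# Lifecycle events the documentation says to monitor in CloudTrail.
DELETION_EVENTS = {"ScheduleKeyDeletion", "CancelKeyDeletion", "DeleteKey"}

# Assumed CloudWatch Logs metric filter pattern for "use while pending deletion";
# attach it to the log group that receives CloudTrail and alarm on the metric.
PENDING_DELETION_FILTER_PATTERN = (
    '{ ($.eventSource = "kms.amazonaws.com") && '
    '($.errorCode = "KMSInvalidStateException") && '
    '($.errorMessage = "* is pending deletion.*") }'
)

KEY_A = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"

# Constructed sample records in the shape of real CloudTrail KMS events.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": KEY_A, "pendingWindowInDays": 7},
     "resources": [{"ARN": KEY_A, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": f"{KEY_A} is pending deletion.",
     "resources": [{"ARN": KEY_A, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-05-01T13:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "resources": [{"ARN": KEY_B, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CancelKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": KEY_A, "type": "AWS::KMS::Key"}]},
]


def key_arn(record):
    """Key ARN from the resources list, falling back to the request's keyId."""
    for res in record.get("resources", []):
        if res.get("ARN"):
            return res["ARN"]
    return record.get("requestParameters", {}).get("keyId", "unknown")


def classify(record):
    """Return a finding label for a record, or None if it is not of interest."""
    if record.get("eventSource") != "kms.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if name in DELETION_EVENTS:
        return f"lifecycle:{name}"
    # A cryptographic call rejected because the key is pending deletion is
    # exactly what the alarm in the warning is meant to catch.
    if (record.get("errorCode") == "KMSInvalidStateException"
            and "pending deletion" in record.get("errorMessage", "")):
        return f"use-while-pending-deletion:{name}"
    return None


def review(records):
    """Group findings per key ARN as (eventTime, label, caller ARN) tuples."""
    findings = defaultdict(list)
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        findings[key_arn(rec)].append((rec["eventTime"], label, caller))
    return dict(findings)


if __name__ == "__main__":
    for arn, events in review(SAMPLE_RECORDS).items():
        print(arn)
        for when, label, caller in events:
            print(f"  {when}  {label:40}  {caller}")
```

A single `use-while-pending-deletion` finding means some workload still depends on the key; the documented response is to cancel the deletion, not to wait for the window to expire.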

When you schedule deletion of a KMS key from an AWS CloudHSM key store, its key state changes to Pending deletion. The KMS key remains in the Pending deletion state throughout the waiting period, even if the KMS key becomes unavailable because you have disconnected the custom key store. This allows you to cancel the deletion of the KMS key at any time during the waiting period.

When the waiting period expires, AWS KMS deletes the KMS key from AWS KMS. Then AWS KMS makes a best effort to delete the key material from the associated AWS CloudHSM cluster. If AWS KMS cannot delete the key material, such as when the key store is disconnected from AWS KMS, you might need to manually delete the orphaned key material from the cluster.

AWS KMS does not delete the key material from cluster backups. Even if you delete the KMS key from AWS KMS and delete its key material from your AWS CloudHSM cluster, clusters created from backups might contain the deleted key material. To permanently delete the key material, view the creation date of the KMS key. Then delete all cluster backups that might contain the key material.
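The backup rule above (any backup taken at or after the KMS key's creation date may still hold the key material) can be turned into a checklist. The following is an added example, not code from the AWS documentation. The input shapes mirror what `kms.describe_key()["KeyMetadata"]` and `cloudhsmv2.describe_backups()["Backups"]` return through boto3, but every value below is constructed; the example only plans which backups to delete and does not call the delete API.

```python
"""Plan deletion of CloudHSM backups that may contain a deleted key (added example)."""
from datetime import datetime, timezone

# Constructed stand-in for kms.describe_key()["KeyMetadata"].
KEY_METADATA = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": datetime(2024, 3, 10, 14, 0, tzinfo=timezone.utc),
}

# Constructed stand-in for cloudhsmv2.describe_backups()["Backups"].
BACKUPS = [
    {"BackupId": "backup-aaaaaaaaaaaaaaa", "ClusterId": "cluster-example",
     "BackupState": "READY",
     "CreateTimestamp": datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)},
    {"BackupId": "backup-bbbbbbbbbbbbbbb", "ClusterId": "cluster-example",
     "BackupState": "READY",
     "CreateTimestamp": datetime(2024, 3, 10, 14, 0)},   # naive, same instant as key creation
    {"BackupId": "backup-ccccccccccccccc", "ClusterId": "cluster-example",
     "BackupState": "READY",
     "CreateTimestamp": datetime(2024, 4, 2, 3, 30, tzinfo=timezone.utc)},
    {"BackupId": "backup-ddddddddddddddd", "ClusterId": "cluster-example",
     "BackupState": "PENDING_DELETION",
     "CreateTimestamp": datetime(2024, 4, 20, 0, 0, tzinfo=timezone.utc)},
]


def _aware(dt):
    """Normalize to a timezone-aware UTC datetime; naive values are assumed UTC."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def backups_that_may_contain_key(key_metadata, backups):
    """Backups taken at or after key creation, i.e. those that may hold its material.

    The boundary is inclusive: a backup with the same timestamp as the key's
    creation cannot be ruled out, so it is kept.
    """
    created = _aware(key_metadata["CreationDate"])
    return [b for b in backups if _aware(b["CreateTimestamp"]) >= created]


def plan_backup_deletion(key_metadata, backups):
    """Split candidate backups into those still to delete and those already pending."""
    candidates = backups_that_may_contain_key(key_metadata, backups)
    to_delete = sorted(b["BackupId"] for b in candidates
                       if b["BackupState"] not in ("PENDING_DELETION", "DELETED"))
    already = sorted(b["BackupId"] for b in candidates
                     if b["BackupState"] in ("PENDING_DELETION", "DELETED"))
    return to_delete, already


if __name__ == "__main__":
    todo, done = plan_backup_deletion(KEY_METADATA, BACKUPS)
    print("delete these backups:", todo)
    print("already pending/deleted:", done)
```

In a real run the `to_delete` list would be fed to `cloudhsmv2.delete_backup(BackupId=...)`, one call per backup; backups deleted that way enter a waiting period of their own, so confirm the `DELETED` state afterwards rather than assuming it.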

When you schedule the deletion of a KMS key from an AWS CloudHSM key store, the KMS key becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such as to decrypt the data key. This issue affects AWS services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.