Deleting a custom key store
When you delete a custom key store, AWS KMS deletes all metadata about the custom key store from KMS, including information about its association with an AWS CloudHSM cluster. This operation does not affect the AWS CloudHSM cluster, its HSMs, or its users. You can create a new custom key store that is associated with the specified cluster, but you cannot undo the delete operation.
You can only delete a custom key store that is disconnected from AWS KMS and does not contain any AWS KMS keys. Before you delete a custom key store, do the following.
-
Verify that you will never need to use any of the KMS keys in the key store for any cryptographic operations. Then schedule deletion of all of the KMS keys from the key store. For help finding the KMS keys in a custom key store, see Find the KMS keys in a custom key store.
-
Confirm that all KMS keys have been deleted. To view the KMS keys in a custom key store, see Viewing KMS keys in a custom key store.
-
Disconnect the custom key store from AWS KMS.
Instead of deleting the custom key store, consider disconnecting it from its associated AWS CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key store and its AWS KMS keys. But you cannot create or use KMS keys in the custom key store. You can reconnect the custom key store at any time.
If you have deleted all custom key stores from all Regions of your AWS account and you do not plan to create any more, you should delete the service-linked role that AWS KMS uses for custom key stores.
Delete a custom key store (console)
To delete a custom key store in the AWS Management Console, begin by selecting the custom key store from the Custom key stores page.
-
Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms
. -
To change the AWS Region, use the Region selector in the upper-right corner of the page.
-
In the navigation pane, choose Custom key stores.
-
Find the row that represents the custom key store that you want to remove. If the status of the custom key store is not DISCONNECTED, you must disconnect the custom key store before you delete the custom key store.
-
From the Key store actions menu, select Delete custom key store.
When the operation completes, a success message appears and the custom key store no longer appears in the custom key store list. If the operation is unsuccessful, an error message appears that describes the problem and provides help on how to fix it. If you need more help, see Troubleshooting a custom key store.
Delete a custom key store (API)
To delete a custom key store, use the DeleteCustomKeyStore operation. If the operation is successful, AWS KMS returns an HTTP 200 response and a JSON object with no properties.
To begin, verify that the custom key store does not contain any AWS KMS keys. You
cannot delete a custom key store that contains KMS keys. The first example
command uses ListKeys and DescribeKey to search for AWS KMS keys in the custom key store with the
cks-1234567890abcdef0 fictitious key store ID. In this case,
the command does not return any KMS keys. If it does, use the ScheduleKeyDeletion operation to
schedule deletion of each of the KMS keys.
Next, disconnect the custom key store. This example command uses the DisconnectCustomKeyStore operation to disconnect the custom key store from its AWS CloudHSM cluster. Before running this command, replace the example custom key store ID with a valid one.
After the custom key store is disconnected, you can use the DeleteCustomKeyStore operation to delete it.
