Deleting an AWS CloudHSM key store
When you delete an AWS CloudHSM key store, AWS KMS deletes all metadata about the AWS CloudHSM key store from KMS, including information about its association with an AWS CloudHSM cluster. This operation does not affect the AWS CloudHSM cluster, its HSMs, or its users. You can create a new AWS CloudHSM key store that is associated with the same AWS CloudHSM cluster, but you cannot undo the delete operation.
You can only delete an AWS CloudHSM key store that is disconnected from its AWS CloudHSM cluster and does not contain any AWS KMS keys. Before you delete a custom key store, do the following.
-
Verify that you will never need to use any of the KMS keys in the key store for any cryptographic operations. Then schedule deletion of all of the KMS keys from the key store. For help finding the KMS keys in an AWS CloudHSM key store, see Find the KMS keys in an AWS CloudHSM key store.
-
Confirm that all KMS keys have been deleted. To view the KMS keys in an AWS CloudHSM key store, see Viewing KMS keys in an AWS CloudHSM key store.
-
Disconnect the AWS CloudHSM key store from its AWS CloudHSM cluster.
Instead of deleting the AWS CloudHSM key store, consider disconnecting it from its associated AWS CloudHSM cluster. While an AWS CloudHSM key store is disconnected, you can manage the AWS CloudHSM key store and its AWS KMS keys. But you cannot create or use KMS keys in the AWS CloudHSM key store. You can reconnect the AWS CloudHSM key store at any time.
Delete an AWS CloudHSM key store (console)
To delete an AWS CloudHSM key store in the AWS Management Console, begin by selecting the AWS CloudHSM key store from the Custom key stores page.
-
Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms
. -
To change the AWS Region, use the Region selector in the upper-right corner of the page.
-
In the navigation pane, choose Custom key stores, AWS CloudHSM key stores.
-
Find the row that represents the AWS CloudHSM key store that you want to delete. If the Connection state of the AWS CloudHSM key store is not DISCONNECTED, you must disconnect the AWS CloudHSM key store before you delete it.
-
From the Key store actions menu, choose Delete.
When the operation completes, a success message appears and the AWS CloudHSM key store no longer appears in the key stores list. If the operation is unsuccessful, an error message appears that describes the problem and provides help on how to fix it. If you need more help, see Troubleshooting a custom key store.
Delete an AWS CloudHSM key store (API)
To delete an AWS CloudHSM key store, use the DeleteCustomKeyStore operation. If the operation is successful, AWS KMS returns an HTTP 200 response and a JSON object with no properties.
To begin, verify that the AWS CloudHSM key store does not contain any AWS KMS keys. You cannot
delete a custom key store that contains KMS keys. The first example command uses ListKeys and DescribeKey to search for AWS KMS keys in
the AWS CloudHSM key store with the example cks-1234567890abcdef0
custom key store ID. In this case, the command does not return any KMS keys. If it does, use
the ScheduleKeyDeletion
operation to schedule deletion of each of the KMS keys.
Next, disconnect the AWS CloudHSM key store. This example command uses the DisconnectCustomKeyStore operation to disconnect an AWS CloudHSM key store from its AWS CloudHSM cluster. Before running this command, replace the example custom key store ID with a valid one.
After the custom key store is disconnected, you can use the DeleteCustomKeyStore operation to delete it.
