Scheduling deletion of KMS keys from an external key store - AWS Key Management Service

Scheduling deletion of KMS keys from an external key store

When you are certain that you will not need to use an AWS KMS key for any cryptographic operation, you can schedule the deletion of the KMS key. Use the same procedure that you would use to schedule the deletion of any KMS key from AWS KMS. Deleting a KMS key from an external key store has no effect on the external key that served as its key material.

You can cancel the scheduled deletion of a KMS key during its mandatory waiting period. However, a deleted KMS key is not recoverable. You cannot recreate a symmetric encryption KMS key in an external key store, even if you use the same external key. Because each symmetric KMS key in an external key store has unique AWS KMS key material and metadata, only the AWS KMS key that encrypted a symmetric ciphertext can decrypt it.

Warning

Deleting a KMS key is a destructive and potentially dangerous operation that prevents you from recovering all data encrypted under the KMS key. Before scheduling deletion of the KMS key, examine past usage of the KMS key and create an Amazon CloudWatch alarm that alerts you when someone tries to use the KMS key while it is pending deletion. Whenever possible, disable the KMS key instead of deleting it.

When you schedule deletion of a KMS key from an external key store, its key state changes to Pending deletion. The KMS key remains in the Pending deletion state throughout the waiting period, even if the KMS key becomes unavailable because you have disconnected the external key store. This allows you to cancel the deletion of the KMS key at any time during the waiting period. When the waiting period expires, AWS KMS deletes the KMS key from AWS KMS.

When you schedule the deletion of a KMS key from an external key store, the KMS key becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such as to decrypt the data key. This issue affects AWS services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.

You can monitor the scheduling, cancellation, and deletion of the KMS key in your AWS CloudTrail logs.
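The pre-deletion review that the warning above calls for (check the key's state, examine past usage, and watch CloudTrail for attempts to use a key that is pending deletion) can be scripted. The following is an added example, not code from AWS or this documentation. It runs offline on constructed data shaped like the output of `aws kms describe-key` (the `KeyMetadata` object) and like CloudTrail records; in practice you would fetch those with `aws kms describe-key` and `aws cloudtrail lookup-events`. The key ARNs, timestamps and events are constructed samples, and the 90-day lookback is an assumed review window, not an AWS requirement.

```python
"""Pre-deletion review for a KMS key in an external key store.

Added example (not AWS's code). Works on constructed DescribeKey metadata and
CloudTrail records so it runs offline; the CLI commands it prints are the real
AWS CLI commands for each step.
"""
from datetime import datetime, timedelta, timezone

# CloudTrail event names that show the key being used for a cryptographic operation.
CRYPTO_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt",
                 "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}

# ScheduleKeyDeletion accepts a waiting period of 7 to 30 days.
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30


def _parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-30T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_events(records, key_arn):
    """Return the kms.amazonaws.com records whose resources reference key_arn."""
    out = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        if key_arn in {res.get("ARN") for res in r.get("resources", [])}:
            out.append(r)
    return out


def recent_crypto_use(records, key_arn, now, lookback_days):
    """Successful cryptographic operations on the key within the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    return [r for r in key_events(records, key_arn)
            if r["eventName"] in CRYPTO_EVENTS
            and "errorCode" not in r
            and _parse_time(r["eventTime"]) >= cutoff]


def use_while_pending_deletion(records, key_arn):
    """Attempts to use a key that is pending deletion fail with
    KMSInvalidStateException; these records are what a CloudWatch alarm should fire on."""
    return [r for r in key_events(records, key_arn)
            if r["eventName"] in CRYPTO_EVENTS
            and r.get("errorCode") == "KMSInvalidStateException"]


def deletion_decision(metadata, records, now, lookback_days=90, pending_window_days=30):
    """Return (ok, reason, command). ok is True only when scheduling deletion looks safe."""
    key_arn = metadata["Arn"]
    if metadata.get("Origin") != "EXTERNAL_KEY_STORE":
        return False, "not a KMS key in an external key store", None
    state = metadata["KeyState"]
    if state == "PendingDeletion":
        return False, ("already pending deletion; to keep it: "
                       f"aws kms cancel-key-deletion --key-id {key_arn}"), None
    if state == "Enabled":
        # The documentation's advice: disable first, delete only if you must.
        return False, f"disable the key first: aws kms disable-key --key-id {key_arn}", None
    if state != "Disabled":
        return False, f"key state {state} needs manual review", None
    used = recent_crypto_use(records, key_arn, now, lookback_days)
    if used:
        return False, f"{len(used)} cryptographic operation(s) in the last {lookback_days} days", None
    window = max(MIN_WINDOW_DAYS, min(MAX_WINDOW_DAYS, pending_window_days))
    cmd = f"aws kms schedule-key-deletion --key-id {key_arn} --pending-window-in-days {window}"
    return True, "no recent use; ready to schedule", cmd


# ---- constructed sample data (not real account data) ----
ACCOUNT = "111122223333"
KEY_A = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KEY_C = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

META_A = {"Arn": KEY_A, "Origin": "EXTERNAL_KEY_STORE", "KeyState": "Disabled"}
META_B = {"Arn": KEY_B, "Origin": "EXTERNAL_KEY_STORE", "KeyState": "Disabled"}
META_C = {"Arn": KEY_C, "Origin": "EXTERNAL_KEY_STORE", "KeyState": "PendingDeletion"}

RECORDS = [
    {"eventTime": "2024-05-30T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "resources": [{"ARN": KEY_A}]},
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "resources": [{"ARN": KEY_B}]},
    {"eventTime": "2024-05-31T12:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt", "errorCode": "KMSInvalidStateException",
     "resources": [{"ARN": KEY_C}]},
    {"eventTime": "2024-05-31T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "resources": [{"ARN": f"arn:aws:s3:::example-bucket"}]},
]

if __name__ == "__main__":
    for meta in (META_A, META_B, META_C):
        ok, reason, cmd = deletion_decision(meta, RECORDS, NOW)
        print(meta["Arn"].rsplit("/", 1)[1], "->", reason, "|", cmd or "")
    print("use attempts on pending-deletion keys:",
          len(use_while_pending_deletion(RECORDS, KEY_C)))
```

In the sample data KEY_A is disabled but was used two days ago, so the script refuses to schedule deletion; KEY_B has been idle for the whole lookback window and gets the `schedule-key-deletion` command; KEY_C is already pending deletion and has a failed `Encrypt` attempt, which is the event a CloudWatch alarm on `KMSInvalidStateException` would surface.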