Deleting imported key material - AWS Key Management Service

Deleting imported key material

You can delete the imported key material from a KMS key at any time. Also, when imported key material with an expiration date expires, AWS KMS deletes the key material. In either case, AWS KMS deletes the key material immediately, the key state of the KMS key changes to pending import, and the KMS key can't be used in any cryptographic operations.

However, these actions do not delete the KMS key. To use the KMS key again, you must reimport the same key material into the KMS key. In contrast, deleting a KMS key is irreversible. If you schedule key deletion and the required waiting period expires, AWS KMS deletes the key material and all metadata associated with the KMS key.

To delete key material, you can use the AWS Management Console or the AWS KMS API. You can use the API directly by making HTTP requests, or by using anAWS SDK, the AWS Command Line Interface (AWS CLI), or AWS Tools for PowerShell.

AWS KMS records an entry in your AWS CloudTrail log when you delete imported key material and when AWS KMS deletes expired key material.

How deleting key material affects AWS services integrated with AWS KMS

When you delete key material, the KMS key becomes unusable right away. However, any data keys that AWS services are using are not immediately affected. This means that deleting key material might not immediately affect all of the data and AWS resources that are protected under the KMS key, though they are affected eventually.

Several AWS services integrate with AWS KMS to protect your data. Some of these services, such as Amazon EBS and Amazon Redshift, use a AWS KMS key (KMS key) in AWS KMS to generate a data key, and then use the data key to encrypt your data. These plaintext data keys persist in memory as long as the data they are protecting is actively in use.

For example, consider this scenario:

  1. You create an encrypted EBS volume and specify a KMS key with imported key material. Amazon EBS asks AWS KMS to use your KMS key to generate an encrypted data key for the volume. Amazon EBS stores the encrypted data key with the volume.

  2. When you attach the EBS volume to an EC2 instance, Amazon EC2 asks AWS KMS to use your KMS key to decrypt the EBS volume's encrypted data key. Amazon EC2 stores the plaintext data key in hypervisor memory and uses it to encrypt disk I/O to the EBS volume. The data key persists in memory as long as the EBS volume is attached to the EC2 instance.

  3. You delete the imported key material from the KMS key, which makes it unusable. This has no immediate effect on the EC2 instance or the EBS volume. The reason is that Amazon EC2 is using the plaintext data key—not the KMS key—to encrypt all disk I/O while the volume is attached to the instance.

  4. However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the plaintext key from memory. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the KMS key to decrypt the volume's encrypted data key. To use the EBS volume again, you must reimport the same key material into the KMS key.

Delete key material (console)

You can use the AWS Management Console to delete key material.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Do one of the following:

    • Select the check box for a KMS key with imported key material. Choose Key actions, Delete key material.

    • Choose the alias or key ID of a KMS key with imported key material. Choose the Key material tab and then choose Delete key material.

  5. Confirm that you want to delete the key material and then choose Delete key material. The KMS key's status, which corresponds to its key state, changes to Pending import.

Delete key material (AWS KMS API)

To use the AWS KMS API to delete key material, send a DeleteImportedKeyMaterial request. The following example shows how to do this with the AWS CLI.

Replace 1234abcd-12ab-34cd-56ef-1234567890ab with the key ID of the KMS key whose key material you want to delete. You can use the KMS key's key ID or ARN but you cannot use an alias for this operation.

$ aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab