
Key Management Service:Manage keys

Last Updated:Jan 23, 2024

After you create a key for a dedicated Key Management Service (KMS) instance of the Standard edition, you can disable the key, enable deletion protection, or schedule key deletion tasks based on your business requirements.

Disable a key

After you create a key, it is in the Enabled state by default. You can disable the key. A disabled key cannot be used to encrypt or decrypt data, and it cannot be used to generate or verify a digital signature.

  1. Log on to the KMS console.

  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.

  3. In the left-side navigation pane, click Dedicated KMS.

  4. Find the dedicated KMS instance of the Standard edition that you want to manage and click Manage in the Actions column.

  5. On the User master key tab, find the key that you want to disable and click Disable in the Actions column.

  6. In the Disable Key message, click OK.

    After the key is disabled, the status of the key changes from Enabled to Disabled. You can also click Enable to enable the key again.

Enable deletion protection

After you enable deletion protection for a key, the key cannot be deleted. This prevents the key from being accidentally deleted.

Note

You cannot enable deletion protection for the keys that are in the Pending Deletion state.

  1. Log on to the KMS console.

  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.

  3. In the left-side navigation pane, click Dedicated KMS.

  4. Find the dedicated KMS instance of the Standard edition that you want to manage and click Manage in the Actions column.

  5. On the User master key tab, click the name of the key for which you want to enable deletion protection.

  6. In the Key Details section, click Enable Deletion Protection.

  7. In the Enable message, click OK.

    After deletion protection is enabled, the status of Deletion Protection changes from Disabled to Enabled. You can click Disable Deletion Protection to disable deletion protection for the key. After that, the key can be deleted again.

Schedule a key deletion task

Warning

The system deletes a key when the scheduled deletion period of the key elapses. After the key is deleted, you cannot decrypt the data that is encrypted by using the key or related data keys. Before you delete a key, make sure that the key is no longer in use. If you delete a key that is in use, your services may become unavailable.

After a key is deleted, it cannot be recovered. Data that is encrypted by using this key and data keys that are generated by using this key cannot be decrypted. To prevent misoperations, KMS does not allow you to delete a key immediately. You can only schedule a deletion task for the key. Instead of deleting a key that you no longer want to use, we recommend that you disable the key.

Note

You must disable deletion protection for a key before you can schedule a deletion task for the key.

  1. Log on to the KMS console.

  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.

  3. In the left-side navigation pane, click Dedicated KMS.

  4. Find the dedicated KMS instance of the Standard edition that you want to manage and click Manage in the Actions column.

  5. On the User master key tab, find the key for which you want to schedule a deletion task and choose more > Schedule Key Deletion in the Actions column.

  6. In the Schedule Key Deletion dialog box, configure Schedule Deletion Period (7 to 366 Days). The system deletes the key when the scheduled deletion period that you specify ends.

    Valid values of Schedule Deletion Period (7 to 366 Days): 7 to 366. Unit: days. Default value: 366.

  7. Click OK.

    After the deletion task of the key is scheduled, the status of the key changes to Pending Deletion. A key that is in the Pending Deletion state cannot be used for data encryption, data decryption, digital signature generation, or digital signature verification. You can also choose more > Cancel Key Deletion to cancel the scheduled key deletion task.
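The lifecycle rules described on this page (the Enabled, Disabled and Pending Deletion states, the deletion-protection check, and the 7 to 366 day deletion window) written out as a small local Python model. This is an added illustration, not the KMS API or SDK; the class, method names and state labels are assumptions chosen for the example, and the key ID is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# State labels and limits as the page describes them (labels are assumed for this example).
ENABLED, DISABLED, PENDING_DELETION = "Enabled", "Disabled", "PendingDeletion"
MIN_DAYS, MAX_DAYS, DEFAULT_DAYS = 7, 366, 366


@dataclass
class KmsKey:
    """Local model of the key lifecycle rules; not a call to KMS itself."""
    key_id: str
    state: str = ENABLED
    deletion_protection: bool = False
    delete_date: Optional[datetime] = None

    def can_use(self) -> bool:
        # Only an Enabled key may encrypt, decrypt, sign or verify.
        return self.state == ENABLED

    def disable(self) -> None:
        if self.state == PENDING_DELETION:  # assumed: cancel the deletion first
            raise ValueError("key is pending deletion")
        self.state = DISABLED

    def enable(self) -> None:
        if self.state == PENDING_DELETION:  # assumed: cancel the deletion first
            raise ValueError("key is pending deletion")
        self.state = ENABLED

    def set_deletion_protection(self, on: bool) -> None:
        # Protection cannot be turned on for a key in the Pending Deletion state.
        if on and self.state == PENDING_DELETION:
            raise ValueError("cannot protect a key that is pending deletion")
        self.deletion_protection = on

    def schedule_deletion(self, days: int = DEFAULT_DAYS,
                          now: Optional[datetime] = None) -> datetime:
        # Deletion protection must be off and the period must be within 7..366 days.
        if self.deletion_protection:
            raise ValueError("disable deletion protection before scheduling deletion")
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError(f"period must be {MIN_DAYS}-{MAX_DAYS} days, got {days}")
        now = now or datetime.now(timezone.utc)
        self.state, self.delete_date = PENDING_DELETION, now + timedelta(days=days)
        return self.delete_date

    def cancel_deletion(self) -> None:
        # Assumed: a cancelled key comes back Disabled, the safer of the two usable states.
        if self.state != PENDING_DELETION:
            raise ValueError("no deletion is scheduled")
        self.state, self.delete_date = DISABLED, None
```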