After you delete a customer master key (CMK), you cannot recover the CMK or decrypt the data and ciphertext data keys that were encrypted by using the CMK. To prevent CMKs from being deleted accidentally, KMS only allows you to schedule key deletion tasks; you cannot delete a CMK immediately. This topic describes how to schedule a key deletion task.
Background information
After a scheduled deletion period is specified for a CMK, the CMK enters the Pending Deletion state and you are no longer charged for the CMK.
The Schedule Key Deletion button for service-managed keys is dimmed. You cannot schedule a key deletion task for a service-managed key. The alias of a service-managed key is in the acs/Service name format.
Prerequisites
Before you schedule a key deletion task for a CMK, you must disable deletion protection for the CMK. To disable deletion protection for a CMK, you can click Disable Deletion Protection in the Key Details section of the CMK. In the message that appears, click OK.
Procedure
Log on to the KMS console.
In the top navigation bar, select the region in which you want to schedule a key deletion task for a CMK.
In the left-side navigation pane, choose Resource > Keys.
Find the CMK for which you want to schedule a deletion task, and choose in the Actions column.
In the Schedule Key Deletion dialog box, configure Schedule Deletion Period (7 to 366 Days).
Valid values of Schedule Deletion Period (7 to 366 Days): 7 to 366. Unit: days. Default value: 366.
Click OK.
Note: The status of the CMK changes from Enabled to Pending Deletion. You cannot use a CMK in the Pending Deletion state to encrypt data, decrypt data, or generate data keys.
You can choose in the Actions column to cancel the scheduled key deletion task.
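The same workflow driven through the KMS API rather than the console, as an added example that is not part of the original topic: it applies the page's pre-conditions (7 to 366 day window, no service-managed acs/ alias, deletion protection disabled, key not already pending deletion) before calling ScheduleKeyDeletion, and shows the cancel path. The `call` function, the FakeKms stand-in and the response field names are assumptions for the sake of an offline run.

```python
# Added example (not Alibaba Cloud's own code): pre-flight checks plus a thin
# wrapper around the ScheduleKeyDeletion / CancelKeyDeletion API actions.
# Assumptions: `call(action, params)` sends one KMS API request (e.g. via the
# Alibaba Cloud SDK) and returns the parsed response; the KeyState,
# DeletionProtection and Aliases.Alias[].AliasName fields are assumed names.
MIN_DAYS, MAX_DAYS, DEFAULT_DAYS = 7, 366, 366  # limits of the console dialog
SERVICE_ALIAS_PREFIX = "acs/"                   # alias format of service-managed keys

def preflight(key_state, deletion_protection, aliases, pending_days):
    """Return the reasons a deletion cannot be scheduled (empty list = OK)."""
    problems = []
    if not MIN_DAYS <= pending_days <= MAX_DAYS:
        problems.append(f"pending window {pending_days} outside {MIN_DAYS}-{MAX_DAYS} days")
    if any(a.startswith(SERVICE_ALIAS_PREFIX) for a in aliases):
        problems.append("service-managed key: deletion cannot be scheduled")
    if deletion_protection == "Enabled":
        problems.append("deletion protection is on: disable it first")
    if key_state == "PendingDeletion":
        problems.append("key is already pending deletion")
    return problems

def schedule_key_deletion(call, key_id, pending_days=DEFAULT_DAYS):
    """Run the checks, then schedule; returns the key state afterwards."""
    meta = call("DescribeKey", {"KeyId": key_id})["KeyMetadata"]
    alias_resp = call("ListAliasesByKeyId", {"KeyId": key_id})
    aliases = [a["AliasName"] for a in alias_resp["Aliases"]["Alias"]]
    problems = preflight(meta["KeyState"], meta.get("DeletionProtection", "Disabled"), aliases, pending_days)
    if problems:
        raise ValueError("; ".join(problems))
    call("ScheduleKeyDeletion", {"KeyId": key_id, "PendingWindowInDays": pending_days})
    return call("DescribeKey", {"KeyId": key_id})["KeyMetadata"]["KeyState"]

def cancel_key_deletion(call, key_id):
    # Cancelling returns the CMK to the Enabled state; returns the state afterwards.
    call("CancelKeyDeletion", {"KeyId": key_id})
    return call("DescribeKey", {"KeyId": key_id})["KeyMetadata"]["KeyState"]

class FakeKms:
    # Constructed in-memory stand-in for the KMS API so the example runs offline.
    def __init__(self, state="Enabled", protection="Disabled", aliases=()):
        self.state, self.protection, self.aliases = state, protection, list(aliases)
    def __call__(self, action, params):
        if action == "DescribeKey":
            return {"KeyMetadata": {"KeyState": self.state, "DeletionProtection": self.protection}}
        if action == "ListAliasesByKeyId":
            return {"Aliases": {"Alias": [{"AliasName": a} for a in self.aliases]}}
        if action == "ScheduleKeyDeletion":
            self.state = "PendingDeletion"
        elif action == "CancelKeyDeletion":
            self.state = "Enabled"
        return {}
```

Replace FakeKms with a real `call` backed by the SDK to run it against an account; the checks and state transitions stay the same.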