After you delete a customer master key (CMK), you cannot recover the CMK or decrypt the data and ciphertext data keys that are encrypted by using the CMK. To prevent CMKs from being accidentally deleted, KMS only allows you to schedule key deletion tasks; you cannot delete a CMK immediately. This topic describes how to schedule a key deletion task.
After a scheduled deletion period is specified for a CMK, the CMK enters the Pending Deletion state and you are no longer charged for the CMK.
The Schedule Key Deletion button for service-managed keys is dimmed. You cannot schedule a key deletion task for a service-managed key. The alias of a service-managed key is in the acs/Service name format.
Before you schedule a key deletion task for a CMK, you must disable deletion protection for the CMK. To disable deletion protection for a CMK, you can click Disable Deletion Protection in the Key Details section of the CMK. In the message that appears, click OK.
The system deletes a key when the scheduled deletion period of the key elapses. After the key is deleted, you cannot decrypt the data that is encrypted by using the key or related data keys. Before you delete a key, make sure that the key is no longer in use. If you delete a key that is in use, your services may become unavailable.
Log on to the KMS console.
In the top navigation bar, select the region in which you want to schedule a key deletion task for a CMK.
In the left-side navigation pane, click Keys.
Find the CMK for which you want to schedule a deletion task, and choose Schedule Key Deletion in the Actions column.
In the Schedule Key Deletion dialog box, configure Schedule Deletion Period (7 to 366 Days).
Valid values of Schedule Deletion Period (7 to 366 Days): 7 to 366. Unit: days. Default value: 366.
The status of the CMK changes from Enabled to Pending Deletion. You cannot use a CMK in the Pending Deletion state to encrypt data, decrypt data, or generate data keys.
You can use the Actions column to cancel the scheduled key deletion task.
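The same procedure can be driven from the Alibaba Cloud CLI instead of the console. The following preflight script is an added example, not code from the Alibaba Cloud documentation: it encodes the checks the topic describes (the pending window must be 7 to 366 days, default 366; a service-managed key with an acs/ alias cannot be scheduled; deletion protection must be disabled first; a key already in the Pending Deletion state has nothing to schedule) before building the ScheduleKeyDeletion or CancelKeyDeletion command. It assumes the `aliyun` CLI exposes `kms DescribeKey`, `kms ScheduleKeyDeletion --KeyId --PendingWindowInDays` and `kms CancelKeyDeletion --KeyId`, and that DescribeKey returns `KeyState` and `DeleteProtection` fields in its KeyMetadata; those names are assumptions from the KMS API, and the key metadata embedded below is constructed so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud docs): preflight checks before
# scheduling a CMK deletion with the aliyun CLI. API/field names are assumed.

# Constructed DescribeKey-style metadata for an enabled key without protection.
SAMPLE_META='{
  "KeyMetadata": {
    "KeyId": "00000000-0000-0000-0000-000000000000",
    "KeyState": "Enabled",
    "DeleteProtection": "Disabled"
  }
}'

# Constructed metadata for a key whose deletion protection is still enabled.
PROTECTED_META='{
  "KeyMetadata": {
    "KeyId": "11111111-1111-1111-1111-111111111111",
    "KeyState": "Enabled",
    "DeleteProtection": "Enabled"
  }
}'

# Schedule Deletion Period must be an integer from 7 to 366 (days).
validate_pending_window() {
  w="$1"
  case "$w" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$w" -ge 7 ] && [ "$w" -le 366 ]
}

# Service-managed keys have aliases in the acs/<service> format and cannot
# be scheduled for deletion.
is_service_managed_alias() {
  case "$1" in
    acs/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull one quoted string field out of (pretty-printed or single-line) JSON.
# Only handles the simple string values these checks need.
json_field() {
  printf '%s\n' "$1" | \
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p"
}

# Refuse to build a deletion request when the topic's preconditions fail.
# $1 = DescribeKey JSON, $2 = alias (optional, empty if unknown).
preflight_key() {
  meta="$1"; alias_name="${2:-}"
  if is_service_managed_alias "$alias_name"; then
    echo "service-managed key ($alias_name): cannot schedule deletion" >&2
    return 1
  fi
  state=$(json_field "$meta" KeyState)
  if [ "$state" = "PendingDeletion" ]; then
    echo "key is already pending deletion" >&2
    return 1
  fi
  if [ "$(json_field "$meta" DeleteProtection)" = "Enabled" ]; then
    echo "deletion protection is enabled; disable it before scheduling" >&2
    return 1
  fi
  return 0
}

# Build (but do not run) the CLI command; default window is 366 days.
build_schedule_cmd() {
  key_id="$1"; window="${2:-366}"
  validate_pending_window "$window" || {
    echo "invalid Schedule Deletion Period: $window (must be 7-366)" >&2
    return 1
  }
  printf 'aliyun kms ScheduleKeyDeletion --KeyId %s --PendingWindowInDays %s\n' \
    "$key_id" "$window"
}

# Command to cancel a scheduled deletion while the key is still pending.
build_cancel_cmd() {
  printf 'aliyun kms CancelKeyDeletion --KeyId %s\n' "$1"
}

# Live variant: fetch real metadata, run the checks, then execute. Only runs
# when called explicitly; needs a configured aliyun CLI.
schedule_key_deletion() {
  key_id="$1"; window="${2:-366}"; alias_name="${3:-}"
  meta=$(aliyun kms DescribeKey --KeyId "$key_id") || return 1
  preflight_key "$meta" "$alias_name" || return 1
  cmd=$(build_schedule_cmd "$key_id" "$window") || return 1
  echo "running: $cmd" >&2
  $cmd
}

# Offline demo on the constructed metadata; no API call is made here.
if preflight_key "$SAMPLE_META"; then
  build_schedule_cmd "00000000-0000-0000-0000-000000000000" 30
fi
```

Run the script as-is to see the command it would issue for the constructed key; call `schedule_key_deletion <key-id> <days> [alias]` only once the checks pass against real metadata, and keep `build_cancel_cmd` at hand for the period during which the key is still in the Pending Deletion state.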