Delete an AWS KMS keys - AWS Key Management Service

Delete an AWS KMS keys

Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, you can no longer decrypt the data that was encrypted under that KMS key, which means that data becomes unrecoverable. (The only exceptions are multi-Region replica keys and asymmetric and HMAC KMS keys with imported key material.) This risk is significant for asymmetric KMS keys used for encryption where, without warning or error, users can continue to generate ciphertexts with the public key that cannot be decrypted after the private key is deleted from AWS KMS.

You should delete a KMS key only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the KMS key instead of deleting it. You can re-enable a disabled KMS key and cancel the scheduled deletion of a KMS key, but you cannot recover a deleted KMS key.

You can only schedule the deletion of a customer managed key. You cannot delete AWS managed keys or AWS owned keys.

Before deleting a KMS key, you might want to know how many ciphertexts were encrypted under that KMS key. AWS KMS does not store this information and does not store any of the ciphertexts. To get this information, you must determine past usage of a KMS key. For help, go to Determine past usage of a KMS key.

AWS KMS never deletes your KMS keys unless you explicitly schedule them for deletion and the mandatory waiting period expires.

However, you might choose to delete a KMS key for one or more of the following reasons:

  • To complete the key lifecycle for KMS keys that you no longer need

  • To avoid the management overhead and costs associated with maintaining unused KMS keys

  • To reduce the number of KMS keys that count against your KMS key resource quota

Note

If you close your AWS account, your KMS keys become inaccessible and you are no longer billed for them.

AWS KMS records an entry in your AWS CloudTrail log when you schedule deletion of the KMS key and when the KMS key is actually deleted.

About the waiting period

Because it is destructive and potentially dangerous to delete a KMS key, AWS KMS requires you to set a waiting period of 7 – 30 days. The default waiting period is 30 days.

However, the actual waiting period might be up to 24 hours longer than the one you scheduled. To get the actual date and time when the KMS key will be deleted, use the DescribeKey operation. Or in the AWS KMS console, on detail page for the KMS key, in the General configuration section, see the Scheduled deletion date. Be sure to note the time zone.

During the waiting period, the KMS key status and key state is Pending deletion.

After the waiting period ends, AWS KMS deletes the KMS key, its aliases, and all related AWS KMS metadata.

Scheduling the deletion of a KMS key might not immediately affect data keys encrypted by the KMS key. For details, see How unusable KMS keys affect data keys.

Use the waiting period to ensure that you don't need the KMS key now or in the future. You can configure an Amazon CloudWatch alarm to warn you if a person or application attempts to use the KMS key during the waiting period. To recover the KMS key, you can cancel key deletion before the waiting period ends. After the waiting period ends you cannot cancel key deletion, and AWS KMS deletes the KMS key.

Special considerations

Before you schedule your keys for deletion, review the following special considerations for deleting special purpose KMS keys.

Deleting asymmetric KMS keys

Users who are authorized can delete symmetric or asymmetric KMS keys. The procedure to schedule the deletion of these KMS keys is the same for both types of keys. However, because the public key of an asymmetric KMS key can be downloaded and used outside of AWS KMS, the operation poses significant additional risks, especially for asymmetric KMS keys used for encryption (the key usage is ENCRYPT_DECRYPT).

  • When you schedule the deletion of a KMS key, the key state of KMS key changes to Pending deletion, and the KMS key cannot be used in cryptographic operations. However, scheduling deletion has no effect on public keys outside of AWS KMS. Users who have the public key can continue to use them to encrypt messages. They do not receive any notification that the key state is changed. Unless the deletion is canceled, ciphertext created with the public key cannot be decrypted.

  • Alarms, logs, and other strategies that detect attempted use of KMS key that is pending deletion cannot detect use of the public key outside of AWS KMS.

  • When the KMS key is deleted, all AWS KMS actions involving that KMS key fail. However, users who have the public key can continue to use them to encrypt messages. These ciphertexts cannot be decrypted.

If you must delete an asymmetric KMS key with a key usage of ENCRYPT_DECRYPT, use your CloudTrail Log entries to determine whether the public key has been downloaded and shared. If it has, verify that the public key is not being used outside of AWS KMS. Then, consider disabling the KMS key instead of deleting it.

The risk posed by deleting an asymmetric KMS key is mitigated for asymmetric KMS keys with imported key material. For details, see Deleting KMS keys with imported key material.

Deleting multi-Region keys

To delete a primary key, you must schedule the deletion all of its replica keys, and then wait for the replica keys to be deleted. The required waiting period for deleting a primary key begins when the last of its replica keys is deleted. If you must delete a primary key from a particular Region without deleting its replica keys, change the primary key to a replica key by updating the primary Region.

You can delete a replica key at any time. It doesn't depend on the key state of any other KMS key. If you mistakenly delete a replica key, you can recreate it by replicating the same primary key in the same Region. The new replica key you create will have the same shared properties as the original replica key.

Deleting KMS keys with imported key material

Deleting the key material of a KMS key with imported key material is temporary and reversible. To restore the key, reimport its key material.

In contrast, deleting a KMS key is irreversible. If you schedule key deletion and the required waiting period expires, AWS KMS permanently and irreversibly deletes the KMS key, its key material, and all metadata associated with the KMS key.

However, the risk and consequence of deleting a KMS key with imported key material depends on the type ("key spec") of the KMS key.

  • Symmetric encryption keys — If you delete a symmetric encryption KMS key, all remaining ciphertexts encrypted by that key are unrecoverable. You cannot create a new symmetric encryption KMS key that can decrypt the ciphertexts of a deleted symmetric encryption KMS key, even if you have the same key material. Metadata unique to each KMS key is cryptographically bound to each symmetric ciphertext. This security feature guarantees that only the KMS key that encrypted the symmetric ciphertext can decrypt it, but it prevents you from recreating an equivalent KMS key.

  • Asymmetric and HMAC keys — If you have the original key material, you can create a new KMS key with the same cryptographic properties as an asymmetric or HMAC KMS key that was deleted. AWS KMS generates standard RSA ciphertexts and signatures, ECC signatures, and HMAC tags, which do not include any unique security features. Also, you can use an HMAC key or the private key of an asymmetric key pair outside of AWS.

    A new KMS key that you create with the same asymmetric or HMAC key material will have a different key identifier. You will have to create a new key policy, recreate any aliases, and update existing IAM policies and grants to refer to the new key.

Deleting KMS keys from an AWS CloudHSM key stores

When you schedule deletion of a KMS key from an AWS CloudHSM key store, its key state changes to Pending deletion. The KMS key remains in the Pending deletion state throughout the waiting period, even if the KMS key becomes unavailable because you have disconnected the custom key store. This allows you to cancel the deletion of the KMS key at any time during the waiting period.

When the waiting period expires, AWS KMS deletes the KMS key from AWS KMS. Then AWS KMS makes a best effort to delete the key material from the associated AWS CloudHSM cluster. If AWS KMS cannot delete the key material, such as when the key store is disconnected from AWS KMS, you might need to manually delete the orphaned key material from the cluster.

AWS KMS does not delete the key material from cluster backups. Even if you delete the KMS key from AWS KMS and delete its key material from your AWS CloudHSM cluster, clusters created from backups might contain the deleted key material. To permanently delete the key material, use the DescribeKey operation to identify the creation date of the KMS key. Then delete all cluster backups that might contain the key material.

When you schedule the deletion of a KMS key from an AWS CloudHSM key store, the KMS key becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such to decrypt the data key. This issue affects AWS services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.

Deleting KMS keys from an external key store

Deleting a KMS key from an external key store has no effect on the external key that served as its key material.

When you schedule deletion of a KMS key from an external key store, its key state changes to Pending deletion. The KMS key remains in the Pending deletion state throughout the waiting period, even if the KMS key becomes unavailable because you have disconnected the external key store. This allows you to cancel the deletion of the KMS key at any time during the waiting period. When the waiting period expires, AWS KMS deletes the KMS key from AWS KMS.

When you schedule the deletion of a KMS key from an external key store, the KMS key becomes unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such to decrypt the data key. This issue affects AWS services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.