Deleting a Customer Master Key (CMK) is an irreversible action. Once a key is deleted, any data encrypted under it becomes permanently unrecoverable. As a safety precaution, KMS does not allow for immediate deletion; instead, you must first schedule a key for deletion. This topic explains the process.
Background information
After you schedule a CMK for deletion, its status changes to Pending Deletion. Keys in the Pending Deletion state do not incur charges.
You cannot delete service keys managed by cloud services. Schedule Key Deletion is disabled for these keys. A service key typically has an alias in the format acs/<cloud_service>. If you no longer use a service key, you do not need to perform any operations. You can retain the service key because it does not incur any fees.
Prerequisites
Before scheduling a key for deletion, ensure Deletion Protection is disabled for the CMK. On the key details page, click Disable Deletion Protection and then click OK.
Procedure
After the scheduled deletion period expires, the system permanently deletes the key. All content encrypted with this key, including the data keys derived from it, will become permanently undecryptable. Before scheduling the key for deletion, ensure it is no longer in use. Otherwise, your services may become unavailable.
Log on to the KMS console.
In the upper-left corner, select the region where the key is located.
In the left navigation pane, click Keys.
Find your target key. In the Actions column, choose .
In the Schedule Key Deletion dialog box, set the Schedule Key Period.
You can set the Scheduled Deletion Period to a value from 7 to 366 days. The default value is 366 days.
Click OK.
NoteThe key status changes from Enabled to Pending Deletion. A key in the Pending Deletion state cannot be used to encrypt, decrypt, or generate data keys.
To cancel the deletion request, choose .