Delete AWS KMS CMK

Deleting customer master keys is a very sensitive operation. You should delete a CMK only when you are sure that you don’t need to use it anymore.

If you are not sure that you need to delete the key, you might want to disable the key only.

  1. Execute the below command to disable the CMK
aws kms disable-key --key-id <key ID of the CMK we want to disable>

  2. To check, we go to the KMS Console

  • Click Customer managed keys
  3. Execute the below command to enable the disabled CMK again
aws kms enable-key --key-id <key ID of the CMK we want to enable>

  4. To check, we go to the KMS Console

  • Click Customer managed keys

You are sure that you want to delete the CMK

Delete a CMK that was not created from External Key Material

For the deletion operation, AWS KMS enforces a waiting period. To delete a CMK in AWS KMS you have to schedule a key deletion. You can set the waiting period from a minimum of 7 days up to a maximum of 30 days (the default).

  1. Execute the below command to schedule the deletion of the CMK
aws kms schedule-key-deletion --key-id <key ID of the CMK we created in section 3.1> --pending-window-in-days 7

  2. To check, we go to the KMS Console

  • Click Customer managed keys
  • After scheduling a key deletion, the status of the key is Pending deletion

Delete a CMK that was created from External Key Material

Working with CMKs that have been created from External Key Material is a bit different: you can schedule a key deletion, but you can also delete the key material on demand. Therefore, to remove the key material, you can either set an expiration date and wait for the key material to expire, or delete it manually.

  1. Execute the below command to delete the External Key Material
aws kms delete-imported-key-material --key-id <key ID of the CMK we created in section 3.2>

  2. To check, we go to the KMS Console

  • Click Customer managed keys
  • After deleting the External Key Material, the status of the key is Pending import
  3. Execute the below command to schedule the deletion of the External CMK
aws kms schedule-key-deletion --key-id <key ID of the CMK we created in section 3.2> --pending-window-in-days 7

  4. To check, we go to the KMS Console

  • Click Customer managed keys
  • After scheduling the External CMK deletion, the status of the key is Pending deletion
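As an added example (not part of the original page), the following POSIX shell script encodes the decision logic of the two deletion procedures above: it validates the waiting period against the 7 to 30 day range, removes imported key material first when the key's Origin is EXTERNAL, and refuses to act on a key that is already pending deletion. The key ID, Origin and KeyState values in the demo are constructed; in real use take them from aws kms describe-key, as the key_origin_and_state helper does. The function names are my own, not AWS CLI commands.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight planning for CMK deletion.
# Inputs are the values `aws kms describe-key` reports (Origin, KeyState); the
# demo at the bottom uses constructed values and never calls AWS.

# Live lookup helper (not used by the demo): prints "<Origin>\t<KeyState>".
key_origin_and_state() {
  aws kms describe-key --key-id "$1" \
    --query '[KeyMetadata.Origin,KeyMetadata.KeyState]' --output text
}

# The waiting period KMS accepts is 7..30 days (30 is the default).
valid_window() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
  esac
  [ "$1" -ge 7 ] && [ "$1" -le 30 ]
}

# plan_key_deletion KEY_ID ORIGIN KEY_STATE DAYS
# Prints the CLI commands to run, in order. Returns 1 if there is nothing to
# do (already pending deletion) and 2 if the waiting period is out of range.
plan_key_deletion() {
  key_id=$1; origin=$2; state=$3; days=$4
  if ! valid_window "$days"; then
    echo "error: pending window must be 7-30 days, got '$days'" >&2
    return 2
  fi
  if [ "$state" = "PendingDeletion" ]; then
    echo "error: key $key_id is already pending deletion" >&2
    return 1
  fi
  # Imported material is removed on demand first (external CMK procedure); once
  # it is gone the key is Pending import and only the scheduled deletion remains.
  if [ "$origin" = "EXTERNAL" ] && [ "$state" != "PendingImport" ]; then
    echo "aws kms delete-imported-key-material --key-id $key_id"
  fi
  echo "aws kms schedule-key-deletion --key-id $key_id --pending-window-in-days $days"
}

# Constructed demo values (not a real key ID or account):
plan_key_deletion "1234abcd-12ab-34cd-56ef-1234567890ab" EXTERNAL Enabled 7
```

Run the script as is to see the two commands printed for the constructed external key; with real values, replace the demo line by feeding the output of key_origin_and_state into plan_key_deletion and review the printed commands before executing them.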