Deleting customer master keys is a very sensitive operation. You should delete a CMK only when you are sure that you don’t need to use it anymore.
aws kms disable-key --key-id <key ID of the CMK we want to disable>
2. To check, we go to the KMS Console
aws kms enable-key --key-id <key ID of the CMK we want to enable>
4. To check, we go to the KMS Console
For the deletion operation, AWS KMS enforces a waiting period. To delete a CMK in AWS KMS, you have to schedule a key deletion. You can set the waiting period from a minimum of 7 days up to a maximum of 30 days, which is the default.
aws kms schedule-key-deletion --key-id <key ID of the CMK we created in section 3.1> --pending-window-in-days 7
2. To check, we go to the KMS Console
Working with CMKs that have been generated with External Key Material is a bit different, because you can schedule a key deletion but you can also delete the key material on demand. Therefore, to delete key material, you can either schedule a date and wait for the key material to expire, or delete it manually.
aws kms delete-imported-key-material --key-id <key ID of the CMK we created in section 3.2>
2. To check, we go to the KMS Console
aws kms schedule-key-deletion --key-id <key ID of the CMK we created in section 3.2> --pending-window-in-days 7
4. To check, we go to the KMS Console
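
The wrapper below is an added example, not part of the original walkthrough: it checks the 7 to 30 day waiting period and the key state before issuing the commands shown above. The DRY_RUN switch, the function names and the choice to disable an Enabled key before scheduling its deletion are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): guard rails around key deletion.
# DRY_RUN, the function names and the disable-first policy are assumptions.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the aws command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# AWS KMS only accepts a waiting period between 7 and 30 days.
valid_window() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 7 ] && [ "$1" -le 30 ]
}

# Map the KeyState reported by describe-key to the next step.
next_step() {
    case "$1" in
        Enabled)         echo disable-first ;;     # reversible step before deletion
        Disabled)        echo schedule ;;
        PendingImport)   echo schedule ;;          # key material deleted or expired
        PendingDeletion) echo already-scheduled ;;
        *)               echo stop ;;
    esac
}

# usage: retire_key <key-id> <days> [state]; state is looked up when omitted
retire_key() {
    key_id="$1"; days="$2"; state="${3:-}"
    valid_window "$days" || { echo "waiting period must be 7-30 days" >&2; return 2; }
    [ -n "$state" ] || state=$(aws kms describe-key --key-id "$key_id" \
        --query 'KeyMetadata.KeyState' --output text)
    case "$(next_step "$state")" in
        disable-first)
            run aws kms disable-key --key-id "$key_id" ;;
        schedule)
            run aws kms schedule-key-deletion --key-id "$key_id" \
                --pending-window-in-days "$days" ;;
        already-scheduled)
            echo "pending deletion; undo with: aws kms cancel-key-deletion --key-id $key_id" ;;
        *)
            echo "unexpected key state: $state" >&2; return 3 ;;
    esac
}
```

With DRY_RUN=0 the same calls are executed instead of printed; a key that is already pending deletion is left alone and the cancel command is shown.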