
CMK creation through Terraform, can't delete it or destroy it.

0

Hello, I accidentally created a CMK with Terraform in another region that I'm not using. However, when I attempt to delete the CMK using terraform destroy, it cannot be deleted. I have tried deleting it with the same user that Terraform used to authenticate and run the apply, but I am still unable to delete it through the console, the CLI, or Terraform code. I also attempted to delete it as the AWS root user, but that was not successful either.

Is the only way to erase this CMK through AWS Support?

  • What is the specific error message when trying to delete?

3 Answers
2

Hello.

What error do you get when you try to delete it?
Depending on the key policy settings, you may need to contact AWS Support.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam

For example, suppose you create a key policy that gives only one user access to the KMS key. If you then delete that user, the key becomes unmanageable and you must contact AWS Support to regain access to the KMS key.

EXPERT
answered a year ago
EXPERT
reviewed a year ago
1
  • Right, but my question was aimed more at why Terraform is not able to destroy the CMK that I created through Terraform, with the same backend and the same credentials. I do understand that I need to escalate to AWS Support to get my CMK deleted, but I was wondering if someone else had this specific problem with Terraform.

0

KMS keys can't be deleted directly. You can only schedule one to be deleted, between 7 and 30 days in the future.

If you are getting an actual error message trying to schedule the key for deletion, you should first check what permissions are set in the key policy. If you lack the permissions even to view the key policy, you can usually find it by opening the CloudTrail console, navigating to the region where the key resides, and searching for the "Event name" of "PutKeyPolicy". The log event will contain the policy that got set. If you'd like to share the key policy here (redacting your account ID and other confidential details), we could see if there's a way for you to access it.

There's a hardwired sanity check in KMS that prevents you from setting a key policy that prevents the same principal from changing the policy subsequently. It isn't airtight, but in general, you might very well have a policy set that blocks the key from being scheduled for deletion by the principal that created it, while still allowing that principal to modify the key policy, which would allow you to grant yourself the necessary permissions.

Your other alternative is to raise a support ticket with AWS and ask them to reset the key policy for you.

EXPERT
answered a year ago
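To act on the advice above, once you have pulled the key policy out of the CloudTrail PutKeyPolicy event you can check it for the two permissions that matter here: ScheduleKeyDeletion and PutKeyPolicy. This is an added example, not code from the answerer or from AWS; the policy document and the principal ARN are constructed, and the evaluator is deliberately simplified (no Conditions, NotAction, or IAM policies attached to the account root principal).

```python
import fnmatch
import json

# Constructed sample key policy (not from the original post). It mirrors the
# situation the answer describes: the creating principal may still edit the
# policy, but scheduling deletion is explicitly denied.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreatorCanManagePolicy", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/terraform"},
         "Action": ["kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "NoDeletion", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/terraform"},
         "Action": "kms:ScheduleKeyDeletion",
         "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_principal(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))

def _matches_action(stmt, action):
    # IAM action names are case-insensitive and may use wildcards like kms:*
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))

def is_allowed(policy_json, principal_arn, action):
    """Simplified key-policy evaluation for one principal and one action:
    an explicit Deny wins; otherwise any matching Allow grants the action."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not (_matches_principal(stmt, principal_arn) and _matches_action(stmt, action)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def deletion_diagnosis(policy_json, principal_arn):
    """Report whether the principal can schedule deletion and whether it can
    still rewrite the policy to grant itself that permission."""
    return {
        "can_schedule_deletion": is_allowed(policy_json, principal_arn, "kms:ScheduleKeyDeletion"),
        "can_put_key_policy": is_allowed(policy_json, principal_arn, "kms:PutKeyPolicy"),
    }
```

If the diagnosis shows PutKeyPolicy allowed but ScheduleKeyDeletion denied, the path the answer describes applies: update the key policy first, then schedule the deletion (which is what terraform destroy does for an aws_kms_key).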
