Destroy and Recreate KMS key in Cloudformation?


If I have a KMS key created in a CloudFormation and I have used that KMS key for encryption on a few things but wanted to make a new CloudFormation, is it possible to destroy that original CloudFormation and make a new CloudFormation that generates the same KMS key that was destroyed? Will the new key still work on my encrypted items?

2 Answers
Accepted Answer

Not exactly. If you do what you describe, your current KMS key will be scheduled for deletion, immediately stopping all cryptographic operations on it and, if you don't cancel the deletion, the key and everything encrypted with it will be lost forever.

However, what you can do is update your CloudFormation template such that you add the DeletionPolicy: Retain attribute on the current KMS key resource. Update your stack with the revised template, and make sure no unintended changes get included in the update.

Once this is done, you can delete the current CloudFormation stack. It will leave the KMS key in place, due to the DeletionPolicy property having the "Retain" value. At this point, the KMS key will no longer be managed by CloudFormation.

You can then create a new stack with the CFN template that you'd like, but using the "Import existing resources" stack creation option. There are certain limitations to how the existing resource, KMS key in this case, has to be declared in the template during an import operation. For example, every resource must have a DeletionPolicy property specified (which value they have is not relevant, but the attribute must be defined), and the stack cannot declare Outputs or Exports. However, after you've created the stack as an import operation, you can update it as usual, including adding the Outputs section and modifying or removing the DeletionPolicy property, if you so wish.

Leo K
answered 5 days ago
reviewed 5 days ago
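
An added example, not part of the answers on this page and not AWS tooling: a pre-flight check for the procedure in the accepted answer, run over a constructed JSON template. The logical IDs and function names are hypothetical, and the only import rules checked are the two the answer states.

```python
import copy
import json

# Constructed sample template (JSON form); logical IDs are hypothetical.
OLD_STACK = json.loads("""
{
  "Resources": {
    "DataKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "data key"}},
    "Logs": {"Type": "AWS::Logs::LogGroup", "DeletionPolicy": "Delete"}
  },
  "Outputs": {"KeyArn": {"Value": {"Fn::GetAtt": ["DataKey", "Arn"]}}}
}
""")

def unsafe_to_delete(template):
    """KMS keys that a stack delete would schedule for deletion.
    Strict: only the 'Retain' value used in the answer counts as safe."""
    return sorted(
        name for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::KMS::Key" and res.get("DeletionPolicy") != "Retain"
    )

def with_retain(template):
    """Step 1: copy of the template with DeletionPolicy: Retain on every KMS key."""
    out = copy.deepcopy(template)
    for res in out.get("Resources", {}).values():
        if res.get("Type") == "AWS::KMS::Key":
            res["DeletionPolicy"] = "Retain"
    return out

def import_blockers(template):
    """The two import limitations the answer names: a resource without a
    DeletionPolicy attribute, and a template that declares Outputs."""
    problems = [
        f"{name}: no DeletionPolicy"
        for name, res in sorted(template.get("Resources", {}).items())
        if "DeletionPolicy" not in res
    ]
    if template.get("Outputs"):
        problems.append("template declares Outputs")
    return problems

def import_template(template, key_id):
    """Template for the new stack: only the retained key, no Outputs."""
    return {"Resources": {key_id: copy.deepcopy(template["Resources"][key_id])}}

if __name__ == "__main__":
    print("before update, unsafe to delete:", unsafe_to_delete(OLD_STACK))
    retained = with_retain(OLD_STACK)
    print("after update, unsafe to delete:", unsafe_to_delete(retained))
    print("import blockers:", import_blockers(import_template(retained, "DataKey")))
```

Run the first check against the deployed template before deleting the old stack, and the last against the template you plan to import.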

No, it is not possible to recreate the same KMS key. Once deleted, it cannot be recovered. When you delete a KMS key from CloudFormation, it will be marked for deletion for a period like 7-30 days. During the pending deletion period, it cannot be used for operations.

If you create a new CloudFormation stack with KMS, a new key gets created with different key material. It is always better to disable a key than to delete it. You can re-enable the key in case it is needed. While the key is in the disabled state, it cannot be used for operations.

AWS
answered 5 days ago
