Delete key material is greyed out

0

I have one customer managed key. I try to delete it, but can only schedule deletion for 7 days later, and the "delete key material" option is greyed out. How to immediately delete this key? Otherwise, I have to pay for 7 days of KMS usage. I also find there is one AWS managed key, "AWS/secretmanager". How to delete this one as well? Thanks.

asked 2 years ago, 724 views
4 Answers
1

Hi, good question.

Because it is destructive and potentially dangerous to delete a KMS key, AWS KMS requires you to set a waiting period of 7 – 30 days. The default waiting period is 30 days.

As per https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html

About the waiting period

However, the actual waiting period might be up to 24 hours longer than the one you scheduled. To get the actual date and time when the KMS key will be deleted, use the DescribeKey operation. Or in the AWS KMS console, on the detail page for the KMS key, in the General configuration section, see the Scheduled deletion date. Be sure to note the time zone.

During the waiting period, the KMS key status and key state is Pending deletion.

* A KMS key pending deletion cannot be used in any cryptographic operations.
* AWS KMS does not rotate the key material of KMS keys that are pending deletion.

After the waiting period ends, AWS KMS deletes the KMS key, its aliases, and all related AWS KMS metadata.

Use the waiting period to ensure that you don't need the KMS key now or in the future. You can configure an Amazon CloudWatch alarm to warn you if a person or application attempts to use the KMS key during the waiting period. To recover the KMS key, you can cancel key deletion before the waiting period ends. After the waiting period ends you cannot cancel key deletion, and AWS KMS deletes the KMS key.

Sri
answered 2 years ago
0

In regards to the AWS Managed Keys, as they are managed by AWS for use with AWS services, you do not have the ability to delete them. You are not charged for them either.

AWS
answered 2 years ago
0

The way to think about the waiting period is as a feature. Key deletion can impact all services and data associated with that key. Therefore, the delay allows you to protect yourself from accidental or malicious deletion, and undo the deletion within the wait period. As Allison mentioned, you are not charged for keys that are scheduled for deletion.

AWS
answered 2 years ago
0

Thanks for your question. Just wanted to add that the "delete key material" option is available only for KMS keys with imported key material. You can't delete key material from any other type of KMS key.

AWS
junebl
answered 2 years ago
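The following is an added example, not code from the question or any of the answers. It drives the workflow Sri's answer describes (schedule deletion with a 7-30 day window, read the actual deletion date back with DescribeKey, detect use of the key during the waiting period, cancel before the window ends) and the point from junebl's answer that "delete key material" only applies to keys with imported material (Origin EXTERNAL). Every function takes a KMS client object; with boto3 that is boto3.client("kms"). The FakeKMS class, the key id and the CloudTrail records are constructed stand-ins so the script runs offline; the key-state transitions it models (PendingDeletion, Disabled after cancel, PendingImport after material deletion) follow the AWS documentation, but the 24-hour extension is modelled as the worst case rather than whatever KMS actually picks.

```python
"""Added example: KMS key deletion workflow and pending-deletion detection."""
from datetime import datetime, timedelta, timezone

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder key id, not a real key


def validate_pending_window(days=None):
    """KMS accepts PendingWindowInDays of 7-30; omitting it means 30."""
    if days is None:
        return 30
    if not 7 <= days <= 30:
        raise ValueError(f"PendingWindowInDays must be 7-30, got {days}")
    return days


def schedule_deletion(kms, key_id, days=None):
    """Start the waiting period; the returned DeletionDate may be up to 24h
    later than the requested window, so never compute it yourself."""
    resp = kms.schedule_key_deletion(
        KeyId=key_id, PendingWindowInDays=validate_pending_window(days))
    return resp["DeletionDate"]


def deletion_status(kms, key_id):
    """DescribeKey is the authoritative source for KeyState and DeletionDate."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    return meta["KeyState"], meta.get("DeletionDate")


def cancel_deletion(kms, key_id):
    """CancelKeyDeletion leaves the key Disabled, so re-enable it explicitly."""
    kms.cancel_key_deletion(KeyId=key_id)
    kms.enable_key(KeyId=key_id)
    return deletion_status(kms, key_id)[0]


def delete_imported_material(kms, key_id):
    """Only keys with Origin EXTERNAL (imported material) support this; the key
    then becomes PendingImport and is unusable until material is re-imported."""
    origin = kms.describe_key(KeyId=key_id)["KeyMetadata"].get("Origin")
    if origin != "EXTERNAL":
        raise ValueError(f"key material cannot be deleted for Origin={origin}")
    kms.delete_imported_key_material(KeyId=key_id)
    return deletion_status(kms, key_id)[0]


def find_use_during_waiting_period(records):
    """Flag KMS calls CloudTrail recorded as rejected because the key is
    pending deletion: the signal a CloudWatch alarm would be built on."""
    hits = []
    for r in records:
        if (r.get("eventSource") == "kms.amazonaws.com"
                and r.get("errorCode") == "KMSInvalidStateException"
                and "is pending deletion" in r.get("errorMessage", "")):
            hits.append((r["eventTime"], r["eventName"],
                         r["userIdentity"]["arn"], r["errorMessage"].split()[0]))
    return hits


class FakeKMS:
    """Constructed stand-in for boto3.client("kms"); not the AWS API."""
    def __init__(self, key_id, origin="AWS_KMS", now=None):
        self.now = now or datetime.now(timezone.utc)
        self.key = {"KeyId": key_id, "KeyState": "Enabled", "Origin": origin}

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.key)}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        # worst case modelled: requested window plus the extra 24 hours
        date = self.now + timedelta(days=PendingWindowInDays, hours=24)
        self.key.update(KeyState="PendingDeletion", DeletionDate=date)
        return {"KeyId": KeyId, "DeletionDate": date}

    def cancel_key_deletion(self, KeyId):
        self.key.pop("DeletionDate", None)
        self.key["KeyState"] = "Disabled"

    def enable_key(self, KeyId):
        self.key["KeyState"] = "Enabled"

    def delete_imported_key_material(self, KeyId):
        self.key["KeyState"] = "PendingImport"


# constructed CloudTrail records: one Decrypt rejected on a pending-deletion key
SAMPLE_TRAIL = [
    {"eventTime": "2023-05-02T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "KMSInvalidStateException",
     "errorMessage": f"arn:aws:kms:us-east-1:111122223333:key/{KEY_ID} is pending deletion.",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"}},
    {"eventTime": "2023-05-02T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def run_demo():
    """Schedule, inspect, detect, cancel and delete material, offline."""
    kms = FakeKMS(KEY_ID, origin="EXTERNAL",
                  now=datetime(2023, 5, 1, tzinfo=timezone.utc))  # or boto3.client("kms")
    out = {"deletion_date": schedule_deletion(kms, KEY_ID, 7)}
    out["state_pending"] = deletion_status(kms, KEY_ID)[0]
    out["hits"] = find_use_during_waiting_period(SAMPLE_TRAIL)
    out["state_after_cancel"] = cancel_deletion(kms, KEY_ID)
    out["state_after_material_delete"] = delete_imported_material(kms, KEY_ID)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Against a real account, replace FakeKMS with boto3.client("kms") and feed find_use_during_waiting_period the records from a CloudTrail lookup or a CloudWatch Logs export; the detection condition (eventSource kms.amazonaws.com, errorCode KMSInvalidStateException, message containing "is pending deletion") is the same one a metric filter on the CloudTrail log group would express.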
