Updated on 2024-05-15 GMT+08:00

Disabling One or More CMKs

This section describes how to use the KMS console to disable one or more custom keys, thereby protecting data in urgent cases.

After being disabled, a custom key cannot be used to encrypt or decrypt any data. Before using a disabled CMK to encrypt or decrypt data, you must enable it by following instructions in Enabling One or More CMKs.

Prerequisites

The CMK you want to disable is in Enabled status.

Constraints

  • Default keys created by KMS cannot be disabled.
  • A disabled CMK is still billable. It will stop incurring charges if it is deleted.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click . Choose Security & Compliance > Data Encryption Workshop.
  4. In the row containing the target CMK, click Disable.

    Figure 1 Disabling one CMK

  5. In the displayed dialog box, select I understand the impact of disabling keys, and click OK.

    To disable multiple CMKs at a time, select them and click Disable in the upper left corner of the list.