Help Center/ Data Encryption Workshop/ User Guide (Kuala Lumpur Region)/ Key Management Service/ Managing CMKs/ Deleting a Key
Updated on 2025-12-02 GMT+08:00
View PDF
Share

Deleting a Key

Before deleting the key, confirm that it is not in use and will not be used. You can check the key usage in either of the following ways:

  • Check the CMK permission to determine its possible usage scope. For details, see Querying a Grant.
  • Check audit logs to determine the actual usage.

Prerequisites

The key to be deleted is in Enabled, Disabled, or Pending import status.

Constraints

  • A key will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 1096 days.

    Before the specified deletion date, you can cancel the deletion if you want to use the CMK. Once the scheduled deletion has taken effect, the CMK will be deleted permanently and you will not be able to decrypt data encrypted by the CMK. Exercise caution when performing this operation.

  • Default keys created by KMS cannot be scheduled for deletion.
  • A CMK in pending deletion status does not incur charges. If you cancel deletion, the charging resumes from the time when the CMK was scheduled to be deleted.

Procedure

To schedule the deletion of multiple CMKs at a time, select them and click Delete in the upper left corner of the list. The following describes how to delete a single key.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click on the left and choose Security > Data Encryption Workshop.
  4. Locate the target key and click Delete in the Operation column.
  5. On the key deletion dialog box, enter the deletion delay time.
  6. Select I understand the impact of deleting keys and click YesOK.
  7. Enter DELETE in the confirmation dialog box and click OK.
Parent topic: Managing CMKs