Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is Disabled
. To enable the KMS key, use EnableKey .
For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the Key Management Service Developer Guide .
The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide .
Cross-account use : No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions : kms:CancelKeyDeletion (key policy)
Related operations : ScheduleKeyDeletion
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
cancel-key-deletion
--key-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--key-id
(string)
Identifies the KMS key whose deletion is being canceled.
Specify the key ID or key ARN of the KMS key.
For example:
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey .
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To cancel the scheduled deletion of a customer managed CMK
The following cancel-key-deletion
example cancels the scheduled deletion of a customer managed CMK and re-enables the CMK so you can use it in cryptographic operations.
The first command in the example uses the cancel-key-deletion
command to cancel the scheduled deletion of the CMK. It uses the --key-id
parameter to identify the CMK. This example uses a key ID value, but you can use either the key ID or the key ARN of the CMK.
To re-enable the CMK, use the enable-key
command. To identify the CMK, use the --key-id
parameter. This example uses a key ID value, but you can use either the key ID or the key ARN of the CMK.
aws kms cancel-key-deletion \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
The cancel-key-deletion
response returns the key ARN of the CMK whose deletion was canceled.
{
"KeyId": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
When the cancel-key-deletion
command succeeds, the scheduled deletion is canceled. However, the key state of the CMK is Disabled
, so you can’t use the CMK in cryptographic operations. To restore its functionality, you must re-enable the CMK.
aws kms enable-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
The enable-key
operation does not return a response. To verify that the CMK is re-enabled and there is no deletion date associated with the CMK, use the describe-key
operation.
For more information, see Scheduling and Canceling Key Deletion in the AWS Key Management Service Developer Guide.