[ aws . kms ]

disable-key

Description

Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for cryptographic operations .

For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS key in the * Key Management Service Developer Guide * .

The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide .

Cross-account use : No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions : kms:DisableKey (key policy)

Related operations : EnableKey

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  disable-key
--key-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--key-id (string)

Identifies the KMS key to disable.

Specify the key ID or key ARN of the KMS key.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey .

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

To temporarily disable a customer master key (CMK)

The following example uses the disable-key command to disable a customer managed CMK. You can use a command like this one to prevent the CMK from being used in cryptographic operations. Disabling is always temporary. To re-enable the CMK, use the enable-key command.

To specify the CMK, use the key-id parameter. This example uses an key ID value, but you can use a key ID or key ARN value in this command. Before running this command, replace the example key ID with a valid one.

aws kms enable-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

This command produces no output.

For more information, see Enabling and Disabling Keys in the AWS Key Management Service Developer Guide.

Output

None