Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for cryptographic operations .
For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS key in the * Key Management Service Developer Guide * .
The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide .
Cross-account use : No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions : kms:DisableKey (key policy)
Related operations : EnableKey
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
disable-key
--key-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--key-id
(string)
Identifies the KMS key to disable.
Specify the key ID or key ARN of the KMS key.
For example:
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey .
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To temporarily disable a customer master key (CMK)
The following example uses the disable-key
command to disable a customer managed CMK. You can use a command like this one to prevent the CMK from being used in cryptographic operations. Disabling is always temporary. To re-enable the CMK, use the enable-key
command.
To specify the CMK, use the key-id
parameter. This example uses an key ID value, but you can use a key ID or key ARN value in this command. Before running this command, replace the example key ID with a valid one.
aws kms enable-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab
This command produces no output.
For more information, see Enabling and Disabling Keys in the AWS Key Management Service Developer Guide.
None