You can schedule the deletion of a customer master key (CMK) at any time.

You must specify a waiting period for the deletion ranging from 7 to 30 days (both included). At any time before the end of the waiting period, you can cancel the scheduled deletion.

To prevent the accidental deletion of a CMK that you may still need, you cannot immediately delete the CMK.

The following procedures are available:

Deleting a CMK Using Cockpit

Scheduling a Deletion

  1. Click Services > Customer Master Keys.


  2. Click the CMK you want to delete.

    You cannot delete the default CMK of your account.

  3. Click Delete .
    The SCHEDULE KEY DELETION dialog box appears.

  4. Specify a waiting period from 7 to 30 days (both included).

  5. Click Delete to validate.
    The state of the CMK becomes PendingDeletion and the CMK is deleted at the end of the waiting period.


Canceling a Scheduled Deletion

  1. Click Services > Customer Master Keys.


  2. Click the CMK whose scheduled deletion you want to cancel.

  3. Click Cancel Deletion .
    The CANCEL KEY DELETION dialog box appears.

  4. Click Cancel Deletion to validate.
    The scheduled deletion is canceled and the state of the CMK becomes Disabled.

    You need to enable the CMK to use it again. For more information, see Disabling or Enabling a CMK.


Deleting a CMK Using OSC CLI

Scheduling a Deletion

Before you begin: See Installing and Configuring OSC CLI to set up OSC CLI.


  • To schedule the deletion of a CMK, use the ScheduleKeyDeletion command following this syntax:

    Request sample
    $> osc-cli okms ScheduleKeyDeletion \
        --KeyId cmk-12345678 \
        --PendingWindowInDays 30

    This command contains the following attributes that you need to specify:

    • KeyId: The ID of the CMK.

      You cannot delete the default CMK of your account.

    • (optional) PendingWindowInDays: The waiting period before deletion, in days (between 7 and 30). By default, 30.


  • The ScheduleKeyDeletion command returns the following elements:

    • KeyId: The ID of the CMK.

    • DeletionDate: The date and time when the CMK will be deleted.
    Result sample
    {
        "KeyId": "cmk-12345678",
        "DeletionDate": "2019-12-22T13:00:00.000000+00:00"
    }

Canceling a Scheduled Deletion

Before you begin: See Installing and Configuring OSC CLI to set up OSC CLI.


  • To cancel the scheduled deletion of a CMK, use the CancelKeyDeletion command following this syntax:

    Request sample
    $> osc-cli okms ScheduleKeyDeletion \
        --KeyId cmk-12345678

    This command contains the following attribute that you need to specify:

    • KeyId: The ID of the CMK.


  • The ScheduleKeyDeletion command returns the following element:

    • KeyId: The ID of the CMK.

    Result sample
    {
        "KeyId": "cmk-12345678"
    }


Corresponding API Methods


AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.