KMS key lifecycle
KMS keys move through a defined lifecycle from creation through operation, optional suspension, and eventual deletion. Key metadata is immutable after creation; lifecycle operations control whether cryptographic operations are permitted.
Key states
| Status | Meaning | Crypto allowed? |
|---|---|---|
| active | Normal operation | Yes |
| disabled | Soft-disabled | No |
| pending_deletion | Scheduled for permanent deletion | No |
Crypto operations against disabled or pending-deletion keys return 400 Bad Request.
Keys remain visible in list and get operations while pending deletion, so you can monitor and recover them during the retention window.
Lifecycle diagram
Create → Active
  ├─ Disable → Disabled → Enable → Active
  ├─ Rotate → Active (new version)
  └─ Delete → Pending deletion (30 days) → Permanent deletion
       └─ Cancel deletion → Active
Disable a key
Temporarily stop all crypto operations without deleting the key:
POST /v1/kms/{region}/keys/{id}/disable
Use disable when you need to suspend a key quickly—for example during an incident investigation or before decommissioning a dependent service. Disabled keys retain all versions and metadata.
Requires delete permission. See Access control.
Enable a key
Restore a disabled key to active status:
POST /v1/kms/{region}/keys/{id}/enable
After enable, encrypt, decrypt, sign, and other supported operations resume using the latest version.
Delete a key
Schedule a key for deletion:
DELETE /v1/kms/{region}/keys/{id}
Deletion is a soft delete with a 30-day retention period. The response includes deletionScheduledAt, indicating when permanent deletion occurs.
During the retention window:
- The key status is pending_deletion
- Crypto operations are blocked
- The key remains listable and retrievable
After the retention period expires, the key and its versions are permanently removed.
Warning
Permanent deletion is irreversible. Ensure no services still reference the key before you delete it. Dependent services such as Secrets Manager secrets bound to the key will fail once the key is unavailable.
Cancel deletion
Recover a key before the retention period expires:
DELETE /v1/kms/{region}/keys/{id}/cancel-deletion
The key returns to active status and crypto operations resume.
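The lifecycle above (disable, enable, delete with a 30-day deletionScheduledAt, cancel deletion, permanent removal) as an added offline model written for this page; it is not the service's client or API code. The KeyStore methods stand in for the endpoints, the injectable `now` and the `permitted` flag are assumptions so that expiry and the 404-instead-of-403 behaviour can be exercised, and no real cryptography is performed.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)  # retention window stated on this page


class KmsError(Exception):
    """args[0] carries the HTTP status the real API would return."""


class KeyStore:
    """In-memory stand-in for the key endpoints; `now` is injectable so expiry is testable."""
    def __init__(self, now=None):
        self.now, self.keys = now or datetime.now(), {}
    def create(self, key_id):  # versions survive disable and pending deletion
        self.keys[key_id] = {"status": "active", "versions": 1, "deletionScheduledAt": None}
    def get(self, key_id, permitted=True):
        # Missing permission and missing key are indistinguishable: 404, never 403
        if not permitted or key_id not in self.keys:
            raise KmsError(404, "Not Found")
        return self.keys[key_id]
    def encrypt(self, key_id):
        key = self.get(key_id)
        if key["status"] != "active":  # disabled or pending_deletion -> 400 Bad Request
            raise KmsError(400, f"key is {key['status']}")
        return {"key": key_id, "version": key["versions"]}  # version used; no real crypto here
    def disable(self, key_id, permitted=True):  # POST .../keys/{id}/disable
        self.get(key_id, permitted)["status"] = "disabled"
    def enable(self, key_id, permitted=True):  # POST .../keys/{id}/enable
        key = self.get(key_id, permitted)
        if key["status"] == "disabled":  # the page defines enable only for disabled keys
            key["status"] = "active"
    def delete(self, key_id, permitted=True):  # DELETE .../keys/{id}
        key = self.get(key_id, permitted)
        key.update(status="pending_deletion", deletionScheduledAt=self.now + RETENTION)
        return key["deletionScheduledAt"]
    def cancel_deletion(self, key_id, permitted=True):  # DELETE .../keys/{id}/cancel-deletion
        key = self.get(key_id, permitted)
        if key["status"] != "pending_deletion":
            raise KmsError(400, f"key is {key['status']}")
        key.update(status="active", deletionScheduledAt=None)
    def list_keys(self):
        return sorted(self.keys)  # pending_deletion keys remain listable and retrievable
    def purge_expired(self):
        """Permanent, irreversible removal once the 30-day window has elapsed."""
        gone = [k for k, v in self.keys.items()
                if v["status"] == "pending_deletion" and v["deletionScheduledAt"] <= self.now]
        for k in gone:
            del self.keys[k]
        return gone
```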
Disable vs delete
| Action | Use when |
|---|---|
| Disable | Temporary suspension; you may need the key again soon |
| Delete | Permanent removal after decommissioning; 30-day recovery window |
Prefer disable for operational pauses. Use delete only when you are certain the key is no longer needed.
IAM requirements
| Action | Permission |
|---|---|
| Disable, enable, delete, cancel deletion | delete |
Users without sufficient access receive 404 Not Found rather than 403 Forbidden to avoid revealing key existence.
Related documentation
- Creating keys — Initial key creation
- Rotation — Add versions while the key is active
- Integrations — Check dependent services before deletion