Not exactly. If you do what you describe, your current KMS key will be scheduled for deletion, immediately stopping all cryptographic operations on it and, if you don't cancel the deletion, the key and everything encrypted with it will be lost forever.
However, what you can do is update your CloudFormation template such that you add the DeletionPolicy: Retain attribute on the current KMS key resource (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html). Update your stack with the revised template, and make sure no unintended changes get included in the update.
Once this is done, you can delete the current CloudFormation stack. It will leave the KMS key in place, due to the DeletionPolicy property having the "Retain" value. At this point, the KMS key will no longer be managed by CloudFormation.
You can then create a new stack with the CFN template that you'd like, but using the "Import existing resources" stack creation option. There are certain limitations to how the existing resource, KMS key in this case, has to be declared in the template during an import operation. For example, every resource must have a DeletionPolicy property specified (which value they have is not relevant, but the attribute must be defined), and the stack cannot declare Outputs or Exports. However, after you've created the stack as an import operation, you can update it as usual, including adding the Outputs section and modifying or removing the DeletionPolicy property, if you so wish.
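A pre-flight check for the import step described above, added here as an example and not code from the answer or from AWS: it flags the two import constraints the answer names (every resource carries a DeletionPolicy, no Outputs section) and builds the ResourcesToImport manifest for the retained key. The template, logical id `AppKey` and the key id are constructed placeholders.

```python
"""Pre-flight check before creating a CloudFormation IMPORT change set.

Constructed example: the template below stands in for the revised template,
and the key id passed to resources_to_import() is a placeholder for the id
of the KMS key left behind by DeletionPolicy: Retain.
"""
import json

# Constructed template in JSON form (a YAML template is equivalent).
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppKey": {
            "Type": "AWS::KMS::Key",
            "DeletionPolicy": "Retain",  # required on every resource during import
            "Properties": {"Description": "example application key"},
        }
    },
}


def import_violations(template):
    """Return the problems that would make CloudFormation reject the import."""
    problems = []
    if "Outputs" in template:
        problems.append("template declares Outputs; add them after the import")
    for name, res in template.get("Resources", {}).items():
        if "DeletionPolicy" not in res:
            problems.append(f"resource {name} has no DeletionPolicy attribute")
    return problems


def resources_to_import(template, key_ids):
    """Build the --resources-to-import manifest for each AWS::KMS::Key.

    key_ids maps logical resource id -> id of the existing key; KeyId is the
    identifier CloudFormation uses to locate a KMS key during import.
    """
    return [
        {"ResourceType": "AWS::KMS::Key", "LogicalResourceId": name,
         "ResourceIdentifier": {"KeyId": key_ids[name]}}
        for name, res in template["Resources"].items()
        if res["Type"] == "AWS::KMS::Key"
    ]


if __name__ == "__main__":
    placeholder_key_id = "00000000-0000-0000-0000-000000000000"  # replace
    print(import_violations(TEMPLATE) or "template is import-ready")
    print(json.dumps(resources_to_import(TEMPLATE, {"AppKey": placeholder_key_id}), indent=2))
    # Next: aws cloudformation create-change-set --change-set-type IMPORT \
    #   --stack-name <new-stack> --template-body file://template.json \
    #   --resources-to-import file://import.json, then execute-change-set.
```

Once the import change set has executed, the Outputs section and any DeletionPolicy changes go in as an ordinary stack update, as the answer notes.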
No, it is not possible to recreate the same KMS key. Once deleted, it cannot be recovered. https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html When you delete a KMS key from CloudFormation, it will be marked for deletion for a period of 7-30 days. During the pending deletion period, it cannot be used for operations.
If you create a new CloudFormation stack with KMS, a new key gets created with different key material. It is always better to disable a key than to delete it. You can re-enable the key if needed. While the key is in the disabled state, it cannot be used for operations.