Change the status of an AWS KMS Key

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 9 minutes
  • Modify the status of your Amazon Web Services Key Management Service (AWS KMS) key and synchronize the status with your ServiceNow instance.

    Before you begin

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Verify that you have:

    • Configured an External Key Management Service (EKMS) key definition in ServiceNow
    • Access to AWS Key Management Service through your Okta profile
    • Permissions to modify key status in AWS

    About this task

    AWS KMS keys can have different statuses that control whether they can be used for encryption and decryption operations. Changing a key's status in AWS affects your ability to encrypt new data and decrypt existing data in External Key Management Service (EKMS). A background synchronization job updates EKMS with the current AWS key status every 30 minutes, but you can manually trigger synchronization for immediate updates.

    Important:
    Key status changes have immediate security and operational impacts. Coordinate all key status changes with your ServiceNow administrators and application teams before making changes.

    Procedure

    1. Access AWS Key Management Service.
      1. Log in to AWS through your Okta profile.
      2. Navigate to AWS Key Management Service (KMS).
      3. Locate the key that is configured in your ServiceNow EKMS setup.
        Reference your EKMS configuration in ServiceNow to identify the correct key by its external key identifier or key region.
    2. Review the current key status.

      AWS KMS keys can have the following statuses:

      • Enabled - Key is active and can be used for all encryption and decryption operations.
      • Disabled - Key can't be used for encryption or decryption until re-enabled.
      • Pending deletion - Key is scheduled for deletion and can't be used.
      • Deleted - Key has been permanently deleted (appears after the minimum 7-day waiting period).
    3. Change the key status based on your requirements.
      • To enable a disabled key: Select the key, select Key actions, and choose Enable.
      • To disable an enabled key: Select the key, select Key actions, and choose Disable.
      • To cancel a scheduled deletion: Select the key, select Key actions, and choose Cancel key deletion.
      • To schedule a key for deletion: Select the key, select Key actions, choose Schedule key deletion, and specify the waiting period (7 to 30 days).
      Warning:
      Disabling or deleting a key will prevent ServiceNow from encrypting new data and decrypting existing data. Verify that you have a plan for data migration or key recovery before disabling or scheduling deletion.
    4. Verify that the key's status has updated in the AWS console, and note the new status so you can verify it in EKMS.
    5. Synchronize the key status with EKMS.
    6. Verify the key status updated in EKMS.
      See Check External Key Management Service key status.
      The AWS key status is synchronized with EKMS.
    7. Test the impact of the key status change.
      1. Navigate to a table with encrypted field configurations.
      2. Attempt to create or update a record with data in the encrypted field.
      3. Verify that the operation succeeds with an enabled key, or fails as expected with a disabled key.

    Result

    The AWS KMS key status has been changed and synchronized with ServiceNow. The new status is reflected in your EKMS configuration, and encryption and decryption operations behave according to the new key status.

    When you disable a key in AWS, ServiceNow provides multiple notifications to alert administrators:

    • The External Key Status field changes to "Disabled" on the EKMS Configuration page.
    • Banner messages appear on the External Instance KEK Key page and associated Crypto Module pages warning that the external key is disabled.
    • A high-priority security task is automatically created notifying administrators that the EKMS key was disabled.

    While the key is disabled, you can't encrypt or decrypt data in encrypted fields. You can still create records if the encrypted field isn't mandatory, and you can update non-encrypted fields in existing records. All cryptographic operations are blocked until the key is re-enabled in AWS and the health check test passes successfully in EKMS.

    What to do next

    Important considerations after changing key status:

    • If you disabled the key: New data cannot be encrypted, and existing encrypted data cannot be decrypted until the key is re-enabled. Plan for how encrypted fields should be handled during this time.
    • If you enabled a previously disabled key: Normal encryption and decryption operations resume immediately. Run the health check test to verify the connection, then test thoroughly to confirm that all encrypted fields are accessible.
    • If you scheduled the key for deletion: You have 7 to 30 days (depending on your deletion schedule) to cancel the deletion before the key is permanently deleted. After permanent deletion, encrypted data can't be recovered.
    • If you canceled a scheduled deletion: Remember to enable the key if it was disabled. Canceling deletion does not automatically enable the key.
    Important:
    The automatic synchronization job runs every 30 minutes. EKMS automatically detects status changes within 30 minutes of when they occur in AWS. See Manually synchronize External Key Management Service key status for immediate updates.

    AWS requires a minimum 7-day waiting period for key deletion. During this period, the key status shows as "Pending deletion" in both AWS and EKMS. Keys can't be used while pending deletion. When the waiting period (minimum seven days) ends, the key is permanently deleted and can't be recovered. All data encrypted with a deleted key becomes permanently inaccessible.
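The key lifecycle from steps 2 to 4, the step 7 write check, and the considerations listed under "What to do next", as an added Python model that is not part of the ServiceNow documentation and does not call AWS or ServiceNow. It encodes the four statuses, the transitions the console exposes (including that cancelling a deletion leaves the key Disabled rather than Enabled), the 7 to 30 day waiting period, the 30-minute synchronization window, and the security task raised when a key becomes disabled, so an administrator can reason about the effect of a change before making it. The class and function names, the constructed key ids and clock, and the shape of the EKMS record are assumptions for illustration; the Deleted status is modelled as a terminal state.

```python
"""Added model of the AWS KMS key lifecycle and EKMS synchronization described
on this page. It calls neither AWS nor ServiceNow; all names and values are
assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class KeyState(Enum):
    """Statuses from step 2, using the console wording."""
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    PENDING_DELETION = "Pending deletion"
    DELETED = "Deleted"                      # modelled as terminal


MIN_WAITING_DAYS, MAX_WAITING_DAYS = 7, 30   # AWS deletion waiting period bounds
SYNC_INTERVAL = timedelta(minutes=30)        # background EKMS sync cadence
SAMPLE_NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)   # constructed clock


@dataclass
class KmsKey:
    key_id: str                              # constructed id, not a real key
    state: KeyState = KeyState.ENABLED
    deletion_date: Optional[datetime] = None

    def can_encrypt_or_decrypt(self) -> bool:
        return self.state is KeyState.ENABLED   # only an enabled key serves crypto

    def _require(self, *allowed: KeyState) -> None:
        if self.state not in allowed:
            raise ValueError(f"{self.key_id}: not allowed from {self.state.value}")

    def enable(self) -> None:                # Key actions > Enable
        self._require(KeyState.DISABLED)
        self.state = KeyState.ENABLED

    def disable(self) -> None:               # Key actions > Disable
        self._require(KeyState.ENABLED)
        self.state = KeyState.DISABLED

    def schedule_deletion(self, waiting_days: int, now: datetime) -> datetime:
        """Key actions > Schedule key deletion; waiting period must be 7-30 days."""
        self._require(KeyState.ENABLED, KeyState.DISABLED)
        if not MIN_WAITING_DAYS <= waiting_days <= MAX_WAITING_DAYS:
            raise ValueError("waiting period must be 7 to 30 days")
        self.state = KeyState.PENDING_DELETION
        self.deletion_date = now + timedelta(days=waiting_days)
        return self.deletion_date

    def cancel_deletion(self) -> None:       # Key actions > Cancel key deletion
        self._require(KeyState.PENDING_DELETION)
        self.state = KeyState.DISABLED       # cancelling does NOT re-enable the key
        self.deletion_date = None


@dataclass
class EkmsRecord:
    """Assumed shape of the EKMS-side view of the external key."""
    external_key_status: str
    last_synced: datetime
    security_task_open: bool = False


def synchronize(record: EkmsRecord, key: KmsKey, now: datetime) -> EkmsRecord:
    """Mirror the AWS state into EKMS; a transition into Disabled opens the
    high-priority security task described in the task result."""
    newly_disabled = (key.state is KeyState.DISABLED
                      and record.external_key_status != KeyState.DISABLED.value)
    record.external_key_status = key.state.value
    record.last_synced = now
    record.security_task_open = record.security_task_open or newly_disabled
    return record


def sync_is_stale(record: EkmsRecord, now: datetime) -> bool:
    """True once the 30-minute job should already have run; trigger a manual sync."""
    return now - record.last_synced > SYNC_INTERVAL


def write_allowed(key: KmsKey, touches_encrypted_field: bool, field_mandatory: bool) -> bool:
    """Step 7 check: writes that touch an encrypted field need an enabled key;
    a record can still be created if the encrypted field is optional and left empty."""
    if key.can_encrypt_or_decrypt():
        return True
    return not touches_encrypted_field and not field_mandatory


def walkthrough(now: datetime = SAMPLE_NOW) -> list:
    """Replay disable -> schedule deletion -> cancel -> enable and return
    (aws_state, ekms_status, crypto_allowed) after each synchronized step."""
    key, rec, rows = KmsKey("constructed-key-0001"), EkmsRecord("Enabled", now), []
    for action in (key.disable, lambda: key.schedule_deletion(MIN_WAITING_DAYS, now),
                   key.cancel_deletion, key.enable):
        action()
        synchronize(rec, key, now)
        rows.append((key.state.value, rec.external_key_status, key.can_encrypt_or_decrypt()))
    return rows
```

Running `walkthrough()` shows that cryptographic operations are only permitted in the final Enabled row, and that the cancel step lands on Disabled, which is why the page tells you to enable the key separately after cancelling a deletion. `sync_is_stale` reflects the 30-minute background job: if the EKMS record is older than that, trigger the manual synchronization rather than waiting.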