Find answers to common questions about Key Management Service (KMS).
Can I delete a key from KMS?
What do I do if I can't delete a key?
What do I do if I can't manage CMKs in the KMS 3.0 console?
Can data encrypted by a deleted key still be decrypted?
How does KMS protect key security?
Can I import key material into a key?
Why is a key status Unavailable, or why does an API call return "Rejected.Unavailable"?
How does KMS protect secret security?
How is a secret encrypted?
What do I do if I see "Your secret is being rotated, please try again later" when setting a rotation policy or triggering immediate rotation?
What do I do if a secret status is Unavailable or an API call returns "Rejected.Unavailable"?
What do I do if secrets I created don't appear in the KMS 3.0 console?
What do I do if RDS secret account verification fails?
What do I do if I see "You are not authorized to do this action" when creating a RAM secret and granting KMS access to AccessKey permissions?
What permission policies are required to retrieve a key-encrypted secret value via the API?
Why does a KMS instance stay in the Enabling state?
Instance management FAQs
Troubleshooting errors when enabling a software key management instance
Troubleshooting errors when enabling a hardware key management instance
How do I configure an HSM cluster for a hardware key management instance?
How do I release a KMS instance?
Why does a "Forbidden.KeyNotFound" error appear when accessing or using a key?
Application access FAQ
Is KMS secret management supported on Android?
Why can't I reach the endpoint of my KMS instance?
Does KMS offer a free trial?
Does billing stop after a KMS instance expires?
Can I unsubscribe from a KMS instance?