Amazon KMS · Arazzo Workflow

Amazon KMS Disable and Schedule Key Deletion

Version 1.0.0

Disable a KMS key and then schedule it for deletion after a waiting period.

1 workflow · 1 source API · 1 provider
Tags: Cryptography, Data Protection, Encryption, Key Management, Security, Arazzo, Workflows

Provider

amazon-kms

Workflows

disable-and-schedule-deletion
Disable a key then schedule it for deletion after a waiting period.
Disables the target KMS key to stop further use and schedules its deletion with the supplied pending-window in days, capturing the resulting deletion date.

2 steps
Inputs: KeyId, PendingWindowInDays
Outputs: deletionDate, keyId, keyState

1. disableKey (operation: DisableKey)
   Disable the KMS key so it can no longer be used in cryptographic operations before scheduling its deletion.
2. scheduleDeletion (operation: ScheduleKeyDeletion)
   Schedule the disabled KMS key for deletion after the supplied waiting period and capture the planned deletion date.

Arazzo Workflow Specification

amazon-kms-disable-and-schedule-deletion-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon KMS Disable and Schedule Key Deletion
  summary: Disable a KMS key and then schedule it for deletion after a waiting period.
  description: >-
    Safely retires a KMS key. The workflow first disables the key so it can no
    longer be used in cryptographic operations, then schedules its deletion with
    a pending-window waiting period, returning the planned deletion date. The
    KeyId flows from input through both steps. Each step spells out its request
    inline, including the AWS JSON protocol X-Amz-Target header, so the flow can
    be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: kmsApi
  url: ../openapi/amazon-kms-openapi.yml
  type: openapi
workflows:
- workflowId: disable-and-schedule-deletion
  summary: Disable a key then schedule it for deletion after a waiting period.
  description: >-
    Disables the target KMS key to stop further use and schedules its deletion
    with the supplied pending-window in days, capturing the resulting deletion
    date.
  inputs:
    type: object
    required:
    - KeyId
    properties:
      KeyId:
        type: string
        description: Identifies the KMS key to disable and schedule for deletion.
      PendingWindowInDays:
        type: integer
        minimum: 7
        maximum: 30
        description: The waiting period in days before the key is deleted (7-30).
  steps:
  - stepId: disableKey
    description: >-
      Disable the KMS key so it can no longer be used in cryptographic
      operations before scheduling its deletion.
    operationId: DisableKey
    parameters:
    - name: KeyId
      in: path
      value: $inputs.KeyId
    - name: X-Amz-Target
      in: header
      value: TrentService.DisableKey
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        KeyId: $inputs.KeyId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      disableStatus: $statusCode
  - stepId: scheduleDeletion
    description: >-
      Schedule the disabled KMS key for deletion after the supplied waiting
      period and capture the planned deletion date.
    operationId: ScheduleKeyDeletion
    parameters:
    - name: KeyId
      in: path
      value: $inputs.KeyId
    - name: X-Amz-Target
      in: header
      value: TrentService.ScheduleKeyDeletion
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        KeyId: $inputs.KeyId
        PendingWindowInDays: $inputs.PendingWindowInDays
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      keyId: $response.body#/KeyId
      deletionDate: $response.body#/DeletionDate
      keyState: $response.body#/KeyState
  outputs:
    keyId: $steps.scheduleDeletion.outputs.keyId
    deletionDate: $steps.scheduleDeletion.outputs.deletionDate
    keyState: $steps.scheduleDeletion.outputs.keyState
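
The following sketch shows how a runner walks the two steps above: it checks the 7-30 window before sending anything, stops if DisableKey does not return 200, and resolves the step outputs from the response body. It is an added example, not part of the workflow file or the project's tooling; `run_workflow`, `resolve`, `fake_kms` and the sample response are constructed for illustration, and dropping an unset `PendingWindowInDays` from the payload is an assumption about runner behaviour.

```python
import json

# Steps transcribed from the workflow above: X-Amz-Target, payload, outputs.
STEPS = [
    ("disableKey", "TrentService.DisableKey",
     {"KeyId": "$inputs.KeyId"},
     {"disableStatus": "$statusCode"}),
    ("scheduleDeletion", "TrentService.ScheduleKeyDeletion",
     {"KeyId": "$inputs.KeyId", "PendingWindowInDays": "$inputs.PendingWindowInDays"},
     {"keyId": "$response.body#/KeyId", "deletionDate": "$response.body#/DeletionDate",
      "keyState": "$response.body#/KeyState"}),
]

def resolve(expr, inputs, status=None, body=None):
    """Evaluate the three runtime-expression forms this workflow uses."""
    if expr.startswith("$inputs."):
        return inputs.get(expr[len("$inputs."):])
    if expr == "$statusCode":
        return status
    if expr.startswith("$response.body#/"):
        node = body
        for part in expr[len("$response.body#/"):].split("/"):  # JSON Pointer walk
            node = node[part]
        return node
    raise ValueError(f"unsupported expression: {expr}")

def run_workflow(inputs, send):
    """Run both steps in order; send(headers, body) returns (status, parsed JSON)."""
    window = inputs.get("PendingWindowInDays")
    if not inputs.get("KeyId"):
        raise ValueError("KeyId is required")
    if window is not None and not 7 <= window <= 30:
        raise ValueError("PendingWindowInDays must be 7-30")  # checked before any request
    outputs = {}
    for step_id, target, payload, wanted in STEPS:
        resolved = {k: resolve(v, inputs) for k, v in payload.items()}
        resolved = {k: v for k, v in resolved.items() if v is not None}  # assumption: omit unset input
        headers = {"X-Amz-Target": target, "Content-Type": "application/x-amz-json-1.1"}
        status, body = send(headers, json.dumps(resolved))
        if status != 200:  # successCriteria: $statusCode == 200
            raise RuntimeError(f"{step_id} returned {status}; remaining steps skipped")
        outputs[step_id] = {n: resolve(e, inputs, status, body) for n, e in wanted.items()}
    return outputs["scheduleDeletion"]

def fake_kms(headers, body):
    """Constructed stand-in for the KMS endpoint, so the example runs offline."""
    request = json.loads(body)
    if headers["X-Amz-Target"] == "TrentService.DisableKey":
        return 200, {}
    return 200, {"KeyId": request["KeyId"], "DeletionDate": 1767225600,
                 "KeyState": "PendingDeletion"}
```

Calling `run_workflow` with `fake_kms` returns the same three values the workflow exposes as `keyId`, `deletionDate` and `keyState`.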