You must specify the key ID of the CMK to import the key material into. This CMK's Origin
must be EXTERNAL
. You must also send an import token and the encrypted key material. Send the import token that you received in the same GetParametersForImport response that contained the public key that you used to encrypt the key material. You must also specify whether the key material expires and if so, when. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you can reimport the same key material. If you set an expiration date, you can change it only by reimporting the same key material and specifying a new expiration date.
When this operation is successful, the specified CMK's key state changes to Enabled
, and you can use the CMK.
After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but you cannot import different key material.