

# AWS KMS
<a name="automation-ref-kms"></a>

 AWS Systems Manager Automation provides predefined runbooks for AWS Key Management Service. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSConfigRemediation-CancelKeyDeletion`](automation-aws-cancel-key-deletion.md)
+ [`AWSConfigRemediation-EnableKeyRotation`](automation-aws-enable-key-rotation.md)

# `AWSConfigRemediation-CancelKeyDeletion`
<a name="automation-aws-cancel-key-deletion"></a>

 **Description** 

 The `AWSConfigRemediation-CancelKeyDeletion` runbook cancels deletion of the AWS Key Management Service (AWS KMS) customer managed key that you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-CancelKeyDeletion) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ KeyId

  Type: String

  Description: (Required) The ID of the customer managed key that you want to cancel deletion for.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `kms:CancelKeyDeletion` 
+  `kms:DescribeKey` 

 **Document Steps** 
+  `aws:executeAwsApi` - Cancels deletion for the customer managed key you specify in the `KeyId` parameter. 
+  `aws:assertAwsResourceProperty` - Confirms key deletion is disabled on your customer managed key. 

# `AWSConfigRemediation-EnableKeyRotation`
<a name="automation-aws-enable-key-rotation"></a>

 **Description** 

 The `AWSConfigRemediation-EnableKeyRotation` runbook enables automatic key rotation for the symmetric AWS Key Management Service (AWS KMS) customer managed key. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableKeyRotation) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ KeyId

  Type: String

  Description: (Required) The ID of the customer managed key you want to enable automatic key rotation on.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `kms:EnableKeyRotation` 
+  `kms:GetKeyRotationStatus` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables automatic key rotation on the customer managed key you specify in the `KeyId` parameter. 
+  `aws:assertAwsResourceProperty` - Confirms that automatic key rotation is enabled on your customer managed key. 
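
The following Python sketch is an added example, not part of the runbooks or of the original page. It builds a least-privilege policy for the `AutomationAssumeRole` of either runbook from the action lists above, and flags extra actions in an existing policy. The function names, the `"*"` resource on the SSM actions, and the sample key ARN are assumptions made for illustration; the trust policy uses the Systems Manager service principal `ssm.amazonaws.com`.

```python
import json

# Actions copied from the "Required IAM permissions" lists on this page.
SSM = ["ssm:StartAutomationExecution", "ssm:GetAutomationExecution"]
RUNBOOK_ACTIONS = {
    "AWSConfigRemediation-CancelKeyDeletion":
        {"ssm": SSM, "kms": ["kms:CancelKeyDeletion", "kms:DescribeKey"]},
    "AWSConfigRemediation-EnableKeyRotation":
        {"ssm": SSM, "kms": ["kms:EnableKeyRotation", "kms:GetKeyRotationStatus"]},
}

def trust_policy():
    """Trust policy that lets the Systems Manager service assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ssm.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def _is_key_arn(arn):
    # arn:<partition>:kms:<region>:<account>:key/<key-id>, no wildcards
    p = arn.split(":", 5)
    return (len(p) == 6 and p[0] == "arn" and p[2] == "kms"
            and p[5].startswith("key/") and "*" not in arn)

def permissions_policy(runbook, key_arns):
    """Policy with the runbook's KMS actions limited to explicit key ARNs."""
    actions = RUNBOOK_ACTIONS[runbook]
    if not key_arns or not all(_is_key_arn(a) for a in key_arns):
        raise ValueError(f"expected explicit KMS key ARNs, got {key_arns!r}")
    return {"Version": "2012-10-17", "Statement": [
        # Assumption: SSM actions are left on "*"; narrow them if you need to.
        {"Sid": "Automation", "Effect": "Allow",
         "Action": list(actions["ssm"]), "Resource": "*"},
        {"Sid": "KmsRemediation", "Effect": "Allow",
         "Action": list(actions["kms"]), "Resource": sorted(key_arns)},
    ]}

def excess_actions(policy, runbook):
    """Allowed actions (wildcards included) that the runbook does not need."""
    needed = {a for group in RUNBOOK_ACTIONS[runbook].values() for a in group}
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt["Action"]
            found.update([acts] if isinstance(acts, str) else acts)
    return sorted(found - needed)

if __name__ == "__main__":
    # Constructed sample ARN with a placeholder account and key ID.
    arn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(json.dumps(permissions_policy("AWSConfigRemediation-EnableKeyRotation", [arn]), indent=2))
```

Running `excess_actions` against the policy currently attached to a remediation role shows whether it grants more than the runbook requires, for example `kms:*` or `kms:ScheduleKeyDeletion`.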