diff --git a/internal/kms/storage/awss3/awss3.go b/internal/kms/storage/awss3/awss3.go
index ee7d5d9a7..7b078a8bc 100644
--- a/internal/kms/storage/awss3/awss3.go
+++ b/internal/kms/storage/awss3/awss3.go
@@ -27,6 +27,7 @@ type awsS3ClientAPI interface {
 	GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
 	PutObject(ctx context.Context, params *s3.PutObjectInput, optFns ...func(*s3.Options)) (*s3.PutObjectOutput, error)
 	CreateBucket(ctx context.Context, params *s3.CreateBucketInput, optFns ...func(*s3.Options)) (*s3.CreateBucketOutput, error)
+	DeleteObject(ctx context.Context, params *s3.DeleteObjectInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectOutput, error)
 }
 
 // Storage is an implementation of the Storage interface, storing keys in AWS S3 buckets.
@@ -76,6 +77,17 @@ func (s *Storage) Get(ctx context.Context, keyID string) ([]byte, error) {
 	return io.ReadAll(output.Body)
 }
 
+func (s *Storage) Delete(ctx context.Context, keyID string) error {
+	deleteObjectInput := &s3.DeleteObjectInput{
+		Bucket: &s.bucketID,
+		Key: &keyID,
+	}
+	if _, err := s.client.DeleteObject(ctx, deleteObjectInput); err != nil {
+		return fmt.Errorf("deleting DEK from storage: %w", err)
+	}
+	return nil
+}
+
 // Put saves a DEK to AWS S3 Storage by key ID.
 func (s *Storage) Put(ctx context.Context, keyID string, data []byte) error {
 	putObjectInput := &s3.PutObjectInput{
diff --git a/internal/kms/storage/awss3/awss3_test.go b/internal/kms/storage/awss3/awss3_test.go
index e6fbf4f94..4e07ab84d 100644
--- a/internal/kms/storage/awss3/awss3_test.go
+++ b/internal/kms/storage/awss3/awss3_test.go
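Review bot: Delete is the only exported method in this hunk without a doc comment, while its siblings Get and Put are documented; add `// Delete removes the DEK stored under keyID from AWS S3 Storage.` above the signature. Two caveats are worth recording in that comment, because callers of a KMS storage backend will rely on them: S3 DeleteObject reports success for a key that does not exist, so a missing DEK is not surfaced as an error, and on a bucket with versioning enabled the call only places a delete marker, leaving earlier versions of the key material retrievable until they are expired or removed by version ID. Whether versioning is enabled on the bucket is not visible here, so confirm against the bucket creation path before treating Delete as destruction of key material.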
@@ -43,6 +43,10 @@ func (s *stubAWSS3StorageClient) PutObject(_ context.Context, params *s3.PutObje
 	return &s3.PutObjectOutput{}, s.putObjectErr
 }
 
+func (s *stubAWSS3StorageClient) DeleteObject(_ context.Context, _ *s3.DeleteObjectInput, _ ...func(*s3.Options)) (*s3.DeleteObjectOutput, error) {
+	return &s3.DeleteObjectOutput{}, nil
+}
+
 func (s *stubAWSS3StorageClient) CreateBucket(_ context.Context, _ *s3.CreateBucketInput, _ ...func(*s3.Options)) (*s3.CreateBucketOutput, error) {
 	s.createBucketCalled = true
 	return &s3.CreateBucketOutput{}, s.createBucketErr
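Review bot: The DeleteObject stub always returns nil, so the error branch of Storage.Delete (the `deleting DEK from storage` wrap) cannot be exercised, whereas the neighbouring PutObject and CreateBucket stubs are driven by `s.putObjectErr` and `s.createBucketErr`. Mirroring that pattern with a `deleteObjectErr` field and a `deleteObjectCalled` flag would also let a test assert that a delete actually reached the client: `s.deleteObjectCalled = true` followed by `return &s3.DeleteObjectOutput{}, s.deleteObjectErr`. The stubAWSS3StorageClient struct definition is outside this hunk, so the new fields would be added there.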