AWS Key Management Service
Developer Guide

How Key State Affects Use of a Customer Master Key

Each customer master key (CMK) in AWS KMS exists in one of three states: enabled, disabled, or pending deletion. Enabled CMKs are available for use. CMKs in the disabled or pending deletion state are available for some APIs, but are unavailable for others. CMKs in the disabled or pending deletion state cannot be used for cryptographic operations.

Consult the following table to learn the result of each AWS KMS API on existing CMKs in each state. The CreateKey and GenerateRandom APIs do not affect existing CMKs, so they are not applicable. The results in this table assume that the API caller is authorized to use the CMK.

Legend

– Succeeds.

– Results in DisabledException with the message "Key ARN is disabled."

– Results in DisabledException with the message "Key ARN is pending deletion."

– Results in KMSInvalidStateException with the message "Key ARN is pending deletion."

– Results in KMSInvalidStateException with the message "Key ARN is not pending deletion."

– Applies only to the UpdateAlias API request. When a CMK that is pending deletion is the "source" key, the request succeeds. When a CMK that is pending deletion is the target key, the request results in KMSInvalidStateException with the message "Key ARN is pending deletion."

N/A – Not applicable

API Enabled Disabled Pending Deletion
CancelKeyDeletion
CreateAlias
CreateGrant
CreateKey N/A N/A N/A
Decrypt
DeleteAlias
DescribeKey
DisableKey
DisableKeyRotation
EnableKey
EnableKeyRotation
Encrypt
GenerateDataKey
GenerateDataKeyWithoutPlaintext
GenerateRandom N/A N/A N/A
GetKeyPolicy
GetKeyRotationStatus
ListAliases
ListGrants
ListKeyPolicies
ListKeys
ListRetirableGrants
PutKeyPolicy
ReEncrypt
RetireGrant
RevokeGrant
ScheduleKeyDeletion
UpdateAlias
UpdateKeyDescription
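
The exception names and message texts in the legend are enough to infer a CMK's state from a failed call. The following Python code is an added example, not part of the AWS documentation. It assumes the key's ARN appears in place of "Key ARN" in the message; the function names, state labels and sample ARNs are made up for illustration.

```python
import re
from collections import Counter

# Message endings from the legend; the key's ARN replaces "Key ARN" (assumption).
_MSG = re.compile(r"^(?P<arn>\S+) is (?P<what>disabled|pending deletion|not pending deletion)\.$")

# (exception code, message ending) -> implied key state. Labels are this example's own.
_STATE = {
    ("DisabledException", "disabled"): "Disabled",
    ("DisabledException", "pending deletion"): "PendingDeletion",
    ("KMSInvalidStateException", "pending deletion"): "PendingDeletion",
    # Raised when the request needs a key that IS pending deletion.
    ("KMSInvalidStateException", "not pending deletion"): "NotPendingDeletion",
}

def classify(code, message):
    """Return (key_arn, implied_state), or None if this is not a key-state error."""
    m = _MSG.match(message.strip())
    if not m:
        return None
    state = _STATE.get((code, m.group("what")))
    return (m.group("arn"), state) if state else None

def unusable_keys(errors):
    """Count errors per key whose state blocks cryptographic operations."""
    hits = Counter()
    for code, message in errors:
        result = classify(code, message)
        if result and result[1] in ("Disabled", "PendingDeletion"):
            hits[result] += 1
    return dict(hits)

# Constructed sample errors (account ID and key IDs are made up).
ARN_A = "arn:aws:kms:us-east-1:111122223333:key/11111111-aaaa-bbbb-cccc-000000000001"
ARN_B = "arn:aws:kms:us-east-1:111122223333:key/11111111-aaaa-bbbb-cccc-000000000002"
SAMPLE = [
    ("DisabledException", f"{ARN_A} is disabled."),
    ("KMSInvalidStateException", f"{ARN_B} is pending deletion."),
    ("KMSInvalidStateException", f"{ARN_B} is pending deletion."),
    ("KMSInvalidStateException", f"{ARN_A} is not pending deletion."),
    ("AccessDeniedException", "User is not authorized to perform: kms:Decrypt"),
]

if __name__ == "__main__":
    for (arn, state), n in unusable_keys(SAMPLE).items():
        print(f"{state:16} {n} error(s) {arn}")
```

Repeated PendingDeletion hits for one key mean something still depends on a CMK that is scheduled for deletion.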