Class KmsException

The request was rejected because it attempted to create a resource that already exists.

The request was rejected because the specified CloudHSM cluster is already associated with a custom key store or it shares a backup history with a cluster that is associated with a custom key store. Each custom key store must be associated with a different CloudHSM cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for a custom key store.

• The cluster must be configured with private subnets in at least two different Availability Zones in the Region.

• The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.

• The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation.

  For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.

For information about the requirements for an CloudHSM cluster that is associated with a custom key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide .

The request was rejected because the CloudHSM cluster that is associated with the custom key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide.

The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster.

Specify a cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.

The request was rejected because the custom key store contains KMS keys. After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion operation to delete the KMS keys. After they are deleted, you can delete the custom key store.

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the CreateKey or GenerateRandom operation in a custom key store that is not connected. These operations are valid only when the custom key store ConnectionState is CONNECTED.

• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values.

The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

The system timed out while trying to fulfill the request. The request can be retried.

The request was rejected because the specified KMS key is not enabled.

The request was rejected because the specified import token is expired. Use GetParametersForImport to get a new import token and public key, use the new public key to encrypt the key material, and then try the request again.

The request was rejected because the specified KMS key cannot decrypt the data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must identify the same KMS key that was used to encrypt the ciphertext.

The request was rejected because the key material in the request is, expired, invalid, or is not the same key material that was previously imported into this KMS key.

The request was rejected because the trust anchor certificate in the request is not the trust anchor certificate for the specified CloudHSM cluster.

When you initialize the cluster, you create the trust anchor certificate and save it in the customerCA.crt file.

The request was rejected because the specified alias name is not valid.

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

From the Decrypt or ReEncrypt operation, the request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.

From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the encrypted (wrapped) key material.

The request was rejected because the specified GrantId is not valid.

The request was rejected because the specified grant token is not valid.

The request was rejected because the provided import token is invalid or is associated with a different KMS key.

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

The request was rejected because the marker that specifies where pagination should next begin is not valid.

The request was rejected because an internal exception occurred. The request can be retried.

The request was rejected because the HMAC verification failed. HMAC verification fails when the HMAC computed by using the specified message, HMAC KMS key, and MAC algorithm does not match the HMAC specified in the request.

The request was rejected because the signature verification failed. Signature verification fails when it cannot confirm that signature was produced by signing the specified message with the specified KMS key and signing algorithm.

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a KMS key, see Key states of KMS keys in the Key Management Service Developer Guide .

The request was rejected because the specified KMS key was not available. You can retry the request.

The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

The request was rejected because the specified policy is not syntactically or semantically correct.

The request was rejected because the specified entity or resource could not be found.

The request was rejected because one or more tags are not valid.

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.