AWS Key Management Service
Developer Guide

How Key State Affects Use of a Customer Master Key

A customer master key (CMK) is always in one of the following states: Enabled, Disabled, PendingImport, or PendingDeletion. The following table shows whether AWS KMS API operations that run on a CMK in each state can be expected to succeed (✓), fail (X), or succeed only under certain conditions (?). The result often differs for CMKs with imported key material.

The CreateKey and GenerateRandom API operations have a not-applicable (N/A) result because they do not use an existing CMK.

| API | Enabled | Disabled | Pending Import | Pending Deletion |
| CancelKeyDeletion | [4] | [4] | [4] | |
| CreateAlias | | | | [3] |
| CreateGrant | | [1] | [5] | [2] or [3] |
| CreateKey | N/A | N/A | N/A | N/A |
| Decrypt | | [1] | [5] | [2] or [3] |
| DeleteAlias | | | | |
| DeleteImportedKeyMaterial | [9] | [9] | (No effect) | [9] |
| DescribeKey | | | | |
| DisableKey | | | [5] | [3] |
| DisableKeyRotation | [7] | [1] or [7] | [6] | [3] or [7] |
| EnableKey | | | [5] | [3] |
| EnableKeyRotation | [7] | [1] or [7] | [6] | [3] or [7] |
| Encrypt | | [1] | [5] | [2] or [3] |
| GenerateDataKey | | [1] | [5] | [2] or [3] |
| GenerateDataKeyWithoutPlaintext | | [1] | [5] | [2] or [3] |
| GenerateRandom | N/A | N/A | N/A | N/A |
| GetKeyPolicy | | | | |
| GetKeyRotationStatus | [7] | [7] | [6] | [7] |
| GetParametersForImport | [9] | [9] | | [8] or [9] |
| ImportKeyMaterial | [9] | [9] | | [8] or [9] |
| ListAliases | | | | |
| ListGrants | | | | |
| ListKeyPolicies | | | | |
| ListKeys | | | | |
| ListResourceTags | | | | |
| ListRetirableGrants | | | | |
| PutKeyPolicy | | | | |
| ReEncrypt | | [1] | [5] | [2] or [3] |
| RetireGrant | | | | |
| RevokeGrant | | | | |
| ScheduleKeyDeletion | | | | [3] |
| TagResource | | | | [3] |
| UntagResource | | | | [3] |
| UpdateAlias | | | | [10] |
| UpdateKeyDescription | | | | [3] |

Table Details

  • [1] DisabledException: <CMK ARN> is disabled.

  • [2] DisabledException: <CMK ARN> is pending deletion.

  • [3] KMSInvalidStateException: <CMK ARN> is pending deletion.

  • [4] KMSInvalidStateException: <CMK ARN> is not pending deletion.

  • [5] KMSInvalidStateException: <CMK ARN> is pending import.

  • [6] UnsupportedOperationException: <CMK ARN> origin is EXTERNAL which is not valid for this operation.

  • [7] If the CMK has imported key material: UnsupportedOperationException.

  • [8] If the CMK has imported key material: KMSInvalidStateException.

  • [9] If the CMK does not have imported key material: UnsupportedOperationException.

  • [10] If the source CMK is pending deletion, the command succeeds. If the destination CMK is pending deletion, the command fails with error: KMSInvalidStateException: <CMK ARN> is pending deletion.
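The Table Details show that the exception name alone does not identify the key state: DisabledException covers [1] and [2], and KMSInvalidStateException covers [3], [4] and [5]. The following added example (not part of the AWS guide) classifies failed calls by exception name plus message text and reports which CMKs are pending deletion. It assumes CloudTrail-style records whose errorCode and errorMessage fields carry the exception name and the message shown above; the sample records, account ID and key IDs are constructed.

```python
import re

# (errorCode, message tail) -> (Table Details note, key state it implies).
RULES = {
    ("DisabledException", "is disabled"): ("[1]", "Disabled"),
    ("DisabledException", "is pending deletion"): ("[2]", "PendingDeletion"),
    ("KMSInvalidStateException", "is pending deletion"): ("[3]", "PendingDeletion"),
    ("KMSInvalidStateException", "is not pending deletion"): ("[4]", "not PendingDeletion"),
    ("KMSInvalidStateException", "is pending import"): ("[5]", "PendingImport"),
}
# Assumed message layout, taken from Table Details: "<CMK ARN> <tail>."
MESSAGE = re.compile(
    r"^(?P<arn>\S+) (?P<tail>is (?:not )?pending deletion|is pending import|is disabled)\.?$"
)

def classify(record):
    """Return (CMK ARN, note, implied key state) for a failed call, else None."""
    match = MESSAGE.match((record.get("errorMessage") or "").strip())
    if not match:
        return None
    hit = RULES.get((record.get("errorCode"), match["tail"]))
    return (match["arn"], *hit) if hit else None

def keys_pending_deletion(records):
    """Map each CMK ARN in PendingDeletion to the operations that failed on it."""
    found = {}
    for record in records:
        result = classify(record)
        if result and result[2] == "PendingDeletion":
            found.setdefault(result[0], set()).add(record["eventName"])
    return found

# Constructed sample records (placeholder account ID and key IDs).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/example-key-a"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/example-key-b"
SAMPLE = [
    {"eventName": "Decrypt", "errorCode": "DisabledException",
     "errorMessage": KEY_A + " is pending deletion."},
    {"eventName": "CreateAlias", "errorCode": "KMSInvalidStateException",
     "errorMessage": KEY_A + " is pending deletion."},
    {"eventName": "Encrypt", "errorCode": "DisabledException",
     "errorMessage": KEY_B + " is disabled."},
    {"eventName": "CancelKeyDeletion", "errorCode": "KMSInvalidStateException",
     "errorMessage": KEY_B + " is not pending deletion."},
    {"eventName": "ListKeys"},  # successful call, no error fields
]

if __name__ == "__main__":
    for arn, operations in keys_pending_deletion(SAMPLE).items():
        print(arn, sorted(operations))
```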