How Key State Affects Use of a Customer Master Key
A customer master key (CMK) is always in one of the following states: Enabled, Disabled, Pending import, or Pending deletion. In the AWS Management Console, the key state appears in the Status field. To find the key state of a CMK by using the AWS KMS API, use the DescribeKey operation.
The following table shows whether AWS KMS API operations that run on a CMK in each state can be expected to succeed (✓), fail (X), or succeed only under certain conditions (?). The result often differs for CMKs with imported key material.
The CreateKey and GenerateRandom API operations have an
not-applicable (N/A) result because they do not use an existing CMK.
| API | Enabled | Disabled | Pending import | Pending deletion |
|---|---|---|---|---|
| CancelKeyDeletion |  [4] |
[4] |
[4] |
 |
| CreateAlias | |
|
|
[3] |
| CreateGrant | |
[1] |
[5] |
[2] or [3] |
| CreateKey | N/A | N/A | N/A | N/A |
| Decrypt | |
[1] |
[5] |
[2] or [3] |
| DeleteAlias | |
|
|
|
| DeleteImportedKeyMaterial |  [9] |
[9] |
(No effect) |
[9] |
| DescribeKey | |
|
|
|
| DisableKey | |
|
[5] |
[3] |
| DisableKeyRotation | [7] |
[1] or [7] |
[6] |
[3] or [7] |
| EnableKey | |
|
[5] |
[3] |
| EnableKeyRotation | [7] |
[1] or [7] |
[6] |
[3] or [7] |
| Encrypt | |
[1] |
[5] |
[2] or [3] |
| GenerateDataKey | |
[1] |
[5] |
[2] or [3] |
| GenerateDataKeyWithoutPlaintext | |
[1] |
[5] |
[2] or [3] |
| GenerateRandom | N/A | N/A | N/A | N/A |
| GetKeyPolicy | |
|
|
|
| GetKeyRotationStatus |
[7] |
[7] |
[6] |
[7] |
| GetParametersForImport | [9] |
[9] |
|
[8] or [9] |
| ImportKeyMaterial | [9] |
[9] |
|
[8] or [9] |
| ListAliases | |
|
|
|
| ListGrants | |
|
|
|
| ListKeyPolicies | |
|
|
|
| ListKeys | |
|
|
|
| ListResourceTags | |
|
|
|
| ListRetirableGrants | |
|
|
|
| PutKeyPolicy | |
|
|
|
| ReEncrypt | |
[1] |
[5] |
[2] or [3] |
| RetireGrant | |
|
|
|
| RevokeGrant | |
|
|
|
| ScheduleKeyDeletion | |
|
|
[3] |
| TagResource | |
|
|
[3] |
| UnTagResource | |
|
|
[3] |
| UpdateAlias | |
|
|
[10] |
| UpdateKeyDescription | |
|
|
[3] |
Table Details
-
[1]
DisabledException:<CMK ARN>is disabled. -
[2]
DisabledException:<CMK ARN>is pending deletion. -
[3]
KMSInvalidStateException:<CMK ARN>is pending deletion. -
[4]
KMSInvalidStateException:<CMK ARN>is not pending deletion. -
[5]
KMSInvalidStateException:<CMK ARN>is pending import. -
[6]
UnsupportedOperationException:<CMK ARN>origin is EXTERNAL which is not valid for this operation. -
[7] If the CMK has imported key material:
UnsupportedOperationException. -
[8] If the CMK has imported key material:
KMSInvalidStateException -
[9] If the CMK does not have imported key material:
UnsupportedOperationException. -
[10] If the source CMK is pending deletion, the command succeeds. If the destination CMK is pending deletion, the command fails with error:
KMSInvalidStateException :<CMK ARN>is pending deletion.
