Key state: Effect on your CMK

Customer master keys (CMKs) are always in one of the following states: Enabled, Disabled, PendingImport, PendingDeletion, or Unavailable.

The following table shows whether AWS KMS API operations that run on a CMK in each state can be expected to succeed (✓), fail (X), or succeed only under certain conditions (?). The result often differs for CMKs with imported key material.

Symmetric CMKs can be in the Enabled, Disabled, PendingImport, PendingDeletion, or Unavailable states. Asymmetric CMKs can be in the Enabled, Disabled, or PendingDeletion key state.

The Unavailable state applies only to a CMK in a custom key store. A CMK in a custom key store is Unavailable when the custom key store is intentionally disconnected from its AWS CloudHSM cluster. You can view and manage unavailable CMKs, but you cannot use them in cryptographic operations.

The following API operations do not appear in the table because they do not use an existing CMK.

ConnectCustomKeyStore
CreateCustomKeyStore
CreateKey
DeleteCustomKeyStore
DescribeCustomKeyStores
DisconnectCustomKeyStore
GenerateRandom
UpdateCustomKeyStore

API	Enabled	Disabled	Pending import	Pending deletion	Unavailable
CancelKeyDeletion	[4]	[4]	[4]		[4], [13]
CreateAlias				[3]
CreateGrant		[1]	[5]	[2] or [3]
Decrypt		[1]	[5]	[2] or [3]	[11]
DeleteAlias
DeleteImportedKeyMaterial	[9]	[9]	(No effect)	[9]	[9]
DescribeKey
DisableKey			[5]	[3]	[12]
DisableKeyRotation	[7]	[1] or [7]	[6]	[3] or [7]	[7]
EnableKey			[5]	[3]	[12]
EnableKeyRotation	[7]	[1] or [7]	[6]	[3] or [7]	[7]
Encrypt		[1]	[5]	[2] or [3]	[11]
GenerateDataKey		[1]	[5]	[2] or [3]	[11]
GenerateDataKeyPair		[1]	[5]	[2] or [3]	[11]
GenerateDataKeyPairWithoutPlaintext		[1]	[5]	[2] or [3]	[11]
GenerateDataKeyWithoutPlaintext		[1]	[5]	[2] or [3]	[11]
GetKeyPolicy
GetKeyRotationStatus	[7]	[7]	[6]	[7]	[7]
GetParametersForImport	[9]	[9]		[8] or [9]	[9]
GetPublicKey		[1]	N/A	[2] or [3]	N/A
ImportKeyMaterial	[9]	[9]		[8] or [9]	[9]
ListAliases
ListGrants
ListKeyPolicies
ListKeys
ListResourceTags
ListRetirableGrants
PutKeyPolicy
ReEncrypt		[1]	[5]	[2] or [3]	[11]
RetireGrant
RevokeGrant
ScheduleKeyDeletion				[3]
Sign		[1]	N/A	[2] or [3]	N/A
TagResource				[3]
UnTagResource				[3]
UpdateAlias				[10]
UpdateKeyDescription				[3]
Verify		[1]	N/A	[2] or [3]	N/A

Table Details

[1] DisabledException: <CMK ARN> is disabled.
[2] DisabledException: <CMK ARN> is pending deletion.
[3] KMSInvalidStateException: <CMK ARN> is pending deletion.
[4] KMSInvalidStateException: <CMK ARN> is not pending deletion.
[5] KMSInvalidStateException: <CMK ARN> is pending import.
[6] UnsupportedOperationException: <CMK ARN> origin is EXTERNAL which is not valid for this operation.
[7] If the CMK has imported key material or is in a custom key store: UnsupportedOperationException.
[8] If the CMK has imported key material: KMSInvalidStateException
[9] If the CMK cannot or does not have imported key material: UnsupportedOperationException.
[10] If the source CMK is pending deletion, the command succeeds. If the destination CMK is pending deletion, the command fails with error: KMSInvalidStateException : <CMK ARN> is pending deletion.
[11] KMSInvalidStateException: <CMK ARN> is unavailable. You cannot perform this operation on an unavailable CMK.
[12] The operation succeeds, but the key state of the CMK does not change until it becomes available.
[13] While a CMK in a custom key store is pending deletion, its key state remains PendingDeletion even if the CMK becomes unavailable. This allows you to cancel deletion of the CMK at any time during the waiting period.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using hybrid post-quantum TLS

How AWS services use AWS KMS