AWS KMS eventual consistency - AWS Key Management Service

AWS KMS eventual consistency

The AWS KMS API follows an eventual consistency model due to the distributed nature of the system. As a result, changes to AWS KMS resources might not be immediately visible to the subsequent commands you run.

When you perform AWS KMS API calls, there might be a brief delay before the change is available throughout AWS KMS. It typically takes less than a few seconds for the change to propagate throughout the system, but in some cases it can take several minutes. You might get unexpected errors, such as a NotFoundException or an InvalidStateException, during this time. For example, AWS KMS might return a NotFoundException if you call GetParametersForImport immediately after calling CreateKey.

We recommend that you configure a retry strategy on your AWS KMS clients to automatically retry operations after a brief waiting period. For more information, see Retry behavior in the AWS SDKs and Tools Reference Guide.

For grant related API calls, you can use a grant token to avoid any potential delay and use the permissions in a grant immediately. For more information, see Eventual consistency (for grants).