In KMS, a CMK may be in the Enabled, Disabled, or PendingDeletion state.

A BYOK-based CMK may also be in the PendingImport state. To check whether a CMK is a BYOK-based CMK, you can call the DescribeKey operation. For a BYOK-based CMK, the value of Origin is EXTERNAL.

In most cases, a newly created CMK is in the Enabled state. A newly created BYOK-based CMK is in the PendingImport state.

Only CMKs in the Enabled state can be used to encrypt or decrypt data or data keys. For other API operations, the result depends on the CMK state.

A CMK in the PendingDeletion state is deleted permanently after the scheduled waiting period elapses.

The following table lists the relationship between CMK states and expected results of API operations.

| Expected result | HTTP status code |
| --- | --- |
| Success | 200 |
| Rejected.Enabled | 409 |
| Rejected.Disabled | 409 |
| Rejected.PendingDeletion | 409 |
| Rejected.PendingImport | 409 |
| Rejected.StateModifiedFailed | 409 |

Common API operations

| API operation | Enabled | Disabled | PendingDeletion | PendingImport |
| --- | --- | --- | --- | --- |
| CreateKey | Success | Success | Success | Success |
| GenerateDataKey | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| GenerateDataKeyWithoutPlaintext | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| Encrypt | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| Decrypt | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| ListKeys | Success | Success | Success | Success |
| DescribeKey | Success | Success | Success | Success |
| UpdateKeyDescription | Success | Success | Rejected.PendingDeletion | Success |
| EnableKey | Success | Success | Rejected.StateModifiedFailed | Rejected.StateModifiedFailed |
| DisableKey | Success | Success | Rejected.StateModifiedFailed | Rejected.StateModifiedFailed |
| ScheduleKeyDeletion | Success | Success | Rejected.StateModifiedFailed | Success |
| CancelKeyDeletion | Rejected.StateModifiedFailed | Rejected.StateModifiedFailed | Success | Rejected.StateModifiedFailed |
| CreateAlias | Success | Success | Rejected.StateModifiedFailed | Success |
| DeleteAlias | Success | Success | Success | Success |
| ListAliases | Success | Success | Success | Success |
| TagResource | Success | Success | Rejected.PendingDeletion | Success |
| UntagResource | Success | Success | Rejected.PendingDeletion | Success |
| ListResourceTags | Success | Success | Success | Success |
| DescribeKeyVersion | Success | Success | Success | Success |
| ListKeyVersions | Success | Success | Success | Success |
| UpdateRotationPolicy | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |

Special API operations

UpdateAlias:
  • This operation is affected only by the state of the destination CMK.
  • When the destination CMK is in the PendingDeletion state, Rejected.PendingDeletion is returned. Otherwise, Success is returned.

BYOK-specific API operations

| API operation | Enabled | Disabled | PendingDeletion | PendingImport |
| --- | --- | --- | --- | --- |
| GetParametersForImport | Success | Success | Success | Success |
| ImportKeyMaterial | Success | Success | Rejected.StateModifiedFailed | Success |
| DeleteKeyMaterial | Success | Success | Success | Success |
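
The tables above reduce to a few rule groups, which makes it practical to audit a key inventory before a workload depends on it. The following Python sketch is an added example, not code from the KMS documentation or SDK: it predicts the result and HTTP status for each operation a workload needs and flags keys that would be rejected. The field names `KeyId` and `KeyState`, the `OTHER` origin value, and the sample keys are assumptions constructed for illustration; only `Origin` = `EXTERNAL` comes from this page.

```python
STATES = {"Enabled", "Disabled", "PendingDeletion", "PendingImport"}
# Rejected with Rejected.<State> in every state except Enabled.
NEEDS_ENABLED = {"GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                 "Encrypt", "Decrypt", "UpdateRotationPolicy"}
# Rejected only in PendingDeletion (UpdateAlias: state of the destination CMK).
BLOCKED_BY_DELETION = {"UpdateKeyDescription", "TagResource",
                       "UntagResource", "UpdateAlias"}
# Operation -> states that return Rejected.StateModifiedFailed.
_PD = {"PendingDeletion"}
STATE_CHANGE = {
    "EnableKey": _PD | {"PendingImport"}, "DisableKey": _PD | {"PendingImport"},
    "ScheduleKeyDeletion": _PD, "CreateAlias": _PD, "ImportKeyMaterial": _PD,
    "CancelKeyDeletion": {"Enabled", "Disabled", "PendingImport"},
}
ALWAYS_OK = {"CreateKey", "ListKeys", "DescribeKey", "DeleteAlias",
             "ListAliases", "ListResourceTags", "DescribeKeyVersion",
             "ListKeyVersions", "GetParametersForImport", "DeleteKeyMaterial"}

def expected_result(operation, state):
    """Return (result, http_status) for `operation` on a CMK in `state`."""
    if state not in STATES:
        raise ValueError(f"unknown CMK state: {state}")
    if operation in NEEDS_ENABLED:
        code = None if state == "Enabled" else f"Rejected.{state}"
    elif operation in BLOCKED_BY_DELETION:
        code = "Rejected.PendingDeletion" if state == "PendingDeletion" else None
    elif operation in STATE_CHANGE or operation in ALWAYS_OK:
        code = "Rejected.StateModifiedFailed" if state in STATE_CHANGE.get(operation, ()) else None
    else:
        raise ValueError(f"operation not in the tables: {operation}")
    return (code, 409) if code else ("Success", 200)

def audit(keys, required_ops):
    """Return (KeyId, operation, result) for each call the tables reject."""
    findings = []
    for key in keys:
        kid, state = key["KeyId"], key["KeyState"]  # assumed field names
        # Per this page, PendingImport applies to BYOK keys (Origin EXTERNAL).
        if state == "PendingImport" and key.get("Origin") != "EXTERNAL":
            findings.append((kid, "*", "PendingImport but Origin is not EXTERNAL"))
            continue
        for op in required_ops:
            result, status = expected_result(op, state)
            if status != 200:
                findings.append((kid, op, result))
    return findings
# Constructed sample metadata (not real keys); "OTHER" stands for any non-BYOK origin.
SAMPLE_KEYS = [{"KeyId": "k-enabled", "KeyState": "Enabled", "Origin": "OTHER"},
               {"KeyId": "k-byok", "KeyState": "PendingImport", "Origin": "EXTERNAL"},
               {"KeyId": "k-doomed", "KeyState": "PendingDeletion", "Origin": "OTHER"}]
```

Calling `audit(SAMPLE_KEYS, ["Encrypt", "CreateAlias"])` reports the BYOK key that still lacks key material and the key scheduled for deletion, each with the rejection code the tables predict.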