In KMS, a CMK may be in the Enabled, Disabled, or PendingDeletion state.

A BYOK-based CMK may also be in the PendingImport state. To check whether a CMK is a BYOK-based CMK, you can call the DescribeKey operation. For a BYOK-based CMK, the value of Origin is EXTERNAL.

In most cases, a newly created CMK is in the Enabled state. A newly created BYOK-based CMK is in the PendingImport state.

Only CMKs in the Enabled state can be used to encrypt or decrypt data or data keys. In other API operations, different results are returned depending on CMK states.

A CMK in the PendingDeletion state is deleted permanently after the scheduled waiting period elapses.

The following table lists the relationship between CMK states and expected results of API operations.
Expected resultHTTP Status Code
Expected resultHTTP Status Code
Success200
Rejected.Enabled409
Rejected.Disabled409
Rejected.PendingDeletion409
Rejected.PendingImport409
Rejected.StateModifiedFailed409

Common API operations

API operationEnabledDisabledPendingDeletionPendingImport
API operationEnabledDisabledPendingDeletionPendingImport
CreateKeySuccessSuccessSuccessSuccess
GenerateDataKeySuccessRejected.DisabledRejected.PendingDeletionRejected.PendingImport
GenerateDataKeyWithoutPlaintextSuccessRejected.DisabledRejected.PendingDeletionRejected.PendingImport
EncryptSuccessRejected.DisabledRejected.PendingDeletionRejected.PendingImport
DecryptSuccessRejected.DisabledRejected.PendingDeletionRejected.PendingImport
ListKeysSuccessSuccessSuccessSuccess
DescribeKeySuccessSuccessSuccessSuccess
UpdateKeyDescriptionSuccessSuccessRejected.PendingDeletionSuccess
EnableKeySuccessSuccessRejected.StateModifiedFailedRejected.StateModifiedFailed
DisableKeySuccessSuccessRejected.StateModifiedFailedRejected.StateModifiedFailed
ScheduleKeyDeletionSuccessSuccessRejected.StateModifiedFailedSuccess
CancelKeyDeletionRejected.StateModifiedFailedRejected.StateModifiedFailedSuccessRejected.StateModifiedFailed
CreateAliasSuccessSuccessRejected.StateModifiedFailedSuccess
DeleteAliasSuccessSuccessSuccessSuccess
ListAliasesSuccessSuccessSuccessSuccess
TagResourceSuccessSuccessRejected.PendingDeletionSuccess
UntagResourceSuccessSuccessRejected.PendingDeletionSuccess
ListResourceTagsSuccessSuccessSuccessSuccess
DescribeKeyVersionSuccessSuccessSuccessSuccess
ListKeyVersionsSuccessSuccessSuccessSuccess
UpdateRotationPolicySuccessRejected.DisabledRejected.PendingDeletionRejected.PendingImport

Special API operations

UpdateAlias:
  • This operation is affected only by the state of the destination CMK.
  • When the destination CMK is in the PendingDeletion state, Rejected.PendingDeletion is returned. Otherwise, Success is returned.
BYOK-specific API operations
API operationEnabledDisabledPendingDeletionPendingImport
API operationEnabledDisabledPendingDeletionPendingImport
GetParametersForImportSuccessSuccessSuccessSuccess
ImportKeyMaterialSuccessSuccessRejected.StateModifiedFailedSuccess
DeleteKeyMaterialSuccessSuccessSuccessSuccess