KMSInvalidStateException
Tags: aws, auth_error, ai_generated, partial

An error occurred (KMSInvalidStateException) when calling the Decrypt operation: request was rejected because the key state is PendingDeletion

ID: aws/kms-key-deleted-or-disabled

Fix rate: 85%
Confidence: 90%
Evidence: 1
First seen: 2023-12-01

Version Compatibility

Version                          Status   Introduced   Deprecated   Notes
KMS (API version 2014-11-01)     active
AWS CLI 2.18.0                   active
AWS SDK for Python 1.34.0        active

Root Cause

The KMS key used for decryption is in the PendingDeletion state: someone has called ScheduleKeyDeletion on it, and KMS rejects every cryptographic operation on a key in that state, Decrypt included, until the deletion is cancelled. The key material is retained during the waiting period (7 to 30 days, 30 by default), so the key and the data encrypted under it are recoverable until the DeletionDate shown by DescribeKey. Once the waiting period ends the key and its material are destroyed and the ciphertext is permanently unrecoverable. A key in the Disabled state fails the same call with the same exception ("the key state is Disabled"), which needs only EnableKey to fix.


Official Documentation

https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html

Workarounds

  1. 85% success Cancel the scheduled deletion while the key is still in the PendingDeletion state and the waiting period has not expired. Confirm the state and the DeletionDate first (aws kms describe-key --key-id <key-id>), then call CancelKeyDeletion (aws kms cancel-key-deletion --key-id <key-id>). Cancelling returns the key to the Disabled state, not to Enabled, so follow up with EnableKey (aws kms enable-key --key-id <key-id>) before retrying the Decrypt call. The caller needs kms:CancelKeyDeletion and kms:EnableKey on the key.
  2. 75% success If the waiting period has already expired, the key material has been destroyed and ciphertext encrypted under that key cannot be decrypted by anyone, including AWS. Recover the data from a backup that was encrypted under a different key, or from a plaintext copy if one still exists, and re-encrypt it under a current key. For critical data keep the deletion window at its maximum (30 days, which is also the default; the minimum is 7) and alert on ScheduleKeyDeletion events in CloudTrail so the deletion can be cancelled inside the window.


Dead Ends

Common approaches that don't work:

  1. Recreate the KMS key with the same alias and try again. 95% fail

    A new key has a different key ID and different key material, and an alias is only a pointer to a key ID. KMS records the ID of the key used for encryption inside the ciphertext and uses that key for Decrypt, so data encrypted under the old key cannot be decrypted under the new one regardless of which key the alias now points to.

  2. Use the AWS managed key instead of a customer managed key. 80% fail

    An AWS managed key (aws/<service>) can only be used by that service on your behalf, and in any case the existing ciphertext still references the original customer managed key, so changing the key used for new calls does nothing for data that is already encrypted.

  3. Force delete the key immediately and recreate it. 90% fail

    KMS has no immediate or forced deletion: ScheduleKeyDeletion accepts a waiting period of 7 to 30 days, and shortening it only brings forward the moment at which the key material is destroyed permanently, making decryption of existing data impossible.
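The recovery procedure under Workarounds and the first dead end above, as an added Python example that is not code from this page or from AWS. recover_and_decrypt() uses only the boto3 KMS client operations describe_key, cancel_key_deletion, enable_key and decrypt plus the client.exceptions names, so a real boto3.client("kms") can be passed in. FakeKMS is a constructed in-memory stand-in, assumed to match those call names and response shapes, so the walk-through runs offline; the key IDs, the alias, the plaintext and the choice to model a deleted key as NotFoundException are constructed for the example, not behaviour recorded on the page.

```python
# Added example, not code from this page or from AWS. FakeKMS is a constructed offline stand-in
# for boto3's KMS client (assumption: same call names and response shapes as the real API).
from datetime import datetime, timedelta, timezone


class FakeKMS:
    class exceptions:  # the names boto3 exposes as client.exceptions.<Name>
        class KMSInvalidStateException(Exception): ...
        class NotFoundException(Exception): ...

    def __init__(self):
        self.keys, self.aliases, self._seq = {}, {}, 0  # key id -> metadata; alias -> key id

    def _resolve(self, key_id):
        key_id = self.aliases.get(key_id, key_id)
        if key_id not in self.keys:
            raise self.exceptions.NotFoundException(f"Key '{key_id}' does not exist")
        return key_id

    def create_key(self):
        self._seq += 1
        kid = f"key-{self._seq:04d}"  # constructed id; real KMS issues a UUID
        self.keys[kid] = {"KeyId": kid, "KeyState": "Enabled", "DeletionDate": None}
        return {"KeyMetadata": dict(self.keys[kid])}

    def create_alias(self, AliasName, TargetKeyId):  # also stands in for UpdateAlias
        self.aliases[AliasName] = self._resolve(TargetKeyId)

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[self._resolve(KeyId)])}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        due = datetime.now(timezone.utc) + timedelta(days=PendingWindowInDays)
        self.keys[self._resolve(KeyId)].update(KeyState="PendingDeletion", DeletionDate=due)

    def cancel_key_deletion(self, KeyId):  # real KMS leaves the key Disabled, not Enabled
        self.keys[self._resolve(KeyId)].update(KeyState="Disabled", DeletionDate=None)

    def enable_key(self, KeyId):
        self.keys[self._resolve(KeyId)]["KeyState"] = "Enabled"

    def expire_deletion(self, KeyId):  # not an API call: the waiting period ends, material is gone
        del self.keys[self._resolve(KeyId)]

    def encrypt(self, KeyId, Plaintext):
        # NOT encryption: only models the key reference KMS embeds in every ciphertext blob
        return {"CiphertextBlob": self._resolve(KeyId).encode() + b"|" + Plaintext}

    def decrypt(self, CiphertextBlob):
        kid, _, plaintext = CiphertextBlob.partition(b"|")  # key comes from the blob, not an alias
        kid = kid.decode()
        if kid not in self.keys:  # assumption: a deleted key is modelled as NotFoundException
            raise self.exceptions.NotFoundException(f"Key '{kid}' does not exist")
        state = self.keys[kid]["KeyState"]
        if state != "Enabled":  # Disabled and PendingDeletion are rejected the same way
            raise self.exceptions.KMSInvalidStateException(
                f"request was rejected because the key state is {state}")
        return {"Plaintext": plaintext, "KeyId": kid}


def recover_and_decrypt(kms, key_id, ciphertext):
    """Return (final key state, plaintext or None); works with boto3.client("kms") or FakeKMS."""
    try:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except kms.exceptions.NotFoundException:
        return ("deleted", None)  # waiting period is over: nothing left to cancel
    state = meta["KeyState"]
    if state == "PendingDeletion":  # cancellable until DeletionDate; needs kms:CancelKeyDeletion
        kms.cancel_key_deletion(KeyId=meta["KeyId"])
        state = "Disabled"
    if state == "Disabled":  # CancelKeyDeletion does not re-enable; needs kms:EnableKey
        kms.enable_key(KeyId=meta["KeyId"])
        state = "Enabled"
    return (state, kms.decrypt(CiphertextBlob=ciphertext)["Plaintext"])  # other states raise here


def demo():
    """Constructed walk-through of the page's scenario; returns what each step observed."""
    kms, out = FakeKMS(), {}
    old = kms.create_key()["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName="alias/app-data", TargetKeyId=old)
    blob = kms.encrypt(KeyId="alias/app-data", Plaintext=b"db-password")["CiphertextBlob"]
    kms.schedule_key_deletion(KeyId=old, PendingWindowInDays=7)
    try:
        kms.decrypt(CiphertextBlob=blob)
    except kms.exceptions.KMSInvalidStateException as e:
        out["error"] = str(e)  # the message at the top of the page
    new = kms.create_key()["KeyMetadata"]["KeyId"]  # dead end 1: new key behind the same alias
    kms.create_alias(AliasName="alias/app-data", TargetKeyId=new)
    try:
        kms.decrypt(CiphertextBlob=blob)  # still fails: the blob names the old key, not the alias
    except kms.exceptions.KMSInvalidStateException as e:
        out["after_recreate"] = str(e)
    out["recovered"] = recover_and_decrypt(kms, old, blob)  # workaround 1
    kms.expire_deletion(KeyId=old)  # workaround 2's situation: the waiting period has passed
    out["expired"] = recover_and_decrypt(kms, old, blob)
    return out
```

Running demo() reproduces the four observations the page describes: Decrypt fails while the key is PendingDeletion, it keeps failing after a new key is put behind the same alias because KMS reads the key ID from the ciphertext, CancelKeyDeletion followed by EnableKey makes the original ciphertext decryptable again, and once the waiting period has passed there is nothing left to cancel. With the real client the caller needs kms:DescribeKey, kms:CancelKeyDeletion, kms:EnableKey and kms:Decrypt on the key.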