{
  "id": "aws/kms-key-deleted-or-disabled",
  "signature": "An error occurred (KMSInvalidStateException) when calling the Decrypt operation: request was rejected because the key state is PendingDeletion",
  "signature_zh": "调用 Decrypt 操作时发生错误 (KMSInvalidStateException)：请求被拒绝，因为密钥状态为 PendingDeletion",
  "regex": "KMSInvalidStateException.*Decrypt.*key state is PendingDeletion",
  "domain": "aws",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The KMS key used for decryption is in 'PendingDeletion' state, meaning it has been scheduled for deletion and cannot be used for cryptographic operations.",
  "root_cause_type": "generic",
  "root_cause_zh": "用于解密的 KMS 密钥处于 'PendingDeletion' 状态，意味着它已被计划删除，无法用于加密操作。",
  "versions": [
    {
      "version": "KMS 2014-11-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS CLI 2.18.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS SDK for Python 1.34.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Recreate the KMS key with the same alias and try again.",
      "why_fails": "An alias is only a pointer to a key. A new key has a different key ID and different key material, so data encrypted with the old key cannot be decrypted with the new one, even when the alias is reused.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use the AWS managed key instead of a customer managed key.",
      "why_fails": "AWS managed keys have different permissions and may not be accessible for the specific data, and the original encrypted data still references the old key.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "Force delete the key immediately and recreate it.",
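      "why_fails": "A KMS key cannot be deleted immediately; deletion can only be scheduled with a waiting period of 7 to 30 days. Once deletion completes, the key material is destroyed permanently, making decryption of existing data impossible.",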
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Cancel the scheduled key deletion while the key is still in 'PendingDeletion' state and the waiting period has not expired, then re-enable the key.",
      "success_rate": 0.85,
      "how": "Call CancelKeyDeletion (`aws kms cancel-key-deletion --key-id <key-id>`) before the waiting period expires. Cancelling leaves the key in the 'Disabled' state, so call EnableKey (`aws kms enable-key --key-id <key-id>`) before retrying Decrypt.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the key has already been deleted, data encrypted under it can no longer be decrypted; restore the data from a backup that was encrypted with a different key, or use the last known plaintext if available. For critical data, ensure keys have a longer deletion window (e.g., 30 days).",
      "success_rate": 0.75,
      "how": "If the key has already been deleted, data encrypted under it can no longer be decrypted; restore the data from a backup that was encrypted with a different key, or use the last known plaintext if available. For critical data, ensure keys have a longer deletion window (e.g., 30 days).",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "如果密钥处于 'PendingDeletion' 状态且等待期尚未到期，请取消计划的密钥删除（CancelKeyDeletion）；取消后密钥处于 'Disabled' 状态，需要重新启用密钥（EnableKey）后再重试 Decrypt。",
    "如果密钥已被删除，则用该密钥加密的数据无法再解密；请从使用其他密钥加密的备份中恢复数据，或者在可用时使用最后的已知明文。对于关键数据，请确保密钥具有更长的删除窗口（例如 30 天）。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html",
  "official_doc_section": null,
  "error_code": "KMSInvalidStateException",
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.85,
  "resolvable": "partial",
  "first_seen": "2023-12-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}