# An error occurred (KMSInvalidStateException) when calling the Decrypt operation: request was rejected because the key state is PendingDeletion

- **ID:** `aws/kms-key-deleted-or-disabled`
- **Domain:** aws
- **Category:** auth_error
- **Error Code:** `KMSInvalidStateException`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The KMS key used for decryption is in 'PendingDeletion' state, meaning it has been scheduled for deletion and cannot be used for cryptographic operations.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| KMS 2014-11-01 | active | — | — |
| AWS CLI 2.18.0 | active | — | — |
| AWS SDK for Python 1.34.0 | active | — | — |

## Workarounds

1. **Cancel the scheduled key deletion if the key is in 'PendingDeletion' state and the waiting period has not expired.** (85% success)
2. **If the key has already been deleted, restore from a backup of the encrypted data using a different key, or use the last known plaintext if available. For critical data, ensure keys have a longer deletion window (e.g., 30 days).** (75% success)
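
One way to script the first workaround with the AWS SDK for Python. This is an added example, not code from the original page. `restore_key` and `KeyNotRecoverable` are hypothetical names, and `kms` is assumed to be a boto3 KMS client created by the caller.

```python
class KeyNotRecoverable(Exception):
    """The key is in a state that cancelling deletion or enabling cannot fix."""


def restore_key(kms, key_id):
    """Return (calls_made, final_state) after bringing the key back to Enabled.

    kms: a boto3 KMS client, e.g. boto3.client("kms") (assumed to be supplied
    by the caller). If the waiting period has already expired and the key is
    gone, describe_key raises NotFoundException and nothing here can help.
    """
    calls = []
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]

    if state == "PendingDeletion":
        # Cancelling the deletion does not re-enable the key: KMS puts it
        # in the Disabled state, so Decrypt would still be rejected.
        kms.cancel_key_deletion(KeyId=key_id)
        calls.append("cancel_key_deletion")
        state = "Disabled"

    if state == "Disabled":
        # Check why the key was disabled before running this in production;
        # a key disabled during incident response should stay disabled.
        kms.enable_key(KeyId=key_id)
        calls.append("enable_key")

    # Re-read the state from KMS instead of trusting our own bookkeeping.
    state = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
    if state != "Enabled":
        raise KeyNotRecoverable(f"{key_id} is in state {state}")
    return calls, state


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the function above has no hard dependency

    # Usage: python restore_key.py <key-id-or-arn>
    print(restore_key(boto3.client("kms"), sys.argv[1]))
```

The caller needs `kms:DescribeKey`, `kms:CancelKeyDeletion` and `kms:EnableKey` on the key.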

## Dead Ends

- **Recreate the KMS key with the same alias and try again.** — A new key has a different key ID, so data encrypted with the old key cannot be decrypted with the new one. (95% fail)
- **Use the AWS managed key instead of a customer managed key.** — AWS managed keys have different permissions and may not be accessible for the specific data, and the original encrypted data still references the old key. (80% fail)
- **Force delete the key immediately and recreate it.** — Force deletion destroys the key material permanently, making decryption of existing data impossible. (90% fail)
