# An error occurred (KMSInvalidStateException) when calling the Decrypt operation: the request was rejected because the key state is PendingDeletion

- **ID:** `aws/kms-key-deleted-or-disabled`
- **Domain:** aws
- **Category:** auth_error
- **Error code:** `KMSInvalidStateException`
- **Verification level:** ai_generated
- **Fix rate:** 85%

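## Root cause

The KMS key used for decryption is in the 'PendingDeletion' state, meaning it has been scheduled for deletion and cannot be used for cryptographic operations.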

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| KMS 2014-11-01 | active | — | — |
| AWS CLI 2.18.0 | active | — | — |
| AWS SDK for Python 1.34.0 | active | — | — |

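## Resolution

1. If the key is in the 'PendingDeletion' state and the waiting period has not yet expired, cancel the key deletion to recover the key.
2. If the key has already been deleted, restore from a backup of the data that was encrypted with a different key, or use the last known plaintext if it is available. For critical data, make sure the key has a longer deletion window (for example, 30 days).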
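
The first step as AWS CLI calls, in an added example that is not part of the original entry. It assumes AWS CLI v2 and permissions for `kms:DescribeKey`, `kms:CancelKeyDeletion` and `kms:EnableKey`; the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: cancel a scheduled KMS key deletion and re-enable the key.
# Assumes AWS CLI v2 with credentials allowing kms:DescribeKey,
# kms:CancelKeyDeletion and kms:EnableKey on the key.

# Print the key state (Enabled, Disabled, PendingDeletion, ...).
kms_key_state() {
  aws kms describe-key --key-id "$1" \
    --query 'KeyMetadata.KeyState' --output text
}

# recover_kms_key <key-id-or-arn>
# Returns 0 when the key is Enabled, 2 when it cannot be described
# (deleted, wrong Region, or access denied), 3 when it is in a state this
# function leaves alone, 1 when an API call fails.
recover_kms_key() {
  key_id="$1"
  state="$(kms_key_state "$key_id")" || {
    echo "cannot describe $key_id: restore from backup or known plaintext" >&2
    return 2
  }
  case "$state" in
    Enabled)
      echo "$key_id is already Enabled" ;;
    PendingDeletion)
      aws kms cancel-key-deletion --key-id "$key_id" >/dev/null || return 1
      # CancelKeyDeletion leaves the key Disabled; Decrypt keeps failing
      # until the key is explicitly enabled again.
      aws kms enable-key --key-id "$key_id" || return 1
      state="$(kms_key_state "$key_id")" || return 1
      [ "$state" = "Enabled" ] || return 1
      echo "$key_id recovered and Enabled" ;;
    *)
      # e.g. Disabled on purpose by an operator: do not silently re-enable.
      echo "$key_id is $state; not changing it" >&2
      return 3 ;;
  esac
}

# Run against a real key only when a key ID is given on the command line.
[ "$#" -eq 0 ] || recover_kms_key "$1"
```

A key that is `Disabled` without having been pending deletion is reported and left unchanged, because it may have been disabled deliberately.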

## Attempts that do not work

- **Recreate the KMS key with the same alias and try again.** — A new key has a different key ID, so data encrypted with the old key cannot be decrypted with the new one. (95% failure rate)
- **Use the AWS managed key instead of a customer managed key.** — AWS managed keys have different permissions and may not be accessible for the specific data, and the original encrypted data still references the old key. (80% failure rate)
- **Force delete the key immediately and recreate it.** — Force deletion destroys the key material permanently, making decryption of existing data impossible. (90% failure rate)
