{
  "id": "aws/kms-key-deletion-pending",
  "signature": "An error occurred (KMSInvalidStateException) when calling the Encrypt operation: request was rejected because the key state is PendingDeletion.",
  "signature_zh": "调用 Encrypt 操作时出错 (KMSInvalidStateException)：请求被拒绝，因为密钥状态为 PendingDeletion。",
  "regex": "KMSInvalidStateException.*key state is PendingDeletion",
  "domain": "aws",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The KMS key is scheduled for deletion and cannot be used for cryptographic operations until canceled.",
  "root_cause_type": "generic",
  "root_cause_zh": "KMS 密钥已计划删除，在取消删除前无法用于加密操作。",
  "versions": [
    {
      "version": "aws-kms-2024",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "boto3-1.34.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "aws-sdk-java-2.25.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Re-creating a new key with the same alias but different ID breaks existing encrypted data; old data can't be decrypted.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Waiting for the deletion to complete is irreversible; the key becomes permanently unusable.",
      "fail_rate": 1.0,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Cancel the key deletion: `aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` and wait for the key state to return to 'Enabled'.",
      "success_rate": 0.95,
      "how": "Cancel the key deletion: `aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` and wait for the key state to return to 'Enabled'.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the key is irrecoverable, create a new KMS key and re-encrypt all data using the new key with a data key re-encryption process.",
      "success_rate": 0.8,
      "how": "If the key is irrecoverable, create a new KMS key and re-encrypt all data using the new key with a data key re-encryption process.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "取消密钥删除：`aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` 并等待密钥状态恢复为 'Enabled'。",
    "如果密钥不可恢复，创建新的 KMS 密钥并使用数据密钥重新加密过程重新加密所有数据。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html",
  "official_doc_section": null,
  "error_code": "KMSInvalidStateException",
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.95,
  "resolvable": "true",
  "first_seen": "2024-04-22",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}