# An error occurred (KMSInvalidStateException) when calling the Encrypt operation: request was rejected because the key state is PendingDeletion.

- **ID:** `aws/kms-key-deletion-pending`
- **Domain:** aws
- **Category:** auth_error
- **Error Code:** `KMSInvalidStateException`
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

The KMS key is scheduled for deletion and cannot be used for cryptographic operations until canceled.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| aws-kms-2024 | active | — | — |
| boto3-1.34.0 | active | — | — |
| aws-sdk-java-2.25.0 | active | — | — |

## Workarounds

1. **Cancel the key deletion: `aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` and wait for the key state to return to 'Enabled'.** (95% success)
   ```
   Cancel the key deletion: `aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` and wait for the key state to return to 'Enabled'.
   ```
2. **If the key is irrecoverable, create a new KMS key and re-encrypt all data using the new key with a data key re-encryption process.** (80% success)
   ```
   If the key is irrecoverable, create a new KMS key and re-encrypt all data using the new key with a data key re-encryption process.
   ```

## Dead Ends

- **** — Re-creating a new key with the same alias but different ID breaks existing encrypted data; old data can't be decrypted. (70% fail)
- **** — Waiting for the deletion to complete is irreversible; the key becomes permanently unusable. (100% fail)