KMSInvalidStateException
aws
auth_error
ai_generated
true
An error occurred (KMSInvalidStateException) when calling the Encrypt operation: request was rejected because the key state is PendingDeletion.
ID: aws/kms-key-deletion-pending
Fix rate: 95%
Confidence: 90%
Evidence count: 1
First seen: 2024-04-22
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| aws-kms-2024 | active | — | — | — |
| boto3-1.34.0 | active | — | — | — |
| aws-sdk-java-2.25.0 | active | — | — | — |
Root cause analysis
The KMS key is scheduled for deletion and cannot be used for cryptographic operations until the deletion is canceled.
Official documentation
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
Solution
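- Cancel the key deletion: `aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` and wait for the key state to return to 'Enabled'.
- If the key cannot be recovered, create a new KMS key and re-encrypt all data using the data-key re-encryption process.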
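The recovery step above as an added Python example (not part of the original entry): it cancels the scheduled deletion and then checks the key state. AWS documents that a key whose deletion is canceled is left in the `Disabled` state, so the sketch also calls `enable_key`. `recover_key` and `FakeKMS` are hypothetical names; `FakeKMS` is a constructed stand-in so the block runs offline, and a real `boto3.client("kms")` exposes the same three methods.

```python
"""Added example: recover a KMS key that is in PendingDeletion."""


def recover_key(kms, key_id):
    """Cancel a scheduled deletion and bring the key back to Enabled.

    `kms` is a boto3 KMS client (or any object with the same methods).
    Returns the list of key states observed, ending with the final state.
    """
    def state():
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]

    seen = [state()]
    if seen[-1] == "PendingDeletion":
        kms.cancel_key_deletion(KeyId=key_id)
        seen.append(state())          # AWS documents this state as Disabled
    if seen[-1] == "Disabled":
        kms.enable_key(KeyId=key_id)  # needed before Encrypt succeeds again
        seen.append(state())
    if seen[-1] != "Enabled":
        # Any other state (for example PendingImport) needs manual handling.
        raise RuntimeError(f"key {key_id} is {seen[-1]}, not Enabled")
    return seen


class FakeKMS:
    """Constructed stand-in for the KMS API so the example runs offline."""

    def __init__(self, state):
        self.state = state
        self.calls = []

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": self.state}}

    def cancel_key_deletion(self, KeyId):
        self.calls.append("cancel_key_deletion")
        self.state = "Disabled"
        return {"KeyId": KeyId}

    def enable_key(self, KeyId):
        self.calls.append("enable_key")
        self.state = "Enabled"


if __name__ == "__main__":
    # Against AWS: import boto3; kms = boto3.client("kms")
    kms = FakeKMS("PendingDeletion")
    print(recover_key(kms, "1234abcd-12ab-34cd-56ef-1234567890ab"))
```

Before re-enabling a key, check the CloudTrail `ScheduleKeyDeletion` event for that key to confirm who scheduled the deletion and that it was not intentional.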
Ineffective attempts
Common but ineffective approaches:
- 70% failure: Re-creating a new key with the same alias but a different ID breaks existing encrypted data; old data can't be decrypted.
- 100% failure: Waiting for the deletion to complete is irreversible; the key becomes permanently unusable.