# KMS 解密异常：无法使用 KMS 密钥解密环境变量

- **ID:** `cloud/aws-lambda-kms-decryption-failure`
- **领域:** cloud
- **类别:** auth_error
- **错误码:** `KMS.DecryptionException`
- **验证级别:** ai_generated
- **修复率:** 92%

## 根因

AWS Lambda 函数使用 KMS 密钥加密了环境变量，但 Lambda 执行角色缺少对该特定密钥的 `kms:Decrypt` 权限，或者密钥已被删除或禁用。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| AWS Lambda | active | — | — |
| AWS KMS | active | — | — |
| boto3 1.34.0 | active | — | — |

## 解决方案

1. ```
   Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN. Example IAM policy: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:us-east-1:123456789012:key/abc123-..."}]}`. Update the role via AWS Console or CLI.
   ```
2. ```
   If the KMS key was deleted, restore it within the 30-day waiting period via `aws kms restore-key --key-id <key-id>`. If the key is disabled, re-enable it: `aws kms enable-key --key-id <key-id>`. Then retry the Lambda invocation.
   ```

## 无效尝试

- **** — The error is about permission, not encryption itself; unencrypted env vars bypass the KMS check but expose secrets in plaintext in the Lambda console and logs. (60% 失败率)
- **** — While it resolves the decryption issue, it violates least-privilege principles and could allow unintended KMS operations like key deletion. (20% 失败率)