In KMS, each CMK has three states: Enabled, Disabled, and PendingDeletion.

For a BYOK with its Origin value set to External in KeyMetadata parameters, it also may be in the PendingImport state.

A newly created CMK is usually in the Enabled state. A BYOK is in the PendingImport state when it is created.

Only CMKs in the Enabled state can be used in the Encrypt and Decrypt API operations. Different results may be returned for other API operations depending on CMK states.

A CMK in the PendingDeletion state will be deleted permanently after scheduled period for CMK deletion expires.

The following table lists the relationship between CMK states and expected results of API operations.
Expected result HTTP status code
Success 200
Rejected.Enabled 409
Rejected.Disabled 409
Rejected.PendingDeletion 409
Rejected.PendingImport 409
Rejected.StateModifiedFailed 409

Common API operations

API operation Enabled Disabled PendingDeletion PendingImport
CreateKey Success Success Success Success
GenerateDataKey Success Rejected.Disabled Rejected.PendingDeletion Rejected.PendingImport
GenerateDataKeyWithoutPlaintext Success Rejected.Disabled Rejected.PendingDeletion Rejected.PendingImport
Encrypt Success Rejected.Disabled Rejected.PendingDeletion Rejected.PendingImport
Decrypt Success Rejected.Disabled Rejected.PendingDeletion Rejected.PendingImport
ListKeys Success Success Success Success
DescribeKey Success Success Success Success
UpdateKeyDescription Success Success Rejected.PendingDeletion Success
EnableKey Success Success Rejected.StateModifiedFailed Rejected.StateModifiedFailed
DisableKey Success Success Rejected.StateModifiedFailed Rejected.StateModifiedFailed
ScheduleKeyDeletion Success Success Rejected.StateModifiedFailed Success
CancelKeyDeletion Rejected.StateModifiedFailed Rejected.StateModifiedFailed Success Rejected.StateModifiedFailed
CreateAlias Success Success Rejected.StateModifiedFailed Success
DeleteAlias Success Success Success Success
ListAliases Success Success Success Success
TagResource Success Success Rejected.PendingDeletion Success
UntagResource Success Success Rejected.PendingDeletion Success
ListResourceTags Success Success Success Success
DescribeKeyVersion Success Success Success Success
ListKeyVersions Success Success Success Success
UpdateRotationPolicy Success Rejected.Disabled Rejected.PendingDeletion Rejected.PendingImport

Special API operations

UpdateAlias:
  • Is affected only by the states of the destination CMK, but not the states of the source CMK.
  • When the destination CMK is in the PendingDeletion state, Rejected.PendingDeletion is returned. Otherwise, Success is returned.
BYOK-specific API operations
API operation Enabled Disabled PendingDeletion PendingImport
GetParametersForImport Success Success Success Success
ImportKeyMaterial Success Success Rejected.StateModifiedFailed Success
DeleteKeyMaterial Success Success Success Success