A customer master key (CMK) in Key Management Service (KMS) can be in one of the following states: Enabled, Disabled, or PendingDeletion. Bring Your Own Key (BYOK) CMKs have an additional state: PendingImport.
Only CMKs in the Enabled state support cryptographic operations such as encrypting and decrypting data or data keys. For all other API operations, the result depends on the CMK state, as shown in the tables below.
State overview
| State | Applies to | When a CMK enters this state |
|---|---|---|
| Enabled | All CMKs | Default state when a CMK is created |
| Disabled | All CMKs | After you call DisableKey |
| PendingDeletion | All CMKs | After you call ScheduleKeyDeletion; the CMK is permanently deleted after the waiting period |
| PendingImport | BYOK CMKs only | Default state when a BYOK CMK is created |
To check whether a CMK is BYOK-based, call DescribeKey and check whether the Origin field value is EXTERNAL.
Result codes
All rejected results return HTTP status code 409. A successful operation returns 200.
| Result | HTTP status code |
|---|---|
| Success | 200 |
| Rejected.Enabled | 409 |
| Rejected.Disabled | 409 |
| Rejected.PendingDeletion | 409 |
| Rejected.PendingImport | 409 |
| Rejected.StateModifiedFailed | 409 |
Common API operations
The following table shows the expected result for each API operation based on CMK state.
| API operation | Enabled | Disabled | PendingDeletion | PendingImport |
|---|---|---|---|---|
| GenerateDataKey | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| GenerateDataKeyWithoutPlaintext | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| Encrypt | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| Decrypt | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| UpdateRotationPolicy | Success | Rejected.Disabled | Rejected.PendingDeletion | Rejected.PendingImport |
| UpdateKeyDescription | Success | Success | Rejected.PendingDeletion | Success |
| TagResource | Success | Success | Rejected.PendingDeletion | Success |
| UntagResource | Success | Success | Rejected.PendingDeletion | Success |
| EnableKey | Success | Success | Rejected.StateModifiedFailed | Rejected.StateModifiedFailed |
| DisableKey | Success | Success | Rejected.StateModifiedFailed | Rejected.StateModifiedFailed |
| ScheduleKeyDeletion | Success | Success | Rejected.StateModifiedFailed | Success |
| CancelKeyDeletion | Rejected.StateModifiedFailed | Rejected.StateModifiedFailed | Success | Rejected.StateModifiedFailed |
| CreateAlias | Success | Success | Rejected.StateModifiedFailed | Success |
| DeleteAlias | Success | Success | Success | Success |
| ListAliases | Success | Success | Success | Success |
| ListKeys | Success | Success | Success | Success |
| DescribeKey | Success | Success | Success | Success |
| ListResourceTags | Success | Success | Success | Success |
| DescribeKeyVersion | Success | Success | Success | Success |
| ListKeyVersions | Success | Success | Success | Success |
| CreateKey | Success | Success | Success | Success |
Special cases
UpdateAlias — The result depends only on the state of the destination CMK, not the source CMK.
| Destination CMK state | Result |
|---|---|
| PendingDeletion | Rejected.PendingDeletion |
| All other states | Success |
BYOK-specific API operations
| API operation | Enabled | Disabled | PendingDeletion | PendingImport |
|---|---|---|---|---|
| GetParametersForImport | Success | Success | Success | Success |
| ImportKeyMaterial | Success | Success | Rejected.StateModifiedFailed | Success |
| DeleteKeyMaterial | Success | Success | Success | Success |
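
The tables above can be used as a pre-flight check before a key-management runbook runs. The following Python code is an added example, not part of the KMS documentation or SDK: it encodes the result tables as rules and walks a planned sequence of calls, following only the two state changes the state overview gives (DisableKey and ScheduleKeyDeletion). The names `expected_result` and `preflight` are hypothetical.

```python
# Added example: rules transcribed from the state tables on this page.
STATES = {"Enabled", "Disabled", "PendingDeletion", "PendingImport"}
# Succeed only in Enabled; any other state answers Rejected.<state>.
CRYPTO = {"GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "Encrypt",
          "Decrypt", "UpdateRotationPolicy"}
# Rejected only in PendingDeletion (UpdateAlias: pass the destination CMK's state).
METADATA = {"UpdateKeyDescription", "TagResource", "UntagResource", "UpdateAlias"}
# Operation -> states where it succeeds; elsewhere Rejected.StateModifiedFailed.
GUARDED = {
    "EnableKey": {"Enabled", "Disabled"},
    "DisableKey": {"Enabled", "Disabled"},
    "ScheduleKeyDeletion": {"Enabled", "Disabled", "PendingImport"},
    "CancelKeyDeletion": {"PendingDeletion"},
    "CreateAlias": {"Enabled", "Disabled", "PendingImport"},
    "ImportKeyMaterial": {"Enabled", "Disabled", "PendingImport"},
}
# Succeed in every state.
ALWAYS = {"DeleteAlias", "ListAliases", "ListKeys", "DescribeKey", "CreateKey",
          "ListResourceTags", "DescribeKeyVersion", "ListKeyVersions",
          "GetParametersForImport", "DeleteKeyMaterial"}
# State after a successful call, only where the state overview table gives one.
NEXT_STATE = {"DisableKey": "Disabled", "ScheduleKeyDeletion": "PendingDeletion"}
# The page does not say which state these leave the CMK in.
UNTRACKED = {"EnableKey", "CancelKeyDeletion", "ImportKeyMaterial", "DeleteKeyMaterial"}

def expected_result(op, state):
    """Result code the tables give for `op` on a CMK in `state`."""
    if state not in STATES:
        raise ValueError(f"unknown CMK state: {state}")
    if op in CRYPTO:
        return "Success" if state == "Enabled" else f"Rejected.{state}"
    if op in METADATA:
        return "Rejected.PendingDeletion" if state == "PendingDeletion" else "Success"
    if op in GUARDED:
        return "Success" if state in GUARDED[op] else "Rejected.StateModifiedFailed"
    if op in ALWAYS:
        return "Success"
    raise ValueError(f"operation not covered by the tables: {op}")

def preflight(plan, state):
    """Return (index, op, result) for the first call that would be rejected, else None."""
    for i, op in enumerate(plan):
        result = expected_result(op, state)
        if result != "Success":
            return i, op, result
        if op in UNTRACKED and i < len(plan) - 1:
            raise ValueError(f"state after {op} is not given on the page")
        state = NEXT_STATE.get(op, state)
    return None
```

For example, a retirement plan that calls UpdateKeyDescription after ScheduleKeyDeletion is flagged at that step with Rejected.PendingDeletion, while the same calls with the description update moved before the deletion request pass.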