DocsAWS 101Blog
← Back to Blog

KMS Decrypt error code parity

May 16, 2026 · v1.3.41

One parity fix this release: KMS Decrypt now returns the AWS-correct error code when called with a malformed ciphertext and no explicit KeyId.

What changed

When the caller omitted KeyId and the CiphertextBlob was too short or otherwise unparseable, MiniStack returned NotFoundException ("Unable to find the key for decryption"). Real AWS returns InvalidCiphertextException in that case — the request never even reaches key lookup because the ciphertext can't be parsed.

Why it matters: AWS-SDK consumers commonly catch encryption faults separately from key-lookup faults. Wrapper libraries retry on NotFoundException (assuming an eventually-consistent key resolution), and surface InvalidCiphertextException immediately as a permanent fault. Returning the wrong code locally meant tests passed against MiniStack but failed against real AWS — exactly the divergence MiniStack is supposed to eliminate.

The exact rule, matching AWS

kms.decrypt(CiphertextBlob=b"\x00\x01\x02")
# Before: NotFoundException (400)
# Now:    InvalidCiphertextException (400)   ← matches real AWS

kms.decrypt(
    CiphertextBlob=b"\x00\x01\x02",
    KeyId="arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000",
)
# Before: NotFoundException (400)
# Now:    NotFoundException (400)            ← unchanged, also matches real AWS

The split is the same one AWS draws: if the caller named a specific KeyId, the API can attempt key lookup, and "no such key" is a NotFoundException. If the caller didn't name a key, the API has to extract one from the ciphertext envelope first — and if that fails, the ciphertext is structurally invalid, regardless of what keys exist.

Encrypt / Decrypt round-trips are untouched. Asymmetric key paths (RSAES_OAEP_SHA_256 and friends) are untouched. The only behaviour change is the error code on this specific failure shape.

Upgrade

docker pull ministackorg/ministack:1.3.41
docker run -d -p 4566:4566 ministackorg/ministack:1.3.41

Or pin in compose.yaml:

services:
  ministack:
    image: ministackorg/ministack:1.3.41
    ports:
      - "4566:4566"

Stay in sync

Issues and PRs welcome on GitHub. Discussion on r/ministack.