Raj Man
When a CMK is disabled or deleted, all operations whether encrypt or decrypt of objects associated with that key is suspended immediately. But, when a CMK is rotated its HBK/data key is still available for decryption use, as per the white paper : <<When a CMK is rotated, a new HBK is created and marked as the active key for all new requests to protect information. The current active key is moved to the deactivated state and remains available for use to decrypt any existing ciphertext values that have been encrypted using this version of the HBK>>
I hope i am understanding this correctly. This seems another subtle but significant difference, between disabling versus Rotation.
Here is the extract from the white paper: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf When a CMK is rotated, a new HBK is created and marked as the active key for all new requests to protect information. The current active key is moved to the deactivated state and remains available for use to decrypt any existing ciphertext values that have been encrypted using this version of the HBK