diff --git a/lib/auth/keystore/aws_kms.go b/lib/auth/keystore/aws_kms.go
index 7bb0a784e378b..0e9cd135e0ede 100644
--- a/lib/auth/keystore/aws_kms.go
+++ b/lib/auth/keystore/aws_kms.go
@@ -574,8 +574,16 @@ func (a *awsKMSKeystore) applyMRKConfig(ctx context.Context, key awsKMSKeyID) ([
 	}
 
 	client := a.mrk
-	describeKeyOut, err := client.DescribeKey(ctx, &kms.DescribeKeyInput{
-		KeyId: aws.String(key.id),
+	var describeKeyOut *kms.DescribeKeyOutput
+	err := a.retryOnConsistencyError(ctx, func(ctx context.Context) error {
+		var err error
+		describeKeyOut, err = client.DescribeKey(ctx, &kms.DescribeKeyInput{
+			KeyId: aws.String(key.id),
+		})
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		return nil
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)