diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index c81cd1cc54..96cdb45f81 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -66,6 +66,11 @@
 #error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
 #endif
 
+#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) && \
+    !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#error "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
 #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
 #endif
diff --git a/scripts/config.py b/scripts/config.py
index ac5f77cebe..b6eac714f5 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -189,6 +189,7 @@ def realfull_adapter(_name, active, section):
 # * Options that remove features.
 EXCLUDE_FROM_FULL = frozenset([
     #pylint: disable=line-too-long
+    'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY
     'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
     'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
     'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options