aws-sdk-kms 1.101.0 → 1.106.0

data/lib/aws-sdk-kms/types.rb

@@ -301,7 +301,7 @@ module Aws::KMS
     #   A valid key ID is required. If you supply a null or empty string
     #   value, this operation returns an error.
     #
-    #   For help finding the key ID and ARN, see [Finding the Key ID and
+    #   For help finding the key ID and ARN, see [Find the key ID and key
     #   ARN][2] in the <i> <i>Key Management Service Developer Guide</i>
     #   </i>.
     #
@@ -320,7 +320,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAliasRequest AWS API Documentation
@@ -387,7 +387,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html#concept-kmsuser
     #   @return [String]
     #
     # @!attribute [rw] custom_key_store_type
@@ -494,7 +494,7 @@ module Aws::KMS
     #   `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
     #   identifier for the `RawSecretAccessKey`. For character requirements,
     #   see
-    #   [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
+    #   [XksProxyAuthenticationCredentialType](API_XksProxyAuthenticationCredentialType.html).
     #
     #   KMS uses this authentication credential to sign requests to the
     #   external key store proxy on your behalf. This credential is
@@ -535,7 +535,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/choose-xks-connectivity.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
@@ -621,7 +621,7 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-delete.html
     #   @return [String]
     #
     # @!attribute [rw] operations
@@ -694,7 +694,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] name
@@ -722,12 +722,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
@@ -756,7 +756,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [String]
     #
     # @!attribute [rw] grant_id
@@ -796,22 +796,38 @@ module Aws::KMS
     #     that I make are not always immediately visible][2] in the *Amazon
     #     Web Services Identity and Access Management User Guide*.
     #
+    #   <note markdown="1"> If either of the required `Resource` or `Action` elements are
+    #   missing from a key policy statement, the policy statement has no
+    #   effect. When a key policy statement is missing one of these
+    #   elements, the KMS console correctly reports an error, but the
+    #   `CreateKey` and `PutKeyPolicy` API requests succeed, even though the
+    #   policy statement is ineffective.
+    #
+    #    For more information on required key policy elements, see [Elements
+    #   in a key policy][3] in the *Key Management Service Developer Guide*.
+    #
+    #    </note>
+    #
     #   If you do not provide a key policy, KMS attaches a default key
     #   policy to the KMS key. For more information, see [Default key
-    #   policy][3] in the *Key Management Service Developer Guide*.
+    #   policy][4] in the *Key Management Service Developer Guide*.
     #
-    #   The key policy size quota is 32 kilobytes (32768 bytes).
+    #   <note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
+    #   `LimitExceededException`.
+    #
+    #    </note>
     #
     #   For help writing and formatting a JSON policy document, see the [IAM
-    #   JSON Policy Reference][4] in the <i> <i>Identity and Access
+    #   JSON Policy Reference][5] in the <i> <i>Identity and Access
     #   Management User Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] description
@@ -847,7 +863,10 @@ module Aws::KMS
     #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
     #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
     #
-    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
+    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
+    #     `SIGN_VERIFY`.
+    #
+    #   * For asymmetric KMS keys with ML-DSA key pairs, specify
     #     `SIGN_VERIFY`.
     #
     #   * For asymmetric KMS keys with SM2 key pairs (China Regions only),
@@ -855,7 +874,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -872,8 +891,8 @@ module Aws::KMS
     #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
     #   that is used for encryption and decryption, except in China Regions,
     #   where it creates a 128-bit symmetric key that uses SM4 encryption.
-    #   For help choosing a key spec for your KMS key, see [Choosing a KMS
-    #   key type][1] in the <i> <i>Key Management Service Developer
+    #   For a detailed description of all supported key specs, see [Key spec
+    #   reference][1] in the <i> <i>Key Management Service Developer
     #   Guide</i> </i>.
     #
     #   The `KeySpec` determines whether the KMS key contains a symmetric
@@ -882,10 +901,11 @@ module Aws::KMS
     #   KMS key is created. To further restrict the algorithms that can be
     #   used with the KMS key, use a condition key in its key policy or IAM
     #   policy. For more information, see [kms:EncryptionAlgorithm][2],
-    #   [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
-    #   <i>Key Management Service Developer Guide</i> </i>.
+    #   [kms:MacAlgorithm][3], [kms:KeyAgreementAlgorithm][4], or
+    #   [kms:SigningAlgorithm][5] in the <i> <i>Key Management Service
+    #   Developer Guide</i> </i>.
     #
-    #   [Amazon Web Services services that are integrated with KMS][5] use
+    #   [Amazon Web Services services that are integrated with KMS][6] use
     #   symmetric encryption KMS keys to protect your data. These services
     #   do not support asymmetric KMS keys or HMAC KMS keys.
     #
@@ -928,6 +948,13 @@ module Aws::KMS
     #       cryptocurrencies.
     #
     #     ^
+    #   * Asymmetric ML-DSA key pairs (signing and verification)
+    #
+    #     * `ML_DSA_44`
+    #
+    #     * `ML_DSA_65`
+    #
+    #     * `ML_DSA_87`
     #   * SM2 key pairs (encryption and decryption -or- signing and
     #     verification -or- deriving shared secrets)
     #
@@ -937,11 +964,12 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
-    #   [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm
+    #   [6]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
     #   @return [String]
     #
     # @!attribute [rw] origin
@@ -994,7 +1022,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -1045,7 +1073,7 @@ module Aws::KMS
     #   When you add tags to an Amazon Web Services resource, Amazon Web
     #   Services generates a cost allocation report with usage and costs
     #   aggregated by tags. Tags can also be used to control access to a KMS
-    #   key. For details, see [Tagging Keys][3].
+    #   key. For details, see [Tags in KMS][3].
     #
     #
     #
@@ -1118,7 +1146,7 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
-    #   [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html#xks-key-requirements
     #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
     #   @return [String]
     #
@@ -1526,8 +1554,8 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1541,7 +1569,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] key_id
@@ -1622,12 +1650,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
@@ -1682,13 +1710,21 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   The identifier of the key material used to decrypt the ciphertext.
+    #   This field is present only when the operation uses a symmetric
+    #   encryption KMS key. This field is omitted if the request includes
+    #   the `Recipient` parameter.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
     #
     class DecryptResponse < Struct.new(
       :key_id,
       :plaintext,
       :encryption_algorithm,
-      :ciphertext_for_recipient)
+      :ciphertext_for_recipient,
+      :key_material_id)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -1740,10 +1776,43 @@ module Aws::KMS
     #   DescribeKey.
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   Identifies the imported key material you are deleting.
+    #
+    #   If no KeyMaterialId is specified, KMS deletes the current key
+    #   material.
+    #
+    #   To get the list of key material IDs associated with a KMS key, use
+    #   ListKeyRotations.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterialRequest AWS API Documentation
     #
     class DeleteImportedKeyMaterialRequest < Struct.new(
-      :key_id)
+      :key_id,
+      :key_material_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key from which
+    #   the key material was deleted.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    #   @return [String]
+    #
+    # @!attribute [rw] key_material_id
+    #   Identifies the deleted key material.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterialResponse AWS API Documentation
+    #
+    class DeleteImportedKeyMaterialResponse < Struct.new(
+      :key_id,
+      :key_material_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1831,19 +1900,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @!attribute [rw] recipient
@@ -2063,7 +2132,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
@@ -2134,7 +2203,7 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -2237,8 +2306,8 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
     #   @return [String]
     #
     # @!attribute [rw] rotation_period_in_days
@@ -2324,8 +2393,8 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -2339,7 +2408,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] encryption_algorithm
@@ -2359,12 +2428,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -2447,7 +2516,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_id
@@ -2481,9 +2550,11 @@ module Aws::KMS
     #
     #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
     #   keys to encrypt and decrypt or to sign and verify (but not both),
-    #   and the rule that permits you to use ECC KMS keys only to sign and
-    #   verify, are not effective on data key pairs, which are used outside
-    #   of KMS. The SM2 key spec is only available in China Regions.
+    #   the rule that permits you to use ECC KMS keys only to sign and
+    #   verify, and the rule that permits you to use ML-DSA key pairs to
+    #   sign and verify only are not effective on data key pairs, which are
+    #   used outside of KMS. The SM2 key spec is only available in China
+    #   Regions.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -2497,7 +2568,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] recipient
@@ -2538,12 +2609,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
@@ -2610,6 +2681,10 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   The identifier of the key material used to encrypt the private key.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
     #
     class GenerateDataKeyPairResponse < Struct.new(
@@ -2618,7 +2693,8 @@ module Aws::KMS
       :public_key,
       :key_id,
       :key_pair_spec,
-      :ciphertext_for_recipient)
+      :ciphertext_for_recipient,
+      :key_material_id)
       SENSITIVE = [:private_key_plaintext]
       include Aws::Structure
     end
@@ -2645,7 +2721,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_id
@@ -2679,9 +2755,11 @@ module Aws::KMS
     #
     #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
     #   keys to encrypt and decrypt or to sign and verify (but not both),
-    #   and the rule that permits you to use ECC KMS keys only to sign and
-    #   verify, are not effective on data key pairs, which are used outside
-    #   of KMS. The SM2 key spec is only available in China Regions.
+    #   the rule that permits you to use ECC KMS keys only to sign and
+    #   verify, and the rule that permits you to use ML-DSA key pairs to
+    #   sign and verify only are not effective on data key pairs, which are
+    #   used outside of KMS. The SM2 key spec is only available in China
+    #   Regions.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -2695,19 +2773,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
@@ -2747,13 +2825,18 @@ module Aws::KMS
     #   The type of data key pair that was generated.
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   The identifier of the key material used to encrypt the private key.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
     #
     class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
       :private_key_ciphertext_blob,
       :public_key,
       :key_id,
-      :key_pair_spec)
+      :key_pair_spec,
+      :key_material_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2806,7 +2889,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] number_of_bytes
@@ -2839,7 +2922,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] recipient
@@ -2876,12 +2959,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
@@ -2940,13 +3023,20 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   The identifier of the key material used to encrypt the data key.
+    #   This field is omitted if the request includes the `Recipient`
+    #   parameter.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
     #
     class GenerateDataKeyResponse < Struct.new(
       :ciphertext_blob,
       :plaintext,
       :key_id,
-      :ciphertext_for_recipient)
+      :ciphertext_for_recipient,
+      :key_material_id)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -2999,7 +3089,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_spec
@@ -3025,19 +3115,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
@@ -3068,11 +3158,16 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   The identifier of the key material used to encrypt the data key.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
     #
     class GenerateDataKeyWithoutPlaintextResponse < Struct.new(
       :ciphertext_blob,
-      :key_id)
+      :key_id,
+      :key_material_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3117,19 +3212,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
@@ -3355,15 +3450,12 @@ module Aws::KMS
     #   Identifies the date and time that an in progress on-demand rotation
     #   was initiated.
     #
-    #   The KMS API follows an [eventual consistency][1] model due to the
-    #   distributed nature of the system. As a result, there might be a
-    #   slight delay between initiating on-demand key rotation and the
-    #   rotation's completion. Once the on-demand rotation is complete, use
-    #   ListKeyRotations to view the details of the on-demand rotation.
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
+    #   KMS uses a background process to perform rotations. As a result,
+    #   there might be a slight delay between initiating on-demand key
+    #   rotation and the rotation's completion. Once the on-demand rotation
+    #   is complete, KMS removes this field from the response. You can use
+    #   ListKeyRotations to view the details of the completed on-demand
+    #   rotation.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatusResponse AWS API Documentation
@@ -3403,9 +3495,8 @@ module Aws::KMS
     # @!attribute [rw] wrapping_algorithm
     #   The algorithm you will use with the RSA public key (`PublicKey`) in
     #   the response to protect your key material during import. For more
-    #   information, see [Select a wrapping
-    #   algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
-    #   in the *Key Management Service Developer Guide*.
+    #   information, see [Select a wrapping algorithm][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   For RSA\_AES wrapping algorithms, you encrypt your key material with
     #   an AES key that you generate, then encrypt your AES key with the RSA
@@ -3437,6 +3528,10 @@ module Aws::KMS
     #
     #   * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
     #     does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm
     #   @return [String]
     #
     # @!attribute [rw] wrapping_key_spec
@@ -3532,7 +3627,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
@@ -3634,9 +3729,9 @@ module Aws::KMS
     #
     # KMS applies the grant constraints only to cryptographic operations
     # that support an encryption context, that is, all cryptographic
-    # operations with a [symmetric KMS key][3]. Grant constraints are not
-    # applied to operations that do not support an encryption context, such
-    # as cryptographic operations with asymmetric KMS keys and management
+    # operations with a symmetric KMS key. Grant constraints are not applied
+    # to operations that do not support an encryption context, such as
+    # cryptographic operations with asymmetric KMS keys and management
     # operations, such as DescribeKey or RetireGrant.
     #
     # In a cryptographic operation, the encryption context in the decryption
@@ -3651,15 +3746,14 @@ module Aws::KMS
     # differ only by case. To require a fully case-sensitive encryption
     # context, use the `kms:EncryptionContext:` and
     # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:][4] in the <i> <i>Key Management
-    # Service Developer Guide</i> </i>.
+    # details, see [kms:EncryptionContext:context-key][3] in the <i> <i>Key
+    # Management Service Developer Guide</i> </i>.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context
     #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
@@ -3670,7 +3764,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] encryption_context_equals
@@ -3681,7 +3775,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -3770,11 +3864,9 @@ module Aws::KMS
     #
     #   The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
     #   asymmetric encryption KMS key, or asymmetric signing KMS key,
-    #   including a [multi-Region
-    #   key](kms/latest/developerguide/multi-region-keys-overview.html) of
-    #   any supported type. You cannot perform this operation on a KMS key
-    #   in a custom key store, or on a KMS key in a different Amazon Web
-    #   Services account.
+    #   including a [multi-Region key][1] of any supported type. You cannot
+    #   perform this operation on a KMS key in a custom key store, or on a
+    #   KMS key in a different Amazon Web Services account.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -3787,6 +3879,10 @@ module Aws::KMS
     #
     #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
     #   @return [String]
     #
     # @!attribute [rw] import_token
@@ -3838,7 +3934,46 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-expiration
+    #   @return [String]
+    #
+    # @!attribute [rw] import_type
+    #   Indicates whether the key material being imported is previously
+    #   associated with this KMS key or not. This parameter is optional and
+    #   only usable with symmetric encryption keys. If no key material has
+    #   ever been imported into the KMS key, and this parameter is omitted,
+    #   the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
+    #   material is imported, if this parameter is omitted then the
+    #   parameter defaults to `EXISTING_KEY_MATERIAL`.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_material_description
+    #   Description for the key material being imported. This parameter is
+    #   optional and only usable with symmetric encryption keys. If you do
+    #   not specify a key material description, KMS retains the value you
+    #   specified when you last imported the same key material into this KMS
+    #   key.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_material_id
+    #   Identifies the key material being imported. This parameter is
+    #   optional and only usable with symmetric encryption keys. You cannot
+    #   specify a key material ID with `ImportType` set to
+    #   `NEW_KEY_MATERIAL`. Whenever you import key material into a
+    #   symmetric encryption key, KMS assigns a unique identifier to the key
+    #   material based on the KMS key ID and the imported key material. When
+    #   you re-import key material with a specified key material ID, KMS:
+    #
+    #   * Computes the identifier for the key material
+    #
+    #   * Matches the computed identifier against the specified key material
+    #     ID
+    #
+    #   * Verifies that the key material ID is already associated with the
+    #     KMS key
+    #
+    #   To get the list of key material IDs associated with a KMS key, use
+    #   ListKeyRotations.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -3848,14 +3983,35 @@ module Aws::KMS
       :import_token,
       :encrypted_key_material,
       :valid_to,
-      :expiration_model)
+      :expiration_model,
+      :import_type,
+      :key_material_description,
+      :key_material_id)
       SENSITIVE = []
       include Aws::Structure
     end
 
+    # @!attribute [rw] key_id
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key into which
+    #   key material was imported.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    #   @return [String]
+    #
+    # @!attribute [rw] key_material_id
+    #   Identifies the imported key material.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialResponse AWS API Documentation
     #
-    class ImportKeyMaterialResponse < Aws::EmptyStructure; end
+    class ImportKeyMaterialResponse < Struct.new(
+      :key_id,
+      :key_material_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
 
     # The request was rejected because the specified KMS key cannot decrypt
     # the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
@@ -3874,8 +4030,10 @@ module Aws::KMS
     end
 
     # The request was rejected because the key material in the request is,
-    # expired, invalid, or is not the same key material that was previously
-    # imported into this KMS key.
+    # expired, invalid, or does not meet expectations. For example, it is
+    # not the same key material that was previously imported or KMS expected
+    # new key material but the key material being imported is already
+    # associated with the KMS key.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -4182,7 +4340,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] key_state
@@ -4209,11 +4367,12 @@ module Aws::KMS
     #   @return [Time]
     #
     # @!attribute [rw] valid_to
-    #   The time at which the imported key material expires. When the key
-    #   material expires, KMS deletes the key material and the KMS key
-    #   becomes unusable. This value is present only for KMS keys whose
-    #   `Origin` is `EXTERNAL` and whose `ExpirationModel` is
-    #   `KEY_MATERIAL_EXPIRES`, otherwise this value is omitted.
+    #   The earliest time at which any imported key material permanently
+    #   associated with this KMS key expires. When a key material expires,
+    #   KMS deletes the key material and the KMS key becomes unusable. This
+    #   value is present only for KMS keys whose `Origin` is `EXTERNAL` and
+    #   the `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, otherwise this
+    #   value is omitted.
     #   @return [Time]
     #
     # @!attribute [rw] origin
@@ -4232,7 +4391,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
@@ -4244,7 +4403,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
     #   @return [String]
     #
     # @!attribute [rw] expiration_model
@@ -4367,6 +4526,16 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
     #   @return [Types::XksKeyConfigurationType]
     #
+    # @!attribute [rw] current_key_material_id
+    #   Identifies the current key material. This value is present for
+    #   symmetric encryption keys with `AWS_KMS` origin and single-Region,
+    #   symmetric encryption keys with `EXTERNAL` origin. These KMS keys
+    #   support automatic or on-demand key rotation and can have multiple
+    #   key materials associated with them. KMS uses the current key
+    #   material for both encryption and decryption, and the non-current key
+    #   material for decryption operations only.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
     #
     class KeyMetadata < Struct.new(
@@ -4394,7 +4563,8 @@ module Aws::KMS
       :multi_region_configuration,
       :pending_deletion_window_in_days,
       :mac_algorithms,
-      :xks_key_configuration)
+      :xks_key_configuration,
+      :current_key_material_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4413,9 +4583,9 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because a quota was exceeded. For more
-    # information, see [Quotas][1] in the *Key Management Service Developer
-    # Guide*.
+    # The request was rejected because a length constraint or quota was
+    # exceeded. For more information, see [Quotas][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #
     #
@@ -4673,6 +4843,18 @@ module Aws::KMS
     #   DescribeKey.
     #   @return [String]
     #
+    # @!attribute [rw] include_key_material
+    #   Use this optional parameter to control which key materials
+    #   associated with this key are listed in the response. The default
+    #   value of this parameter is `ROTATIONS_ONLY`. If you omit this
+    #   parameter, KMS returns information on the key materials created by
+    #   automatic or on-demand key rotation. When you specify a value of
+    #   `ALL_KEY_MATERIAL`, KMS adds the first key material and any imported
+    #   key material pending rotation to the response. This parameter can
+    #   only be used with KMS keys that support automatic or on-demand key
+    #   rotation.
+    #   @return [String]
+    #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, KMS does not return more than the
@@ -4693,6 +4875,7 @@ module Aws::KMS
     #
     class ListKeyRotationsRequest < Struct.new(
       :key_id,
+      :include_key_material,
       :limit,
       :marker)
       SENSITIVE = []
@@ -4700,7 +4883,10 @@ module Aws::KMS
     end
 
     # @!attribute [rw] rotations
-    #   A list of completed key material rotations.
+    #   A list of completed key material rotations. When the optional input
+    #   parameter `IncludeKeyMaterial` is specified with a value of
+    #   `ALL_KEY_MATERIAL`, this list includes the first key material and
+    #   any imported key material pending rotation.
     #   @return [Array<Types::RotationsListEntry>]
     #
     # @!attribute [rw] next_marker
@@ -5023,6 +5209,18 @@ module Aws::KMS
     #     that I make are not always immediately visible][2] in the *Amazon
     #     Web Services Identity and Access Management User Guide*.
     #
+    #   <note markdown="1"> If either of the required `Resource` or `Action` elements are
+    #   missing from a key policy statement, the policy statement has no
+    #   effect. When a key policy statement is missing one of these
+    #   elements, the KMS console correctly reports an error, but the
+    #   `PutKeyPolicy` API request succeeds, even though the policy
+    #   statement is ineffective.
+    #
+    #    For more information on required key policy elements, see [Elements
+    #   in a key policy][3] in the *Key Management Service Developer Guide*.
+    #
+    #    </note>
+    #
     #   A key policy document can include only the following characters:
     #
     #   * Printable ASCII characters from the space character (`\u0020`)
@@ -5034,18 +5232,24 @@ module Aws::KMS
     #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
     #     (`\u000D`) special characters
     #
-    #   For information about key policies, see [Key policies in KMS][3] in
+    #   <note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
+    #   `LimitExceededException`.
+    #
+    #    </note>
+    #
+    #   For information about key policies, see [Key policies in KMS][4] in
     #   the *Key Management Service Developer Guide*.For help writing and
     #   formatting a JSON policy document, see the [IAM JSON Policy
-    #   Reference][4] in the <i> <i>Identity and Access Management User
+    #   Reference][5] in the <i> <i>Identity and Access Management User
     #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -5103,7 +5307,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] source_key_id
@@ -5193,7 +5397,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] source_encryption_algorithm
@@ -5230,19 +5434,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
@@ -5290,6 +5494,18 @@ module Aws::KMS
     #   The encryption algorithm that was used to reencrypt the data.
     #   @return [String]
     #
+    # @!attribute [rw] source_key_material_id
+    #   The identifier of the key material used to originally encrypt the
+    #   data. This field is present only when the original encryption used a
+    #   symmetric encryption KMS key.
+    #   @return [String]
+    #
+    # @!attribute [rw] destination_key_material_id
+    #   The identifier of the key material used to reencrypt the data. This
+    #   field is present only when data is reencrypted using a symmetric
+    #   encryption KMS key.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
     #
     class ReEncryptResponse < Struct.new(
@@ -5297,7 +5513,9 @@ module Aws::KMS
       :source_key_id,
       :key_id,
       :source_encryption_algorithm,
-      :destination_encryption_algorithm)
+      :destination_encryption_algorithm,
+      :source_key_material_id,
+      :destination_key_material_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -5363,33 +5581,23 @@ module Aws::KMS
     #   [KMS service endpoints][1] in the *Amazon Web Services General
     #   Reference*.
     #
-    #   <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
-    #   If you try to replicate an HMAC KMS key in an Amazon Web Services
-    #   Region in which HMAC keys are not supported, the `ReplicateKey`
-    #   operation returns an `UnsupportedOperationException`. For a list of
-    #   Regions in which HMAC KMS keys are supported, see [HMAC keys in
-    #   KMS][2] in the *Key Management Service Developer Guide*.
-    #
-    #    </note>
-    #
     #   The replica must be in a different Amazon Web Services Region than
     #   its primary key and other replicas of that primary key, but in the
     #   same Amazon Web Services partition. KMS must be available in the
     #   replica Region. If the Region is not enabled by default, the Amazon
     #   Web Services account must be enabled in the Region. For information
     #   about Amazon Web Services partitions, see [Amazon Resource Names
-    #   (ARNs)][3] in the *Amazon Web Services General Reference*. For
+    #   (ARNs)][2] in the *Amazon Web Services General Reference*. For
     #   information about enabling and disabling Regions, see [Enabling a
-    #   Region][4] and [Disabling a Region][5] in the *Amazon Web Services
+    #   Region][3] and [Disabling a Region][4] in the *Amazon Web Services
     #   General Reference*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
-    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
-    #   [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
     #   @return [String]
     #
     # @!attribute [rw] policy
@@ -5439,7 +5647,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
@@ -5512,7 +5720,7 @@ module Aws::KMS
     #   When you add tags to an Amazon Web Services resource, Amazon Web
     #   Services generates a cost allocation report with usage and costs
     #   aggregated by tags. Tags can also be used to control access to a KMS
-    #   key. For details, see [Tagging Keys][3].
+    #   key. For details, see [Tags in KMS][3].
     #
     #
     #
@@ -5603,12 +5811,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
@@ -5651,12 +5859,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
@@ -5672,10 +5880,10 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Identifies a symmetric encryption KMS key. You cannot perform
     #   on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
-    #   KMS keys with [imported key material][3], or KMS keys in a [custom
-    #   key store][4]. To perform on-demand rotation of a set of related
-    #   [multi-Region keys][5], invoke the on-demand rotation on the primary
-    #   key.
+    #   multi-Region KMS keys with [imported key material][3], or KMS keys
+    #   in a [custom key store][4]. To perform on-demand rotation of a set
+    #   of related [multi-Region keys][5], invoke the on-demand rotation on
+    #   the primary key.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -5694,8 +5902,8 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandRequest AWS API Documentation
@@ -5719,31 +5927,88 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # Contains information about completed key material rotations.
+    # Each entry contains information about one of the key materials
+    # associated with a KMS key.
     #
     # @!attribute [rw] key_id
     #   Unique identifier of the key.
     #   @return [String]
     #
+    # @!attribute [rw] key_material_id
+    #   Unique identifier of the key material.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_material_description
+    #   User-specified description of the key material. This field is only
+    #   present for symmetric encryption KMS keys with `EXTERNAL` origin.
+    #   @return [String]
+    #
+    # @!attribute [rw] import_state
+    #   Indicates if the key material is currently imported into KMS. It has
+    #   two possible values: `IMPORTED` or `PENDING_IMPORT`. This field is
+    #   only present for symmetric encryption KMS keys with `EXTERNAL`
+    #   origin.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_material_state
+    #   There are three possible values for this field: `CURRENT`,
+    #   `NON_CURRENT` and `PENDING_ROTATION`. KMS uses `CURRENT` key
+    #   material for both encryption and decryption and `NON_CURRENT` key
+    #   material only for decryption. `PENDING_ROTATION` identifies key
+    #   material that has been imported for on-demand key rotation but the
+    #   rotation hasn't completed. Key material in `PENDING_ROTATION` is
+    #   not permanently associated with the KMS key. You can delete this key
+    #   material and import different key material in its place. The
+    #   `PENDING_ROTATION` value is only used in symmetric encryption keys
+    #   with imported key material. The other values, `CURRENT` and
+    #   `NON_CURRENT`, are used for all KMS keys that support automatic or
+    #   on-demand key rotation.
+    #   @return [String]
+    #
+    # @!attribute [rw] expiration_model
+    #   Indicates if the key material is configured to automatically expire.
+    #   There are two possible values for this field: `KEY_MATERIAL_EXPIRES`
+    #   and `KEY_MATERIAL_DOES_NOT_EXPIRE`. For any key material that
+    #   expires, the expiration date and time is indicated in `ValidTo`.
+    #   This field is only present for symmetric encryption KMS keys with
+    #   `EXTERNAL` origin.
+    #   @return [String]
+    #
+    # @!attribute [rw] valid_to
+    #   Date and time at which the key material expires. This field is only
+    #   present for symmetric encryption KMS keys with `EXTERNAL` origin in
+    #   rotation list entries with an `ExpirationModel` value of
+    #   `KEY_MATERIAL_EXPIRES`.
+    #   @return [Time]
+    #
     # @!attribute [rw] rotation_date
     #   Date and time that the key material rotation completed. Formatted as
-    #   Unix time.
+    #   Unix time. This field is not present for the first key material or
+    #   an imported key material in `PENDING_ROTATION` state.
     #   @return [Time]
     #
     # @!attribute [rw] rotation_type
     #   Identifies whether the key material rotation was a scheduled
-    #   [automatic rotation][1] or an [on-demand rotation][2].
+    #   [automatic rotation][1] or an [on-demand rotation][2]. This field is
+    #   not present for the first key material or an imported key material
+    #   in `PENDING_ROTATION` state.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-enable-disable.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-on-demand.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotationsListEntry AWS API Documentation
     #
     class RotationsListEntry < Struct.new(
       :key_id,
+      :key_material_id,
+      :key_material_description,
+      :import_state,
+      :key_material_state,
+      :expiration_model,
+      :valid_to,
       :rotation_date,
       :rotation_type)
       SENSITIVE = []
@@ -5881,27 +6146,34 @@ module Aws::KMS
     #   Tells KMS whether the value of the `Message` parameter should be
     #   hashed as part of the signing algorithm. Use `RAW` for unhashed
     #   messages; use `DIGEST` for message digests, which are already
-    #   hashed.
+    #   hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
+    #   ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
     #
     #   When the value of `MessageType` is `RAW`, KMS uses the standard
     #   signing algorithm, which begins with a hash function. When the value
     #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #   When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
+    #   of the public key hash and the message done in the ML-DSA signing
+    #   algorithm.
     #
-    #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with an
-    #   unhashed message, the security of the signing operation can be
-    #   compromised.
+    #   Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
+    #   `Message` parameter is a message digest. If you use the `DIGEST`
+    #   value with an unhashed message, the security of the signing
+    #   operation can be compromised.
     #
-    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
     #
+    #   When the value of `MessageType` is `EXTERNAL_MU` the length of the
+    #   `Message` value must be 64 bytes.
+    #
     #   You can submit a message digest and omit the `MessageType` or
     #   specify `RAW` so the digest is hashed again while signing. However,
     #   this can cause verification failures when verifying with a system
     #   that assumes a single hash.
     #
-    #   The hashing algorithm in that `Sign` uses is based on the
+    #   The hashing algorithm that `Sign` uses is based on the
     #   `SigningAlgorithm` value.
     #
     #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -5913,12 +6185,15 @@ module Aws::KMS
     #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
     #     algorithm.
     #
+    #   * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
+    #     hashing algorithm.
+    #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
     #     verification with SM2 key pairs][1].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -5932,7 +6207,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithm
@@ -5948,12 +6223,12 @@ module Aws::KMS
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
@@ -6458,19 +6733,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
@@ -6554,28 +6829,35 @@ module Aws::KMS
     #   Tells KMS whether the value of the `Message` parameter should be
     #   hashed as part of the signing algorithm. Use `RAW` for unhashed
     #   messages; use `DIGEST` for message digests, which are already
-    #   hashed.
+    #   hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
+    #   ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
     #
     #   When the value of `MessageType` is `RAW`, KMS uses the standard
     #   signing algorithm, which begins with a hash function. When the value
     #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #   When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
+    #   of the public key hash and the message done in the ML-DSA signing
+    #   algorithm.
     #
-    #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with an
-    #   unhashed message, the security of the verification operation can be
-    #   compromised.
+    #   Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
+    #   `Message` parameter is a message digest. If you use the `DIGEST`
+    #   value with an unhashed message, the security of the signing
+    #   operation can be compromised.
     #
-    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
     #
+    #   When the value of `MessageType` is `EXTERNAL_MU` the length of the
+    #   `Message` value must be 64 bytes.
+    #
     #   You can submit a message digest and omit the `MessageType` or
     #   specify `RAW` so the digest is hashed again while signing. However,
     #   if the signed message is hashed once while signing, but twice while
     #   verifying, verification fails, even when the message hasn't
     #   changed.
     #
-    #   The hashing algorithm in that `Verify` uses is based on the
+    #   The hashing algorithm that `Verify` uses is based on the
     #   `SigningAlgorithm` value.
     #
     #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -6587,12 +6869,15 @@ module Aws::KMS
     #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
     #     algorithm.
     #
+    #   * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
+    #     hashing algorithm.
+    #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
     #     verification with SM2 key pairs][1].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] signature
@@ -6615,19 +6900,19 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
     #   parameter.
     #
-    #   To learn more about how to use this parameter, see [Testing your KMS
-    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation