aws-sdk-kms 1.104.0 → 1.106.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '078565816f5e2b8088394a3ad96087913c750455d6d152add0d12a1003a43939'
-  data.tar.gz: cc7e1460281395c5073cbaa6d3b3f3d1ad8fbeb5f3b74e28bfaefddd94eb8712
+  metadata.gz: 201524fcd7a495dca2dd60546a1056631fcd9d5d70bdcef9b46c77fc08716b19
+  data.tar.gz: 3d6c1641f2d79bbef429d71379a933451de6151f7690a829cb67ad8bce4f6ce0
 SHA512:
-  metadata.gz: 414d53c3331e7333e29e8eef5d8f3ef0c9a6c5964cd4dc2eb3d2545b2ba010d85af5450f1f8a44e0e8314bb4dc184821c6e1ea8873ac685d1f4ca36ad16c1064
-  data.tar.gz: 7c28a1ccc919555dce3593a571df81b744bee10e01552310a6f895c04bb583b791dfca939ca9255bd409ccf55fb42852927b061ea8b0bbedb61f4f24a2500ae5
+  metadata.gz: 17b3468e36b9929f90e68dc867df1368aa9ba865c45e1c78cd4cee22fd3e54cb8ffbc98330789c35bdcdd61e078db1281220e0a0362ed07b41fb0f83c69aafd2
+  data.tar.gz: e9c97588b4eb8000829bf24febd171652b39d5a3809bf0169e89aeeccdf9b93a63fb30f05085ddd2510a16e0c7900131562072351dc3046124a949f78e9fff0b

data/CHANGELOG.md

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
 
+1.106.0 (2025-06-26)
+------------------
+
+* Feature - This release updates AWS CLI examples for KMS APIs.
+
+1.105.0 (2025-06-12)
+------------------
+
+* Feature - AWS KMS announces the support of ML-DSA key pairs that creates post-quantum safe digital signatures.
+
 1.104.0 (2025-06-06)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.104.0
+1.106.0

data/lib/aws-sdk-kms/client.rb

@@ -1555,20 +1555,21 @@ module Aws::KMS
     #   properties after the KMS key is created.
     #
     #   Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC)
-    #   key pair, or an SM2 key pair (China Regions only). The private key
-    #   in an asymmetric KMS key never leaves KMS unencrypted. However, you
-    #   can use the GetPublicKey operation to download the public key so it
-    #   can be used outside of KMS. Each KMS key can have only one key
-    #   usage. KMS keys with RSA key pairs can be used to encrypt and
-    #   decrypt data or sign and verify messages (but not both). KMS keys
-    #   with NIST-recommended ECC key pairs can be used to sign and verify
-    #   messages or derive shared secrets (but not both). KMS keys with
-    #   `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS
-    #   keys with SM2 key pairs (China Regions only) can be used to either
-    #   encrypt and decrypt data, sign and verify messages, or derive shared
-    #   secrets (you must choose one key usage type). For information about
-    #   asymmetric KMS keys, see [Asymmetric KMS keys][2] in the *Key
-    #   Management Service Developer Guide*.
+    #   key pair, ML-DSA key pair or an SM2 key pair (China Regions only).
+    #   The private key in an asymmetric KMS key never leaves KMS
+    #   unencrypted. However, you can use the GetPublicKey operation to
+    #   download the public key so it can be used outside of KMS. Each KMS
+    #   key can have only one key usage. KMS keys with RSA key pairs can be
+    #   used to encrypt and decrypt data or sign and verify messages (but
+    #   not both). KMS keys with NIST-recommended ECC key pairs can be used
+    #   to sign and verify messages or derive shared secrets (but not both).
+    #   KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify
+    #   messages. KMS keys with ML-DSA key pairs can be used to sign and
+    #   verify messages. KMS keys with SM2 key pairs (China Regions only)
+    #   can be used to either encrypt and decrypt data, sign and verify
+    #   messages, or derive shared secrets (you must choose one key usage
+    #   type). For information about asymmetric KMS keys, see [Asymmetric
+    #   KMS keys][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -1812,7 +1813,10 @@ module Aws::KMS
     #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
     #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
     #
-    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
+    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
+    #     `SIGN_VERIFY`.
+    #
+    #   * For asymmetric KMS keys with ML-DSA key pairs, specify
     #     `SIGN_VERIFY`.
     #
     #   * For asymmetric KMS keys with SM2 key pairs (China Regions only),
@@ -1889,6 +1893,13 @@ module Aws::KMS
     #     * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
     #
     #     ^
+    #   * Asymmetric ML-DSA key pairs (signing and verification)
+    #
+    #     * `ML_DSA_44`
+    #
+    #     * `ML_DSA_65`
+    #
+    #     * `ML_DSA_87`
     #   * SM2 key pairs (encryption and decryption -or- signing and
     #     verification -or- deriving shared secrets)
     #
@@ -2094,6 +2105,7 @@ module Aws::KMS
     #       aws_account_id: "111122223333", 
     #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
     #       creation_date: Time.parse("2017-07-05T14:04:55-07:00"), 
+    #       current_key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", 
     #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
     #       description: "", 
     #       enabled: true, 
@@ -2146,8 +2158,7 @@ module Aws::KMS
     # @example Example: To create an asymmetric elliptic curve KMS key for signing and verification
     #
     #   # This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key pair for signing and verification.
-    #   # The key usage is required even though "SIGN_VERIFY" is the only valid value for ECC KMS keys. The key spec and key usage
-    #   # can't be changed after the key is created.
+    #   # The key spec and key usage can't be changed after the key is created.
     #
     #   resp = client.create_key({
     #     key_spec: "ECC_NIST_P521", # Describes the type of key material in the KMS key.
@@ -2208,6 +2219,38 @@ module Aws::KMS
     #     }, # Detailed information about the KMS key that this operation creates.
     #   }
     #
+    # @example Example: To create an asymmetric ML-DSA KMS key for signing and verification
+    #
+    #   # This example creates a module-lattice digital signature algorithm (ML-DSA) key for signing and verification. The
+    #   # key-usage parameter is required even though SIGN_VERIFY is the only valid value for ML-DSA keys.
+    #
+    #   resp = client.create_key({
+    #     key_spec: "ML_DSA_65", # Describes the type of key material in the KMS key.
+    #     key_usage: "SIGN_VERIFY", # The cryptographic operations for which you can use the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse(1748371316.734), 
+    #       customer_master_key_spec: "ML_DSA_65", 
+    #       description: "", 
+    #       enabled: true, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_spec: "ML_DSA_65", 
+    #       key_state: "Enabled", 
+    #       key_usage: "SIGN_VERIFY", 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #       signing_algorithms: [
+    #         "ML_DSA_SHAKE_256", 
+    #       ], 
+    #     }, # Detailed information about the KMS key that this operation creates.
+    #   }
+    #
     # @example Example: To create a multi-Region primary KMS key
     #
     #   # This example creates a multi-Region primary symmetric encryption key. Because the default values for all parameters
@@ -2223,6 +2266,7 @@ module Aws::KMS
     #       aws_account_id: "111122223333", 
     #       arn: "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", 
     #       creation_date: Time.parse("2021-09-02T016:15:21-09:00"), 
+    #       current_key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", 
     #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
     #       description: "", 
     #       enabled: true, 
@@ -2359,7 +2403,7 @@ module Aws::KMS
     #     description: "DescriptionType",
     #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
     #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
-    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
+    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2, ML_DSA_44, ML_DSA_65, ML_DSA_87
     #     origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
     #     custom_key_store_id: "CustomKeyStoreIdType",
     #     bypass_policy_lockout_safety_check: false,
@@ -2391,11 +2435,11 @@ module Aws::KMS
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
     #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
     #   resp.key_metadata.encryption_algorithms #=> Array
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
     #   resp.key_metadata.key_agreement_algorithms #=> Array
     #   resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.key_metadata.multi_region #=> Boolean
@@ -2660,6 +2704,7 @@ module Aws::KMS
     #   {
     #     encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS.
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to decrypt the ciphertext.
     #     plaintext: "<binary data>", # The decrypted (plaintext) data.
     #   }
     #
@@ -2993,6 +3038,7 @@ module Aws::KMS
     #
     #   resp = client.delete_imported_key_material({
     #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose imported key material you are deleting. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # Identifies the deleted key material.
     #   })
     #
     # @example Request syntax with placeholder values
@@ -3652,6 +3698,7 @@ module Aws::KMS
     #       aws_account_id: "111122223333", 
     #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
     #       creation_date: Time.parse("2017-07-05T14:04:55-07:00"), 
+    #       current_key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", 
     #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
     #       description: "", 
     #       enabled: true, 
@@ -3718,6 +3765,7 @@ module Aws::KMS
     #       aws_account_id: "111122223333", 
     #       arn: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
     #       creation_date: Time.parse(1586329200.918), 
+    #       current_key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", 
     #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
     #       description: "", 
     #       enabled: true, 
@@ -3874,11 +3922,11 @@ module Aws::KMS
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
     #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
     #   resp.key_metadata.encryption_algorithms #=> Array
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
     #   resp.key_metadata.key_agreement_algorithms #=> Array
     #   resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.key_metadata.multi_region #=> Boolean
@@ -4901,6 +4949,7 @@ module Aws::KMS
     #   {
     #     ciphertext_blob: "<binary data>", # The encrypted data key.
     #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that was used to encrypt the data key.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to encrypt the data key.
     #     plaintext: "<binary data>", # The unencrypted (plaintext) data key.
     #   }
     #
@@ -5118,10 +5167,11 @@ module Aws::KMS
     #   Determines the type of data key pair that is generated.
     #
     #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
-    #   to encrypt and decrypt or to sign and verify (but not both), and the
-    #   rule that permits you to use ECC KMS keys only to sign and verify, are
-    #   not effective on data key pairs, which are used outside of KMS. The
-    #   SM2 key spec is only available in China Regions.
+    #   to encrypt and decrypt or to sign and verify (but not both), the rule
+    #   that permits you to use ECC KMS keys only to sign and verify, and the
+    #   rule that permits you to use ML-DSA key pairs to sign and verify only
+    #   are not effective on data key pairs, which are used outside of KMS.
+    #   The SM2 key spec is only available in China Regions.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -5203,6 +5253,7 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that was used to encrypt the private key.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to encrypt the private key.
     #     key_pair_spec: "RSA_3072", # The actual key spec of the RSA data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The encrypted private key of the RSA data key pair.
     #     private_key_plaintext: "<binary data>", # The plaintext private key of the RSA data key pair.
@@ -5230,6 +5281,7 @@ module Aws::KMS
     #   {
     #     ciphertext_for_recipient: "<binary data>", # The private key of the RSA data key pair encrypted by the public key from the attestation document
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that was used to encrypt the PrivateKeyCiphertextBlob.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to encrypt the private key.
     #     key_pair_spec: "RSA_3072", # The actual key spec of the RSA data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The private key of the RSA data key pair encrypted by the KMS key.
     #     private_key_plaintext: "", # This field is null or empty
@@ -5396,10 +5448,11 @@ module Aws::KMS
     #   Determines the type of data key pair that is generated.
     #
     #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
-    #   to encrypt and decrypt or to sign and verify (but not both), and the
-    #   rule that permits you to use ECC KMS keys only to sign and verify, are
-    #   not effective on data key pairs, which are used outside of KMS. The
-    #   SM2 key spec is only available in China Regions.
+    #   to encrypt and decrypt or to sign and verify (but not both), the rule
+    #   that permits you to use ECC KMS keys only to sign and verify, and the
+    #   rule that permits you to use ML-DSA key pairs to sign and verify only
+    #   are not effective on data key pairs, which are used outside of KMS.
+    #   The SM2 key spec is only available in China Regions.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -5447,6 +5500,7 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that encrypted the private key in the ECC asymmetric data key pair.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to encrypt the private key.
     #     key_pair_spec: "ECC_NIST_P521", # The actual key spec of the ECC asymmetric data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The encrypted private key of the asymmetric ECC data key pair.
     #     public_key: "<binary data>", # The public key (plaintext).
@@ -5668,6 +5722,7 @@ module Aws::KMS
     #   {
     #     ciphertext_blob: "<binary data>", # The encrypted data key.
     #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that was used to encrypt the data key.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to encrypt the data key.
     #   }
     #
     # @example Request syntax with placeholder values
@@ -6629,12 +6684,12 @@ module Aws::KMS
     #   resp.key_id #=> String
     #   resp.public_key #=> String
     #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
     #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
     #   resp.encryption_algorithms #=> Array
     #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.signing_algorithms #=> Array
-    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
     #   resp.key_agreement_algorithms #=> Array
     #   resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #
@@ -6853,10 +6908,11 @@ module Aws::KMS
     # @option params [String] :import_type
     #   Indicates whether the key material being imported is previously
     #   associated with this KMS key or not. This parameter is optional and
-    #   only usable with symmetric encryption keys. The default is
-    #   `EXISTING_KEY_MATERIAL`. If no key material has ever been imported
-    #   into the KMS key, and this parameter is omitted, the parameter
-    #   defaults to `NEW_KEY_MATERIAL`.
+    #   only usable with symmetric encryption keys. If no key material has
+    #   ever been imported into the KMS key, and this parameter is omitted,
+    #   the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
+    #   material is imported, if this parameter is omitted then the parameter
+    #   defaults to `EXISTING_KEY_MATERIAL`.
     #
     # @option params [String] :key_material_description
     #   Description for the key material being imported. This parameter is
@@ -6902,6 +6958,12 @@ module Aws::KMS
     #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
     #   })
     #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The Amazon Resource Name (ARN) of the KMS key into which key material was imported.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # Identifies the imported key material.
+    #   }
+    #
     # @example Example: To import key material into a KMS key
     #
     #   # The following example imports key material that expires in 3 days. It might be part of an application that frequently
@@ -6915,6 +6977,12 @@ module Aws::KMS
     #     valid_to: Time.parse("2023-09-30T00:00:00-00:00"), # Specifies the date and time when the imported key material expires.
     #   })
     #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The Amazon Resource Name (ARN) of the KMS key into which key material was imported.
+    #     key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # Identifies the imported key material.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.import_key_material({
@@ -8397,8 +8465,12 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     ciphertext_blob: "<binary data>", # The reencrypted data.
+    #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used to reencrypt the data.
+    #     destination_key_material_id: "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to reencrypt the data.
     #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The ARN of the KMS key that was used to reencrypt the data.
+    #     source_encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used to decrypt the ciphertext before it was reencrypted.
     #     source_key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that was originally used to encrypt the data.
+    #     source_key_material_id: "1c6be7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", # The identifier of the key material used to originally encrypt the data.
     #   }
     #
     # @example Request syntax with placeholder values
@@ -8790,11 +8862,11 @@ module Aws::KMS
     #   resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
     #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
     #   resp.replica_key_metadata.encryption_algorithms #=> Array
     #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.replica_key_metadata.signing_algorithms #=> Array
-    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
     #   resp.replica_key_metadata.key_agreement_algorithms #=> Array
     #   resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.replica_key_metadata.multi_region #=> Boolean
@@ -9354,11 +9426,11 @@ module Aws::KMS
     # Developer Guide*.
     #
     # Digital signatures are generated and verified by using asymmetric key
-    # pair, such as an RSA or ECC pair that is represented by an asymmetric
-    # KMS key. The key owner (or an authorized user) uses their private key
-    # to sign a message. Anyone with the public key can verify that the
-    # message was signed with that particular private key and that the
-    # message hasn't changed since it was signed.
+    # pair, such as an RSA, ECC, or ML-DSA pair that is represented by an
+    # asymmetric KMS key. The key owner (or an authorized user) uses their
+    # private key to sign a message. Anyone with the public key can verify
+    # that the message was signed with that particular private key and that
+    # the message hasn't changed since it was signed.
     #
     # To use the `Sign` operation, provide the following information:
     #
@@ -9371,8 +9443,8 @@ module Aws::KMS
     #   to sign. You can submit messages of up to 4096 bytes. To sign a
     #   larger message, generate a hash digest of the message, and then
     #   provide the hash digest in the `Message` parameter. To indicate
-    #   whether the message is a full message or a digest, use the
-    #   `MessageType` parameter.
+    #   whether the message is a full message, a digest, or an ML-DSA
+    #   EXTERNAL\_MU, use the `MessageType` parameter.
     #
     # * Choose a signing algorithm that is compatible with the KMS key.
     #
@@ -9452,26 +9524,34 @@ module Aws::KMS
     # @option params [String] :message_type
     #   Tells KMS whether the value of the `Message` parameter should be
     #   hashed as part of the signing algorithm. Use `RAW` for unhashed
-    #   messages; use `DIGEST` for message digests, which are already hashed.
+    #   messages; use `DIGEST` for message digests, which are already hashed;
+    #   use `EXTERNAL_MU` for 64-byte representative μ used in ML-DSA signing
+    #   as defined in NIST FIPS 204 Section 6.2.
     #
     #   When the value of `MessageType` is `RAW`, KMS uses the standard
     #   signing algorithm, which begins with a hash function. When the value
-    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm. When
+    #   the value is `EXTERNAL_MU` KMS skips the concatenated hashing of the
+    #   public key hash and the message done in the ML-DSA signing algorithm.
     #
-    #   Use the `DIGEST` value only when the value of the `Message` parameter
-    #   is a message digest. If you use the `DIGEST` value with an unhashed
-    #   message, the security of the signing operation can be compromised.
+    #   Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
+    #   `Message` parameter is a message digest. If you use the `DIGEST` value
+    #   with an unhashed message, the security of the signing operation can be
+    #   compromised.
     #
-    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
     #
+    #   When the value of `MessageType` is `EXTERNAL_MU` the length of the
+    #   `Message` value must be 64 bytes.
+    #
     #   You can submit a message digest and omit the `MessageType` or specify
     #   `RAW` so the digest is hashed again while signing. However, this can
     #   cause verification failures when verifying with a system that assumes
     #   a single hash.
     #
-    #   The hashing algorithm in that `Sign` uses is based on the
+    #   The hashing algorithm that `Sign` uses is based on the
     #   `SigningAlgorithm` value.
     #
     #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -9483,6 +9563,9 @@ module Aws::KMS
     #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
     #     algorithm.
     #
+    #   * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256 hashing
+    #     algorithm.
+    #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
     #     verification with SM2 key pairs][1].
     #
@@ -9573,9 +9656,9 @@ module Aws::KMS
     #   resp = client.sign({
     #     key_id: "KeyIdType", # required
     #     message: "data", # required
-    #     message_type: "RAW", # accepts RAW, DIGEST
+    #     message_type: "RAW", # accepts RAW, DIGEST, EXTERNAL_MU
     #     grant_tokens: ["GrantTokenType"],
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA, ML_DSA_SHAKE_256
     #     dry_run: false,
     #   })
     #
@@ -9583,7 +9666,7 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.signature #=> String
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
     #
@@ -10627,27 +10710,34 @@ module Aws::KMS
     # @option params [String] :message_type
     #   Tells KMS whether the value of the `Message` parameter should be
     #   hashed as part of the signing algorithm. Use `RAW` for unhashed
-    #   messages; use `DIGEST` for message digests, which are already hashed.
+    #   messages; use `DIGEST` for message digests, which are already hashed;
+    #   use `EXTERNAL_MU` for 64-byte representative μ used in ML-DSA signing
+    #   as defined in NIST FIPS 204 Section 6.2.
     #
     #   When the value of `MessageType` is `RAW`, KMS uses the standard
     #   signing algorithm, which begins with a hash function. When the value
-    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm. When
+    #   the value is `EXTERNAL_MU` KMS skips the concatenated hashing of the
+    #   public key hash and the message done in the ML-DSA signing algorithm.
     #
-    #   Use the `DIGEST` value only when the value of the `Message` parameter
-    #   is a message digest. If you use the `DIGEST` value with an unhashed
-    #   message, the security of the verification operation can be
+    #   Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
+    #   `Message` parameter is a message digest. If you use the `DIGEST` value
+    #   with an unhashed message, the security of the signing operation can be
     #   compromised.
     #
-    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
     #
+    #   When the value of `MessageType` is `EXTERNAL_MU` the length of the
+    #   `Message` value must be 64 bytes.
+    #
     #   You can submit a message digest and omit the `MessageType` or specify
     #   `RAW` so the digest is hashed again while signing. However, if the
     #   signed message is hashed once while signing, but twice while
     #   verifying, verification fails, even when the message hasn't changed.
     #
-    #   The hashing algorithm in that `Verify` uses is based on the
+    #   The hashing algorithm that `Verify` uses is based on the
     #   `SigningAlgorithm` value.
     #
     #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -10659,6 +10749,9 @@ module Aws::KMS
     #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
     #     algorithm.
     #
+    #   * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256 hashing
+    #     algorithm.
+    #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
     #     verification with SM2 key pairs][1].
     #
@@ -10750,9 +10843,9 @@ module Aws::KMS
     #   resp = client.verify({
     #     key_id: "KeyIdType", # required
     #     message: "data", # required
-    #     message_type: "RAW", # accepts RAW, DIGEST
+    #     message_type: "RAW", # accepts RAW, DIGEST, EXTERNAL_MU
     #     signature: "data", # required
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA, ML_DSA_SHAKE_256
     #     grant_tokens: ["GrantTokenType"],
     #     dry_run: false,
     #   })
@@ -10761,7 +10854,7 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.signature_valid #=> Boolean
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
     #
@@ -10930,7 +11023,7 @@ module Aws::KMS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.104.0'
+      context[:gem_version] = '1.106.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/types.rb

@@ -863,7 +863,10 @@ module Aws::KMS
     #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
     #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
     #
-    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
+    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
+    #     `SIGN_VERIFY`.
+    #
+    #   * For asymmetric KMS keys with ML-DSA key pairs, specify
     #     `SIGN_VERIFY`.
     #
     #   * For asymmetric KMS keys with SM2 key pairs (China Regions only),
@@ -945,6 +948,13 @@ module Aws::KMS
     #       cryptocurrencies.
     #
     #     ^
+    #   * Asymmetric ML-DSA key pairs (signing and verification)
+    #
+    #     * `ML_DSA_44`
+    #
+    #     * `ML_DSA_65`
+    #
+    #     * `ML_DSA_87`
     #   * SM2 key pairs (encryption and decryption -or- signing and
     #     verification -or- deriving shared secrets)
     #
@@ -2540,9 +2550,11 @@ module Aws::KMS
     #
     #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
     #   keys to encrypt and decrypt or to sign and verify (but not both),
-    #   and the rule that permits you to use ECC KMS keys only to sign and
-    #   verify, are not effective on data key pairs, which are used outside
-    #   of KMS. The SM2 key spec is only available in China Regions.
+    #   the rule that permits you to use ECC KMS keys only to sign and
+    #   verify, and the rule that permits you to use ML-DSA key pairs to
+    #   sign and verify only are not effective on data key pairs, which are
+    #   used outside of KMS. The SM2 key spec is only available in China
+    #   Regions.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -2671,8 +2683,6 @@ module Aws::KMS
     #
     # @!attribute [rw] key_material_id
     #   The identifier of the key material used to encrypt the private key.
-    #   This field is omitted if the request includes the `Recipient`
-    #   parameter.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
@@ -2745,9 +2755,11 @@ module Aws::KMS
     #
     #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
     #   keys to encrypt and decrypt or to sign and verify (but not both),
-    #   and the rule that permits you to use ECC KMS keys only to sign and
-    #   verify, are not effective on data key pairs, which are used outside
-    #   of KMS. The SM2 key spec is only available in China Regions.
+    #   the rule that permits you to use ECC KMS keys only to sign and
+    #   verify, and the rule that permits you to use ML-DSA key pairs to
+    #   sign and verify only are not effective on data key pairs, which are
+    #   used outside of KMS. The SM2 key spec is only available in China
+    #   Regions.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -3928,10 +3940,11 @@ module Aws::KMS
     # @!attribute [rw] import_type
     #   Indicates whether the key material being imported is previously
     #   associated with this KMS key or not. This parameter is optional and
-    #   only usable with symmetric encryption keys. The default is
-    #   `EXISTING_KEY_MATERIAL`. If no key material has ever been imported
-    #   into the KMS key, and this parameter is omitted, the parameter
-    #   defaults to `NEW_KEY_MATERIAL`.
+    #   only usable with symmetric encryption keys. If no key material has
+    #   ever been imported into the KMS key, and this parameter is omitted,
+    #   the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
+    #   material is imported, if this parameter is omitted then the
+    #   parameter defaults to `EXISTING_KEY_MATERIAL`.
     #   @return [String]
     #
     # @!attribute [rw] key_material_description
@@ -6133,27 +6146,34 @@ module Aws::KMS
     #   Tells KMS whether the value of the `Message` parameter should be
     #   hashed as part of the signing algorithm. Use `RAW` for unhashed
     #   messages; use `DIGEST` for message digests, which are already
-    #   hashed.
+    #   hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
+    #   ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
     #
     #   When the value of `MessageType` is `RAW`, KMS uses the standard
     #   signing algorithm, which begins with a hash function. When the value
     #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #   When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
+    #   of the public key hash and the message done in the ML-DSA signing
+    #   algorithm.
     #
-    #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with an
-    #   unhashed message, the security of the signing operation can be
-    #   compromised.
+    #   Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
+    #   `Message` parameter is a message digest. If you use the `DIGEST`
+    #   value with an unhashed message, the security of the signing
+    #   operation can be compromised.
     #
-    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
     #
+    #   When the value of `MessageType` is `EXTERNAL_MU` the length of the
+    #   `Message` value must be 64 bytes.
+    #
     #   You can submit a message digest and omit the `MessageType` or
     #   specify `RAW` so the digest is hashed again while signing. However,
     #   this can cause verification failures when verifying with a system
     #   that assumes a single hash.
     #
-    #   The hashing algorithm in that `Sign` uses is based on the
+    #   The hashing algorithm that `Sign` uses is based on the
     #   `SigningAlgorithm` value.
     #
     #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -6165,6 +6185,9 @@ module Aws::KMS
     #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
     #     algorithm.
     #
+    #   * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
+    #     hashing algorithm.
+    #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
     #     verification with SM2 key pairs][1].
     #
@@ -6806,28 +6829,35 @@ module Aws::KMS
     #   Tells KMS whether the value of the `Message` parameter should be
     #   hashed as part of the signing algorithm. Use `RAW` for unhashed
     #   messages; use `DIGEST` for message digests, which are already
-    #   hashed.
+    #   hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
+    #   ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
     #
     #   When the value of `MessageType` is `RAW`, KMS uses the standard
     #   signing algorithm, which begins with a hash function. When the value
     #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #   When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
+    #   of the public key hash and the message done in the ML-DSA signing
+    #   algorithm.
     #
-    #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with an
-    #   unhashed message, the security of the verification operation can be
-    #   compromised.
+    #   Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
+    #   `Message` parameter is a message digest. If you use the `DIGEST`
+    #   value with an unhashed message, the security of the signing
+    #   operation can be compromised.
     #
-    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
     #
+    #   When the value of `MessageType` is `EXTERNAL_MU` the length of the
+    #   `Message` value must be 64 bytes.
+    #
     #   You can submit a message digest and omit the `MessageType` or
     #   specify `RAW` so the digest is hashed again while signing. However,
     #   if the signed message is hashed once while signing, but twice while
     #   verifying, verification fails, even when the message hasn't
     #   changed.
     #
-    #   The hashing algorithm in that `Verify` uses is based on the
+    #   The hashing algorithm that `Verify` uses is based on the
     #   `SigningAlgorithm` value.
     #
     #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -6839,6 +6869,9 @@ module Aws::KMS
     #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
     #     algorithm.
     #
+    #   * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
+    #     hashing algorithm.
+    #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
     #     verification with SM2 key pairs][1].
     #

data/lib/aws-sdk-kms.rb

@@ -54,7 +54,7 @@ module Aws::KMS
   autoload :EndpointProvider, 'aws-sdk-kms/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-kms/endpoints'
 
-  GEM_VERSION = '1.104.0'
+  GEM_VERSION = '1.106.0'
 
 end
 

data/sig/client.rbs

@@ -157,7 +157,7 @@ module Aws
                         ?description: ::String,
                         ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT"),
                         ?customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
-                        ?key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
+                        ?key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2" | "ML_DSA_44" | "ML_DSA_65" | "ML_DSA_87"),
                         ?origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE"),
                         ?custom_key_store_id: ::String,
                         ?bypass_policy_lockout_safety_check: bool,
@@ -481,10 +481,10 @@ module Aws
         def key_id: () -> ::String
         def public_key: () -> ::String
         def customer_master_key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-        def key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
+        def key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2" | "ML_DSA_44" | "ML_DSA_65" | "ML_DSA_87")
         def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
         def encryption_algorithms: () -> ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
-        def signing_algorithms: () -> ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+        def signing_algorithms: () -> ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")]
         def key_agreement_algorithms: () -> ::Array[("ECDH")]
       end
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_public_key-instance_method
@@ -712,15 +712,15 @@ module Aws
         include ::Seahorse::Client::_ResponseSuccess[Types::SignResponse]
         def key_id: () -> ::String
         def signature: () -> ::String
-        def signing_algorithm: () -> ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")
+        def signing_algorithm: () -> ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")
       end
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#sign-instance_method
       def sign: (
                   key_id: ::String,
                   message: ::String,
-                  ?message_type: ("RAW" | "DIGEST"),
+                  ?message_type: ("RAW" | "DIGEST" | "EXTERNAL_MU"),
                   ?grant_tokens: Array[::String],
-                  signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA"),
+                  signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256"),
                   ?dry_run: bool
                 ) -> _SignResponseSuccess
               | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _SignResponseSuccess
@@ -789,15 +789,15 @@ module Aws
         include ::Seahorse::Client::_ResponseSuccess[Types::VerifyResponse]
         def key_id: () -> ::String
         def signature_valid: () -> bool
-        def signing_algorithm: () -> ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")
+        def signing_algorithm: () -> ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")
       end
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#verify-instance_method
       def verify: (
                     key_id: ::String,
                     message: ::String,
-                    ?message_type: ("RAW" | "DIGEST"),
+                    ?message_type: ("RAW" | "DIGEST" | "EXTERNAL_MU"),
                     signature: ::String,
-                    signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA"),
+                    signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256"),
                     ?grant_tokens: Array[::String],
                     ?dry_run: bool
                   ) -> _VerifyResponseSuccess

data/sig/types.rbs

@@ -118,7 +118,7 @@ module Aws::KMS
       attr_accessor description: ::String
       attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
       attr_accessor customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-      attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
+      attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2" | "ML_DSA_44" | "ML_DSA_65" | "ML_DSA_87")
       attr_accessor origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
       attr_accessor custom_key_store_id: ::String
       attr_accessor bypass_policy_lockout_safety_check: bool
@@ -478,10 +478,10 @@ module Aws::KMS
       attr_accessor key_id: ::String
       attr_accessor public_key: ::String
       attr_accessor customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-      attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
+      attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2" | "ML_DSA_44" | "ML_DSA_65" | "ML_DSA_87")
       attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
       attr_accessor encryption_algorithms: ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
-      attr_accessor signing_algorithms: ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+      attr_accessor signing_algorithms: ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")]
       attr_accessor key_agreement_algorithms: ::Array[("ECDH")]
       SENSITIVE: []
     end
@@ -621,9 +621,9 @@ module Aws::KMS
       attr_accessor expiration_model: ("KEY_MATERIAL_EXPIRES" | "KEY_MATERIAL_DOES_NOT_EXPIRE")
       attr_accessor key_manager: ("AWS" | "CUSTOMER")
       attr_accessor customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-      attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
+      attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2" | "ML_DSA_44" | "ML_DSA_65" | "ML_DSA_87")
       attr_accessor encryption_algorithms: ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
-      attr_accessor signing_algorithms: ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+      attr_accessor signing_algorithms: ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")]
       attr_accessor key_agreement_algorithms: ::Array[("ECDH")]
       attr_accessor multi_region: bool
       attr_accessor multi_region_configuration: Types::MultiRegionConfiguration
@@ -870,9 +870,9 @@ module Aws::KMS
     class SignRequest
       attr_accessor key_id: ::String
       attr_accessor message: ::String
-      attr_accessor message_type: ("RAW" | "DIGEST")
+      attr_accessor message_type: ("RAW" | "DIGEST" | "EXTERNAL_MU")
       attr_accessor grant_tokens: ::Array[::String]
-      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")
+      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")
       attr_accessor dry_run: bool
       SENSITIVE: [:message]
     end
@@ -880,7 +880,7 @@ module Aws::KMS
     class SignResponse
       attr_accessor key_id: ::String
       attr_accessor signature: ::String
-      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")
+      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")
       SENSITIVE: []
     end
 
@@ -966,9 +966,9 @@ module Aws::KMS
     class VerifyRequest
       attr_accessor key_id: ::String
       attr_accessor message: ::String
-      attr_accessor message_type: ("RAW" | "DIGEST")
+      attr_accessor message_type: ("RAW" | "DIGEST" | "EXTERNAL_MU")
       attr_accessor signature: ::String
-      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")
+      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")
       attr_accessor grant_tokens: ::Array[::String]
       attr_accessor dry_run: bool
       SENSITIVE: [:message]
@@ -977,7 +977,7 @@ module Aws::KMS
     class VerifyResponse
       attr_accessor key_id: ::String
       attr_accessor signature_valid: bool
-      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")
+      attr_accessor signing_algorithm: ("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA" | "ML_DSA_SHAKE_256")
       SENSITIVE: []
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.104.0
+  version: 1.106.0
 platform: ruby
 authors:
 - Amazon Web Services