aws-sdk-kms 1.112.0 → 1.116.0

data/lib/aws-sdk-kms/client_api.rb

@@ -15,6 +15,7 @@ module Aws::KMS
     include Seahorse::Model
 
     AWSAccountIdType = Shapes::StringShape.new(name: 'AWSAccountIdType')
+    AccountIdType = Shapes::StringShape.new(name: 'AccountIdType')
     AlgorithmSpec = Shapes::StringShape.new(name: 'AlgorithmSpec')
     AliasList = Shapes::ListShape.new(name: 'AliasList')
     AliasListEntry = Shapes::StructureShape.new(name: 'AliasListEntry')
@@ -308,6 +309,7 @@ module Aws::KMS
     CreateCustomKeyStoreRequest.add_member(:xks_proxy_uri_endpoint, Shapes::ShapeRef.new(shape: XksProxyUriEndpointType, location_name: "XksProxyUriEndpoint"))
     CreateCustomKeyStoreRequest.add_member(:xks_proxy_uri_path, Shapes::ShapeRef.new(shape: XksProxyUriPathType, location_name: "XksProxyUriPath"))
     CreateCustomKeyStoreRequest.add_member(:xks_proxy_vpc_endpoint_service_name, Shapes::ShapeRef.new(shape: XksProxyVpcEndpointServiceNameType, location_name: "XksProxyVpcEndpointServiceName"))
+    CreateCustomKeyStoreRequest.add_member(:xks_proxy_vpc_endpoint_service_owner, Shapes::ShapeRef.new(shape: AccountIdType, location_name: "XksProxyVpcEndpointServiceOwner"))
     CreateCustomKeyStoreRequest.add_member(:xks_proxy_authentication_credential, Shapes::ShapeRef.new(shape: XksProxyAuthenticationCredentialType, location_name: "XksProxyAuthenticationCredential"))
     CreateCustomKeyStoreRequest.add_member(:xks_proxy_connectivity, Shapes::ShapeRef.new(shape: XksProxyConnectivityType, location_name: "XksProxyConnectivity"))
     CreateCustomKeyStoreRequest.struct_class = Types::CreateCustomKeyStoreRequest
@@ -948,6 +950,7 @@ module Aws::KMS
     UpdateCustomKeyStoreRequest.add_member(:xks_proxy_uri_endpoint, Shapes::ShapeRef.new(shape: XksProxyUriEndpointType, location_name: "XksProxyUriEndpoint"))
     UpdateCustomKeyStoreRequest.add_member(:xks_proxy_uri_path, Shapes::ShapeRef.new(shape: XksProxyUriPathType, location_name: "XksProxyUriPath"))
     UpdateCustomKeyStoreRequest.add_member(:xks_proxy_vpc_endpoint_service_name, Shapes::ShapeRef.new(shape: XksProxyVpcEndpointServiceNameType, location_name: "XksProxyVpcEndpointServiceName"))
+    UpdateCustomKeyStoreRequest.add_member(:xks_proxy_vpc_endpoint_service_owner, Shapes::ShapeRef.new(shape: AccountIdType, location_name: "XksProxyVpcEndpointServiceOwner"))
     UpdateCustomKeyStoreRequest.add_member(:xks_proxy_authentication_credential, Shapes::ShapeRef.new(shape: XksProxyAuthenticationCredentialType, location_name: "XksProxyAuthenticationCredential"))
     UpdateCustomKeyStoreRequest.add_member(:xks_proxy_connectivity, Shapes::ShapeRef.new(shape: XksProxyConnectivityType, location_name: "XksProxyConnectivity"))
     UpdateCustomKeyStoreRequest.struct_class = Types::UpdateCustomKeyStoreRequest
@@ -1010,6 +1013,7 @@ module Aws::KMS
     XksProxyConfigurationType.add_member(:uri_endpoint, Shapes::ShapeRef.new(shape: XksProxyUriEndpointType, location_name: "UriEndpoint"))
     XksProxyConfigurationType.add_member(:uri_path, Shapes::ShapeRef.new(shape: XksProxyUriPathType, location_name: "UriPath"))
     XksProxyConfigurationType.add_member(:vpc_endpoint_service_name, Shapes::ShapeRef.new(shape: XksProxyVpcEndpointServiceNameType, location_name: "VpcEndpointServiceName"))
+    XksProxyConfigurationType.add_member(:vpc_endpoint_service_owner, Shapes::ShapeRef.new(shape: AccountIdType, location_name: "VpcEndpointServiceOwner"))
     XksProxyConfigurationType.struct_class = Types::XksProxyConfigurationType
 
     XksProxyIncorrectAuthenticationCredentialException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))

data/lib/aws-sdk-kms/customizations.rb

@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-# WARNING ABOUT GENERATED CODE
-#
-# This file is generated. See the contributing for info on making contributions:
-# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
-#
-# WARNING ABOUT GENERATED CODE
-

data/lib/aws-sdk-kms/endpoint_parameters.rb

@@ -13,22 +13,22 @@ module Aws::KMS
   # @!attribute region
   #   The AWS region used to dispatch the request.
   #
-  #   @return [String]
+  #   @return [string]
   #
   # @!attribute use_dual_stack
   #   When true, use the dual-stack endpoint. If the configured endpoint does not support dual-stack, dispatching the request MAY return an error.
   #
-  #   @return [Boolean]
+  #   @return [boolean]
   #
   # @!attribute use_fips
   #   When true, send this request to the FIPS-compliant regional endpoint. If the configured endpoint does not have a FIPS compliant endpoint, dispatching the request will return an error.
   #
-  #   @return [Boolean]
+  #   @return [boolean]
   #
   # @!attribute endpoint
   #   Override the endpoint used to send this request
   #
-  #   @return [String]
+  #   @return [string]
   #
   EndpointParameters = Struct.new(
     :region,

data/lib/aws-sdk-kms/types.rb

@@ -485,6 +485,14 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
     #   @return [String]
     #
+    # @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
+    #   Specifies the Amazon Web Services account ID that owns the Amazon
+    #   VPC service endpoint for the interface that is used to communicate
+    #   with your external key store proxy (XKS proxy). This parameter is
+    #   optional. If not provided, the Amazon Web Services account ID
+    #   calling the action will be used.
+    #   @return [String]
+    #
     # @!attribute [rw] xks_proxy_authentication_credential
     #   Specifies an authentication credential for the external key store
     #   proxy (XKS proxy). This parameter is required for all custom key
@@ -549,6 +557,7 @@ module Aws::KMS
       :xks_proxy_uri_endpoint,
       :xks_proxy_uri_path,
       :xks_proxy_vpc_endpoint_service_name,
+      :xks_proxy_vpc_endpoint_service_owner,
       :xks_proxy_authentication_credential,
       :xks_proxy_connectivity)
       SENSITIVE = [:key_store_password]
@@ -847,8 +856,11 @@ module Aws::KMS
     #   Determines the [cryptographic operations][1] for which you can use
     #   the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
     #   is optional when you are creating a symmetric encryption KMS key;
-    #   otherwise, it is required. You can't change the `KeyUsage` value
-    #   after the KMS key is created.
+    #   otherwise, it is required. You can't change the [ `KeyUsage` ][2]
+    #   value after the KMS key is created. Each KMS key can have only one
+    #   key usage. This follows key usage best practices according to [NIST
+    #   SP 800-57 Recommendations for Key Management][3], section 5.2, Key
+    #   usage.
     #
     #   Select only one valid value.
     #
@@ -875,6 +887,8 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage
+    #   [3]: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -1620,30 +1634,32 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning the plaintext
     #   data, KMS encrypts the plaintext data with the public key in the
     #   attestation document, and returns the resulting ciphertext in the
     #   `CiphertextForRecipient` field in the response. This ciphertext can
-    #   be decrypted only with the private key in the enclave. The
-    #   `Plaintext` field in the response is null or empty.
+    #   be decrypted only with the private key in the attested environment.
+    #   The `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @!attribute [rw] dry_run
@@ -1695,19 +1711,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] ciphertext_for_recipient
-    #   The plaintext data encrypted with the public key in the attestation
-    #   document.
+    #   The plaintext data encrypted with the public key from the
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_material_id
@@ -1917,37 +1935,41 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
-    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
-    #   Enclaves SDK][2] to generate the attestation document and then use
-    #   the Recipient parameter from any Amazon Web Services SDK to provide
-    #   the attestation document for the enclave.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+    #   DeriveSharedSecret generate an attestation document use either
+    #   [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
+    #   Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
+    #   for Amazon Web Services NitroTPM. Then use the Recipient parameter
+    #   from any Amazon Web Services SDK to provide the attestation document
+    #   for the attested environment.
     #
     #   When you use this parameter, instead of returning a plaintext copy
     #   of the shared secret, KMS encrypts the plaintext shared secret under
     #   the public key in the attestation document, and returns the
     #   resulting ciphertext in the `CiphertextForRecipient` field in the
     #   response. This ciphertext can be decrypted only with the private key
-    #   in the enclave. The `CiphertextBlob` field in the response contains
-    #   the encrypted shared secret derived from the KMS key specified by
-    #   the `KeyId` parameter and public key specified by the `PublicKey`
-    #   parameter. The `SharedSecret` field in the response is null or
-    #   empty.
+    #   in the attested environment. The `CiphertextBlob` field in the
+    #   response contains the encrypted shared secret derived from the KMS
+    #   key specified by the `KeyId` parameter and public key specified by
+    #   the `PublicKey` parameter. The `SharedSecret` field in the response
+    #   is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][4] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
@@ -1976,19 +1998,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] ciphertext_for_recipient
-    #   The plaintext shared secret encrypted with the public key in the
-    #   attestation document.
+    #   The plaintext shared secret encrypted with the public key from the
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_agreement_algorithm
@@ -2573,36 +2597,40 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
-    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
-    #   Enclaves SDK][2] to generate the attestation document and then use
-    #   the Recipient parameter from any Amazon Web Services SDK to provide
-    #   the attestation document for the enclave.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+    #   GenerateDataKeyPair generate an attestation document use either
+    #   [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
+    #   Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
+    #   for Amazon Web Services NitroTPM. Then use the Recipient parameter
+    #   from any Amazon Web Services SDK to provide the attestation document
+    #   for the attested environment.
     #
     #   When you use this parameter, instead of returning a plaintext copy
     #   of the private data key, KMS encrypts the plaintext private data key
     #   under the public key in the attestation document, and returns the
     #   resulting ciphertext in the `CiphertextForRecipient` field in the
     #   response. This ciphertext can be decrypted only with the private key
-    #   in the enclave. The `CiphertextBlob` field in the response contains
-    #   a copy of the private data key encrypted under the KMS key specified
-    #   by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
-    #   response is null or empty.
+    #   in the attested environment. The `CiphertextBlob` field in the
+    #   response contains a copy of the private data key encrypted under the
+    #   KMS key specified by the `KeyId` parameter. The
+    #   `PrivateKeyPlaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][4] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @!attribute [rw] dry_run
@@ -2666,19 +2694,20 @@ module Aws::KMS
     #
     # @!attribute [rw] ciphertext_for_recipient
     #   The plaintext private data key encrypted with the public key from
-    #   the Nitro enclave. This ciphertext can be decrypted only by using a
-    #   private key in the Nitro enclave.
+    #   the attestation document. This ciphertext can be decrypted only by
+    #   using a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_material_id
@@ -2927,13 +2956,14 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning the plaintext data
     #   key, KMS encrypts the plaintext data key under the public key in the
@@ -2945,14 +2975,15 @@ module Aws::KMS
     #   The `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @!attribute [rw] dry_run
@@ -3007,20 +3038,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] ciphertext_for_recipient
-    #   The plaintext data key encrypted with the public key from the Nitro
-    #   enclave. This ciphertext can be decrypted only by using a private
-    #   key in the Nitro enclave.
+    #   The plaintext data key encrypted with the public key from the
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_material_id
@@ -3284,30 +3316,32 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning plaintext bytes,
     #   KMS encrypts the plaintext bytes under the public key in the
     #   attestation document, and returns the resulting ciphertext in the
     #   `CiphertextForRecipient` field in the response. This ciphertext can
-    #   be decrypted only with the private key in the enclave. The
-    #   `Plaintext` field in the response is null or empty.
+    #   be decrypted only with the private key in the attested environment.
+    #   The `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -3331,19 +3365,20 @@ module Aws::KMS
     #
     # @!attribute [rw] ciphertext_for_recipient
     #   The plaintext random bytes encrypted with the public key from the
-    #   Nitro enclave. This ciphertext can be decrypted only by using a
-    #   private key in the Nitro enclave.
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -5524,24 +5559,26 @@ module Aws::KMS
     # the API operation.
     #
     # This data type is designed to support Amazon Web Services Nitro
-    # Enclaves, which lets you create an isolated compute environment in
-    # Amazon EC2. For information about the interaction between KMS and
-    # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
-    # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
+    # Enclaves and Amazon Web Services NitroTPM, which lets you create an
+    # attested environment in Amazon EC2. For information about the
+    # interaction between KMS and Amazon Web Services Nitro Enclaves or
+    # Amazon Web Services NitroTPM, see [Cryptographic attestation support
+    # in KMS][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @!attribute [rw] key_encryption_algorithm
     #   The encryption algorithm that KMS should use with the public key for
-    #   an Amazon Web Services Nitro Enclave to encrypt plaintext values for
-    #   the response. The only valid value is `RSAES_OAEP_SHA_256`.
+    #   an Amazon Web Services Nitro Enclave or NitroTPM to encrypt
+    #   plaintext values for the response. The only valid value is
+    #   `RSAES_OAEP_SHA_256`.
     #   @return [String]
     #
     # @!attribute [rw] attestation_document
-    #   The attestation document for an Amazon Web Services Nitro Enclave.
-    #   This document includes the enclave's public key.
+    #   The attestation document for an Amazon Web Services Nitro Enclave or
+    #   a NitroTPM. This document includes the enclave's public key.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
@@ -6568,6 +6605,16 @@ module Aws::KMS
     #   To change this value, the external key store must be disconnected.
     #   @return [String]
     #
+    # @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
+    #   Changes the Amazon Web Services account ID that KMS uses to identify
+    #   the Amazon VPC endpoint service for your external key store proxy
+    #   (XKS proxy). This parameter is optional. If not specified, the
+    #   current Amazon Web Services account ID for the VPC endpoint service
+    #   will not be updated.
+    #
+    #   To change this value, the external key store must be disconnected.
+    #   @return [String]
+    #
     # @!attribute [rw] xks_proxy_authentication_credential
     #   Changes the credentials that KMS uses to sign requests to the
     #   external key store proxy (XKS proxy). This parameter is valid only
@@ -6615,6 +6662,7 @@ module Aws::KMS
       :xks_proxy_uri_endpoint,
       :xks_proxy_uri_path,
       :xks_proxy_vpc_endpoint_service_name,
+      :xks_proxy_vpc_endpoint_service_owner,
       :xks_proxy_authentication_credential,
       :xks_proxy_connectivity)
       SENSITIVE = [:key_store_password]
@@ -7113,6 +7161,13 @@ module Aws::KMS
     #   with KMS.
     #   @return [String]
     #
+    # @!attribute [rw] vpc_endpoint_service_owner
+    #   The Amazon Web Services account ID that owns the Amazon VPC endpoint
+    #   service used to communicate with the external key store proxy (XKS).
+    #   This field appears only when the XKS uses an VPC endpoint service to
+    #   communicate with KMS.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
     #
     class XksProxyConfigurationType < Struct.new(
@@ -7120,7 +7175,8 @@ module Aws::KMS
       :access_key_id,
       :uri_endpoint,
       :uri_path,
-      :vpc_endpoint_service_name)
+      :vpc_endpoint_service_name,
+      :vpc_endpoint_service_owner)
       SENSITIVE = [:access_key_id]
       include Aws::Structure
     end

data/lib/aws-sdk-kms.rb

@@ -54,7 +54,7 @@ module Aws::KMS
   autoload :EndpointProvider, 'aws-sdk-kms/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-kms/endpoints'
 
-  GEM_VERSION = '1.112.0'
+  GEM_VERSION = '1.116.0'
 
 end
 

data/sig/client.rbs

@@ -119,6 +119,7 @@ module Aws
                                      ?xks_proxy_uri_endpoint: ::String,
                                      ?xks_proxy_uri_path: ::String,
                                      ?xks_proxy_vpc_endpoint_service_name: ::String,
+                                     ?xks_proxy_vpc_endpoint_service_owner: ::String,
                                      ?xks_proxy_authentication_credential: {
                                        access_key_id: ::String,
                                        raw_secret_access_key: ::String
@@ -764,6 +765,7 @@ module Aws
                                      ?xks_proxy_uri_endpoint: ::String,
                                      ?xks_proxy_uri_path: ::String,
                                      ?xks_proxy_vpc_endpoint_service_name: ::String,
+                                     ?xks_proxy_vpc_endpoint_service_owner: ::String,
                                      ?xks_proxy_authentication_credential: {
                                        access_key_id: ::String,
                                        raw_secret_access_key: ::String

data/sig/types.rbs

@@ -85,6 +85,7 @@ module Aws::KMS
       attr_accessor xks_proxy_uri_endpoint: ::String
       attr_accessor xks_proxy_uri_path: ::String
       attr_accessor xks_proxy_vpc_endpoint_service_name: ::String
+      attr_accessor xks_proxy_vpc_endpoint_service_owner: ::String
       attr_accessor xks_proxy_authentication_credential: Types::XksProxyAuthenticationCredentialType
       attr_accessor xks_proxy_connectivity: ("PUBLIC_ENDPOINT" | "VPC_ENDPOINT_SERVICE")
       SENSITIVE: [:key_store_password]
@@ -926,6 +927,7 @@ module Aws::KMS
       attr_accessor xks_proxy_uri_endpoint: ::String
       attr_accessor xks_proxy_uri_path: ::String
       attr_accessor xks_proxy_vpc_endpoint_service_name: ::String
+      attr_accessor xks_proxy_vpc_endpoint_service_owner: ::String
       attr_accessor xks_proxy_authentication_credential: Types::XksProxyAuthenticationCredentialType
       attr_accessor xks_proxy_connectivity: ("PUBLIC_ENDPOINT" | "VPC_ENDPOINT_SERVICE")
       SENSITIVE: [:key_store_password]
@@ -1013,6 +1015,7 @@ module Aws::KMS
       attr_accessor uri_endpoint: ::String
       attr_accessor uri_path: ::String
       attr_accessor vpc_endpoint_service_name: ::String
+      attr_accessor vpc_endpoint_service_owner: ::String
       SENSITIVE: [:access_key_id]
     end