aws-sdk-kms 1.112.0 → 1.117.0

data/lib/aws-sdk-kms/client.rb

@@ -1083,6 +1083,13 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
     #
+    # @option params [String] :xks_proxy_vpc_endpoint_service_owner
+    #   Specifies the Amazon Web Services account ID that owns the Amazon VPC
+    #   service endpoint for the interface that is used to communicate with
+    #   your external key store proxy (XKS proxy). This parameter is optional.
+    #   If not provided, the Amazon Web Services account ID calling the action
+    #   will be used.
+    #
     # @option params [Types::XksProxyAuthenticationCredentialType] :xks_proxy_authentication_credential
     #   Specifies an authentication credential for the external key store
     #   proxy (XKS proxy). This parameter is required for all custom key
@@ -1209,6 +1216,7 @@ module Aws::KMS
     #     xks_proxy_uri_endpoint: "XksProxyUriEndpointType",
     #     xks_proxy_uri_path: "XksProxyUriPathType",
     #     xks_proxy_vpc_endpoint_service_name: "XksProxyVpcEndpointServiceNameType",
+    #     xks_proxy_vpc_endpoint_service_owner: "AccountIdType",
     #     xks_proxy_authentication_credential: {
     #       access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
     #       raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
@@ -1568,8 +1576,8 @@ module Aws::KMS
     #   download the public key so it can be used outside of KMS. Each KMS
     #   key can have only one key usage. KMS keys with RSA key pairs can be
     #   used to encrypt and decrypt data or sign and verify messages (but
-    #   not both). KMS keys with NIST-recommended ECC key pairs can be used
-    #   to sign and verify messages or derive shared secrets (but not both).
+    #   not both). KMS keys with NIST-standard ECC key pairs can be used to
+    #   sign and verify messages or derive shared secrets (but not both).
     #   KMS keys with `ECC_SECG_P256K1` can be used only to sign and verify
     #   messages. KMS keys with ML-DSA key pairs can be used to sign and
     #   verify messages. KMS keys with SM2 key pairs (China Regions only)
@@ -1804,8 +1812,10 @@ module Aws::KMS
     #   Determines the [cryptographic operations][1] for which you can use the
     #   KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter is
     #   optional when you are creating a symmetric encryption KMS key;
-    #   otherwise, it is required. You can't change the `KeyUsage` value
-    #   after the KMS key is created.
+    #   otherwise, it is required. You can't change the [ `KeyUsage` ][2]
+    #   value after the KMS key is created. Each KMS key can have only one key
+    #   usage. This follows key usage best practices according to [NIST SP
+    #   800-57 Recommendations for Key Management][3], section 5.2, Key usage.
     #
     #   Select only one valid value.
     #
@@ -1817,8 +1827,8 @@ module Aws::KMS
     #   * For asymmetric KMS keys with RSA key pairs, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
-    #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
+    #   * For asymmetric KMS keys with NIST-standard elliptic curve key pairs,
+    #     specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
     #
     #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
     #     `SIGN_VERIFY`.
@@ -1832,6 +1842,8 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage
+    #   [3]: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
     #
     # @option params [String] :customer_master_key_spec
     #   Instead, use the `KeySpec` parameter.
@@ -1887,7 +1899,7 @@ module Aws::KMS
     #     * `RSA_3072`
     #
     #     * `RSA_4096`
-    #   * Asymmetric NIST-recommended elliptic curve key pairs (signing and
+    #   * Asymmetric NIST-standard elliptic curve key pairs (signing and
     #     verification -or- deriving shared secrets)
     #
     #     * `ECC_NIST_P256` (secp256r1)
@@ -1895,6 +1907,17 @@ module Aws::KMS
     #     * `ECC_NIST_P384` (secp384r1)
     #
     #     * `ECC_NIST_P521` (secp521r1)
+    #
+    #     * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification only
+    #
+    #       * **Note:** For ECC\_NIST\_EDWARDS25519 KMS keys, the
+    #         ED25519\_SHA\_512 signing algorithm requires [ `MessageType:RAW`
+    #         ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType),
+    #         while ED25519\_PH\_SHA\_512 requires [ `MessageType:DIGEST`
+    #         ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType).
+    #         These message types cannot be used interchangeably.
+    #
+    #       ^
     #   * Other asymmetric elliptic curve key pairs (signing and verification)
     #
     #     * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
@@ -2410,7 +2433,7 @@ module Aws::KMS
     #     description: "DescriptionType",
     #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
     #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
-    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2, ML_DSA_44, ML_DSA_65, ML_DSA_87
+    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2, ML_DSA_44, ML_DSA_65, ML_DSA_87, ECC_NIST_EDWARDS25519
     #     origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
     #     custom_key_store_id: "CustomKeyStoreIdType",
     #     bypass_policy_lockout_safety_check: false,
@@ -2442,11 +2465,11 @@ module Aws::KMS
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
     #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87", "ECC_NIST_EDWARDS25519"
     #   resp.key_metadata.encryption_algorithms #=> Array
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256", "ED25519_SHA_512", "ED25519_PH_SHA_512"
     #   resp.key_metadata.key_agreement_algorithms #=> Array
     #   resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.key_metadata.multi_region #=> Boolean
@@ -2520,17 +2543,17 @@ module Aws::KMS
     # keys or particular trusted accounts. For details, see [Best practices
     # for IAM policies][4] in the *Key Management Service Developer Guide*.
     #
-    # `Decrypt` also supports [Amazon Web Services Nitro Enclaves][5], which
-    # provide an isolated compute environment in Amazon EC2. To call
-    # `Decrypt` for a Nitro enclave, use the [Amazon Web Services Nitro
-    # Enclaves SDK][6] or any Amazon Web Services SDK. Use the `Recipient`
-    # parameter to provide the attestation document for the enclave. Instead
-    # of the plaintext data, the response includes the plaintext data
-    # encrypted with the public key from the attestation document
-    # (`CiphertextForRecipient`). For information about the interaction
-    # between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon
-    # Web Services Nitro Enclaves uses KMS][7] in the *Key Management
-    # Service Developer Guide*.
+    # `Decrypt` also supports [Amazon Web Services Nitro Enclaves][5] and
+    # NitroTPM, which provide attested environments in Amazon EC2. To call
+    # `Decrypt` for a Nitro enclave or NitroTPM, use the [Amazon Web
+    # Services Nitro Enclaves SDK][6] or any Amazon Web Services SDK. Use
+    # the `Recipient` parameter to provide the attestation document for the
+    # attested environment. Instead of the plaintext data, the response
+    # includes the plaintext data encrypted with the public key from the
+    # attestation document (`CiphertextForRecipient`). For information about
+    # the interaction between KMS and Amazon Web Services Nitro Enclaves or
+    # Amazon Web Services NitroTPM, see [Cryptographic attestation support
+    # in KMS][7] in the *Key Management Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][8] in the *Key
@@ -2563,7 +2586,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices
     # [5]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
     # [6]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
@@ -2653,29 +2676,32 @@ module Aws::KMS
     #
     # @option params [Types::RecipientInfo] :recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's public
-    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning the plaintext data,
     #   KMS encrypts the plaintext data with the public key in the attestation
     #   document, and returns the resulting ciphertext in the
     #   `CiphertextForRecipient` field in the response. This ciphertext can be
-    #   decrypted only with the private key in the enclave. The `Plaintext`
-    #   field in the response is null or empty.
+    #   decrypted only with the private key in the attested environment. The
+    #   `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @option params [Boolean] :dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
@@ -2733,11 +2759,11 @@ module Aws::KMS
     #     plaintext: "<binary data>", # The decrypted (plaintext) data.
     #   }
     #
-    # @example Example: To decrypt data for a Nitro enclave
+    # @example Example: To decrypt data for a Nitro enclave or NitroTPM
     #
     #   # The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro
-    #   # enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data
-    #   # encrypted by the public key from the attestation document (CiphertextForRecipient).
+    #   # enclave or NitroTPM. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the
+    #   # decrypted data encrypted by the public key from the attestation document (CiphertextForRecipient).
     #
     #   resp = client.decrypt({
     #     ciphertext_blob: "<binary data>", # The encrypted data. This ciphertext was encrypted with the KMS key
@@ -2745,7 +2771,7 @@ module Aws::KMS
     #     recipient: {
     #       attestation_document: "<attestation document>", 
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
-    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
+    #     }, # Specifies the attestation document from the Nitro enclave or NitroTPM and the encryption algorithm to use with the public key from the attestation document
     #   })
     #
     #   resp.to_h outputs the following:
@@ -3071,8 +3097,8 @@ module Aws::KMS
 
     # Derives a shared secret using a key agreement algorithm.
     #
-    # <note markdown="1"> You must use an asymmetric NIST-recommended elliptic curve (ECC) or
-    # SM2 (China Regions only) KMS key pair with a `KeyUsage` value of
+    # <note markdown="1"> You must use an asymmetric NIST-standard elliptic curve (ECC) or SM2
+    # (China Regions only) KMS key pair with a `KeyUsage` value of
     # `KEY_AGREEMENT` to call DeriveSharedSecret.
     #
     #  </note>
@@ -3093,15 +3119,15 @@ module Aws::KMS
     # 1.  **Alice** calls CreateKey to create an asymmetric KMS key pair
     #     with a `KeyUsage` value of `KEY_AGREEMENT`.
     #
-    #     The asymmetric KMS key must use a NIST-recommended elliptic curve
+    #     The asymmetric KMS key must use a NIST-standard elliptic curve
     #     (ECC) or SM2 (China Regions only) key spec.
     #
     # 2.  **Bob** creates an elliptic curve key pair.
     #
     #     Bob can call CreateKey to create an asymmetric KMS key pair or
     #     generate a key pair outside of KMS. Bob's key pair must use the
-    #     same NIST-recommended elliptic curve (ECC) or SM2 (China Regions
-    #     ony) curve as Alice.
+    #     same NIST-standard elliptic curve (ECC) or SM2 (China Regions ony)
+    #     curve as Alice.
     #
     # 3.  Alice and Bob **exchange their public keys** through an insecure
     #     communication channel (like the internet).
@@ -3128,12 +3154,12 @@ module Aws::KMS
     #     his private key and Alice's public key.
     #
     # To derive a shared secret you must provide a key agreement algorithm,
-    # the private key of the caller's asymmetric NIST-recommended elliptic
+    # the private key of the caller's asymmetric NIST-standard elliptic
     # curve or SM2 (China Regions only) KMS key pair, and the public key
-    # from your peer's NIST-recommended elliptic curve or SM2 (China
-    # Regions only) key pair. The public key can be from another asymmetric
-    # KMS key pair or from a key pair generated outside of KMS, but both key
-    # pairs must be on the same elliptic curve.
+    # from your peer's NIST-standard elliptic curve or SM2 (China Regions
+    # only) key pair. The public key can be from another asymmetric KMS key
+    # pair or from a key pair generated outside of KMS, but both key pairs
+    # must be on the same elliptic curve.
     #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][3] in the *Key
@@ -3165,9 +3191,9 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
     #
     # @option params [required, String] :key_id
-    #   Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
-    #   only) KMS key. KMS uses the private key in the specified key pair to
-    #   derive the shared secret. The key usage of the KMS key must be
+    #   Identifies an asymmetric NIST-standard ECC or SM2 (China Regions only)
+    #   KMS key. KMS uses the private key in the specified key pair to derive
+    #   the shared secret. The key usage of the KMS key must be
     #   `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
     #   DescribeKey operation.
     #
@@ -3195,8 +3221,8 @@ module Aws::KMS
     #   secret. The only valid value is `ECDH`.
     #
     # @option params [required, String, StringIO, File] :public_key
-    #   Specifies the public key in your peer's NIST-recommended elliptic
-    #   curve (ECC) or SM2 (China Regions only) key pair.
+    #   Specifies the public key in your peer's NIST-standard elliptic curve
+    #   (ECC) or SM2 (China Regions only) key pair.
     #
     #   The public key must be a DER-encoded X.509 public key, also known as
     #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
@@ -3245,35 +3271,40 @@ module Aws::KMS
     #
     # @option params [Types::RecipientInfo] :recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's public
-    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
-    #   Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
-    #   SDK][2] to generate the attestation document and then use the
-    #   Recipient parameter from any Amazon Web Services SDK to provide the
-    #   attestation document for the enclave.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+    #   DeriveSharedSecret generate an attestation document use either [Amazon
+    #   Web Services Nitro Enclaves SDK][2] for an Amazon Web Services Nitro
+    #   Enclaves or [Amazon Web Services NitroTPM tools][3] for Amazon Web
+    #   Services NitroTPM. Then use the Recipient parameter from any Amazon
+    #   Web Services SDK to provide the attestation document for the attested
+    #   environment.
     #
     #   When you use this parameter, instead of returning a plaintext copy of
     #   the shared secret, KMS encrypts the plaintext shared secret under the
     #   public key in the attestation document, and returns the resulting
     #   ciphertext in the `CiphertextForRecipient` field in the response. This
-    #   ciphertext can be decrypted only with the private key in the enclave.
-    #   The `CiphertextBlob` field in the response contains the encrypted
-    #   shared secret derived from the KMS key specified by the `KeyId`
-    #   parameter and public key specified by the `PublicKey` parameter. The
-    #   `SharedSecret` field in the response is null or empty.
+    #   ciphertext can be decrypted only with the private key in the attested
+    #   environment. The `CiphertextBlob` field in the response contains the
+    #   encrypted shared secret derived from the KMS key specified by the
+    #   `KeyId` parameter and public key specified by the `PublicKey`
+    #   parameter. The `SharedSecret` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][4] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @return [Types::DeriveSharedSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -3302,6 +3333,31 @@ module Aws::KMS
     #     shared_secret: "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG", # The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
     #   }
     #
+    # @example Example: To derive a shared secret for a Nitro enclave or NitroTPM
+    #
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave or
+    #   # NitroTPM. Instead of returning a plaintext shared secret, DeriveSharedSecret returns the shared secret encrypted by the
+    #   # public key from the attestation document.
+    #
+    #   resp = client.derive_shared_secret({
+    #     key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
+    #     public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag", # The public key in your peer's asymmetric key pair.
+    #     recipient: {
+    #       attestation_document: "<attestation document>", 
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
+    #     }, # Specifies the attestation document from the Nitro enclave or NitroTPM and the encryption algorithm to use with the public key from the attestation document
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     ciphertext_for_recipient: "<binary data>", # The shared secret encrypted by the public key from the attestation document
+    #     key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret.
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The asymmetric KMS key pair used to derive the shared secret.
+    #     key_origin: "AWS_KMS", # The source of the key material for the specified KMS key.
+    #     shared_secret: "", # This field is null or empty
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.derive_shared_secret({
@@ -3556,6 +3612,7 @@ module Aws::KMS
     #   resp.custom_key_stores[0].xks_proxy_configuration.uri_endpoint #=> String
     #   resp.custom_key_stores[0].xks_proxy_configuration.uri_path #=> String
     #   resp.custom_key_stores[0].xks_proxy_configuration.vpc_endpoint_service_name #=> String
+    #   resp.custom_key_stores[0].xks_proxy_configuration.vpc_endpoint_service_owner #=> String
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
     #
@@ -3929,11 +3986,11 @@ module Aws::KMS
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
     #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87", "ECC_NIST_EDWARDS25519"
     #   resp.key_metadata.encryption_algorithms #=> Array
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256", "ED25519_SHA_512", "ED25519_PH_SHA_512"
     #   resp.key_metadata.key_agreement_algorithms #=> Array
     #   resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.key_metadata.multi_region #=> Boolean
@@ -4740,16 +4797,17 @@ module Aws::KMS
     # `GenerateDataKey` also supports [Amazon Web Services Nitro
     # Enclaves][2], which provide an isolated compute environment in Amazon
     # EC2. To call `GenerateDataKey` for an Amazon Web Services Nitro
-    # enclave, use the [Amazon Web Services Nitro Enclaves SDK][3] or any
-    # Amazon Web Services SDK. Use the `Recipient` parameter to provide the
-    # attestation document for the enclave. `GenerateDataKey` returns a copy
-    # of the data key encrypted under the specified KMS key, as usual. But
-    # instead of a plaintext copy of the data key, the response includes a
-    # copy of the data key encrypted under the public key from the
-    # attestation document (`CiphertextForRecipient`). For information about
-    # the interaction between KMS and Amazon Web Services Nitro Enclaves,
-    # see [How Amazon Web Services Nitro Enclaves uses KMS][4] in the *Key
-    # Management Service Developer Guide*..
+    # enclave or NitroTPM, use the [Amazon Web Services Nitro Enclaves
+    # SDK][3] or any Amazon Web Services SDK. Use the `Recipient` parameter
+    # to provide the attestation document for the attested environment.
+    # `GenerateDataKey` returns a copy of the data key encrypted under the
+    # specified KMS key, as usual. But instead of a plaintext copy of the
+    # data key, the response includes a copy of the data key encrypted under
+    # the public key from the attestation document
+    # (`CiphertextForRecipient`). For information about the interaction
+    # between KMS and Amazon Web Services Nitro Enclaves or Amazon Web
+    # Services NitroTPM, see [Cryptographic attestation support in KMS][4]
+    # in the *Key Management Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][5] in the *Key
@@ -4808,7 +4866,7 @@ module Aws::KMS
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     # [2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
     # [3]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [6]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
     # [7]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
@@ -4896,12 +4954,14 @@ module Aws::KMS
     #
     # @option params [Types::RecipientInfo] :recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's public
-    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning the plaintext data
     #   key, KMS encrypts the plaintext data key under the public key in the
@@ -4913,14 +4973,15 @@ module Aws::KMS
     #   `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @option params [Boolean] :dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
@@ -4960,10 +5021,10 @@ module Aws::KMS
     #     plaintext: "<binary data>", # The unencrypted (plaintext) data key.
     #   }
     #
-    # @example Example: To generate a data key pair for a Nitro enclave
+    # @example Example: To generate a data key for a Nitro enclave or NitroTPM
     #
-    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
-    #   # Instead of returning a copy of the data key encrypted by the KMS key and a plaintext copy of the data key,
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave or
+    #   # NitroTPM. Instead of returning a copy of the data key encrypted by the KMS key and a plaintext copy of the data key,
     #   # GenerateDataKey returns one copy of the data key encrypted by the KMS key (CiphertextBlob) and one copy of the data key
     #   # encrypted by the public key from the attestation document (CiphertextForRecipient). The operation doesn't return a
     #   # plaintext data key. 
@@ -4974,7 +5035,7 @@ module Aws::KMS
     #     recipient: {
     #       attestation_document: "<attestation document>", 
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
-    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
+    #     }, # Specifies the attestation document from the Nitro enclave or NitroTPM and the encryption algorithm to use with the public key from the attestation document
     #   })
     #
     #   resp.to_h outputs the following:
@@ -5065,17 +5126,18 @@ module Aws::KMS
     # `GenerateDataKeyPair` also supports [Amazon Web Services Nitro
     # Enclaves][3], which provide an isolated compute environment in Amazon
     # EC2. To call `GenerateDataKeyPair` for an Amazon Web Services Nitro
-    # enclave, use the [Amazon Web Services Nitro Enclaves SDK][4] or any
-    # Amazon Web Services SDK. Use the `Recipient` parameter to provide the
-    # attestation document for the enclave. `GenerateDataKeyPair` returns
-    # the public data key and a copy of the private data key encrypted under
-    # the specified KMS key, as usual. But instead of a plaintext copy of
-    # the private data key (`PrivateKeyPlaintext`), the response includes a
-    # copy of the private data key encrypted under the public key from the
-    # attestation document (`CiphertextForRecipient`). For information about
-    # the interaction between KMS and Amazon Web Services Nitro Enclaves,
-    # see [How Amazon Web Services Nitro Enclaves uses KMS][5] in the *Key
-    # Management Service Developer Guide*..
+    # enclave or NitroTPM, use the [Amazon Web Services Nitro Enclaves
+    # SDK][4] or any Amazon Web Services SDK. Use the `Recipient` parameter
+    # to provide the attestation document for the attested environment.
+    # `GenerateDataKeyPair` returns the public data key and a copy of the
+    # private data key encrypted under the specified KMS key, as usual. But
+    # instead of a plaintext copy of the private data key
+    # (`PrivateKeyPlaintext`), the response includes a copy of the private
+    # data key encrypted under the public key from the attestation document
+    # (`CiphertextForRecipient`). For information about the interaction
+    # between KMS and Amazon Web Services Nitro Enclaves or Amazon Web
+    # Services NitroTPM, see [Cryptographic attestation support in KMS][5]
+    # in the *Key Management Service Developer Guide*.
     #
     # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
@@ -5116,7 +5178,7 @@ module Aws::KMS
     # [2]: https://tools.ietf.org/html/rfc5958
     # [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
     # [4]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
@@ -5195,35 +5257,40 @@ module Aws::KMS
     #
     # @option params [Types::RecipientInfo] :recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's public
-    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
-    #   Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
-    #   SDK][2] to generate the attestation document and then use the
-    #   Recipient parameter from any Amazon Web Services SDK to provide the
-    #   attestation document for the enclave.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+    #   GenerateDataKeyPair generate an attestation document use either
+    #   [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web Services
+    #   Nitro Enclaves or [Amazon Web Services NitroTPM tools][3] for Amazon
+    #   Web Services NitroTPM. Then use the Recipient parameter from any
+    #   Amazon Web Services SDK to provide the attestation document for the
+    #   attested environment.
     #
     #   When you use this parameter, instead of returning a plaintext copy of
     #   the private data key, KMS encrypts the plaintext private data key
     #   under the public key in the attestation document, and returns the
     #   resulting ciphertext in the `CiphertextForRecipient` field in the
     #   response. This ciphertext can be decrypted only with the private key
-    #   in the enclave. The `CiphertextBlob` field in the response contains a
-    #   copy of the private data key encrypted under the KMS key specified by
-    #   the `KeyId` parameter. The `PrivateKeyPlaintext` field in the response
-    #   is null or empty.
+    #   in the attested environment. The `CiphertextBlob` field in the
+    #   response contains a copy of the private data key encrypted under the
+    #   KMS key specified by the `KeyId` parameter. The `PrivateKeyPlaintext`
+    #   field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][4] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @option params [Boolean] :dry_run
     #   Checks if your request will succeed. `DryRun` is an optional
@@ -5267,13 +5334,13 @@ module Aws::KMS
     #     public_key: "<binary data>", # The public key (plaintext) of the RSA data key pair.
     #   }
     #
-    # @example Example: To generate a data key pair for a Nitro enclave
+    # @example Example: To generate a data key pair for a Nitro enclave or NitroTPM
     #
-    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
-    #   # Instead of returning a plaintext copy of the private data key, GenerateDataKeyPair returns a copy of the private data
-    #   # key encrypted by the public key from the attestation document (CiphertextForRecipient). It returns the public data key
-    #   # (PublicKey) and a copy of private data key encrypted under the specified KMS key (PrivateKeyCiphertextBlob), as usual,
-    #   # but plaintext private data key field (PrivateKeyPlaintext) is null or empty. 
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave or
+    #   # NitroTPM. Instead of returning a plaintext copy of the private data key, GenerateDataKeyPair returns a copy of the
+    #   # private data key encrypted by the public key from the attestation document (CiphertextForRecipient). It returns the
+    #   # public data key (PublicKey) and a copy of private data key encrypted under the specified KMS key
+    #   # (PrivateKeyCiphertextBlob), as usual, but plaintext private data key field (PrivateKeyPlaintext) is null or empty. 
     #
     #   resp = client.generate_data_key_pair({
     #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
@@ -5281,7 +5348,7 @@ module Aws::KMS
     #     recipient: {
     #       attestation_document: "<attestation document>", 
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
-    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document.
+    #     }, # Specifies the attestation document from the Nitro enclave or NitroTPM and the encryption algorithm to use with the public key from the attestation document.
     #   })
     #
     #   resp.to_h outputs the following:
@@ -5302,7 +5369,7 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     key_id: "KeyIdType", # required
-    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
+    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2, ECC_NIST_EDWARDS25519
     #     grant_tokens: ["GrantTokenType"],
     #     recipient: {
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
@@ -5317,7 +5384,7 @@ module Aws::KMS
     #   resp.private_key_plaintext #=> String
     #   resp.public_key #=> String
     #   resp.key_id #=> String
-    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
+    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2", "ECC_NIST_EDWARDS25519"
     #   resp.ciphertext_for_recipient #=> String
     #   resp.key_material_id #=> String
     #
@@ -5520,7 +5587,7 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     key_id: "KeyIdType", # required
-    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
+    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2, ECC_NIST_EDWARDS25519
     #     grant_tokens: ["GrantTokenType"],
     #     dry_run: false,
     #   })
@@ -5530,7 +5597,7 @@ module Aws::KMS
     #   resp.private_key_ciphertext_blob #=> String
     #   resp.public_key #=> String
     #   resp.key_id #=> String
-    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
+    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2", "ECC_NIST_EDWARDS25519"
     #   resp.key_material_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext AWS API Documentation
@@ -5917,15 +5984,15 @@ module Aws::KMS
     #
     # `GenerateRandom` also supports [Amazon Web Services Nitro
     # Enclaves][1], which provide an isolated compute environment in Amazon
-    # EC2. To call `GenerateRandom` for a Nitro enclave, use the [Amazon Web
-    # Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK. Use
-    # the `Recipient` parameter to provide the attestation document for the
-    # enclave. Instead of plaintext bytes, the response includes the
-    # plaintext bytes encrypted under the public key from the attestation
-    # document (`CiphertextForRecipient`).For information about the
-    # interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    # [How Amazon Web Services Nitro Enclaves uses KMS][3] in the *Key
-    # Management Service Developer Guide*.
+    # EC2. To call `GenerateRandom` for a Nitro enclave or NitroTPM, use the
+    # [Amazon Web Services Nitro Enclaves SDK][2] or any Amazon Web Services
+    # SDK. Use the `Recipient` parameter to provide the attestation document
+    # for the attested environment. Instead of plaintext bytes, the response
+    # includes the plaintext bytes encrypted under the public key from the
+    # attestation document (`CiphertextForRecipient`). For information about
+    # the interaction between KMS and Amazon Web Services Nitro Enclaves or
+    # Amazon Web Services NitroTPM, see [Cryptographic attestation support
+    # in KMS][3] in the *Key Management Service Developer Guide*.
     #
     # For more information about entropy and random number generation, see
     # [Entropy and random number generation][4] in the *Key Management
@@ -5943,7 +6010,7 @@ module Aws::KMS
     #
     # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
     # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#entropy-and-random-numbers
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
@@ -5962,29 +6029,32 @@ module Aws::KMS
     #
     # @option params [Types::RecipientInfo] :recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's public
-    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning plaintext bytes, KMS
     #   encrypts the plaintext bytes under the public key in the attestation
     #   document, and returns the resulting ciphertext in the
     #   `CiphertextForRecipient` field in the response. This ciphertext can be
-    #   decrypted only with the private key in the enclave. The `Plaintext`
-    #   field in the response is null or empty.
+    #   decrypted only with the private key in the attested environment. The
+    #   `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -6005,18 +6075,18 @@ module Aws::KMS
     #     plaintext: "<binary data>", # The random data.
     #   }
     #
-    # @example Example: To generate random data
+    # @example Example: To generate random data for a Nitro enclave or NitroTPM
     #
-    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
-    #   # Instead of returning a plaintext (unencrypted) byte string, GenerateRandom returns the byte string encrypted by the
-    #   # public key from the enclave's attestation document.
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave or
+    #   # NitroTPM. Instead of returning a plaintext (unencrypted) byte string, GenerateRandom returns the byte string encrypted
+    #   # by the public key from the attestation document.
     #
     #   resp = client.generate_random({
     #     number_of_bytes: 1024, # The length of the random byte string
     #     recipient: {
     #       attestation_document: "<attestation document>", 
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
-    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
+    #     }, # Specifies the attestation document from the Nitro enclave or NitroTPM and the encryption algorithm to use with the public key from the attestation document
     #   })
     #
     #   resp.to_h outputs the following:
@@ -6691,12 +6761,12 @@ module Aws::KMS
     #   resp.key_id #=> String
     #   resp.public_key #=> String
     #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
+    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87", "ECC_NIST_EDWARDS25519"
     #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
     #   resp.encryption_algorithms #=> Array
     #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.signing_algorithms #=> Array
-    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
+    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256", "ED25519_SHA_512", "ED25519_PH_SHA_512"
     #   resp.key_agreement_algorithms #=> Array
     #   resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #
@@ -8869,11 +8939,11 @@ module Aws::KMS
     #   resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
     #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87"
+    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2", "ML_DSA_44", "ML_DSA_65", "ML_DSA_87", "ECC_NIST_EDWARDS25519"
     #   resp.replica_key_metadata.encryption_algorithms #=> Array
     #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.replica_key_metadata.signing_algorithms #=> Array
-    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
+    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256", "ED25519_SHA_512", "ED25519_PH_SHA_512"
     #   resp.replica_key_metadata.key_agreement_algorithms #=> Array
     #   resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.replica_key_metadata.multi_region #=> Boolean
@@ -9546,6 +9616,13 @@ module Aws::KMS
     #   with an unhashed message, the security of the signing operation can be
     #   compromised.
     #
+    #   When using ECC\_NIST\_EDWARDS25519 KMS keys:
+    #
+    #   * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
+    #
+    #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
+    #     `MessageType:DIGEST`
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -9665,7 +9742,7 @@ module Aws::KMS
     #     message: "data", # required
     #     message_type: "RAW", # accepts RAW, DIGEST, EXTERNAL_MU
     #     grant_tokens: ["GrantTokenType"],
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA, ML_DSA_SHAKE_256
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA, ML_DSA_SHAKE_256, ED25519_SHA_512, ED25519_PH_SHA_512
     #     dry_run: false,
     #   })
     #
@@ -9673,7 +9750,7 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.signature #=> String
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256", "ED25519_SHA_512", "ED25519_PH_SHA_512"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
     #
@@ -10240,6 +10317,15 @@ module Aws::KMS
     #
     #   To change this value, the external key store must be disconnected.
     #
+    # @option params [String] :xks_proxy_vpc_endpoint_service_owner
+    #   Changes the Amazon Web Services account ID that KMS uses to identify
+    #   the Amazon VPC endpoint service for your external key store proxy (XKS
+    #   proxy). This parameter is optional. If not specified, the current
+    #   Amazon Web Services account ID for the VPC endpoint service will not
+    #   be updated.
+    #
+    #   To change this value, the external key store must be disconnected.
+    #
     # @option params [Types::XksProxyAuthenticationCredentialType] :xks_proxy_authentication_credential
     #   Changes the credentials that KMS uses to sign requests to the external
     #   key store proxy (XKS proxy). This parameter is valid only for custom
@@ -10381,6 +10467,7 @@ module Aws::KMS
     #     xks_proxy_uri_endpoint: "XksProxyUriEndpointType",
     #     xks_proxy_uri_path: "XksProxyUriPathType",
     #     xks_proxy_vpc_endpoint_service_name: "XksProxyVpcEndpointServiceNameType",
+    #     xks_proxy_vpc_endpoint_service_owner: "AccountIdType",
     #     xks_proxy_authentication_credential: {
     #       access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
     #       raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
@@ -10732,6 +10819,13 @@ module Aws::KMS
     #   with an unhashed message, the security of the signing operation can be
     #   compromised.
     #
+    #   When using ECC\_NIST\_EDWARDS25519 KMS keys:
+    #
+    #   * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
+    #
+    #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
+    #     `MessageType:DIGEST`
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -10852,7 +10946,7 @@ module Aws::KMS
     #     message: "data", # required
     #     message_type: "RAW", # accepts RAW, DIGEST, EXTERNAL_MU
     #     signature: "data", # required
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA, ML_DSA_SHAKE_256
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA, ML_DSA_SHAKE_256, ED25519_SHA_512, ED25519_PH_SHA_512
     #     grant_tokens: ["GrantTokenType"],
     #     dry_run: false,
     #   })
@@ -10861,7 +10955,7 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.signature_valid #=> Boolean
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA", "ML_DSA_SHAKE_256", "ED25519_SHA_512", "ED25519_PH_SHA_512"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
     #
@@ -11030,7 +11124,7 @@ module Aws::KMS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.112.0'
+      context[:gem_version] = '1.117.0'
       Seahorse::Client::Request.new(handlers, context)
     end