aws-sdk-kms 1.112.0 → 1.118.0

data/lib/aws-sdk-kms/types.rb

@@ -485,6 +485,14 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
     #   @return [String]
     #
+    # @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
+    #   Specifies the Amazon Web Services account ID that owns the Amazon
+    #   VPC service endpoint for the interface that is used to communicate
+    #   with your external key store proxy (XKS proxy). This parameter is
+    #   optional. If not provided, the Amazon Web Services account ID
+    #   calling the action will be used.
+    #   @return [String]
+    #
     # @!attribute [rw] xks_proxy_authentication_credential
     #   Specifies an authentication credential for the external key store
     #   proxy (XKS proxy). This parameter is required for all custom key
@@ -549,6 +557,7 @@ module Aws::KMS
       :xks_proxy_uri_endpoint,
       :xks_proxy_uri_path,
       :xks_proxy_vpc_endpoint_service_name,
+      :xks_proxy_vpc_endpoint_service_owner,
       :xks_proxy_authentication_credential,
       :xks_proxy_connectivity)
       SENSITIVE = [:key_store_password]
@@ -847,8 +856,11 @@ module Aws::KMS
     #   Determines the [cryptographic operations][1] for which you can use
     #   the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
     #   is optional when you are creating a symmetric encryption KMS key;
-    #   otherwise, it is required. You can't change the `KeyUsage` value
-    #   after the KMS key is created.
+    #   otherwise, it is required. You can't change the [ `KeyUsage` ][2]
+    #   value after the KMS key is created. Each KMS key can have only one
+    #   key usage. This follows key usage best practices according to [NIST
+    #   SP 800-57 Recommendations for Key Management][3], section 5.2, Key
+    #   usage.
     #
     #   Select only one valid value.
     #
@@ -860,7 +872,7 @@ module Aws::KMS
     #   * For asymmetric KMS keys with RSA key pairs, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
+    #   * For asymmetric KMS keys with NIST-standard elliptic curve key
     #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
     #
     #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
@@ -875,6 +887,8 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage
+    #   [3]: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -933,7 +947,7 @@ module Aws::KMS
     #     * `RSA_3072`
     #
     #     * `RSA_4096`
-    #   * Asymmetric NIST-recommended elliptic curve key pairs (signing and
+    #   * Asymmetric NIST-standard elliptic curve key pairs (signing and
     #     verification -or- deriving shared secrets)
     #
     #     * `ECC_NIST_P256` (secp256r1)
@@ -941,6 +955,19 @@ module Aws::KMS
     #     * `ECC_NIST_P384` (secp384r1)
     #
     #     * `ECC_NIST_P521` (secp521r1)
+    #
+    #     * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification
+    #       only
+    #
+    #       * **Note:** For ECC\_NIST\_EDWARDS25519 KMS keys, the
+    #         ED25519\_SHA\_512 signing algorithm requires [
+    #         `MessageType:RAW`
+    #         ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType),
+    #         while ED25519\_PH\_SHA\_512 requires [ `MessageType:DIGEST`
+    #         ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType).
+    #         These message types cannot be used interchangeably.
+    #
+    #       ^
     #   * Other asymmetric elliptic curve key pairs (signing and
     #     verification)
     #
@@ -1620,30 +1647,32 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning the plaintext
     #   data, KMS encrypts the plaintext data with the public key in the
     #   attestation document, and returns the resulting ciphertext in the
     #   `CiphertextForRecipient` field in the response. This ciphertext can
-    #   be decrypted only with the private key in the enclave. The
-    #   `Plaintext` field in the response is null or empty.
+    #   be decrypted only with the private key in the attested environment.
+    #   The `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @!attribute [rw] dry_run
@@ -1695,19 +1724,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] ciphertext_for_recipient
-    #   The plaintext data encrypted with the public key in the attestation
-    #   document.
+    #   The plaintext data encrypted with the public key from the
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_material_id
@@ -1832,7 +1863,7 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
+    #   Identifies an asymmetric NIST-standard ECC or SM2 (China Regions
     #   only) KMS key. KMS uses the private key in the specified key pair to
     #   derive the shared secret. The key usage of the KMS key must be
     #   `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
@@ -1864,7 +1895,7 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] public_key
-    #   Specifies the public key in your peer's NIST-recommended elliptic
+    #   Specifies the public key in your peer's NIST-standard elliptic
     #   curve (ECC) or SM2 (China Regions only) key pair.
     #
     #   The public key must be a DER-encoded X.509 public key, also known as
@@ -1917,37 +1948,41 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
-    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
-    #   Enclaves SDK][2] to generate the attestation document and then use
-    #   the Recipient parameter from any Amazon Web Services SDK to provide
-    #   the attestation document for the enclave.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+    #   DeriveSharedSecret generate an attestation document use either
+    #   [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
+    #   Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
+    #   for Amazon Web Services NitroTPM. Then use the Recipient parameter
+    #   from any Amazon Web Services SDK to provide the attestation document
+    #   for the attested environment.
     #
     #   When you use this parameter, instead of returning a plaintext copy
     #   of the shared secret, KMS encrypts the plaintext shared secret under
     #   the public key in the attestation document, and returns the
     #   resulting ciphertext in the `CiphertextForRecipient` field in the
     #   response. This ciphertext can be decrypted only with the private key
-    #   in the enclave. The `CiphertextBlob` field in the response contains
-    #   the encrypted shared secret derived from the KMS key specified by
-    #   the `KeyId` parameter and public key specified by the `PublicKey`
-    #   parameter. The `SharedSecret` field in the response is null or
-    #   empty.
+    #   in the attested environment. The `CiphertextBlob` field in the
+    #   response contains the encrypted shared secret derived from the KMS
+    #   key specified by the `KeyId` parameter and public key specified by
+    #   the `PublicKey` parameter. The `SharedSecret` field in the response
+    #   is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][4] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
@@ -1976,19 +2011,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] ciphertext_for_recipient
-    #   The plaintext shared secret encrypted with the public key in the
-    #   attestation document.
+    #   The plaintext shared secret encrypted with the public key from the
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_agreement_algorithm
@@ -2573,36 +2610,40 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
-    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
-    #   Enclaves SDK][2] to generate the attestation document and then use
-    #   the Recipient parameter from any Amazon Web Services SDK to provide
-    #   the attestation document for the enclave.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+    #   GenerateDataKeyPair generate an attestation document use either
+    #   [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
+    #   Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
+    #   for Amazon Web Services NitroTPM. Then use the Recipient parameter
+    #   from any Amazon Web Services SDK to provide the attestation document
+    #   for the attested environment.
     #
     #   When you use this parameter, instead of returning a plaintext copy
     #   of the private data key, KMS encrypts the plaintext private data key
     #   under the public key in the attestation document, and returns the
     #   resulting ciphertext in the `CiphertextForRecipient` field in the
     #   response. This ciphertext can be decrypted only with the private key
-    #   in the enclave. The `CiphertextBlob` field in the response contains
-    #   a copy of the private data key encrypted under the KMS key specified
-    #   by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
-    #   response is null or empty.
+    #   in the attested environment. The `CiphertextBlob` field in the
+    #   response contains a copy of the private data key encrypted under the
+    #   KMS key specified by the `KeyId` parameter. The
+    #   `PrivateKeyPlaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][4] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @!attribute [rw] dry_run
@@ -2666,19 +2707,20 @@ module Aws::KMS
     #
     # @!attribute [rw] ciphertext_for_recipient
     #   The plaintext private data key encrypted with the public key from
-    #   the Nitro enclave. This ciphertext can be decrypted only by using a
-    #   private key in the Nitro enclave.
+    #   the attestation document. This ciphertext can be decrypted only by
+    #   using a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_material_id
@@ -2927,13 +2969,14 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning the plaintext data
     #   key, KMS encrypts the plaintext data key under the public key in the
@@ -2945,14 +2988,15 @@ module Aws::KMS
     #   The `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @!attribute [rw] dry_run
@@ -3007,20 +3051,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] ciphertext_for_recipient
-    #   The plaintext data key encrypted with the public key from the Nitro
-    #   enclave. This ciphertext can be decrypted only by using a private
-    #   key in the Nitro enclave.
+    #   The plaintext data key encrypted with the public key from the
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @!attribute [rw] key_material_id
@@ -3284,30 +3329,32 @@ module Aws::KMS
     #
     # @!attribute [rw] recipient
     #   A signed [attestation document][1] from an Amazon Web Services Nitro
-    #   enclave and the encryption algorithm to use with the enclave's
-    #   public key. The only valid encryption algorithm is
-    #   `RSAES_OAEP_SHA_256`.
+    #   enclave or NitroTPM, and the encryption algorithm to use with the
+    #   public key in the attestation document. The only valid encryption
+    #   algorithm is `RSAES_OAEP_SHA_256`.
     #
-    #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   This parameter supports the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
+    #   Enclaves. It supports any Amazon Web Services SDK for Amazon Web
+    #   Services NitroTPM.
     #
     #   When you use this parameter, instead of returning plaintext bytes,
     #   KMS encrypts the plaintext bytes under the public key in the
     #   attestation document, and returns the resulting ciphertext in the
     #   `CiphertextForRecipient` field in the response. This ciphertext can
-    #   be decrypted only with the private key in the enclave. The
-    #   `Plaintext` field in the response is null or empty.
+    #   be decrypted only with the private key in the attested environment.
+    #   The `Plaintext` field in the response is null or empty.
     #
     #   For information about the interaction between KMS and Amazon Web
-    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
-    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #   Services Nitro Enclaves or Amazon Web Services NitroTPM, see
+    #   [Cryptographic attestation support in KMS][3] in the *Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [Types::RecipientInfo]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -3331,19 +3378,20 @@ module Aws::KMS
     #
     # @!attribute [rw] ciphertext_for_recipient
     #   The plaintext random bytes encrypted with the public key from the
-    #   Nitro enclave. This ciphertext can be decrypted only by using a
-    #   private key in the Nitro enclave.
+    #   attestation document. This ciphertext can be decrypted only by using
+    #   a private key from the attested environment.
     #
     #   This field is included in the response only when the `Recipient`
     #   parameter in the request includes a valid attestation document from
-    #   an Amazon Web Services Nitro enclave. For information about the
-    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
-    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   an Amazon Web Services Nitro enclave or NitroTPM. For information
+    #   about the interaction between KMS and Amazon Web Services Nitro
+    #   Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
+    #   attestation support in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -3945,6 +3993,13 @@ module Aws::KMS
     #   the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
     #   material is imported, if this parameter is omitted then the
     #   parameter defaults to `EXISTING_KEY_MATERIAL`.
+    #
+    #   For multi-Region keys, you must first import new key material into
+    #   the primary Region key. You should use the `NEW_KEY_MATERIAL` import
+    #   type when importing key material into the primary Region key. Then,
+    #   you can import the same key material into the replica Region key.
+    #   The import type for the replica Region key should be
+    #   `EXISTING_KEY_MATERIAL`.
     #   @return [String]
     #
     # @!attribute [rw] key_material_description
@@ -4528,12 +4583,11 @@ module Aws::KMS
     #
     # @!attribute [rw] current_key_material_id
     #   Identifies the current key material. This value is present for
-    #   symmetric encryption keys with `AWS_KMS` origin and single-Region,
-    #   symmetric encryption keys with `EXTERNAL` origin. These KMS keys
-    #   support automatic or on-demand key rotation and can have multiple
-    #   key materials associated with them. KMS uses the current key
-    #   material for both encryption and decryption, and the non-current key
-    #   material for decryption operations only.
+    #   symmetric encryption keys with `AWS_KMS` or `EXTERNAL` origin. These
+    #   KMS keys support automatic or on-demand key rotation and can have
+    #   multiple key materials associated with them. KMS uses the current
+    #   key material for both encryption and decryption, and the non-current
+    #   key material for decryption operations only.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
@@ -5524,24 +5578,26 @@ module Aws::KMS
     # the API operation.
     #
     # This data type is designed to support Amazon Web Services Nitro
-    # Enclaves, which lets you create an isolated compute environment in
-    # Amazon EC2. For information about the interaction between KMS and
-    # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
-    # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
+    # Enclaves and Amazon Web Services NitroTPM, which lets you create an
+    # attested environment in Amazon EC2. For information about the
+    # interaction between KMS and Amazon Web Services Nitro Enclaves or
+    # Amazon Web Services NitroTPM, see [Cryptographic attestation support
+    # in KMS][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     #
     # @!attribute [rw] key_encryption_algorithm
     #   The encryption algorithm that KMS should use with the public key for
-    #   an Amazon Web Services Nitro Enclave to encrypt plaintext values for
-    #   the response. The only valid value is `RSAES_OAEP_SHA_256`.
+    #   an Amazon Web Services Nitro Enclave or NitroTPM to encrypt
+    #   plaintext values for the response. The only valid value is
+    #   `RSAES_OAEP_SHA_256`.
     #   @return [String]
     #
     # @!attribute [rw] attestation_document
-    #   The attestation document for an Amazon Web Services Nitro Enclave.
-    #   This document includes the enclave's public key.
+    #   The attestation document for an Amazon Web Services Nitro Enclave or
+    #   a NitroTPM. This document includes the enclave's public key.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
@@ -5951,15 +6007,24 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_material_state
-    #   There are three possible values for this field: `CURRENT`,
-    #   `NON_CURRENT` and `PENDING_ROTATION`. KMS uses `CURRENT` key
-    #   material for both encryption and decryption and `NON_CURRENT` key
-    #   material only for decryption. `PENDING_ROTATION` identifies key
-    #   material that has been imported for on-demand key rotation but the
-    #   rotation hasn't completed. Key material in `PENDING_ROTATION` is
-    #   not permanently associated with the KMS key. You can delete this key
-    #   material and import different key material in its place. The
-    #   `PENDING_ROTATION` value is only used in symmetric encryption keys
+    #   There are four possible values for this field: `CURRENT`,
+    #   `NON_CURRENT`, `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
+    #   `PENDING_ROTATION`. KMS uses `CURRENT` key material for both
+    #   encryption and decryption and `NON_CURRENT` key material only for
+    #   decryption. `PENDING_ROTATION` identifies key material that has been
+    #   imported for on-demand key rotation but the rotation hasn't
+    #   completed. The key material state
+    #   `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` is unique to
+    #   multi-region, symmetric encryption keys with imported key material.
+    #   It indicates key material that has been imported into the primary
+    #   Region key but not all of the replica Region keys. When this key
+    #   material is imported in to all of the replica Region keys, the key
+    #   material state will change to `PENDING_ROTATION`. Key material in
+    #   `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` or `PENDING_ROTATION`
+    #   state is not permanently associated with the KMS key. You can delete
+    #   this key material and import different key material in its place.
+    #   The `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
+    #   `PENDING_ROTATION` values are only used in symmetric encryption keys
     #   with imported key material. The other values, `CURRENT` and
     #   `NON_CURRENT`, are used for all KMS keys that support automatic or
     #   on-demand key rotation.
@@ -6161,6 +6226,13 @@ module Aws::KMS
     #   value with an unhashed message, the security of the signing
     #   operation can be compromised.
     #
+    #   When using ECC\_NIST\_EDWARDS25519 KMS keys:
+    #
+    #   * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
+    #
+    #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
+    #     `MessageType:DIGEST`
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -6568,6 +6640,16 @@ module Aws::KMS
     #   To change this value, the external key store must be disconnected.
     #   @return [String]
     #
+    # @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
+    #   Changes the Amazon Web Services account ID that KMS uses to identify
+    #   the Amazon VPC endpoint service for your external key store proxy
+    #   (XKS proxy). This parameter is optional. If not specified, the
+    #   current Amazon Web Services account ID for the VPC endpoint service
+    #   will not be updated.
+    #
+    #   To change this value, the external key store must be disconnected.
+    #   @return [String]
+    #
     # @!attribute [rw] xks_proxy_authentication_credential
     #   Changes the credentials that KMS uses to sign requests to the
     #   external key store proxy (XKS proxy). This parameter is valid only
@@ -6615,6 +6697,7 @@ module Aws::KMS
       :xks_proxy_uri_endpoint,
       :xks_proxy_uri_path,
       :xks_proxy_vpc_endpoint_service_name,
+      :xks_proxy_vpc_endpoint_service_owner,
       :xks_proxy_authentication_credential,
       :xks_proxy_connectivity)
       SENSITIVE = [:key_store_password]
@@ -6844,6 +6927,13 @@ module Aws::KMS
     #   value with an unhashed message, the security of the signing
     #   operation can be compromised.
     #
+    #   When using ECC\_NIST\_EDWARDS25519 KMS keys:
+    #
+    #   * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
+    #
+    #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
+    #     `MessageType:DIGEST`
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -7113,6 +7203,13 @@ module Aws::KMS
     #   with KMS.
     #   @return [String]
     #
+    # @!attribute [rw] vpc_endpoint_service_owner
+    #   The Amazon Web Services account ID that owns the Amazon VPC endpoint
+    #   service used to communicate with the external key store proxy (XKS).
+    #   This field appears only when the XKS uses an VPC endpoint service to
+    #   communicate with KMS.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
     #
     class XksProxyConfigurationType < Struct.new(
@@ -7120,7 +7217,8 @@ module Aws::KMS
       :access_key_id,
       :uri_endpoint,
       :uri_path,
-      :vpc_endpoint_service_name)
+      :vpc_endpoint_service_name,
+      :vpc_endpoint_service_owner)
       SENSITIVE = [:access_key_id]
       include Aws::Structure
     end