aws-sdk-kms 1.117.0 → 1.118.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9190b06b6236c6657d8775c0e0b82387d3a287a06d941c2d6ca9ee5ab86fbe92
-  data.tar.gz: 96ac5a0f1ffa0d94902d0d85a2ae32fb9e1d90bae3b31ab3777f6da3d2a8a1f6
+  metadata.gz: 9e2a68224f5a86c92b415535c7bef7f87cf196d5dd5ffbd46a3a75724fb210fe
+  data.tar.gz: 87ba5536876bed1393d07de29b509be6684217d0397aa3981bec94cb5e573bb5
 SHA512:
-  metadata.gz: 22f84927d2c55a566453f0147279ae7f7e01d69b0cab21c0a6501414d3ecf359bbf0c800ef2bb5c246f68ee650056743f93210b67057a1969fc3f1d262036741
-  data.tar.gz: a75a199790f08b1d8623917c0b366371c7827be29b31075d4c7a9698c517cbc38c67b02c0813a621b4a6fc9bcb19d49172792b2d14b3a90de2076e5c4a65b044
+  metadata.gz: 26bfa9abee5b2cb9e02977f17a145247f4b1091d08a398864a5d84ff8b6849b026062b37a07e6c5e12dbb511f709628796200818a6e08e9e72e67197920b11ff
+  data.tar.gz: ddadc9d563a9613fa0f709ac71148ba6bf9449cf6e7848b0367484520ea6771ac6f38854ff1d230ce70455eed6706a9d05192d966d2d1e983f16fbb1c2cb5f33

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.118.0 (2025-11-21)
+------------------
+
+* Feature - Support for on-demand rotation of AWS KMS Multi-Region keys with imported key material
+
 1.117.0 (2025-11-07)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.117.0
+1.118.0

data/lib/aws-sdk-kms/client.rb

@@ -3006,6 +3006,16 @@ module Aws::KMS
     # operation does not change the KMS key's state. Otherwise, it changes
     # the KMS key's state to `PendingImport`.
     #
+    # **Considerations for multi-Region symmetric encryption keys**
+    #
+    # * When you delete the key material of a primary Region key that is in
+    #   `PENDING_ROTATION` or
+    #   `PENDING_MULTI_REGION_IMPORT_AND_ROTATION`state, you'll also be
+    #   deleting the key materials for the replica Region keys.
+    #
+    # * If you delete any key material of a replica Region key, the primary
+    #   Region key and other replica Region keys remain unchanged.
+    #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
@@ -6789,10 +6799,28 @@ module Aws::KMS
     # information about importing key material, see [Importing key
     # material][1].
     #
-    # For asymmetric, HMAC and multi-Region keys, you cannot change the key
-    # material after the initial import. You can import multiple key
-    # materials into single-Region, symmetric encryption keys and rotate the
-    # key material on demand using `RotateKeyOnDemand`.
+    # For asymmetric and HMAC keys, you cannot change the key material after
+    # the initial import. You can import multiple key materials into
+    # symmetric encryption keys and rotate the key material on demand using
+    # `RotateKeyOnDemand`.
+    #
+    # You can import new key materials into multi-Region symmetric
+    # encryption keys. To do so, you must import the new key material into
+    # the primary Region key. Then you can import the same key materials
+    # into the replica Region keys. You cannot directly import new key
+    # material into the replica Region keys.
+    #
+    # To import new key material for a multi-Region symmetric key, you’ll
+    # need to complete the following:
+    #
+    # 1.  Call `ImportKeyMaterial` on the primary Region key with the
+    #     `ImportType`set to `NEW_KEY_MATERIAL`.
+    #
+    # 2.  Call `ImportKeyMaterial` on the replica Region key with the
+    #     `ImportType` set to `EXISTING_KEY_MATERIAL` using the same key
+    #     material imported to the primary Region key. You must do this for
+    #     every replica Region key before you can perform the
+    #     RotateKeyOnDemand operation on the primary Region key.
     #
     # After you import key material, you can [reimport the same key
     # material][2] into that KMS key or, if the key supports on-demand
@@ -6834,10 +6862,10 @@ module Aws::KMS
     #
     # * The key ID or key ARN of the KMS key to associate with the imported
     #   key material. Its `Origin` must be `EXTERNAL` and its `KeyState`
-    #   must be `PendingImport`. You cannot perform this operation on a KMS
-    #   key in a [custom key store][5], or on a KMS key in a different
-    #   Amazon Web Services account. To get the `Origin` and `KeyState` of a
-    #   KMS key, call DescribeKey.
+    #   must be `PendingImport` or `Enabled`. You cannot perform this
+    #   operation on a KMS key in a [custom key store][5], or on a KMS key
+    #   in a different Amazon Web Services account. To get the `Origin` and
+    #   `KeyState` of a KMS key, call DescribeKey.
     #
     # * The encrypted key material.
     #
@@ -6857,13 +6885,12 @@ module Aws::KMS
     #   Each time you reimport, you can eliminate or reset the expiration
     #   time.
     #
-    # When this operation is successful, the key state of the KMS key
-    # changes from `PendingImport` to `Enabled`, and you can use the KMS key
-    # in cryptographic operations. For single-Region, symmetric encryption
-    # keys, you will need to import all of the key materials associated with
-    # the KMS key to change its state to `Enabled`. Use the
-    # `ListKeyRotations` operation to list the ID and import state of each
-    # key material associated with a KMS key.
+    # When this operation is successful, the state of the KMS key changes to
+    # `Enabled`, and you can use the KMS key in cryptographic operations.
+    # For symmetric encryption keys, you will need to import all of the key
+    # materials associated with the KMS key to change its state to
+    # `Enabled`. Use the `ListKeyRotations` operation to list the ID and
+    # import state of each key material associated with a KMS key.
     #
     # If this operation fails, use the exception to help determine the
     # problem. If the error is related to the key material, the import
@@ -6991,6 +7018,12 @@ module Aws::KMS
     #   material is imported, if this parameter is omitted then the parameter
     #   defaults to `EXISTING_KEY_MATERIAL`.
     #
+    #   For multi-Region keys, you must first import new key material into the
+    #   primary Region key. You should use the `NEW_KEY_MATERIAL` import type
+    #   when importing key material into the primary Region key. Then, you can
+    #   import the same key material into the replica Region key. The import
+    #   type for the replica Region key should be `EXISTING_KEY_MATERIAL`.
+    #
     # @option params [String] :key_material_description
     #   Description for the key material being imported. This parameter is
     #   optional and only usable with symmetric encryption keys. If you do not
@@ -7687,7 +7720,7 @@ module Aws::KMS
     #   resp.rotations[0].key_material_id #=> String
     #   resp.rotations[0].key_material_description #=> String
     #   resp.rotations[0].import_state #=> String, one of "IMPORTED", "PENDING_IMPORT"
-    #   resp.rotations[0].key_material_state #=> String, one of "NON_CURRENT", "CURRENT", "PENDING_ROTATION"
+    #   resp.rotations[0].key_material_state #=> String, one of "NON_CURRENT", "CURRENT", "PENDING_ROTATION", "PENDING_MULTI_REGION_IMPORT_AND_ROTATION"
     #   resp.rotations[0].expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.rotations[0].valid_to #=> Time
     #   resp.rotations[0].rotation_date #=> Time
@@ -9220,30 +9253,31 @@ module Aws::KMS
     #
     # On-demand key rotation is supported only on symmetric encryption KMS
     # keys. You cannot perform on-demand rotation of [asymmetric KMS
-    # keys][3], [HMAC KMS keys][4], multi-Region KMS keys with [imported key
-    # material][5], or KMS keys in a [custom key store][6]. When you
-    # initiate on-demand key rotation on a symmetric encryption KMS key with
-    # imported key material, you must have already imported [new key
-    # material][7] and that key material's state should be
+    # keys][3], [HMAC KMS keys][4], or KMS keys in a [custom key store][5].
+    # When you initiate on-demand key rotation on a symmetric encryption KMS
+    # key with imported key material, you must have already imported [new
+    # key material][6] and that key material's state should be
     # `PENDING_ROTATION`. Use the `ListKeyRotations` operation to check the
     # state of all key materials associated with a KMS key. To perform
-    # on-demand rotation of a set of related [multi-Region keys][8], invoke
-    # the on-demand rotation on the primary key.
+    # on-demand rotation of a set of related [multi-Region keys][7], import
+    # new key material in the primary Region key, import the same key
+    # material in each replica Region key, and invoke the on-demand rotation
+    # on the primary Region key.
     #
     # You cannot initiate on-demand rotation of [Amazon Web Services managed
-    # KMS keys][9]. KMS always rotates the key material of Amazon Web
+    # KMS keys][8]. KMS always rotates the key material of Amazon Web
     # Services managed keys every year. Rotation of [Amazon Web Services
-    # owned KMS keys][10] is managed by the Amazon Web Services service that
+    # owned KMS keys][9] is managed by the Amazon Web Services service that
     # owns the key.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][11] in the *Key
+    # key state. For details, see [Key states of KMS keys][10] in the *Key
     # Management Service Developer Guide*.
     #
     # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**: [kms:RotateKeyOnDemand][12] (key policy)
+    # **Required permissions**: [kms:RotateKeyOnDemand][11] (key policy)
     #
     # **Related operations:**
     #
@@ -9258,7 +9292,7 @@ module Aws::KMS
     # * ListKeyRotations
     #
     # **Eventual consistency**: The KMS API follows an eventual consistency
-    # model. For more information, see [KMS eventual consistency][13].
+    # model. For more information, see [KMS eventual consistency][12].
     #
     #
     #
@@ -9266,15 +9300,14 @@ module Aws::KMS
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-enable-disable.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
-    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key
-    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
     #
     # @option params [required, String] :key_id
     #   Identifies a symmetric encryption KMS key. You cannot perform
@@ -11124,7 +11157,7 @@ module Aws::KMS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.117.0'
+      context[:gem_version] = '1.118.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/types.rb

@@ -3993,6 +3993,13 @@ module Aws::KMS
     #   the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
     #   material is imported, if this parameter is omitted then the
     #   parameter defaults to `EXISTING_KEY_MATERIAL`.
+    #
+    #   For multi-Region keys, you must first import new key material into
+    #   the primary Region key. You should use the `NEW_KEY_MATERIAL` import
+    #   type when importing key material into the primary Region key. Then,
+    #   you can import the same key material into the replica Region key.
+    #   The import type for the replica Region key should be
+    #   `EXISTING_KEY_MATERIAL`.
     #   @return [String]
     #
     # @!attribute [rw] key_material_description
@@ -4576,12 +4583,11 @@ module Aws::KMS
     #
     # @!attribute [rw] current_key_material_id
     #   Identifies the current key material. This value is present for
-    #   symmetric encryption keys with `AWS_KMS` origin and single-Region,
-    #   symmetric encryption keys with `EXTERNAL` origin. These KMS keys
-    #   support automatic or on-demand key rotation and can have multiple
-    #   key materials associated with them. KMS uses the current key
-    #   material for both encryption and decryption, and the non-current key
-    #   material for decryption operations only.
+    #   symmetric encryption keys with `AWS_KMS` or `EXTERNAL` origin. These
+    #   KMS keys support automatic or on-demand key rotation and can have
+    #   multiple key materials associated with them. KMS uses the current
+    #   key material for both encryption and decryption, and the non-current
+    #   key material for decryption operations only.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
@@ -6001,15 +6007,24 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_material_state
-    #   There are three possible values for this field: `CURRENT`,
-    #   `NON_CURRENT` and `PENDING_ROTATION`. KMS uses `CURRENT` key
-    #   material for both encryption and decryption and `NON_CURRENT` key
-    #   material only for decryption. `PENDING_ROTATION` identifies key
-    #   material that has been imported for on-demand key rotation but the
-    #   rotation hasn't completed. Key material in `PENDING_ROTATION` is
-    #   not permanently associated with the KMS key. You can delete this key
-    #   material and import different key material in its place. The
-    #   `PENDING_ROTATION` value is only used in symmetric encryption keys
+    #   There are four possible values for this field: `CURRENT`,
+    #   `NON_CURRENT`, `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
+    #   `PENDING_ROTATION`. KMS uses `CURRENT` key material for both
+    #   encryption and decryption and `NON_CURRENT` key material only for
+    #   decryption. `PENDING_ROTATION` identifies key material that has been
+    #   imported for on-demand key rotation but the rotation hasn't
+    #   completed. The key material state
+    #   `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` is unique to
+    #   multi-region, symmetric encryption keys with imported key material.
+    #   It indicates key material that has been imported into the primary
+    #   Region key but not all of the replica Region keys. When this key
+    #   material is imported in to all of the replica Region keys, the key
+    #   material state will change to `PENDING_ROTATION`. Key material in
+    #   `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` or `PENDING_ROTATION`
+    #   state is not permanently associated with the KMS key. You can delete
+    #   this key material and import different key material in its place.
+    #   The `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
+    #   `PENDING_ROTATION` values are only used in symmetric encryption keys
     #   with imported key material. The other values, `CURRENT` and
     #   `NON_CURRENT`, are used for all KMS keys that support automatic or
     #   on-demand key rotation.

data/lib/aws-sdk-kms.rb

@@ -54,7 +54,7 @@ module Aws::KMS
   autoload :EndpointProvider, 'aws-sdk-kms/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-kms/endpoints'
 
-  GEM_VERSION = '1.117.0'
+  GEM_VERSION = '1.118.0'
 
 end
 

data/sig/types.rbs

@@ -846,7 +846,7 @@ module Aws::KMS
       attr_accessor key_material_id: ::String
       attr_accessor key_material_description: ::String
       attr_accessor import_state: ("IMPORTED" | "PENDING_IMPORT")
-      attr_accessor key_material_state: ("NON_CURRENT" | "CURRENT" | "PENDING_ROTATION")
+      attr_accessor key_material_state: ("NON_CURRENT" | "CURRENT" | "PENDING_ROTATION" | "PENDING_MULTI_REGION_IMPORT_AND_ROTATION")
       attr_accessor expiration_model: ("KEY_MATERIAL_EXPIRES" | "KEY_MATERIAL_DOES_NOT_EXPIRE")
       attr_accessor valid_to: ::Time
       attr_accessor rotation_date: ::Time

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.117.0
+  version: 1.118.0
 platform: ruby
 authors:
 - Amazon Web Services
@@ -18,7 +18,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.234.0
+        version: 3.239.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -28,7 +28,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.234.0
+        version: 3.239.1
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement