aws-sdk-kms 1.12.0 → 1.13.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +722 -113
- data/lib/aws-sdk-kms/client_api.rb +172 -0
- data/lib/aws-sdk-kms/types.rb +493 -48
- metadata +2 -2
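--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4bca783774aeca06b13277e56cd794df110f6d42
+data.tar.gz: 6140ef36b4f5ac42206aefe9f0370dbf512fcb59
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c14c7d97ee060bfa2b2f510f816b6728046fa56b881ed4e292859e5ee098c6412f48fdaf60e7ec415ef72c6cf94aebb02c95ba4e9e2f5f222123eaf25daa6ba9
+data.tar.gz: c8f68db24ec2731de7f7d9c3fc95a4d84ec5fa596809ef587c3726976481fa9689c484fa555a0ed888f31747d6b1e1074512aa7555da67068fb6a2d949c9d9e4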
data/lib/aws-sdk-kms.rb
CHANGED
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -285,9 +285,79 @@ module Aws::KMS
|
|
285
285
|
req.send_request(options)
|
286
286
|
end
|
287
287
|
|
288
|
-
#
|
289
|
-
#
|
290
|
-
#
|
288
|
+
# Connects or reconnects a [custom key store][1] to its associated AWS
|
289
|
+
# CloudHSM cluster.
|
290
|
+
#
|
291
|
+
# The custom key store must be connected before you can create customer
|
292
|
+
# master keys (CMKs) in the key store or use the CMKs it contains. You
|
293
|
+
# can disconnect and reconnect a custom key store at any time.
|
294
|
+
#
|
295
|
+
# To connect a custom key store, its associated AWS CloudHSM cluster
|
296
|
+
# must have at least one active HSM. To get the number of active HSMs in
|
297
|
+
# a cluster, use the [DescribeClusters][2] operation. To add HSMs to the
|
298
|
+
# cluster, use the [CreateHsm][3] operation.
|
299
|
+
#
|
300
|
+
# The connection process can take an extended amount of time to
|
301
|
+
# complete; up to 20 minutes. This operation starts the connection
|
302
|
+
# process, but it does not wait for it to complete. When it succeeds,
|
303
|
+
# this operation quickly returns an HTTP 200 response and a JSON object
|
304
|
+
# with no properties. However, this response does not indicate that the
|
305
|
+
# custom key store is connected. To get the connection state of the
|
306
|
+
# custom key store, use the DescribeCustomKeyStores operation.
|
307
|
+
#
|
308
|
+
# During the connection process, AWS KMS finds the AWS CloudHSM cluster
|
309
|
+
# that is associated with the custom key store, creates the connection
|
310
|
+
# infrastructure, connects to the cluster, logs into the AWS CloudHSM
|
311
|
+
# client as the [ `kmsuser` crypto user][4] (CU), and rotates its
|
312
|
+
# password.
|
313
|
+
#
|
314
|
+
# The `ConnectCustomKeyStore` operation might fail for various reasons.
|
315
|
+
# To find the reason, use the DescribeCustomKeyStores operation and see
|
316
|
+
# the `ConnectionErrorCode` in the response. For help interpreting the
|
317
|
+
# `ConnectionErrorCode`, see CustomKeyStoresListEntry.
|
318
|
+
#
|
319
|
+
# To fix the failure, use the DisconnectCustomKeyStore operation to
|
320
|
+
# disconnect the custom key store, correct the error, use the
|
321
|
+
# UpdateCustomKeyStore operation if necessary, and then use
|
322
|
+
# `ConnectCustomKeyStore` again.
|
323
|
+
#
|
324
|
+
# If you are having trouble connecting or disconnecting a custom key
|
325
|
+
# store, see [Troubleshooting a Custom Key Store][5] in the *AWS Key
|
326
|
+
# Management Service Developer Guide*.
|
327
|
+
#
|
328
|
+
#
|
329
|
+
#
|
330
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
331
|
+
# [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters
|
332
|
+
# [3]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm
|
333
|
+
# [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
334
|
+
# [5]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
335
|
+
#
|
336
|
+
# @option params [required, String] :custom_key_store_id
|
337
|
+
# Enter the key store ID of the custom key store that you want to
|
338
|
+
# connect. To find the ID of a custom key store, use the
|
339
|
+
# DescribeCustomKeyStores operation.
|
340
|
+
#
|
341
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
342
|
+
#
|
343
|
+
# @example Request syntax with placeholder values
|
344
|
+
#
|
345
|
+
# resp = client.connect_custom_key_store({
|
346
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
347
|
+
# })
|
348
|
+
#
|
349
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore AWS API Documentation
|
350
|
+
#
|
351
|
+
# @overload connect_custom_key_store(params = {})
|
352
|
+
# @param [Hash] params ({})
|
353
|
+
def connect_custom_key_store(params = {}, options = {})
|
354
|
+
req = build_request(:connect_custom_key_store, params)
|
355
|
+
req.send_request(options)
|
356
|
+
end
|
357
|
+
|
358
|
+
# Creates a display name for a customer master key (CMK). You can use an
|
359
|
+
# alias to identify a CMK in selected operations, such as Encrypt and
|
360
|
+
# GenerateDataKey.
|
291
361
|
#
|
292
362
|
# Each CMK can have multiple aliases, but each alias points to only one
|
293
363
|
# CMK. The alias name must be unique in the AWS account and region. To
|
@@ -299,10 +369,11 @@ module Aws::KMS
|
|
299
369
|
# appear in the response from the DescribeKey operation. To get the
|
300
370
|
# aliases of all CMKs, use the ListAliases operation.
|
301
371
|
#
|
302
|
-
#
|
303
|
-
#
|
304
|
-
#
|
305
|
-
#
|
372
|
+
# An alias must start with the word `alias` followed by a forward slash
|
373
|
+
# (`alias/`). The alias name can contain only alphanumeric characters,
|
374
|
+
# forward slashes (/), underscores (\_), and dashes (-). Alias names
|
375
|
+
# cannot begin with `aws`; that alias name prefix is reserved by Amazon
|
376
|
+
# Web Services (AWS).
|
306
377
|
#
|
307
378
|
# The alias and the CMK it is mapped to must be in the same AWS account
|
308
379
|
# and the same region. You cannot perform this operation on an alias in
|
@@ -319,10 +390,9 @@ module Aws::KMS
|
|
319
390
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
320
391
|
#
|
321
392
|
# @option params [required, String] :alias_name
|
322
|
-
#
|
323
|
-
#
|
324
|
-
# begin with
|
325
|
-
# CMKs.
|
393
|
+
# String that contains the display name. The name must start with the
|
394
|
+
# word "alias" followed by a forward slash (alias/). Aliases that
|
395
|
+
# begin with "alias/AWS" are reserved.
|
326
396
|
#
|
327
397
|
# @option params [required, String] :target_key_id
|
328
398
|
# Identifies the CMK for which you are creating the alias. This value
|
@@ -367,6 +437,147 @@ module Aws::KMS
|
|
367
437
|
req.send_request(options)
|
368
438
|
end
|
369
439
|
|
440
|
+
# Creates a [custom key store][1] that is associated with an [AWS
|
441
|
+
# CloudHSM cluster][2] that you own and manage.
|
442
|
+
#
|
443
|
+
# This operation is part of the [Custom Key Store feature][3] feature in
|
444
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
445
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
446
|
+
#
|
447
|
+
# When the operation completes successfully, it returns the ID of the
|
448
|
+
# new custom key store. Before you can use your new custom key store,
|
449
|
+
# you need to use the ConnectCustomKeyStore operation to connect the new
|
450
|
+
# key store to its AWS CloudHSM cluster.
|
451
|
+
#
|
452
|
+
# The `CreateCustomKeyStore` operation requires the following elements.
|
453
|
+
#
|
454
|
+
# * You must specify an active AWS CloudHSM cluster in the same account
|
455
|
+
# and AWS Region as the custom key store. You can use an existing
|
456
|
+
# cluster or [create and activate a new AWS CloudHSM cluster][4] for
|
457
|
+
# the key store. AWS KMS does not require exclusive use of the
|
458
|
+
# cluster.
|
459
|
+
#
|
460
|
+
# * You must include the content of the *trust anchor certificate* for
|
461
|
+
# the cluster. You created this certificate, and saved it in the
|
462
|
+
# `customerCA.crt` file, when you [initialized the cluster][5].
|
463
|
+
#
|
464
|
+
# * You must provide the password of the dedicated [ `kmsuser` crypto
|
465
|
+
# user][6] (CU) account in the cluster.
|
466
|
+
#
|
467
|
+
# Before you create the custom key store, use the [createUser][7]
|
468
|
+
# command in `cloudhsm_mgmt_util` to create [a crypto user (CU) named
|
469
|
+
# `kmsuser` ][6]in specified AWS CloudHSM cluster. AWS KMS uses the
|
470
|
+
# `kmsuser` CU account to create and manage key material on your
|
471
|
+
# behalf. For instructions, see [Create the kmsuser Crypto User][8] in
|
472
|
+
# the *AWS Key Management Service Developer Guide*.
|
473
|
+
#
|
474
|
+
# The AWS CloudHSM cluster that you specify must meet the following
|
475
|
+
# requirements.
|
476
|
+
#
|
477
|
+
# * The cluster must be active and be in the same AWS account and Region
|
478
|
+
# as the custom key store.
|
479
|
+
#
|
480
|
+
# * Each custom key store must be associated with a different AWS
|
481
|
+
# CloudHSM cluster. The cluster cannot be associated with another
|
482
|
+
# custom key store or have the same cluster certificate as a cluster
|
483
|
+
# that is associated with another custom key store. To view the
|
484
|
+
# cluster certificate, use the AWS CloudHSM [DescribeClusters][9]
|
485
|
+
# operation. Clusters that share a backup history have the same
|
486
|
+
# cluster certificate.
|
487
|
+
#
|
488
|
+
# * The cluster must be configured with subnets in at least two
|
489
|
+
# different Availability Zones in the Region. Because AWS CloudHSM is
|
490
|
+
# not supported in all Availability Zones, we recommend that the
|
491
|
+
# cluster have subnets in all Availability Zones in the Region.
|
492
|
+
#
|
493
|
+
# * The cluster must contain at least two active HSMs, each in a
|
494
|
+
# different Availability Zone.
|
495
|
+
#
|
496
|
+
# New custom key stores are not automatically connected. After you
|
497
|
+
# create your custom key store, use the ConnectCustomKeyStore operation
|
498
|
+
# to connect the custom key store to its associated AWS CloudHSM
|
499
|
+
# cluster. Even if you are not going to use your custom key store
|
500
|
+
# immediately, you might want to connect it to verify that all settings
|
501
|
+
# are correct and then disconnect it until you are ready to use it.
|
502
|
+
#
|
503
|
+
# If this operation succeeds, it returns the ID of the new custom key
|
504
|
+
# store. For help with failures, see [Troubleshoot a Custom Key
|
505
|
+
# Store][10] in the *AWS KMS Developer Guide*.
|
506
|
+
#
|
507
|
+
#
|
508
|
+
#
|
509
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
510
|
+
# [2]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
|
511
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
512
|
+
# [4]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html
|
513
|
+
# [5]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
|
514
|
+
# [6]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
515
|
+
# [7]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-createUser.html
|
516
|
+
# [8]: http://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
517
|
+
# [9]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
518
|
+
# [10]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
519
|
+
#
|
520
|
+
# @option params [required, String] :custom_key_store_name
|
521
|
+
# Specifies a friendly name for the custom key store. The name must be
|
522
|
+
# unique in your AWS account.
|
523
|
+
#
|
524
|
+
# @option params [required, String] :cloud_hsm_cluster_id
|
525
|
+
# Identifies the AWS CloudHSM cluster for the custom key store. Enter
|
526
|
+
# the cluster ID of any active AWS CloudHSM cluster that is not already
|
527
|
+
# associated with a custom key store. To find the cluster ID, use the
|
528
|
+
# [DescribeClusters][1] operation.
|
529
|
+
#
|
530
|
+
#
|
531
|
+
#
|
532
|
+
# [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
533
|
+
#
|
534
|
+
# @option params [required, String] :trust_anchor_certificate
|
535
|
+
# Enter the content of the trust anchor certificate for the cluster.
|
536
|
+
# This is the content of the `customerCA.crt` file that you created when
|
537
|
+
# you [initialized the cluster][1].
|
538
|
+
#
|
539
|
+
#
|
540
|
+
#
|
541
|
+
# [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
|
542
|
+
#
|
543
|
+
# @option params [required, String] :key_store_password
|
544
|
+
# Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
|
545
|
+
# the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as
|
546
|
+
# this user to manage key material on your behalf.
|
547
|
+
#
|
548
|
+
# This parameter tells AWS KMS the `kmsuser` account password; it does
|
549
|
+
# not change the password in the AWS CloudHSM cluster.
|
550
|
+
#
|
551
|
+
#
|
552
|
+
#
|
553
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
554
|
+
#
|
555
|
+
# @return [Types::CreateCustomKeyStoreResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
556
|
+
#
|
557
|
+
# * {Types::CreateCustomKeyStoreResponse#custom_key_store_id #custom_key_store_id} => String
|
558
|
+
#
|
559
|
+
# @example Request syntax with placeholder values
|
560
|
+
#
|
561
|
+
# resp = client.create_custom_key_store({
|
562
|
+
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
563
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
|
564
|
+
# trust_anchor_certificate: "TrustAnchorCertificateType", # required
|
565
|
+
# key_store_password: "KeyStorePasswordType", # required
|
566
|
+
# })
|
567
|
+
#
|
568
|
+
# @example Response structure
|
569
|
+
#
|
570
|
+
# resp.custom_key_store_id #=> String
|
571
|
+
#
|
572
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore AWS API Documentation
|
573
|
+
#
|
574
|
+
# @overload create_custom_key_store(params = {})
|
575
|
+
# @param [Hash] params ({})
|
576
|
+
def create_custom_key_store(params = {}, options = {})
|
577
|
+
req = build_request(:create_custom_key_store, params)
|
578
|
+
req.send_request(options)
|
579
|
+
end
|
580
|
+
|
370
581
|
# Adds a grant to a customer master key (CMK). The grant specifies who
|
371
582
|
# can use the CMK and under what conditions. When setting permissions,
|
372
583
|
# grants are an alternative to key policies.
|
@@ -458,8 +669,7 @@ module Aws::KMS
|
|
458
669
|
#
|
459
670
|
# @option params [String] :name
|
460
671
|
# A friendly name for identifying the grant. Use this value to prevent
|
461
|
-
#
|
462
|
-
# request.
|
672
|
+
# unintended creation of duplicate grants when retrying this request.
|
463
673
|
#
|
464
674
|
# When this value is absent, all `CreateGrant` requests result in a new
|
465
675
|
# grant with a unique `GrantId` even if all the supplied parameters are
|
@@ -535,22 +745,33 @@ module Aws::KMS
|
|
535
745
|
# Creates a customer master key (CMK) in the caller's AWS account.
|
536
746
|
#
|
537
747
|
# You can use a CMK to encrypt small amounts of data (4 KiB or less)
|
538
|
-
# directly
|
539
|
-
#
|
540
|
-
#
|
541
|
-
# following:
|
748
|
+
# directly, but CMKs are more commonly used to encrypt data keys, which
|
749
|
+
# are used to encrypt raw data. For more information about data keys and
|
750
|
+
# the difference between CMKs and data keys, see the following:
|
542
751
|
#
|
543
752
|
# * The GenerateDataKey operation
|
544
753
|
#
|
545
754
|
# * [AWS Key Management Service Concepts][1] in the *AWS Key Management
|
546
755
|
# Service Developer Guide*
|
547
756
|
#
|
757
|
+
# If you plan to [import key material][2], use the `Origin` parameter
|
758
|
+
# with a value of `EXTERNAL` to create a CMK with no key material.
|
759
|
+
#
|
760
|
+
# To create a CMK in a [custom key store][3], use `CustomKeyStoreId`
|
761
|
+
# parameter to specify the custom key store. You must also use the
|
762
|
+
# `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
|
763
|
+
# cluster that is associated with the custom key store must have at
|
764
|
+
# least two active HSMs, each in a different Availability Zone in the
|
765
|
+
# Region.
|
766
|
+
#
|
548
767
|
# You cannot use this operation to create a CMK in a different AWS
|
549
768
|
# account.
|
550
769
|
#
|
551
770
|
#
|
552
771
|
#
|
553
772
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
|
773
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
774
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
554
775
|
#
|
555
776
|
# @option params [String] :policy
|
556
777
|
# The key policy to attach to the CMK.
|
@@ -568,11 +789,10 @@ module Aws::KMS
|
|
568
789
|
# principals. The principals in the key policy must exist and be
|
569
790
|
# visible to AWS KMS. When you create a new AWS principal (for
|
570
791
|
# example, an IAM user or role), you might need to enforce a delay
|
571
|
-
# before including the new principal in a key policy
|
572
|
-
#
|
573
|
-
#
|
574
|
-
#
|
575
|
-
# Management User Guide*.
|
792
|
+
# before including the new principal in a key policy because the new
|
793
|
+
# principal might not be immediately visible to AWS KMS. For more
|
794
|
+
# information, see [Changes that I make are not always immediately
|
795
|
+
# visible][2] in the *AWS Identity and Access Management User Guide*.
|
576
796
|
#
|
577
797
|
# If you do not provide a key policy, AWS KMS attaches a default key
|
578
798
|
# policy to the CMK. For more information, see [Default Key Policy][3]
|
@@ -598,20 +818,50 @@ module Aws::KMS
|
|
598
818
|
# You can use CMKs only for symmetric encryption and decryption.
|
599
819
|
#
|
600
820
|
# @option params [String] :origin
|
601
|
-
# The source of the CMK's key material.
|
821
|
+
# The source of the CMK's key material. You cannot change the origin
|
822
|
+
# after you create the CMK.
|
823
|
+
#
|
824
|
+
# The default is `AWS_KMS`, which means AWS KMS creates the key material
|
825
|
+
# in its own key store.
|
602
826
|
#
|
603
|
-
#
|
604
|
-
# material
|
605
|
-
#
|
606
|
-
#
|
607
|
-
#
|
608
|
-
# Material][1] in the *AWS Key Management Service Developer Guide*.
|
827
|
+
# When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
|
828
|
+
# key material so that you can import key material from your existing
|
829
|
+
# key management infrastructure. For more information about importing
|
830
|
+
# key material into AWS KMS, see [Importing Key Material][1] in the *AWS
|
831
|
+
# Key Management Service Developer Guide*.
|
609
832
|
#
|
610
|
-
#
|
833
|
+
# When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
|
834
|
+
# a AWS KMS [custom key store][2] and creates its key material in the
|
835
|
+
# associated AWS CloudHSM cluster. You must also use the
|
836
|
+
# `CustomKeyStoreId` parameter to identify the custom key store.
|
611
837
|
#
|
612
838
|
#
|
613
839
|
#
|
614
840
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
841
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
842
|
+
#
|
843
|
+
# @option params [String] :custom_key_store_id
|
844
|
+
# Creates the CMK in the specified [custom key store][1] and the key
|
845
|
+
# material in its associated AWS CloudHSM cluster. To create a CMK in a
|
846
|
+
# custom key store, you must also specify the `Origin` parameter with a
|
847
|
+
# value of `AWS_CLOUDHSM`. The AWS CloudHSM cluster that is associated
|
848
|
+
# with the custom key store must have at least two active HSMs, each in
|
849
|
+
# a different Availability Zone in the Region.
|
850
|
+
#
|
851
|
+
# To find the ID of a custom key store, use the DescribeCustomKeyStores
|
852
|
+
# operation.
|
853
|
+
#
|
854
|
+
# The response includes the custom key store ID and the ID of the AWS
|
855
|
+
# CloudHSM cluster.
|
856
|
+
#
|
857
|
+
# This operation is part of the [Custom Key Store feature][2] feature in
|
858
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
859
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
860
|
+
#
|
861
|
+
#
|
862
|
+
#
|
863
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
864
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
615
865
|
#
|
616
866
|
# @option params [Boolean] :bypass_policy_lockout_safety_check
|
617
867
|
# A flag to indicate whether to bypass the key policy lockout safety
|
@@ -683,7 +933,8 @@ module Aws::KMS
|
|
683
933
|
# policy: "PolicyType",
|
684
934
|
# description: "DescriptionType",
|
685
935
|
# key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
|
686
|
-
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
|
936
|
+
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
937
|
+
# custom_key_store_id: "CustomKeyStoreIdType",
|
687
938
|
# bypass_policy_lockout_safety_check: false,
|
688
939
|
# tags: [
|
689
940
|
# {
|
@@ -702,10 +953,12 @@ module Aws::KMS
|
|
702
953
|
# resp.key_metadata.enabled #=> Boolean
|
703
954
|
# resp.key_metadata.description #=> String
|
704
955
|
# resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
|
705
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
|
956
|
+
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
706
957
|
# resp.key_metadata.deletion_date #=> Time
|
707
958
|
# resp.key_metadata.valid_to #=> Time
|
708
|
-
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
|
959
|
+
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
960
|
+
# resp.key_metadata.custom_key_store_id #=> String
|
961
|
+
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
709
962
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
710
963
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
711
964
|
#
|
@@ -727,14 +980,15 @@ module Aws::KMS
|
|
727
980
|
#
|
728
981
|
# * Encrypt
|
729
982
|
#
|
730
|
-
#
|
731
|
-
#
|
732
|
-
#
|
733
|
-
#
|
734
|
-
#
|
735
|
-
#
|
736
|
-
#
|
737
|
-
#
|
983
|
+
# Note that if a caller has been granted access permissions to all keys
|
984
|
+
# (through, for example, IAM user policies that grant `Decrypt`
|
985
|
+
# permission on all resources), then ciphertext encrypted by using keys
|
986
|
+
# in other accounts where the key grants access to the caller can be
|
987
|
+
# decrypted. To remedy this, we recommend that you do not grant
|
988
|
+
# `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
|
989
|
+
# only in key policies. If you must grant `Decrypt` access in an IAM
|
990
|
+
# user policy, you should scope the resource to specific keys or to
|
991
|
+
# specific trusted accounts.
|
738
992
|
#
|
739
993
|
# The result of this operation varies with the key state of the CMK. For
|
740
994
|
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
@@ -854,6 +1108,66 @@ module Aws::KMS
|
|
854
1108
|
req.send_request(options)
|
855
1109
|
end
|
856
1110
|
|
1111
|
+
# Deletes a [custom key store][1]. This operation does not delete the
|
1112
|
+
# AWS CloudHSM cluster that is associated with the custom key store, or
|
1113
|
+
# affect any users or keys in the cluster.
|
1114
|
+
#
|
1115
|
+
# The custom key store that you delete cannot contain any AWS KMS
|
1116
|
+
# [customer master keys (CMKs)][2]. Before deleting the key store,
|
1117
|
+
# verify that you will never need to use any of the CMKs in the key
|
1118
|
+
# store for any cryptographic operations. Then, use ScheduleKeyDeletion
|
1119
|
+
# to delete the AWS KMS customer master keys (CMKs) from the key store.
|
1120
|
+
# When the scheduled waiting period expires, the `ScheduleKeyDeletion`
|
1121
|
+
# operation deletes the CMKs. Then it makes a best effort to delete the
|
1122
|
+
# key material from the associated cluster. However, you might need to
|
1123
|
+
# manually [delete the orphaned key material][3] from the cluster and
|
1124
|
+
# its backups.
|
1125
|
+
#
|
1126
|
+
# After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
|
1127
|
+
# to disconnect the key store from AWS KMS. Then, you can delete the
|
1128
|
+
# custom key store.
|
1129
|
+
#
|
1130
|
+
# Instead of deleting the custom key store, consider using
|
1131
|
+
# DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key
|
1132
|
+
# store is disconnected, you cannot create or use the CMKs in the key
|
1133
|
+
# store. But, you do not need to delete CMKs and you can reconnect a
|
1134
|
+
# disconnected custom key store at any time.
|
1135
|
+
#
|
1136
|
+
# If the operation succeeds, it returns a JSON object with no
|
1137
|
+
# properties.
|
1138
|
+
#
|
1139
|
+
# This operation is part of the [Custom Key Store feature][4] feature in
|
1140
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
1141
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
1142
|
+
#
|
1143
|
+
#
|
1144
|
+
#
|
1145
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1146
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1147
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1148
|
+
# [4]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1149
|
+
#
|
1150
|
+
# @option params [required, String] :custom_key_store_id
|
1151
|
+
# Enter the ID of the custom key store you want to delete. To find the
|
1152
|
+
# ID of a custom key store, use the DescribeCustomKeyStores operation.
|
1153
|
+
#
|
1154
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1155
|
+
#
|
1156
|
+
# @example Request syntax with placeholder values
|
1157
|
+
#
|
1158
|
+
# resp = client.delete_custom_key_store({
|
1159
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
1160
|
+
# })
|
1161
|
+
#
|
1162
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore AWS API Documentation
|
1163
|
+
#
|
1164
|
+
# @overload delete_custom_key_store(params = {})
|
1165
|
+
# @param [Hash] params ({})
|
1166
|
+
def delete_custom_key_store(params = {}, options = {})
|
1167
|
+
req = build_request(:delete_custom_key_store, params)
|
1168
|
+
req.send_request(options)
|
1169
|
+
end
|
1170
|
+
|
857
1171
|
# Deletes key material that you previously imported. This operation
|
858
1172
|
# makes the specified customer master key (CMK) unusable. For more
|
859
1173
|
# information about importing key material into AWS KMS, see [Importing
|
@@ -917,13 +1231,113 @@ module Aws::KMS
|
|
917
1231
|
req.send_request(options)
|
918
1232
|
end
|
919
1233
|
|
1234
|
+
# Gets information about [custom key stores][1] in the account and
|
1235
|
+
# region.
|
1236
|
+
#
|
1237
|
+
# This operation is part of the [Custom Key Store feature][2] feature in
|
1238
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
1239
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
1240
|
+
#
|
1241
|
+
# By default, this operation returns information about all custom key
|
1242
|
+
# stores in the account and region. To get only information about a
|
1243
|
+
# particular custom key store, use either the `CustomKeyStoreName` or
|
1244
|
+
# `CustomKeyStoreId` parameter (but not both).
|
1245
|
+
#
|
1246
|
+
# To determine whether the custom key store is connected to its AWS
|
1247
|
+
# CloudHSM cluster, use the `ConnectionState` element in the response.
|
1248
|
+
# If an attempt to connect the custom key store failed, the
|
1249
|
+
# `ConnectionState` value is `FAILED` and the `ConnectionErrorCode`
|
1250
|
+
# element in the response indicates the cause of the failure. For help
|
1251
|
+
# interpreting the `ConnectionErrorCode`, see CustomKeyStoresListEntry.
|
1252
|
+
#
|
1253
|
+
# Custom key stores have a `DISCONNECTED` connection state if the key
|
1254
|
+
# store has never been connected or you use the DisconnectCustomKeyStore
|
1255
|
+
# operation to disconnect it. If your custom key store state is
|
1256
|
+
# `CONNECTED` but you are having trouble using it, make sure that its
|
1257
|
+
# associated AWS CloudHSM cluster is active and contains the minimum
|
1258
|
+
# number of HSMs required for the operation, if any.
|
1259
|
+
#
|
1260
|
+
# For help repairing your custom key store, see the [Troubleshooting
|
1261
|
+
# Custom Key Stores][3] topic in the *AWS Key Management Service
|
1262
|
+
# Developer Guide*.
|
1263
|
+
#
|
1264
|
+
#
|
1265
|
+
#
|
1266
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1267
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1268
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html
|
1269
|
+
#
|
1270
|
+
# @option params [String] :custom_key_store_id
|
1271
|
+
# Gets only information about the specified custom key store. Enter the
|
1272
|
+
# key store ID.
|
1273
|
+
#
|
1274
|
+
# By default, this operation gets information about all custom key
|
1275
|
+
# stores in the account and region. To limit the output to a particular
|
1276
|
+
# custom key store, you can use either the `CustomKeyStoreId` or
|
1277
|
+
# `CustomKeyStoreName` parameter, but not both.
|
1278
|
+
#
|
1279
|
+
# @option params [String] :custom_key_store_name
|
1280
|
+
# Gets only information about the specified custom key store. Enter the
|
1281
|
+
# friendly name of the custom key store.
|
1282
|
+
#
|
1283
|
+
# By default, this operation gets information about all custom key
|
1284
|
+
# stores in the account and region. To limit the output to a particular
|
1285
|
+
# custom key store, you can use either the `CustomKeyStoreId` or
|
1286
|
+
# `CustomKeyStoreName` parameter, but not both.
|
1287
|
+
#
|
1288
|
+
# @option params [Integer] :limit
|
1289
|
+
# Use this parameter to specify the maximum number of items to return.
|
1290
|
+
# When this value is present, AWS KMS does not return more than the
|
1291
|
+
# specified number of items, but it might return fewer.
|
1292
|
+
#
|
1293
|
+
# @option params [String] :marker
|
1294
|
+
# Use this parameter in a subsequent request after you receive a
|
1295
|
+
# response with truncated results. Set it to the value of `NextMarker`
|
1296
|
+
# from the truncated response you just received.
|
1297
|
+
#
|
1298
|
+
# @return [Types::DescribeCustomKeyStoresResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1299
|
+
#
|
1300
|
+
# * {Types::DescribeCustomKeyStoresResponse#custom_key_stores #custom_key_stores} => Array<Types::CustomKeyStoresListEntry>
|
1301
|
+
# * {Types::DescribeCustomKeyStoresResponse#next_marker #next_marker} => String
|
1302
|
+
# * {Types::DescribeCustomKeyStoresResponse#truncated #truncated} => Boolean
|
1303
|
+
#
|
1304
|
+
# @example Request syntax with placeholder values
|
1305
|
+
#
|
1306
|
+
# resp = client.describe_custom_key_stores({
|
1307
|
+
# custom_key_store_id: "CustomKeyStoreIdType",
|
1308
|
+
# custom_key_store_name: "CustomKeyStoreNameType",
|
1309
|
+
# limit: 1,
|
1310
|
+
# marker: "MarkerType",
|
1311
|
+
# })
|
1312
|
+
#
|
1313
|
+
# @example Response structure
|
1314
|
+
#
|
1315
|
+
# resp.custom_key_stores #=> Array
|
1316
|
+
# resp.custom_key_stores[0].custom_key_store_id #=> String
|
1317
|
+
# resp.custom_key_stores[0].custom_key_store_name #=> String
|
1318
|
+
# resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
|
1319
|
+
# resp.custom_key_stores[0].trust_anchor_certificate #=> String
|
1320
|
+
# resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
|
1321
|
+
# resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
|
1322
|
+
# resp.custom_key_stores[0].creation_date #=> Time
|
1323
|
+
# resp.next_marker #=> String
|
1324
|
+
# resp.truncated #=> Boolean
|
1325
|
+
#
|
1326
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores AWS API Documentation
|
1327
|
+
#
|
1328
|
+
# @overload describe_custom_key_stores(params = {})
|
1329
|
+
# @param [Hash] params ({})
|
1330
|
+
def describe_custom_key_stores(params = {}, options = {})
|
1331
|
+
req = build_request(:describe_custom_key_stores, params)
|
1332
|
+
req.send_request(options)
|
1333
|
+
end
|
1334
|
+
|
920
1335
|
# Provides detailed information about the specified customer master key
|
921
1336
|
# (CMK).
|
922
1337
|
#
|
923
|
-
#
|
924
|
-
# alias with no key ID
|
925
|
-
#
|
926
|
-
# response.
|
1338
|
+
# If you use `DescribeKey` on a predefined AWS alias, that is, an AWS
|
1339
|
+
# alias with no key ID, AWS KMS associates the alias with an [AWS
|
1340
|
+
# managed CMK][1] and returns its `KeyId` and `Arn` in the response.
|
927
1341
|
#
|
928
1342
|
# To perform this operation on a CMK in a different AWS account, specify
|
929
1343
|
# the key ARN or alias ARN in the value of the KeyId parameter.
|
@@ -941,7 +1355,7 @@ module Aws::KMS
|
|
941
1355
|
#
|
942
1356
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
943
1357
|
# name, or alias ARN. When using an alias name, prefix it with
|
944
|
-
#
|
1358
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
945
1359
|
# the key ARN or alias ARN.
|
946
1360
|
#
|
947
1361
|
# For example:
|
@@ -1017,10 +1431,12 @@ module Aws::KMS
|
|
1017
1431
|
# resp.key_metadata.enabled #=> Boolean
|
1018
1432
|
# resp.key_metadata.description #=> String
|
1019
1433
|
# resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
|
1020
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
|
1434
|
+
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
1021
1435
|
# resp.key_metadata.deletion_date #=> Time
|
1022
1436
|
# resp.key_metadata.valid_to #=> Time
|
1023
|
-
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
|
1437
|
+
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
1438
|
+
# resp.key_metadata.custom_key_store_id #=> String
|
1439
|
+
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
1024
1440
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
1025
1441
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
1026
1442
|
#
|
@@ -1142,9 +1558,62 @@ module Aws::KMS
|
|
1142
1558
|
req.send_request(options)
|
1143
1559
|
end
|
1144
1560
|
|
1145
|
-
#
|
1146
|
-
#
|
1147
|
-
#
|
1561
|
+
# Disconnects the [custom key store][1] from its associated AWS CloudHSM
|
1562
|
+
# cluster. While a custom key store is disconnected, you can manage the
|
1563
|
+
# custom key store and its customer master keys (CMKs), but you cannot
|
1564
|
+
# create or use CMKs in the custom key store. You can reconnect the
|
1565
|
+
# custom key store at any time.
|
1566
|
+
#
|
1567
|
+
# <note markdown="1"> While a custom key store is disconnected, all attempts to create
|
1568
|
+
# customer master keys (CMKs) in the custom key store or to use existing
|
1569
|
+
# CMKs in cryptographic operations will fail. This action can prevent
|
1570
|
+
# users from storing and accessing sensitive data.
|
1571
|
+
#
|
1572
|
+
# </note>
|
1573
|
+
#
|
1574
|
+
#
|
1575
|
+
#
|
1576
|
+
# To find the connection state of a custom key store, use the
|
1577
|
+
# DescribeCustomKeyStores operation. To reconnect a custom key store,
|
1578
|
+
# use the ConnectCustomKeyStore operation.
|
1579
|
+
#
|
1580
|
+
# If the operation succeeds, it returns a JSON object with no
|
1581
|
+
# properties.
|
1582
|
+
#
|
1583
|
+
# This operation is part of the [Custom Key Store feature][2] feature in
|
1584
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
1585
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
1586
|
+
#
|
1587
|
+
#
|
1588
|
+
#
|
1589
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1590
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1591
|
+
#
|
1592
|
+
# @option params [required, String] :custom_key_store_id
|
1593
|
+
# Enter the ID of the custom key store you want to disconnect. To find
|
1594
|
+
# the ID of a custom key store, use the DescribeCustomKeyStores
|
1595
|
+
# operation.
|
1596
|
+
#
|
1597
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1598
|
+
#
|
1599
|
+
# @example Request syntax with placeholder values
|
1600
|
+
#
|
1601
|
+
# resp = client.disconnect_custom_key_store({
|
1602
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
1603
|
+
# })
|
1604
|
+
#
|
1605
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore AWS API Documentation
|
1606
|
+
#
|
1607
|
+
# @overload disconnect_custom_key_store(params = {})
|
1608
|
+
# @param [Hash] params ({})
|
1609
|
+
def disconnect_custom_key_store(params = {}, options = {})
|
1610
|
+
req = build_request(:disconnect_custom_key_store, params)
|
1611
|
+
req.send_request(options)
|
1612
|
+
end
|
1613
|
+
|
1614
|
+
# Sets the key state of a customer master key (CMK) to enabled. This
|
1615
|
+
# allows you to use the CMK for cryptographic operations. You cannot
|
1616
|
+
# perform this operation on a CMK in a different AWS account.
|
1148
1617
|
#
|
1149
1618
|
# The result of this operation varies with the key state of the CMK. For
|
1150
1619
|
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
@@ -1198,14 +1667,18 @@ module Aws::KMS
|
|
1198
1667
|
# customer master key (CMK). You cannot perform this operation on a CMK
|
1199
1668
|
# in a different AWS account.
|
1200
1669
|
#
|
1670
|
+
# You cannot enable automatic rotation of CMKs with imported key
|
1671
|
+
# material or CMKs in a [custom key store][2].
|
1672
|
+
#
|
1201
1673
|
# The result of this operation varies with the key state of the CMK. For
|
1202
|
-
# details, see [How Key State Affects Use of a Customer Master Key][
|
1674
|
+
# details, see [How Key State Affects Use of a Customer Master Key][3]
|
1203
1675
|
# in the *AWS Key Management Service Developer Guide*.
|
1204
1676
|
#
|
1205
1677
|
#
|
1206
1678
|
#
|
1207
1679
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
1208
|
-
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-
|
1680
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1681
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1209
1682
|
#
|
1210
1683
|
# @option params [required, String] :key_id
|
1211
1684
|
# A unique identifier for the customer master key (CMK).
|
@@ -1254,28 +1727,30 @@ module Aws::KMS
|
|
1254
1727
|
# such as an RSA key, a database password, or other sensitive
|
1255
1728
|
# information.
|
1256
1729
|
#
|
1257
|
-
# *
|
1258
|
-
#
|
1259
|
-
#
|
1260
|
-
#
|
1261
|
-
#
|
1262
|
-
#
|
1730
|
+
# * To move encrypted data from one AWS region to another, you can use
|
1731
|
+
# this operation to encrypt in the new region the plaintext data key
|
1732
|
+
# that was used to encrypt the data in the original region. This
|
1733
|
+
# provides you with an encrypted copy of the data key that can be
|
1734
|
+
# decrypted in the new region and used there to decrypt the encrypted
|
1735
|
+
# data.
|
1736
|
+
#
|
1737
|
+
# To perform this operation on a CMK in a different AWS account, specify
|
1738
|
+
# the key ARN or alias ARN in the value of the KeyId parameter.
|
1263
1739
|
#
|
1264
|
-
#
|
1265
|
-
#
|
1266
|
-
#
|
1740
|
+
# Unless you are moving encrypted data from one region to another, you
|
1741
|
+
# don't use this operation to encrypt a generated data key within a
|
1742
|
+
# region. To get data keys that are already encrypted, call the
|
1743
|
+
# GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. Data
|
1744
|
+
# keys don't need to be encrypted again by calling `Encrypt`.
|
1267
1745
|
#
|
1268
|
-
#
|
1269
|
-
#
|
1270
|
-
# the
|
1746
|
+
# To encrypt data locally in your application, use the GenerateDataKey
|
1747
|
+
# operation to return a plaintext data encryption key and a copy of the
|
1748
|
+
# key encrypted under the CMK of your choosing.
|
1271
1749
|
#
|
1272
1750
|
# The result of this operation varies with the key state of the CMK. For
|
1273
1751
|
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
1274
1752
|
# in the *AWS Key Management Service Developer Guide*.
|
1275
1753
|
#
|
1276
|
-
# To perform this operation on a CMK in a different AWS account, specify
|
1277
|
-
# the key ARN or alias ARN in the value of the KeyId parameter.
|
1278
|
-
#
|
1279
1754
|
#
|
1280
1755
|
#
|
1281
1756
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
@@ -1285,7 +1760,7 @@ module Aws::KMS
|
|
1285
1760
|
#
|
1286
1761
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1287
1762
|
# name, or alias ARN. When using an alias name, prefix it with
|
1288
|
-
#
|
1763
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
1289
1764
|
# the key ARN or alias ARN.
|
1290
1765
|
#
|
1291
1766
|
# For example:
|
@@ -1435,7 +1910,7 @@ module Aws::KMS
|
|
1435
1910
|
#
|
1436
1911
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1437
1912
|
# name, or alias ARN. When using an alias name, prefix it with
|
1438
|
-
#
|
1913
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
1439
1914
|
# the key ARN or alias ARN.
|
1440
1915
|
#
|
1441
1916
|
# For example:
|
@@ -1552,8 +2027,8 @@ module Aws::KMS
|
|
1552
2027
|
# then stores it in the container. Later, a different component of the
|
1553
2028
|
# system, called the *data plane*, puts encrypted data into the
|
1554
2029
|
# containers. To do this, it passes the encrypted data key to the
|
1555
|
-
# Decrypt operation
|
1556
|
-
# encrypt data and finally stores the encrypted data in the container.
|
2030
|
+
# Decrypt operation, then uses the returned plaintext data key to
|
2031
|
+
# encrypt data, and finally stores the encrypted data in the container.
|
1557
2032
|
# In this system, the control plane never sees the plaintext data key.
|
1558
2033
|
#
|
1559
2034
|
# The result of this operation varies with the key state of the CMK. For
|
@@ -1570,7 +2045,7 @@ module Aws::KMS
|
|
1570
2045
|
#
|
1571
2046
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1572
2047
|
# name, or alias ARN. When using an alias name, prefix it with
|
1573
|
-
#
|
2048
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
1574
2049
|
# the key ARN or alias ARN.
|
1575
2050
|
#
|
1576
2051
|
# For example:
|
@@ -1669,16 +2144,31 @@ module Aws::KMS
|
|
1669
2144
|
|
1670
2145
|
# Returns a random byte string that is cryptographically secure.
|
1671
2146
|
#
|
2147
|
+
# By default, the random byte string is generated in AWS KMS. To
|
2148
|
+
# generate the byte string in the AWS CloudHSM cluster that is
|
2149
|
+
# associated with a [custom key store][1], specify the custom key store
|
2150
|
+
# ID.
|
2151
|
+
#
|
1672
2152
|
# For more information about entropy and random number generation, see
|
1673
|
-
# the [AWS Key Management Service Cryptographic Details][
|
2153
|
+
# the [AWS Key Management Service Cryptographic Details][2] whitepaper.
|
1674
2154
|
#
|
1675
2155
|
#
|
1676
2156
|
#
|
1677
|
-
# [1]:
|
2157
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
2158
|
+
# [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
|
1678
2159
|
#
|
1679
2160
|
# @option params [Integer] :number_of_bytes
|
1680
2161
|
# The length of the byte string.
|
1681
2162
|
#
|
2163
|
+
# @option params [String] :custom_key_store_id
|
2164
|
+
# Generates the random byte string in the AWS CloudHSM cluster that is
|
2165
|
+
# associated with the specified [custom key store][1]. To find the ID of
|
2166
|
+
# a custom key store, use the DescribeCustomKeyStores operation.
|
2167
|
+
#
|
2168
|
+
#
|
2169
|
+
#
|
2170
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
2171
|
+
#
|
1682
2172
|
# @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1683
2173
|
#
|
1684
2174
|
# * {Types::GenerateRandomResponse#plaintext #plaintext} => String
|
@@ -1701,6 +2191,7 @@ module Aws::KMS
|
|
1701
2191
|
#
|
1702
2192
|
# resp = client.generate_random({
|
1703
2193
|
# number_of_bytes: 1,
|
2194
|
+
# custom_key_store_id: "CustomKeyStoreIdType",
|
1704
2195
|
# })
|
1705
2196
|
#
|
1706
2197
|
# @example Response structure
|
@@ -1898,9 +2389,10 @@ module Aws::KMS
|
|
1898
2389
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
1899
2390
|
#
|
1900
2391
|
# @option params [required, String] :wrapping_algorithm
|
1901
|
-
# The algorithm you use to encrypt the key material before
|
1902
|
-
# with ImportKeyMaterial. For more information, see
|
1903
|
-
# Material][1] in the *AWS Key Management Service
|
2392
|
+
# The algorithm you will use to encrypt the key material before
|
2393
|
+
# importing it with ImportKeyMaterial. For more information, see
|
2394
|
+
# [Encrypt the Key Material][1] in the *AWS Key Management Service
|
2395
|
+
# Developer Guide*.
|
1904
2396
|
#
|
1905
2397
|
#
|
1906
2398
|
#
|
@@ -1995,8 +2487,8 @@ module Aws::KMS
|
|
1995
2487
|
# unusable. To use the CMK again, you must reimport the same key
|
1996
2488
|
# material.
|
1997
2489
|
#
|
1998
|
-
# When this operation is successful, the
|
1999
|
-
# `PendingImport` to `Enabled`, and you can use the CMK. After you
|
2490
|
+
# When this operation is successful, the key state of the CMK changes
|
2491
|
+
# from `PendingImport` to `Enabled`, and you can use the CMK. After you
|
2000
2492
|
# successfully import key material into a CMK, you can reimport the same
|
2001
2493
|
# key material into that CMK, but you cannot import different key
|
2002
2494
|
# material.
|
@@ -2082,25 +2574,19 @@ module Aws::KMS
|
|
2082
2574
|
req.send_request(options)
|
2083
2575
|
end
|
2084
2576
|
|
2085
|
-
# Gets a list of aliases in the caller's AWS account and region.
|
2086
|
-
# cannot list aliases in other accounts. For more information about
|
2577
|
+
# Gets a list of all aliases in the caller's AWS account and region.
|
2578
|
+
# You cannot list aliases in other accounts. For more information about
|
2087
2579
|
# aliases, see CreateAlias.
|
2088
2580
|
#
|
2089
|
-
# By default, the ListAliases command returns all aliases in the
|
2090
|
-
# and region. To get only the aliases that point to a particular
|
2581
|
+
# By default, the `ListAliases` command returns all aliases in the
|
2582
|
+
# account and region. To get only the aliases that point to a particular
|
2091
2583
|
# customer master key (CMK), use the `KeyId` parameter.
|
2092
2584
|
#
|
2093
|
-
# The `ListAliases` response
|
2094
|
-
#
|
2095
|
-
#
|
2096
|
-
#
|
2097
|
-
#
|
2098
|
-
#
|
2099
|
-
# The response might also include aliases that have no `TargetKeyId`
|
2100
|
-
# field. These are predefined aliases that AWS has created but has not
|
2101
|
-
# yet associated with a CMK. Aliases that AWS creates in your account,
|
2102
|
-
# including predefined aliases, do not count against your [AWS KMS
|
2103
|
-
# aliases limit][1].
|
2585
|
+
# The `ListAliases` response might include several aliases have no
|
2586
|
+
# `TargetKeyId` field. These are predefined aliases that AWS has created
|
2587
|
+
# but has not yet associated with a CMK. Aliases that AWS creates in
|
2588
|
+
# your account, including predefined aliases, do not count against your
|
2589
|
+
# [AWS KMS aliases limit][1].
|
2104
2590
|
#
|
2105
2591
|
#
|
2106
2592
|
#
|
@@ -2771,11 +3257,10 @@ module Aws::KMS
|
|
2771
3257
|
# principals. The principals in the key policy must exist and be
|
2772
3258
|
# visible to AWS KMS. When you create a new AWS principal (for
|
2773
3259
|
# example, an IAM user or role), you might need to enforce a delay
|
2774
|
-
# before including the new principal in a key policy
|
2775
|
-
#
|
2776
|
-
#
|
2777
|
-
#
|
2778
|
-
# Management User Guide*.
|
3260
|
+
# before including the new principal in a key policy because the new
|
3261
|
+
# principal might not be immediately visible to AWS KMS. For more
|
3262
|
+
# information, see [Changes that I make are not always immediately
|
3263
|
+
# visible][2] in the *AWS Identity and Access Management User Guide*.
|
2779
3264
|
#
|
2780
3265
|
# The key policy size limit is 32 kilobytes (32768 bytes).
|
2781
3266
|
#
|
@@ -2848,7 +3333,7 @@ module Aws::KMS
|
|
2848
3333
|
# destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
|
2849
3334
|
# permission in your [key policies][1] to permit reencryption from or to
|
2850
3335
|
# the CMK. This permission is automatically included in the key policy
|
2851
|
-
# when you create a CMK through the console
|
3336
|
+
# when you create a CMK through the console, but you must include it
|
2852
3337
|
# manually when you create a CMK programmatically or when you set a key
|
2853
3338
|
# policy with the PutKeyPolicy operation.
|
2854
3339
|
#
|
@@ -2873,7 +3358,7 @@ module Aws::KMS
|
|
2873
3358
|
#
|
2874
3359
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2875
3360
|
# name, or alias ARN. When using an alias name, prefix it with
|
2876
|
-
#
|
3361
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
2877
3362
|
# the key ARN or alias ARN.
|
2878
3363
|
#
|
2879
3364
|
# For example:
|
@@ -3077,31 +3562,40 @@ module Aws::KMS
|
|
3077
3562
|
# Schedules the deletion of a customer master key (CMK). You may provide
|
3078
3563
|
# a waiting period, specified in days, before deletion occurs. If you do
|
3079
3564
|
# not provide a waiting period, the default period of 30 days is used.
|
3080
|
-
# When this operation is successful, the state of the CMK changes to
|
3565
|
+
# When this operation is successful, the key state of the CMK changes to
|
3081
3566
|
# `PendingDeletion`. Before the waiting period ends, you can use
|
3082
3567
|
# CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
|
3083
3568
|
# period ends, AWS KMS deletes the CMK and all AWS KMS data associated
|
3084
3569
|
# with it, including all aliases that refer to it.
|
3085
3570
|
#
|
3086
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
3087
|
-
#
|
3088
3571
|
# Deleting a CMK is a destructive and potentially dangerous operation.
|
3089
3572
|
# When a CMK is deleted, all data that was encrypted under the CMK is
|
3090
|
-
#
|
3091
|
-
#
|
3573
|
+
# unrecoverable. To prevent the use of a CMK without deleting it, use
|
3574
|
+
# DisableKey.
|
3575
|
+
#
|
3576
|
+
# If you schedule deletion of a CMK from a [custom key store][1], when
|
3577
|
+
# the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
|
3578
|
+
# AWS KMS. Then AWS KMS makes a best effort to delete the key material
|
3579
|
+
# from the associated AWS CloudHSM cluster. However, you might need to
|
3580
|
+
# manually [delete the orphaned key material][2] from the cluster and
|
3581
|
+
# its backups.
|
3582
|
+
#
|
3583
|
+
# You cannot perform this operation on a CMK in a different AWS account.
|
3092
3584
|
#
|
3093
3585
|
# For more information about scheduling a CMK for deletion, see
|
3094
|
-
# [Deleting Customer Master Keys][
|
3586
|
+
# [Deleting Customer Master Keys][3] in the *AWS Key Management Service
|
3095
3587
|
# Developer Guide*.
|
3096
3588
|
#
|
3097
3589
|
# The result of this operation varies with the key state of the CMK. For
|
3098
|
-
# details, see [How Key State Affects Use of a Customer Master Key][
|
3590
|
+
# details, see [How Key State Affects Use of a Customer Master Key][4]
|
3099
3591
|
# in the *AWS Key Management Service Developer Guide*.
|
3100
3592
|
#
|
3101
3593
|
#
|
3102
3594
|
#
|
3103
|
-
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/
|
3104
|
-
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/
|
3595
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
3596
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
3597
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
3598
|
+
# [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3105
3599
|
#
|
3106
3600
|
# @option params [required, String] :key_id
|
3107
3601
|
# The unique identifier of the customer master key (CMK) to delete.
|
@@ -3389,8 +3883,123 @@ module Aws::KMS
|
|
3389
3883
|
req.send_request(options)
|
3390
3884
|
end
|
3391
3885
|
|
3886
|
+
# Changes the properties of a custom key store. Use the
|
3887
|
+
# `CustomKeyStoreId` parameter to identify the custom key store you want
|
3888
|
+
# to edit. Use the remaining parameters to change the properties of the
|
3889
|
+
# custom key store.
|
3890
|
+
#
|
3891
|
+
# You can only update a custom key store that is disconnected. To
|
3892
|
+
# disconnect the custom key store, use DisconnectCustomKeyStore. To
|
3893
|
+
# reconnect the custom key store after the update completes, use
|
3894
|
+
# ConnectCustomKeyStore. To find the connection state of a custom key
|
3895
|
+
# store, use the DescribeCustomKeyStores operation.
|
3896
|
+
#
|
3897
|
+
# Use the `NewCustomKeyStoreName` parameter to change the friendly name
|
3898
|
+
# of the custom key store to the value that you specify.
|
3899
|
+
#
|
3900
|
+
# Use the `KeyStorePassword` parameter tell AWS KMS the current password
|
3901
|
+
# of the [ `kmsuser` crypto user (CU)][1] in the associated AWS CloudHSM
|
3902
|
+
# cluster. You can use this parameter to fix connection failures that
|
3903
|
+
# occur when AWS KMS cannot log into the associated cluster because the
|
3904
|
+
# `kmsuser` password has changed. This value does not change the
|
3905
|
+
# password in the AWS CloudHSM cluster.
|
3906
|
+
#
|
3907
|
+
# Use the `CloudHsmClusterId` parameter to associate the custom key
|
3908
|
+
# store with a related AWS CloudHSM cluster, that is, a cluster that
|
3909
|
+
# shares a backup history with the original cluster. You can use this
|
3910
|
+
# parameter to repair a custom key store if its AWS CloudHSM cluster
|
3911
|
+
# becomes corrupted or is deleted, or when you need to create or restore
|
3912
|
+
# a cluster from a backup.
|
3913
|
+
#
|
3914
|
+
# The cluster ID must identify a AWS CloudHSM cluster with the following
|
3915
|
+
# requirements.
|
3916
|
+
#
|
3917
|
+
# * The cluster must be active and be in the same AWS account and Region
|
3918
|
+
# as the custom key store.
|
3919
|
+
#
|
3920
|
+
# * The cluster must have the same cluster certificate as the original
|
3921
|
+
# cluster. You cannot use this parameter to associate the custom key
|
3922
|
+
# store with an unrelated cluster. To view the cluster certificate,
|
3923
|
+
# use the AWS CloudHSM [DescribeClusters][2] operation. Clusters that
|
3924
|
+
# share a backup history have the same cluster certificate.
|
3925
|
+
#
|
3926
|
+
# * The cluster must be configured with subnets in at least two
|
3927
|
+
# different Availability Zones in the Region. Because AWS CloudHSM is
|
3928
|
+
# not supported in all Availability Zones, we recommend that the
|
3929
|
+
# cluster have subnets in all Availability Zones in the Region.
|
3930
|
+
#
|
3931
|
+
# * The cluster must contain at least two active HSMs, each in a
|
3932
|
+
# different Availability Zone.
|
3933
|
+
#
|
3934
|
+
# If the operation succeeds, it returns a JSON object with no
|
3935
|
+
# properties.
|
3936
|
+
#
|
3937
|
+
# This operation is part of the [Custom Key Store feature][3] feature in
|
3938
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
3939
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
3940
|
+
#
|
3941
|
+
#
|
3942
|
+
#
|
3943
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
3944
|
+
# [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
3945
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3946
|
+
#
|
3947
|
+
# @option params [required, String] :custom_key_store_id
|
3948
|
+
# Identifies the custom key store that you want to update. Enter the ID
|
3949
|
+
# of the custom key store. To find the ID of a custom key store, use the
|
3950
|
+
# DescribeCustomKeyStores operation.
|
3951
|
+
#
|
3952
|
+
# @option params [String] :new_custom_key_store_name
|
3953
|
+
# Changes the friendly name of the custom key store to the value that
|
3954
|
+
# you specify. The custom key store name must be unique in the AWS
|
3955
|
+
# account.
|
3956
|
+
#
|
3957
|
+
# @option params [String] :key_store_password
|
3958
|
+
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
3959
|
+
# AWS CloudHSM cluster that is associated with the custom key store.
|
3960
|
+
#
|
3961
|
+
# This parameter tells AWS KMS the current password of the `kmsuser`
|
3962
|
+
# crypto user (CU). It does not set or change the password of any users
|
3963
|
+
# in the AWS CloudHSM cluster.
|
3964
|
+
#
|
3965
|
+
# @option params [String] :cloud_hsm_cluster_id
|
3966
|
+
# Associates the custom key store with a related AWS CloudHSM cluster.
|
3967
|
+
#
|
3968
|
+
# Enter the cluster ID of the cluster that you used to create the custom
|
3969
|
+
# key store or a cluster that shares a backup history with the original
|
3970
|
+
# cluster. You cannot use this parameter to associate a custom key store
|
3971
|
+
# with a different cluster.
|
3972
|
+
#
|
3973
|
+
# Clusters that share a backup history have the same cluster
|
3974
|
+
# certificate. To view the cluster certificate of a cluster, use the
|
3975
|
+
# [DescribeClusters][1] operation.
|
3976
|
+
#
|
3977
|
+
#
|
3978
|
+
#
|
3979
|
+
# [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
3980
|
+
#
|
3981
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
3982
|
+
#
|
3983
|
+
# @example Request syntax with placeholder values
|
3984
|
+
#
|
3985
|
+
# resp = client.update_custom_key_store({
|
3986
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
3987
|
+
# new_custom_key_store_name: "CustomKeyStoreNameType",
|
3988
|
+
# key_store_password: "KeyStorePasswordType",
|
3989
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
3990
|
+
# })
|
3991
|
+
#
|
3992
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore AWS API Documentation
|
3993
|
+
#
|
3994
|
+
# @overload update_custom_key_store(params = {})
|
3995
|
+
# @param [Hash] params ({})
|
3996
|
+
def update_custom_key_store(params = {}, options = {})
|
3997
|
+
req = build_request(:update_custom_key_store, params)
|
3998
|
+
req.send_request(options)
|
3999
|
+
end
|
4000
|
+
|
3392
4001
|
# Updates the description of a customer master key (CMK). To see the
|
3393
|
-
#
|
4002
|
+
# decription of a CMK, use DescribeKey.
|
3394
4003
|
#
|
3395
4004
|
# You cannot perform this operation on a CMK in a different AWS account.
|
3396
4005
|
#
|
@@ -3460,7 +4069,7 @@ module Aws::KMS
|
|
3460
4069
|
params: params,
|
3461
4070
|
config: config)
|
3462
4071
|
context[:gem_name] = 'aws-sdk-kms'
|
3463
|
-
context[:gem_version] = '1.
|
4072
|
+
context[:gem_version] = '1.13.0'
|
3464
4073
|
Seahorse::Client::Request.new(handlers, context)
|
3465
4074
|
end
|
3466
4075
|
|