aws-sdk-kms 1.12.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3367f71cb4b7c47fde31853cfa16e6b1ef92ea52
4
- data.tar.gz: '0978022ac3a00a99e6db77b65f467427bc238371'
3
+ metadata.gz: 4bca783774aeca06b13277e56cd794df110f6d42
4
+ data.tar.gz: 6140ef36b4f5ac42206aefe9f0370dbf512fcb59
5
5
  SHA512:
6
- metadata.gz: 164a711074f5e49b452e23151524169c79936294ccf386fcc42132018daf4ac46f9e8bc2570f7d58fac76224a41bc2fc68f4dc1c2b3e60a54d684a0d37171daf
7
- data.tar.gz: d02630297d756e5fab14c96de10c7471bfab0632605c444383200aa220ab68e1ed50c767a1e1ad76f078d5b0da7d113ba351e9d766be5c9d023c4415f1214e52
6
+ metadata.gz: c14c7d97ee060bfa2b2f510f816b6728046fa56b881ed4e292859e5ee098c6412f48fdaf60e7ec415ef72c6cf94aebb02c95ba4e9e2f5f222123eaf25daa6ba9
7
+ data.tar.gz: c8f68db24ec2731de7f7d9c3fc95a4d84ec5fa596809ef587c3726976481fa9689c484fa555a0ed888f31747d6b1e1074512aa7555da67068fb6a2d949c9d9e4
@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
42
42
  # @service
43
43
  module Aws::KMS
44
44
 
45
- GEM_VERSION = '1.12.0'
45
+ GEM_VERSION = '1.13.0'
46
46
 
47
47
  end
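Review bot: the minor bump from 1.12.0 to 1.13.0 is consistent with the purely additive surface in the rest of this diff (new client operations such as `connect_custom_key_store`, `create_custom_key_store`, `delete_custom_key_store` and `describe_custom_key_stores`, plus new `origin` and `key_state` enum values), so no major bump is needed; no CHANGELOG hunk appears on this page, though, so the release-notes entry for the custom key store feature cannot be checked here. The file header for this hunk is also missing from the rendered diff, so the file that defines `GEM_VERSION` cannot be confirmed from the page.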
@@ -285,9 +285,79 @@ module Aws::KMS
285
285
  req.send_request(options)
286
286
  end
287
287
 
288
- # Creates a display name for a customer-managed customer master key
289
- # (CMK). You can use an alias to identify a CMK in selected operations,
290
- # such as Encrypt and GenerateDataKey.
288
+ # Connects or reconnects a [custom key store][1] to its associated AWS
289
+ # CloudHSM cluster.
290
+ #
291
+ # The custom key store must be connected before you can create customer
292
+ # master keys (CMKs) in the key store or use the CMKs it contains. You
293
+ # can disconnect and reconnect a custom key store at any time.
294
+ #
295
+ # To connect a custom key store, its associated AWS CloudHSM cluster
296
+ # must have at least one active HSM. To get the number of active HSMs in
297
+ # a cluster, use the [DescribeClusters][2] operation. To add HSMs to the
298
+ # cluster, use the [CreateHsm][3] operation.
299
+ #
300
+ # The connection process can take an extended amount of time to
301
+ # complete; up to 20 minutes. This operation starts the connection
302
+ # process, but it does not wait for it to complete. When it succeeds,
303
+ # this operation quickly returns an HTTP 200 response and a JSON object
304
+ # with no properties. However, this response does not indicate that the
305
+ # custom key store is connected. To get the connection state of the
306
+ # custom key store, use the DescribeCustomKeyStores operation.
307
+ #
308
+ # During the connection process, AWS KMS finds the AWS CloudHSM cluster
309
+ # that is associated with the custom key store, creates the connection
310
+ # infrastructure, connects to the cluster, logs into the AWS CloudHSM
311
+ # client as the [ `kmsuser` crypto user][4] (CU), and rotates its
312
+ # password.
313
+ #
314
+ # The `ConnectCustomKeyStore` operation might fail for various reasons.
315
+ # To find the reason, use the DescribeCustomKeyStores operation and see
316
+ # the `ConnectionErrorCode` in the response. For help interpreting the
317
+ # `ConnectionErrorCode`, see CustomKeyStoresListEntry.
318
+ #
319
+ # To fix the failure, use the DisconnectCustomKeyStore operation to
320
+ # disconnect the custom key store, correct the error, use the
321
+ # UpdateCustomKeyStore operation if necessary, and then use
322
+ # `ConnectCustomKeyStore` again.
323
+ #
324
+ # If you are having trouble connecting or disconnecting a custom key
325
+ # store, see [Troubleshooting a Custom Key Store][5] in the *AWS Key
326
+ # Management Service Developer Guide*.
327
+ #
328
+ #
329
+ #
330
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
331
+ # [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters
332
+ # [3]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm
333
+ # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
334
+ # [5]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
335
+ #
336
+ # @option params [required, String] :custom_key_store_id
337
+ # Enter the key store ID of the custom key store that you want to
338
+ # connect. To find the ID of a custom key store, use the
339
+ # DescribeCustomKeyStores operation.
340
+ #
341
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
342
+ #
343
+ # @example Request syntax with placeholder values
344
+ #
345
+ # resp = client.connect_custom_key_store({
346
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
347
+ # })
348
+ #
349
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore AWS API Documentation
350
+ #
351
+ # @overload connect_custom_key_store(params = {})
352
+ # @param [Hash] params ({})
353
+ def connect_custom_key_store(params = {}, options = {})
354
+ req = build_request(:connect_custom_key_store, params)
355
+ req.send_request(options)
356
+ end
357
+
358
+ # Creates a display name for a customer master key (CMK). You can use an
359
+ # alias to identify a CMK in selected operations, such as Encrypt and
360
+ # GenerateDataKey.
291
361
  #
292
362
  # Each CMK can have multiple aliases, but each alias points to only one
293
363
  # CMK. The alias name must be unique in the AWS account and region. To
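Review bot: `connect_custom_key_store` is documented as asynchronous (it "quickly returns an HTTP 200 response and a JSON object with no properties" while the connection "can take ... up to 20 minutes"), but this hunk adds no waiter or polling helper, so callers must loop on `describe_custom_key_stores` and inspect `ConnectionState` themselves; consider adding a waiter, or at least an `@example` that shows the poll and the `FAILED`/`ConnectionErrorCode` branch. The doc also says KMS "logs into the AWS CloudHSM client as the `kmsuser` crypto user (CU), and rotates its password"; it should state plainly whether the password the operator supplied in `key_store_password` remains valid after that rotation, since that determines what has to be supplied to `UpdateCustomKeyStore` later. Minor: the rewritten `CreateAlias` summary drops the "customer-managed" qualifier from "customer-managed customer master key", which was meaningful given the reserved `aws/` prefix discussed below it.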
@@ -299,10 +369,11 @@ module Aws::KMS
299
369
  # appear in the response from the DescribeKey operation. To get the
300
370
  # aliases of all CMKs, use the ListAliases operation.
301
371
  #
302
- # The alias name can contain only alphanumeric characters, forward
303
- # slashes (/), underscores (\_), and dashes (-). Alias names cannot
304
- # begin with **aws/**. That alias name prefix is reserved for AWS
305
- # managed CMKs.
372
+ # An alias must start with the word `alias` followed by a forward slash
373
+ # (`alias/`). The alias name can contain only alphanumeric characters,
374
+ # forward slashes (/), underscores (\_), and dashes (-). Alias names
375
+ # cannot begin with `aws`; that alias name prefix is reserved by Amazon
376
+ # Web Services (AWS).
306
377
  #
307
378
  # The alias and the CMK it is mapped to must be in the same AWS account
308
379
  # and the same region. You cannot perform this operation on an alias in
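Review bot: the reserved prefix is now written as `aws` (no slash) where the removed text said `aws/`, and the `:alias_name` option text later in this diff writes it as `alias/AWS`; the three forms do not describe the same set of names (as written, the method doc would also reject something like `alias/awsome-key`, the option doc would not), so pick one canonical form, for example "Alias names cannot begin with `aws/`", and use it in both places. The requirement that an alias "must start with the word `alias` followed by a forward slash" is a useful addition; keep it, but it reads better next to a concrete example such as the `alias/ExampleAlias` that the next hunk removes.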
@@ -319,10 +390,9 @@ module Aws::KMS
319
390
  # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
320
391
  #
321
392
  # @option params [required, String] :alias_name
322
- # Specifies the alias name. This value must begin with `alias/` followed
323
- # by the alias name, such as `alias/ExampleAlias`. The alias name cannot
324
- # begin with `aws/`. The `alias/aws/` prefix is reserved for AWS managed
325
- # CMKs.
393
+ # String that contains the display name. The name must start with the
394
+ # word "alias" followed by a forward slash (alias/). Aliases that
395
+ # begin with "alias/AWS" are reserved.
326
396
  #
327
397
  # @option params [required, String] :target_key_id
328
398
  # Identifies the CMK for which you are creating the alias. This value
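Review bot: the rewritten `:alias_name` text loses the worked example `alias/ExampleAlias` and the explanation that `alias/aws/` is reserved for AWS managed CMKs, and it spells the reserved prefix `alias/AWS` while the method summary in this same diff says `aws`; keep the example and use one prefix form in both places. "String that contains the display name." is also a sentence fragment; the removed "Specifies the alias name. This value must begin with `alias/` followed by the alias name, such as `alias/ExampleAlias`." was clearer and I would restore it with only the reserved-prefix sentence updated.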
@@ -367,6 +437,147 @@ module Aws::KMS
367
437
  req.send_request(options)
368
438
  end
369
439
 
440
+ # Creates a [custom key store][1] that is associated with an [AWS
441
+ # CloudHSM cluster][2] that you own and manage.
442
+ #
443
+ # This operation is part of the [Custom Key Store feature][3] feature in
444
+ # AWS KMS, which combines the convenience and extensive integration of
445
+ # AWS KMS with the isolation and control of a single-tenant key store.
446
+ #
447
+ # When the operation completes successfully, it returns the ID of the
448
+ # new custom key store. Before you can use your new custom key store,
449
+ # you need to use the ConnectCustomKeyStore operation to connect the new
450
+ # key store to its AWS CloudHSM cluster.
451
+ #
452
+ # The `CreateCustomKeyStore` operation requires the following elements.
453
+ #
454
+ # * You must specify an active AWS CloudHSM cluster in the same account
455
+ # and AWS Region as the custom key store. You can use an existing
456
+ # cluster or [create and activate a new AWS CloudHSM cluster][4] for
457
+ # the key store. AWS KMS does not require exclusive use of the
458
+ # cluster.
459
+ #
460
+ # * You must include the content of the *trust anchor certificate* for
461
+ # the cluster. You created this certificate, and saved it in the
462
+ # `customerCA.crt` file, when you [initialized the cluster][5].
463
+ #
464
+ # * You must provide the password of the dedicated [ `kmsuser` crypto
465
+ # user][6] (CU) account in the cluster.
466
+ #
467
+ # Before you create the custom key store, use the [createUser][7]
468
+ # command in `cloudhsm_mgmt_util` to create [a crypto user (CU) named
469
+ # `kmsuser` ][6]in specified AWS CloudHSM cluster. AWS KMS uses the
470
+ # `kmsuser` CU account to create and manage key material on your
471
+ # behalf. For instructions, see [Create the kmsuser Crypto User][8] in
472
+ # the *AWS Key Management Service Developer Guide*.
473
+ #
474
+ # The AWS CloudHSM cluster that you specify must meet the following
475
+ # requirements.
476
+ #
477
+ # * The cluster must be active and be in the same AWS account and Region
478
+ # as the custom key store.
479
+ #
480
+ # * Each custom key store must be associated with a different AWS
481
+ # CloudHSM cluster. The cluster cannot be associated with another
482
+ # custom key store or have the same cluster certificate as a cluster
483
+ # that is associated with another custom key store. To view the
484
+ # cluster certificate, use the AWS CloudHSM [DescribeClusters][9]
485
+ # operation. Clusters that share a backup history have the same
486
+ # cluster certificate.
487
+ #
488
+ # * The cluster must be configured with subnets in at least two
489
+ # different Availability Zones in the Region. Because AWS CloudHSM is
490
+ # not supported in all Availability Zones, we recommend that the
491
+ # cluster have subnets in all Availability Zones in the Region.
492
+ #
493
+ # * The cluster must contain at least two active HSMs, each in a
494
+ # different Availability Zone.
495
+ #
496
+ # New custom key stores are not automatically connected. After you
497
+ # create your custom key store, use the ConnectCustomKeyStore operation
498
+ # to connect the custom key store to its associated AWS CloudHSM
499
+ # cluster. Even if you are not going to use your custom key store
500
+ # immediately, you might want to connect it to verify that all settings
501
+ # are correct and then disconnect it until you are ready to use it.
502
+ #
503
+ # If this operation succeeds, it returns the ID of the new custom key
504
+ # store. For help with failures, see [Troubleshoot a Custom Key
505
+ # Store][10] in the *AWS KMS Developer Guide*.
506
+ #
507
+ #
508
+ #
509
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
510
+ # [2]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
511
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
512
+ # [4]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html
513
+ # [5]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
514
+ # [6]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
515
+ # [7]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-createUser.html
516
+ # [8]: http://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
517
+ # [9]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
518
+ # [10]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
519
+ #
520
+ # @option params [required, String] :custom_key_store_name
521
+ # Specifies a friendly name for the custom key store. The name must be
522
+ # unique in your AWS account.
523
+ #
524
+ # @option params [required, String] :cloud_hsm_cluster_id
525
+ # Identifies the AWS CloudHSM cluster for the custom key store. Enter
526
+ # the cluster ID of any active AWS CloudHSM cluster that is not already
527
+ # associated with a custom key store. To find the cluster ID, use the
528
+ # [DescribeClusters][1] operation.
529
+ #
530
+ #
531
+ #
532
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
533
+ #
534
+ # @option params [required, String] :trust_anchor_certificate
535
+ # Enter the content of the trust anchor certificate for the cluster.
536
+ # This is the content of the `customerCA.crt` file that you created when
537
+ # you [initialized the cluster][1].
538
+ #
539
+ #
540
+ #
541
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
542
+ #
543
+ # @option params [required, String] :key_store_password
544
+ # Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
545
+ # the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as
546
+ # this user to manage key material on your behalf.
547
+ #
548
+ # This parameter tells AWS KMS the `kmsuser` account password; it does
549
+ # not change the password in the AWS CloudHSM cluster.
550
+ #
551
+ #
552
+ #
553
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
554
+ #
555
+ # @return [Types::CreateCustomKeyStoreResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
556
+ #
557
+ # * {Types::CreateCustomKeyStoreResponse#custom_key_store_id #custom_key_store_id} => String
558
+ #
559
+ # @example Request syntax with placeholder values
560
+ #
561
+ # resp = client.create_custom_key_store({
562
+ # custom_key_store_name: "CustomKeyStoreNameType", # required
563
+ # cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
564
+ # trust_anchor_certificate: "TrustAnchorCertificateType", # required
565
+ # key_store_password: "KeyStorePasswordType", # required
566
+ # })
567
+ #
568
+ # @example Response structure
569
+ #
570
+ # resp.custom_key_store_id #=> String
571
+ #
572
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore AWS API Documentation
573
+ #
574
+ # @overload create_custom_key_store(params = {})
575
+ # @param [Hash] params ({})
576
+ def create_custom_key_store(params = {}, options = {})
577
+ req = build_request(:create_custom_key_store, params)
578
+ req.send_request(options)
579
+ end
580
+
370
581
  # Adds a grant to a customer master key (CMK). The grant specifies who
371
582
  # can use the CMK and under what conditions. When setting permissions,
372
583
  # grants are an alternative to key policies.
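Review bot: the HSM minimum stated here ("at least two active HSMs, each in a different Availability Zone") conflicts with the `connect_custom_key_store` doc earlier in this diff ("at least one active HSM"); say which minimum applies to connecting versus creating keys so operators do not size a cluster against the wrong number. Separately, `:key_store_password` carries the `kmsuser` CU credential as a plain String; the doc should say whether this parameter is treated as sensitive and redacted from SDK request logging, because otherwise a debug-level logger would record the HSM credential. Text fixes: "[Custom Key Store feature][3] feature" doubles "feature", "`kmsuser` ][6]in specified AWS CloudHSM cluster" needs a space and "the", and the guide is cited both as "*AWS KMS Developer Guide*" and as "*AWS Key Management Service Developer Guide*".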
@@ -458,8 +669,7 @@ module Aws::KMS
458
669
  #
459
670
  # @option params [String] :name
460
671
  # A friendly name for identifying the grant. Use this value to prevent
461
- # the unintended creation of duplicate grants when retrying this
462
- # request.
672
+ # unintended creation of duplicate grants when retrying this request.
463
673
  #
464
674
  # When this value is absent, all `CreateGrant` requests result in a new
465
675
  # grant with a unique `GrantId` even if all the supplied parameters are
@@ -535,22 +745,33 @@ module Aws::KMS
535
745
  # Creates a customer master key (CMK) in the caller's AWS account.
536
746
  #
537
747
  # You can use a CMK to encrypt small amounts of data (4 KiB or less)
538
- # directly. But CMKs are more commonly used to encrypt data encryption
539
- # keys (DEKs), which are used to encrypt raw data. For more information
540
- # about DEKs and the difference between CMKs and DEKs, see the
541
- # following:
748
+ # directly, but CMKs are more commonly used to encrypt data keys, which
749
+ # are used to encrypt raw data. For more information about data keys and
750
+ # the difference between CMKs and data keys, see the following:
542
751
  #
543
752
  # * The GenerateDataKey operation
544
753
  #
545
754
  # * [AWS Key Management Service Concepts][1] in the *AWS Key Management
546
755
  # Service Developer Guide*
547
756
  #
757
+ # If you plan to [import key material][2], use the `Origin` parameter
758
+ # with a value of `EXTERNAL` to create a CMK with no key material.
759
+ #
760
+ # To create a CMK in a [custom key store][3], use `CustomKeyStoreId`
761
+ # parameter to specify the custom key store. You must also use the
762
+ # `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
763
+ # cluster that is associated with the custom key store must have at
764
+ # least two active HSMs, each in a different Availability Zone in the
765
+ # Region.
766
+ #
548
767
  # You cannot use this operation to create a CMK in a different AWS
549
768
  # account.
550
769
  #
551
770
  #
552
771
  #
553
772
  # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
773
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
774
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
554
775
  #
555
776
  # @option params [String] :policy
556
777
  # The key policy to attach to the CMK.
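Review bot: "use `CustomKeyStoreId` parameter to specify the custom key store" is missing "the". The new paragraph also restates the custom-key-store HSM minimum (two active HSMs in different Availability Zones) that already appears in the `create_custom_key_store` doc in this diff; since the `connect_custom_key_store` doc gives a different number, it would be safer to state the requirement once and link to it than to repeat a figure that can drift.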
@@ -568,11 +789,10 @@ module Aws::KMS
568
789
  # principals. The principals in the key policy must exist and be
569
790
  # visible to AWS KMS. When you create a new AWS principal (for
570
791
  # example, an IAM user or role), you might need to enforce a delay
571
- # before including the new principal in a key policy. The reason for
572
- # this is that the new principal might not be immediately visible to
573
- # AWS KMS. For more information, see [Changes that I make are not
574
- # always immediately visible][2] in the *AWS Identity and Access
575
- # Management User Guide*.
792
+ # before including the new principal in a key policy because the new
793
+ # principal might not be immediately visible to AWS KMS. For more
794
+ # information, see [Changes that I make are not always immediately
795
+ # visible][2] in the *AWS Identity and Access Management User Guide*.
576
796
  #
577
797
  # If you do not provide a key policy, AWS KMS attaches a default key
578
798
  # policy to the CMK. For more information, see [Default Key Policy][3]
@@ -598,20 +818,50 @@ module Aws::KMS
598
818
  # You can use CMKs only for symmetric encryption and decryption.
599
819
  #
600
820
  # @option params [String] :origin
601
- # The source of the CMK's key material.
821
+ # The source of the CMK's key material. You cannot change the origin
822
+ # after you create the CMK.
823
+ #
824
+ # The default is `AWS_KMS`, which means AWS KMS creates the key material
825
+ # in its own key store.
602
826
  #
603
- # The default is `AWS_KMS`, which means AWS KMS creates the key
604
- # material. When this parameter is set to `EXTERNAL`, the request
605
- # creates a CMK without key material so that you can import key material
606
- # from your existing key management infrastructure. For more information
607
- # about importing key material into AWS KMS, see [Importing Key
608
- # Material][1] in the *AWS Key Management Service Developer Guide*.
827
+ # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
828
+ # key material so that you can import key material from your existing
829
+ # key management infrastructure. For more information about importing
830
+ # key material into AWS KMS, see [Importing Key Material][1] in the *AWS
831
+ # Key Management Service Developer Guide*.
609
832
  #
610
- # The CMK's `Origin` is immutable and is set when the CMK is created.
833
+ # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
834
+ # a AWS KMS [custom key store][2] and creates its key material in the
835
+ # associated AWS CloudHSM cluster. You must also use the
836
+ # `CustomKeyStoreId` parameter to identify the custom key store.
611
837
  #
612
838
  #
613
839
  #
614
840
  # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
841
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
842
+ #
843
+ # @option params [String] :custom_key_store_id
844
+ # Creates the CMK in the specified [custom key store][1] and the key
845
+ # material in its associated AWS CloudHSM cluster. To create a CMK in a
846
+ # custom key store, you must also specify the `Origin` parameter with a
847
+ # value of `AWS_CLOUDHSM`. The AWS CloudHSM cluster that is associated
848
+ # with the custom key store must have at least two active HSMs, each in
849
+ # a different Availability Zone in the Region.
850
+ #
851
+ # To find the ID of a custom key store, use the DescribeCustomKeyStores
852
+ # operation.
853
+ #
854
+ # The response includes the custom key store ID and the ID of the AWS
855
+ # CloudHSM cluster.
856
+ #
857
+ # This operation is part of the [Custom Key Store feature][2] feature in
858
+ # AWS KMS, which combines the convenience and extensive integration of
859
+ # AWS KMS with the isolation and control of a single-tenant key store.
860
+ #
861
+ #
862
+ #
863
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
864
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
615
865
  #
616
866
  # @option params [Boolean] :bypass_policy_lockout_safety_check
617
867
  # A flag to indicate whether to bypass the key policy lockout safety
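Review bot: "a AWS KMS [custom key store][2]" should be "an AWS KMS". More substantively, the `:origin` and `:custom_key_store_id` docs say each requires the other (`AWS_CLOUDHSM` needs `CustomKeyStoreId`, and `CustomKeyStoreId` needs `Origin` of `AWS_CLOUDHSM`), but nothing in this hunk enforces that pairing client-side, so a mismatched request is rejected only by the service; if the coupling cannot be expressed in the model, one sentence saying the error comes back from the service would save callers a debugging round. The `:custom_key_store_id` text also repeats the "[Custom Key Store feature][2] feature" typo.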
@@ -683,7 +933,8 @@ module Aws::KMS
683
933
  # policy: "PolicyType",
684
934
  # description: "DescriptionType",
685
935
  # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
686
- # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
936
+ # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
937
+ # custom_key_store_id: "CustomKeyStoreIdType",
687
938
  # bypass_policy_lockout_safety_check: false,
688
939
  # tags: [
689
940
  # {
@@ -702,10 +953,12 @@ module Aws::KMS
702
953
  # resp.key_metadata.enabled #=> Boolean
703
954
  # resp.key_metadata.description #=> String
704
955
  # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
705
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
956
+ # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
706
957
  # resp.key_metadata.deletion_date #=> Time
707
958
  # resp.key_metadata.valid_to #=> Time
708
- # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
959
+ # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
960
+ # resp.key_metadata.custom_key_store_id #=> String
961
+ # resp.key_metadata.cloud_hsm_cluster_id #=> String
709
962
  # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
710
963
  # resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
711
964
  #
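Review bot: `key_state` gains the value `"Unavailable"` and `origin` gains `"AWS_CLOUDHSM"`, but nothing in this hunk or the surrounding text says when a CMK reports `Unavailable`; code that branches exhaustively on the four previously documented states will now see an unexpected value, so document the new state (cross-referencing the key-state guide linked as [1] in the `CreateKey` doc) and make sure any `case` on `key_state` in callers has an `else` branch. For the new `custom_key_store_id` and `cloud_hsm_cluster_id` metadata fields, the doc should say what they hold for keys whose origin is not `AWS_CLOUDHSM`.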
@@ -727,14 +980,15 @@ module Aws::KMS
727
980
  #
728
981
  # * Encrypt
729
982
  #
730
- # Whenever possible, use key policies to give users permission to call
731
- # the Decrypt operation on the CMK, instead of IAM policies. Otherwise,
732
- # you might create an IAM user policy that gives the user Decrypt
733
- # permission on all CMKs. This user could decrypt ciphertext that was
734
- # encrypted by CMKs in other accounts if the key policy for the
735
- # cross-account CMK permits it. If you must use an IAM policy for
736
- # `Decrypt` permissions, limit the user to particular CMKs or particular
737
- # trusted accounts.
983
+ # Note that if a caller has been granted access permissions to all keys
984
+ # (through, for example, IAM user policies that grant `Decrypt`
985
+ # permission on all resources), then ciphertext encrypted by using keys
986
+ # in other accounts where the key grants access to the caller can be
987
+ # decrypted. To remedy this, we recommend that you do not grant
988
+ # `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
989
+ # only in key policies. If you must grant `Decrypt` access in an IAM
990
+ # user policy, you should scope the resource to specific keys or to
991
+ # specific trusted accounts.
738
992
  #
739
993
  # The result of this operation varies with the key state of the CMK. For
740
994
  # details, see [How Key State Affects Use of a Customer Master Key][1]
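Review bot: the rewrite buries the recommendation; the removed text opened with the actionable rule ("Whenever possible, use key policies to give users permission to call the Decrypt operation on the CMK, instead of IAM policies"), while the new text opens with a long conditional before reaching "we recommend". The security point is unchanged and important: an IAM user policy that grants `Decrypt` on all resources lets that principal decrypt ciphertext under any CMK in another account whose key policy trusts the caller, so the guidance should lead with "grant `Decrypt` in key policies, not IAM policies" and, where IAM must be used, scope the resource to specific keys or trusted accounts, with the explanation second.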
@@ -854,6 +1108,66 @@ module Aws::KMS
854
1108
  req.send_request(options)
855
1109
  end
856
1110
 
1111
+ # Deletes a [custom key store][1]. This operation does not delete the
1112
+ # AWS CloudHSM cluster that is associated with the custom key store, or
1113
+ # affect any users or keys in the cluster.
1114
+ #
1115
+ # The custom key store that you delete cannot contain any AWS KMS
1116
+ # [customer master keys (CMKs)][2]. Before deleting the key store,
1117
+ # verify that you will never need to use any of the CMKs in the key
1118
+ # store for any cryptographic operations. Then, use ScheduleKeyDeletion
1119
+ # to delete the AWS KMS customer master keys (CMKs) from the key store.
1120
+ # When the scheduled waiting period expires, the `ScheduleKeyDeletion`
1121
+ # operation deletes the CMKs. Then it makes a best effort to delete the
1122
+ # key material from the associated cluster. However, you might need to
1123
+ # manually [delete the orphaned key material][3] from the cluster and
1124
+ # its backups.
1125
+ #
1126
+ # After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
1127
+ # to disconnect the key store from AWS KMS. Then, you can delete the
1128
+ # custom key store.
1129
+ #
1130
+ # Instead of deleting the custom key store, consider using
1131
+ # DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key
1132
+ # store is disconnected, you cannot create or use the CMKs in the key
1133
+ # store. But, you do not need to delete CMKs and you can reconnect a
1134
+ # disconnected custom key store at any time.
1135
+ #
1136
+ # If the operation succeeds, it returns a JSON object with no
1137
+ # properties.
1138
+ #
1139
+ # This operation is part of the [Custom Key Store feature][4] feature in
1140
+ # AWS KMS, which combines the convenience and extensive integration of
1141
+ # AWS KMS with the isolation and control of a single-tenant key store.
1142
+ #
1143
+ #
1144
+ #
1145
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1146
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1147
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
1148
+ # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1149
+ #
1150
+ # @option params [required, String] :custom_key_store_id
1151
+ # Enter the ID of the custom key store you want to delete. To find the
1152
+ # ID of a custom key store, use the DescribeCustomKeyStores operation.
1153
+ #
1154
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1155
+ #
1156
+ # @example Request syntax with placeholder values
1157
+ #
1158
+ # resp = client.delete_custom_key_store({
1159
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
1160
+ # })
1161
+ #
1162
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore AWS API Documentation
1163
+ #
1164
+ # @overload delete_custom_key_store(params = {})
1165
+ # @param [Hash] params ({})
1166
+ def delete_custom_key_store(params = {}, options = {})
1167
+ req = build_request(:delete_custom_key_store, params)
1168
+ req.send_request(options)
1169
+ end
1170
+
857
1171
  # Deletes key material that you previously imported. This operation
858
1172
  # makes the specified customer master key (CMK) unusable. For more
859
1173
  # information about importing key material into AWS KMS, see [Importing
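Review bot: the deletion workflow described here is irreversible and deserves a warning block rather than running prose: `ScheduleKeyDeletion` on every CMK in the store, wait out the deletion period, `DisconnectCustomKeyStore`, then `DeleteCustomKeyStore`. The doc also concedes that removal of key material from the cluster is "a best effort" and that orphaned key material may remain in the cluster "and its backups"; make that an explicit note that deleting the key store does not sanitize the CloudHSM cluster or its backups, and contrast it with the recommended alternative (disconnecting), which the doc says can be reversed at any time. Typo: "[Custom Key Store feature][4] feature".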
@@ -917,13 +1231,113 @@ module Aws::KMS
917
1231
  req.send_request(options)
918
1232
  end
919
1233
 
1234
+ # Gets information about [custom key stores][1] in the account and
1235
+ # region.
1236
+ #
1237
+ # This operation is part of the [Custom Key Store feature][2] feature in
1238
+ # AWS KMS, which combines the convenience and extensive integration of
1239
+ # AWS KMS with the isolation and control of a single-tenant key store.
1240
+ #
1241
+ # By default, this operation returns information about all custom key
1242
+ # stores in the account and region. To get only information about a
1243
+ # particular custom key store, use either the `CustomKeyStoreName` or
1244
+ # `CustomKeyStoreId` parameter (but not both).
1245
+ #
1246
+ # To determine whether the custom key store is connected to its AWS
1247
+ # CloudHSM cluster, use the `ConnectionState` element in the response.
1248
+ # If an attempt to connect the custom key store failed, the
1249
+ # `ConnectionState` value is `FAILED` and the `ConnectionErrorCode`
1250
+ # element in the response indicates the cause of the failure. For help
1251
+ # interpreting the `ConnectionErrorCode`, see CustomKeyStoresListEntry.
1252
+ #
1253
+ # Custom key stores have a `DISCONNECTED` connection state if the key
1254
+ # store has never been connected or you use the DisconnectCustomKeyStore
1255
+ # operation to disconnect it. If your custom key store state is
1256
+ # `CONNECTED` but you are having trouble using it, make sure that its
1257
+ # associated AWS CloudHSM cluster is active and contains the minimum
1258
+ # number of HSMs required for the operation, if any.
1259
+ #
1260
+ # For help repairing your custom key store, see the [Troubleshooting
1261
+ # Custom Key Stores][3] topic in the *AWS Key Management Service
1262
+ # Developer Guide*.
1263
+ #
1264
+ #
1265
+ #
1266
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1267
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1268
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html
1269
+ #
1270
+ # @option params [String] :custom_key_store_id
1271
+ # Gets only information about the specified custom key store. Enter the
1272
+ # key store ID.
1273
+ #
1274
+ # By default, this operation gets information about all custom key
1275
+ # stores in the account and region. To limit the output to a particular
1276
+ # custom key store, you can use either the `CustomKeyStoreId` or
1277
+ # `CustomKeyStoreName` parameter, but not both.
1278
+ #
1279
+ # @option params [String] :custom_key_store_name
1280
+ # Gets only information about the specified custom key store. Enter the
1281
+ # friendly name of the custom key store.
1282
+ #
1283
+ # By default, this operation gets information about all custom key
1284
+ # stores in the account and region. To limit the output to a particular
1285
+ # custom key store, you can use either the `CustomKeyStoreId` or
1286
+ # `CustomKeyStoreName` parameter, but not both.
1287
+ #
1288
+ # @option params [Integer] :limit
1289
+ # Use this parameter to specify the maximum number of items to return.
1290
+ # When this value is present, AWS KMS does not return more than the
1291
+ # specified number of items, but it might return fewer.
1292
+ #
1293
+ # @option params [String] :marker
1294
+ # Use this parameter in a subsequent request after you receive a
1295
+ # response with truncated results. Set it to the value of `NextMarker`
1296
+ # from the truncated response you just received.
1297
+ #
1298
+ # @return [Types::DescribeCustomKeyStoresResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1299
+ #
1300
+ # * {Types::DescribeCustomKeyStoresResponse#custom_key_stores #custom_key_stores} => Array<Types::CustomKeyStoresListEntry>
1301
+ # * {Types::DescribeCustomKeyStoresResponse#next_marker #next_marker} => String
1302
+ # * {Types::DescribeCustomKeyStoresResponse#truncated #truncated} => Boolean
1303
+ #
1304
+ # @example Request syntax with placeholder values
1305
+ #
1306
+ # resp = client.describe_custom_key_stores({
1307
+ # custom_key_store_id: "CustomKeyStoreIdType",
1308
+ # custom_key_store_name: "CustomKeyStoreNameType",
1309
+ # limit: 1,
1310
+ # marker: "MarkerType",
1311
+ # })
1312
+ #
1313
+ # @example Response structure
1314
+ #
1315
+ # resp.custom_key_stores #=> Array
1316
+ # resp.custom_key_stores[0].custom_key_store_id #=> String
1317
+ # resp.custom_key_stores[0].custom_key_store_name #=> String
1318
+ # resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
1319
+ # resp.custom_key_stores[0].trust_anchor_certificate #=> String
1320
+ # resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
1321
+ # resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
1322
+ # resp.custom_key_stores[0].creation_date #=> Time
1323
+ # resp.next_marker #=> String
1324
+ # resp.truncated #=> Boolean
1325
+ #
1326
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores AWS API Documentation
1327
+ #
1328
+ # @overload describe_custom_key_stores(params = {})
1329
+ # @param [Hash] params ({})
1330
+ def describe_custom_key_stores(params = {}, options = {})
1331
+ req = build_request(:describe_custom_key_stores, params)
1332
+ req.send_request(options)
1333
+ end
1334
+
920
1335
  # Provides detailed information about the specified customer master key
921
1336
  # (CMK).
922
1337
  #
923
- # You can use `DescribeKey` on a predefined AWS alias, that is, an AWS
924
- # alias with no key ID. When you do, AWS KMS associates the alias with
925
- # an [AWS managed CMK][1] and returns its `KeyId` and `Arn` in the
926
- # response.
1338
+ # If you use `DescribeKey` on a predefined AWS alias, that is, an AWS
1339
+ # alias with no key ID, AWS KMS associates the alias with an [AWS
1340
+ # managed CMK][1] and returns its `KeyId` and `Arn` in the response.
927
1341
  #
928
1342
  # To perform this operation on a CMK in a different AWS account, specify
929
1343
  # the key ARN or alias ARN in the value of the KeyId parameter.
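Review bot: the third reference link in the describe_custom_key_stores docstring, `[3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html`, ends in `-html` where every other developer-guide link in this file ends in `.html` (compare the `fix-keystore.html#fix-keystore-orphaned-key` reference added further down); as written it will not resolve. Also worth one sentence under `:limit` / `:marker`: because the service "might return fewer" than `limit` items, a caller auditing `connection_state` or `connection_error_code` across all key stores must keep calling with `marker: resp.next_marker` until `resp.truncated` is false, rather than stopping when a page comes back short.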
@@ -941,7 +1355,7 @@ module Aws::KMS
941
1355
  #
942
1356
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
943
1357
  # name, or alias ARN. When using an alias name, prefix it with
944
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1358
+ # "alias/". To specify a CMK in a different AWS account, you must use
945
1359
  # the key ARN or alias ARN.
946
1360
  #
947
1361
  # For example:
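Review bot: dropping the backticks around `"alias/"` changes the rendered docs from code to plain quoted text; the same edit is repeated in the other KeyId docstrings below, so it is at least consistent, but `alias/` is a literal prefix the caller has to type, and code formatting signals that more clearly than quotation marks. If the change is intentional, keep it consistent with the `aws/<service-name>` examples elsewhere in the gem.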
@@ -1017,10 +1431,12 @@ module Aws::KMS
1017
1431
  # resp.key_metadata.enabled #=> Boolean
1018
1432
  # resp.key_metadata.description #=> String
1019
1433
  # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
1020
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
1434
+ # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
1021
1435
  # resp.key_metadata.deletion_date #=> Time
1022
1436
  # resp.key_metadata.valid_to #=> Time
1023
- # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
1437
+ # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
1438
+ # resp.key_metadata.custom_key_store_id #=> String
1439
+ # resp.key_metadata.cloud_hsm_cluster_id #=> String
1024
1440
  # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
1025
1441
  # resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
1026
1442
  #
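Review bot: the DescribeKey response documentation gains new enum values, `"Unavailable"` for `key_state` and `"AWS_CLOUDHSM"` for `origin`, plus the `custom_key_store_id` and `cloud_hsm_cluster_id` fields. Code that only checks `key_state == "Enabled"` is unaffected, but code with an exhaustive case over the four previous states (or over `origin`) will fall through on these. Since the wire API version stays `kms-2014-11-01` and only the gem minor version moves, a short note that clients should treat unknown enum strings defensively would be appropriate here.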
@@ -1142,9 +1558,62 @@ module Aws::KMS
1142
1558
  req.send_request(options)
1143
1559
  end
1144
1560
 
1145
- # Sets the state of a customer master key (CMK) to enabled, thereby
1146
- # permitting its use for cryptographic operations. You cannot perform
1147
- # this operation on a CMK in a different AWS account.
1561
+ # Disconnects the [custom key store][1] from its associated AWS CloudHSM
1562
+ # cluster. While a custom key store is disconnected, you can manage the
1563
+ # custom key store and its customer master keys (CMKs), but you cannot
1564
+ # create or use CMKs in the custom key store. You can reconnect the
1565
+ # custom key store at any time.
1566
+ #
1567
+ # <note markdown="1"> While a custom key store is disconnected, all attempts to create
1568
+ # customer master keys (CMKs) in the custom key store or to use existing
1569
+ # CMKs in cryptographic operations will fail. This action can prevent
1570
+ # users from storing and accessing sensitive data.
1571
+ #
1572
+ # </note>
1573
+ #
1574
+ #
1575
+ #
1576
+ # To find the connection state of a custom key store, use the
1577
+ # DescribeCustomKeyStores operation. To reconnect a custom key store,
1578
+ # use the ConnectCustomKeyStore operation.
1579
+ #
1580
+ # If the operation succeeds, it returns a JSON object with no
1581
+ # properties.
1582
+ #
1583
+ # This operation is part of the [Custom Key Store feature][2] feature in
1584
+ # AWS KMS, which combines the convenience and extensive integration of
1585
+ # AWS KMS with the isolation and control of a single-tenant key store.
1586
+ #
1587
+ #
1588
+ #
1589
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1590
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1591
+ #
1592
+ # @option params [required, String] :custom_key_store_id
1593
+ # Enter the ID of the custom key store you want to disconnect. To find
1594
+ # the ID of a custom key store, use the DescribeCustomKeyStores
1595
+ # operation.
1596
+ #
1597
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1598
+ #
1599
+ # @example Request syntax with placeholder values
1600
+ #
1601
+ # resp = client.disconnect_custom_key_store({
1602
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
1603
+ # })
1604
+ #
1605
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore AWS API Documentation
1606
+ #
1607
+ # @overload disconnect_custom_key_store(params = {})
1608
+ # @param [Hash] params ({})
1609
+ def disconnect_custom_key_store(params = {}, options = {})
1610
+ req = build_request(:disconnect_custom_key_store, params)
1611
+ req.send_request(options)
1612
+ end
1613
+
1614
+ # Sets the key state of a customer master key (CMK) to enabled. This
1615
+ # allows you to use the CMK for cryptographic operations. You cannot
1616
+ # perform this operation on a CMK in a different AWS account.
1148
1617
  #
1149
1618
  # The result of this operation varies with the key state of the CMK. For
1150
1619
  # details, see [How Key State Affects Use of a Customer Master Key][1]
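Review bot: `part of the [Custom Key Store feature][2] feature` in the disconnect_custom_key_store description repeats the word "feature" (the same phrasing recurs in update_custom_key_store below), and the run of three empty `#` lines after `</note>` renders as stray blank lines in the YARD output; suggest `part of the [Custom Key Store][2] feature` and a single blank line. The `<note>` correctly stresses that disconnecting blocks creation and use of every CMK in the store; it would help operators if it also named the `connection_state` values (`DISCONNECTING`, `DISCONNECTED`) they should expect to observe in DescribeCustomKeyStores afterwards, so the outage is recognised as intended rather than as a failure.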
@@ -1198,14 +1667,18 @@ module Aws::KMS
1198
1667
  # customer master key (CMK). You cannot perform this operation on a CMK
1199
1668
  # in a different AWS account.
1200
1669
  #
1670
+ # You cannot enable automatic rotation of CMKs with imported key
1671
+ # material or CMKs in a [custom key store][2].
1672
+ #
1201
1673
  # The result of this operation varies with the key state of the CMK. For
1202
- # details, see [How Key State Affects Use of a Customer Master Key][2]
1674
+ # details, see [How Key State Affects Use of a Customer Master Key][3]
1203
1675
  # in the *AWS Key Management Service Developer Guide*.
1204
1676
  #
1205
1677
  #
1206
1678
  #
1207
1679
  # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
1208
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1680
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1681
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1209
1682
  #
1210
1683
  # @option params [required, String] :key_id
1211
1684
  # A unique identifier for the customer master key (CMK).
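Review bot: the new sentence in enable_key_rotation states that automatic rotation cannot be enabled for CMKs with imported key material or CMKs in a custom key store, but not what the caller observes when it tries (an error, or a silent no-op). Teams that enforce "rotation enabled" as a control over their CMK inventory need that stated explicitly, because a CloudHSM-backed CMK will never satisfy the check and the reason should be discoverable from this docstring.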
@@ -1254,28 +1727,30 @@ module Aws::KMS
1254
1727
  # such as an RSA key, a database password, or other sensitive
1255
1728
  # information.
1256
1729
  #
1257
- # * You can use the `Encrypt` operation to move encrypted data from one
1258
- # AWS region to another. In the first region, generate a data key and
1259
- # use the plaintext key to encrypt the data. Then, in the new region,
1260
- # call the `Encrypt` method on same plaintext data key. Now, you can
1261
- # safely move the encrypted data and encrypted data key to the new
1262
- # region, and decrypt in the new region when necessary.
1730
+ # * To move encrypted data from one AWS region to another, you can use
1731
+ # this operation to encrypt in the new region the plaintext data key
1732
+ # that was used to encrypt the data in the original region. This
1733
+ # provides you with an encrypted copy of the data key that can be
1734
+ # decrypted in the new region and used there to decrypt the encrypted
1735
+ # data.
1736
+ #
1737
+ # To perform this operation on a CMK in a different AWS account, specify
1738
+ # the key ARN or alias ARN in the value of the KeyId parameter.
1263
1739
  #
1264
- # You don't need use this operation to encrypt a data key within a
1265
- # region. The GenerateDataKey and GenerateDataKeyWithoutPlaintext
1266
- # operations return an encrypted data key.
1740
+ # Unless you are moving encrypted data from one region to another, you
1741
+ # don't use this operation to encrypt a generated data key within a
1742
+ # region. To get data keys that are already encrypted, call the
1743
+ # GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. Data
1744
+ # keys don't need to be encrypted again by calling `Encrypt`.
1267
1745
  #
1268
- # Also, you don't need to use this operation to encrypt data in your
1269
- # application. You can use the plaintext and encrypted data keys that
1270
- # the `GenerateDataKey` operation returns.
1746
+ # To encrypt data locally in your application, use the GenerateDataKey
1747
+ # operation to return a plaintext data encryption key and a copy of the
1748
+ # key encrypted under the CMK of your choosing.
1271
1749
  #
1272
1750
  # The result of this operation varies with the key state of the CMK. For
1273
1751
  # details, see [How Key State Affects Use of a Customer Master Key][1]
1274
1752
  # in the *AWS Key Management Service Developer Guide*.
1275
1753
  #
1276
- # To perform this operation on a CMK in a different AWS account, specify
1277
- # the key ARN or alias ARN in the value of the KeyId parameter.
1278
- #
1279
1754
  #
1280
1755
  #
1281
1756
  # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
@@ -1285,7 +1760,7 @@ module Aws::KMS
1285
1760
  #
1286
1761
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1287
1762
  # name, or alias ARN. When using an alias name, prefix it with
1288
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1763
+ # "alias/". To specify a CMK in a different AWS account, you must use
1289
1764
  # the key ARN or alias ARN.
1290
1765
  #
1291
1766
  # For example:
@@ -1435,7 +1910,7 @@ module Aws::KMS
1435
1910
  #
1436
1911
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1437
1912
  # name, or alias ARN. When using an alias name, prefix it with
1438
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1913
+ # "alias/". To specify a CMK in a different AWS account, you must use
1439
1914
  # the key ARN or alias ARN.
1440
1915
  #
1441
1916
  # For example:
@@ -1552,8 +2027,8 @@ module Aws::KMS
1552
2027
  # then stores it in the container. Later, a different component of the
1553
2028
  # system, called the *data plane*, puts encrypted data into the
1554
2029
  # containers. To do this, it passes the encrypted data key to the
1555
- # Decrypt operation. It then uses the returned plaintext data key to
1556
- # encrypt data and finally stores the encrypted data in the container.
2030
+ # Decrypt operation, then uses the returned plaintext data key to
2031
+ # encrypt data, and finally stores the encrypted data in the container.
1557
2032
  # In this system, the control plane never sees the plaintext data key.
1558
2033
  #
1559
2034
  # The result of this operation varies with the key state of the CMK. For
@@ -1570,7 +2045,7 @@ module Aws::KMS
1570
2045
  #
1571
2046
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1572
2047
  # name, or alias ARN. When using an alias name, prefix it with
1573
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2048
+ # "alias/". To specify a CMK in a different AWS account, you must use
1574
2049
  # the key ARN or alias ARN.
1575
2050
  #
1576
2051
  # For example:
@@ -1669,16 +2144,31 @@ module Aws::KMS
1669
2144
 
1670
2145
  # Returns a random byte string that is cryptographically secure.
1671
2146
  #
2147
+ # By default, the random byte string is generated in AWS KMS. To
2148
+ # generate the byte string in the AWS CloudHSM cluster that is
2149
+ # associated with a [custom key store][1], specify the custom key store
2150
+ # ID.
2151
+ #
1672
2152
  # For more information about entropy and random number generation, see
1673
- # the [AWS Key Management Service Cryptographic Details][1] whitepaper.
2153
+ # the [AWS Key Management Service Cryptographic Details][2] whitepaper.
1674
2154
  #
1675
2155
  #
1676
2156
  #
1677
- # [1]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
2157
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2158
+ # [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
1678
2159
  #
1679
2160
  # @option params [Integer] :number_of_bytes
1680
2161
  # The length of the byte string.
1681
2162
  #
2163
+ # @option params [String] :custom_key_store_id
2164
+ # Generates the random byte string in the AWS CloudHSM cluster that is
2165
+ # associated with the specified [custom key store][1]. To find the ID of
2166
+ # a custom key store, use the DescribeCustomKeyStores operation.
2167
+ #
2168
+ #
2169
+ #
2170
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2171
+ #
1682
2172
  # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1683
2173
  #
1684
2174
  # * {Types::GenerateRandomResponse#plaintext #plaintext} => String
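Review bot: the new `:custom_key_store_id` option on generate_random says where the bytes are generated but not what happens when that key store is not `CONNECTED`. The disconnect docs above only say a disconnected store cannot create or use CMKs, and GenerateRandom uses no CMK, so the behaviour is left open. A sentence on the failure mode (error raised versus fallback to KMS-generated bytes) matters here: a caller that selects the CloudHSM path presumably does so for a compliance reason and would not want a silent fallback.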
@@ -1701,6 +2191,7 @@ module Aws::KMS
1701
2191
  #
1702
2192
  # resp = client.generate_random({
1703
2193
  # number_of_bytes: 1,
2194
+ # custom_key_store_id: "CustomKeyStoreIdType",
1704
2195
  # })
1705
2196
  #
1706
2197
  # @example Response structure
@@ -1898,9 +2389,10 @@ module Aws::KMS
1898
2389
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
1899
2390
  #
1900
2391
  # @option params [required, String] :wrapping_algorithm
1901
- # The algorithm you use to encrypt the key material before importing it
1902
- # with ImportKeyMaterial. For more information, see [Encrypt the Key
1903
- # Material][1] in the *AWS Key Management Service Developer Guide*.
2392
+ # The algorithm you will use to encrypt the key material before
2393
+ # importing it with ImportKeyMaterial. For more information, see
2394
+ # [Encrypt the Key Material][1] in the *AWS Key Management Service
2395
+ # Developer Guide*.
1904
2396
  #
1905
2397
  #
1906
2398
  #
@@ -1995,8 +2487,8 @@ module Aws::KMS
1995
2487
  # unusable. To use the CMK again, you must reimport the same key
1996
2488
  # material.
1997
2489
  #
1998
- # When this operation is successful, the CMK's key state changes from
1999
- # `PendingImport` to `Enabled`, and you can use the CMK. After you
2490
+ # When this operation is successful, the key state of the CMK changes
2491
+ # from `PendingImport` to `Enabled`, and you can use the CMK. After you
2000
2492
  # successfully import key material into a CMK, you can reimport the same
2001
2493
  # key material into that CMK, but you cannot import different key
2002
2494
  # material.
@@ -2082,25 +2574,19 @@ module Aws::KMS
2082
2574
  req.send_request(options)
2083
2575
  end
2084
2576
 
2085
- # Gets a list of aliases in the caller's AWS account and region. You
2086
- # cannot list aliases in other accounts. For more information about
2577
+ # Gets a list of all aliases in the caller's AWS account and region.
2578
+ # You cannot list aliases in other accounts. For more information about
2087
2579
  # aliases, see CreateAlias.
2088
2580
  #
2089
- # By default, the ListAliases command returns all aliases in the account
2090
- # and region. To get only the aliases that point to a particular
2581
+ # By default, the `ListAliases` command returns all aliases in the
2582
+ # account and region. To get only the aliases that point to a particular
2091
2583
  # customer master key (CMK), use the `KeyId` parameter.
2092
2584
  #
2093
- # The `ListAliases` response can include aliases that you created and
2094
- # associated with your customer managed CMKs, and aliases that AWS
2095
- # created and associated with AWS managed CMKs in your account. You can
2096
- # recognize AWS aliases because their names have the format
2097
- # `aws/<service-name>`, such as `aws/dynamodb`.
2098
- #
2099
- # The response might also include aliases that have no `TargetKeyId`
2100
- # field. These are predefined aliases that AWS has created but has not
2101
- # yet associated with a CMK. Aliases that AWS creates in your account,
2102
- # including predefined aliases, do not count against your [AWS KMS
2103
- # aliases limit][1].
2585
+ # The `ListAliases` response might include several aliases have no
2586
+ # `TargetKeyId` field. These are predefined aliases that AWS has created
2587
+ # but has not yet associated with a CMK. Aliases that AWS creates in
2588
+ # your account, including predefined aliases, do not count against your
2589
+ # [AWS KMS aliases limit][1].
2104
2590
  #
2105
2591
  #
2106
2592
  #
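Review bot: `several aliases have no `TargetKeyId` field` in the ListAliases description is missing "that" (`several aliases that have no ...`). The rewrite also removes the paragraph explaining that AWS-created aliases take the form `aws/<service-name>` (for example `aws/dynamodb`); that was the only hint in this docstring for distinguishing customer-created aliases from AWS-managed ones, which is exactly what an operator needs when auditing which aliases resolve to which CMKs, so consider keeping it.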
@@ -2771,11 +3257,10 @@ module Aws::KMS
2771
3257
  # principals. The principals in the key policy must exist and be
2772
3258
  # visible to AWS KMS. When you create a new AWS principal (for
2773
3259
  # example, an IAM user or role), you might need to enforce a delay
2774
- # before including the new principal in a key policy. The reason for
2775
- # this is that the new principal might not be immediately visible to
2776
- # AWS KMS. For more information, see [Changes that I make are not
2777
- # always immediately visible][2] in the *AWS Identity and Access
2778
- # Management User Guide*.
3260
+ # before including the new principal in a key policy because the new
3261
+ # principal might not be immediately visible to AWS KMS. For more
3262
+ # information, see [Changes that I make are not always immediately
3263
+ # visible][2] in the *AWS Identity and Access Management User Guide*.
2779
3264
  #
2780
3265
  # The key policy size limit is 32 kilobytes (32768 bytes).
2781
3266
  #
@@ -2848,7 +3333,7 @@ module Aws::KMS
2848
3333
  # destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
2849
3334
  # permission in your [key policies][1] to permit reencryption from or to
2850
3335
  # the CMK. This permission is automatically included in the key policy
2851
- # when you create a CMK through the console. But you must include it
3336
+ # when you create a CMK through the console, but you must include it
2852
3337
  # manually when you create a CMK programmatically or when you set a key
2853
3338
  # policy with the PutKeyPolicy operation.
2854
3339
  #
@@ -2873,7 +3358,7 @@ module Aws::KMS
2873
3358
  #
2874
3359
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2875
3360
  # name, or alias ARN. When using an alias name, prefix it with
2876
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3361
+ # "alias/". To specify a CMK in a different AWS account, you must use
2877
3362
  # the key ARN or alias ARN.
2878
3363
  #
2879
3364
  # For example:
@@ -3077,31 +3562,40 @@ module Aws::KMS
3077
3562
  # Schedules the deletion of a customer master key (CMK). You may provide
3078
3563
  # a waiting period, specified in days, before deletion occurs. If you do
3079
3564
  # not provide a waiting period, the default period of 30 days is used.
3080
- # When this operation is successful, the state of the CMK changes to
3565
+ # When this operation is successful, the key state of the CMK changes to
3081
3566
  # `PendingDeletion`. Before the waiting period ends, you can use
3082
3567
  # CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
3083
3568
  # period ends, AWS KMS deletes the CMK and all AWS KMS data associated
3084
3569
  # with it, including all aliases that refer to it.
3085
3570
  #
3086
- # You cannot perform this operation on a CMK in a different AWS account.
3087
- #
3088
3571
  # Deleting a CMK is a destructive and potentially dangerous operation.
3089
3572
  # When a CMK is deleted, all data that was encrypted under the CMK is
3090
- # rendered unrecoverable. To restrict the use of a CMK without deleting
3091
- # it, use DisableKey.
3573
+ # unrecoverable. To prevent the use of a CMK without deleting it, use
3574
+ # DisableKey.
3575
+ #
3576
+ # If you schedule deletion of a CMK from a [custom key store][1], when
3577
+ # the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
3578
+ # AWS KMS. Then AWS KMS makes a best effort to delete the key material
3579
+ # from the associated AWS CloudHSM cluster. However, you might need to
3580
+ # manually [delete the orphaned key material][2] from the cluster and
3581
+ # its backups.
3582
+ #
3583
+ # You cannot perform this operation on a CMK in a different AWS account.
3092
3584
  #
3093
3585
  # For more information about scheduling a CMK for deletion, see
3094
- # [Deleting Customer Master Keys][1] in the *AWS Key Management Service
3586
+ # [Deleting Customer Master Keys][3] in the *AWS Key Management Service
3095
3587
  # Developer Guide*.
3096
3588
  #
3097
3589
  # The result of this operation varies with the key state of the CMK. For
3098
- # details, see [How Key State Affects Use of a Customer Master Key][2]
3590
+ # details, see [How Key State Affects Use of a Customer Master Key][4]
3099
3591
  # in the *AWS Key Management Service Developer Guide*.
3100
3592
  #
3101
3593
  #
3102
3594
  #
3103
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
3104
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3595
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
3596
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
3597
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
3598
+ # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3105
3599
  #
3106
3600
  # @option params [required, String] :key_id
3107
3601
  # The unique identifier of the customer master key (CMK) to delete.
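Review bot: the new custom-key-store paragraph in schedule_key_deletion says AWS KMS only makes a best effort to delete key material from the CloudHSM cluster and that orphaned material may remain in the cluster and its backups. That qualifies the statement two paragraphs earlier that data encrypted under a deleted CMK is "unrecoverable", so it deserves a `<note markdown="1">` block like the one in disconnect_custom_key_store rather than plain text, and the "unrecoverable" sentence should say that the guarantee covers the AWS KMS side only, with the manual cleanup described in reference [2] needed for the HSM and its backups.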
@@ -3389,8 +3883,123 @@ module Aws::KMS
3389
3883
  req.send_request(options)
3390
3884
  end
3391
3885
 
3886
+ # Changes the properties of a custom key store. Use the
3887
+ # `CustomKeyStoreId` parameter to identify the custom key store you want
3888
+ # to edit. Use the remaining parameters to change the properties of the
3889
+ # custom key store.
3890
+ #
3891
+ # You can only update a custom key store that is disconnected. To
3892
+ # disconnect the custom key store, use DisconnectCustomKeyStore. To
3893
+ # reconnect the custom key store after the update completes, use
3894
+ # ConnectCustomKeyStore. To find the connection state of a custom key
3895
+ # store, use the DescribeCustomKeyStores operation.
3896
+ #
3897
+ # Use the `NewCustomKeyStoreName` parameter to change the friendly name
3898
+ # of the custom key store to the value that you specify.
3899
+ #
3900
+ # Use the `KeyStorePassword` parameter tell AWS KMS the current password
3901
+ # of the [ `kmsuser` crypto user (CU)][1] in the associated AWS CloudHSM
3902
+ # cluster. You can use this parameter to fix connection failures that
3903
+ # occur when AWS KMS cannot log into the associated cluster because the
3904
+ # `kmsuser` password has changed. This value does not change the
3905
+ # password in the AWS CloudHSM cluster.
3906
+ #
3907
+ # Use the `CloudHsmClusterId` parameter to associate the custom key
3908
+ # store with a related AWS CloudHSM cluster, that is, a cluster that
3909
+ # shares a backup history with the original cluster. You can use this
3910
+ # parameter to repair a custom key store if its AWS CloudHSM cluster
3911
+ # becomes corrupted or is deleted, or when you need to create or restore
3912
+ # a cluster from a backup.
3913
+ #
3914
+ # The cluster ID must identify a AWS CloudHSM cluster with the following
3915
+ # requirements.
3916
+ #
3917
+ # * The cluster must be active and be in the same AWS account and Region
3918
+ # as the custom key store.
3919
+ #
3920
+ # * The cluster must have the same cluster certificate as the original
3921
+ # cluster. You cannot use this parameter to associate the custom key
3922
+ # store with an unrelated cluster. To view the cluster certificate,
3923
+ # use the AWS CloudHSM [DescribeClusters][2] operation. Clusters that
3924
+ # share a backup history have the same cluster certificate.
3925
+ #
3926
+ # * The cluster must be configured with subnets in at least two
3927
+ # different Availability Zones in the Region. Because AWS CloudHSM is
3928
+ # not supported in all Availability Zones, we recommend that the
3929
+ # cluster have subnets in all Availability Zones in the Region.
3930
+ #
3931
+ # * The cluster must contain at least two active HSMs, each in a
3932
+ # different Availability Zone.
3933
+ #
3934
+ # If the operation succeeds, it returns a JSON object with no
3935
+ # properties.
3936
+ #
3937
+ # This operation is part of the [Custom Key Store feature][3] feature in
3938
+ # AWS KMS, which combines the convenience and extensive integration of
3939
+ # AWS KMS with the isolation and control of a single-tenant key store.
3940
+ #
3941
+ #
3942
+ #
3943
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
3944
+ # [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
3945
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3946
+ #
3947
+ # @option params [required, String] :custom_key_store_id
3948
+ # Identifies the custom key store that you want to update. Enter the ID
3949
+ # of the custom key store. To find the ID of a custom key store, use the
3950
+ # DescribeCustomKeyStores operation.
3951
+ #
3952
+ # @option params [String] :new_custom_key_store_name
3953
+ # Changes the friendly name of the custom key store to the value that
3954
+ # you specify. The custom key store name must be unique in the AWS
3955
+ # account.
3956
+ #
3957
+ # @option params [String] :key_store_password
3958
+ # Enter the current password of the `kmsuser` crypto user (CU) in the
3959
+ # AWS CloudHSM cluster that is associated with the custom key store.
3960
+ #
3961
+ # This parameter tells AWS KMS the current password of the `kmsuser`
3962
+ # crypto user (CU). It does not set or change the password of any users
3963
+ # in the AWS CloudHSM cluster.
3964
+ #
3965
+ # @option params [String] :cloud_hsm_cluster_id
3966
+ # Associates the custom key store with a related AWS CloudHSM cluster.
3967
+ #
3968
+ # Enter the cluster ID of the cluster that you used to create the custom
3969
+ # key store or a cluster that shares a backup history with the original
3970
+ # cluster. You cannot use this parameter to associate a custom key store
3971
+ # with a different cluster.
3972
+ #
3973
+ # Clusters that share a backup history have the same cluster
3974
+ # certificate. To view the cluster certificate of a cluster, use the
3975
+ # [DescribeClusters][1] operation.
3976
+ #
3977
+ #
3978
+ #
3979
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
3980
+ #
3981
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3982
+ #
3983
+ # @example Request syntax with placeholder values
3984
+ #
3985
+ # resp = client.update_custom_key_store({
3986
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
3987
+ # new_custom_key_store_name: "CustomKeyStoreNameType",
3988
+ # key_store_password: "KeyStorePasswordType",
3989
+ # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
3990
+ # })
3991
+ #
3992
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore AWS API Documentation
3993
+ #
3994
+ # @overload update_custom_key_store(params = {})
3995
+ # @param [Hash] params ({})
3996
+ def update_custom_key_store(params = {}, options = {})
3997
+ req = build_request(:update_custom_key_store, params)
3998
+ req.send_request(options)
3999
+ end
4000
+
3392
4001
  # Updates the description of a customer master key (CMK). To see the
3393
- # description of a CMK, use DescribeKey.
4002
+ # decription of a CMK, use DescribeKey.
3394
4003
  #
3395
4004
  # You cannot perform this operation on a CMK in a different AWS account.
3396
4005
  #
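Review bot: three wording defects in the update_custom_key_store docstring: `Use the `KeyStorePassword` parameter tell AWS KMS` is missing "to"; `identify a AWS CloudHSM cluster` should read `an AWS CloudHSM cluster`; and `[Custom Key Store feature][3] feature` repeats "feature". The same hunk also regresses the update_key_description docstring from `description of a CMK` to `decription of a CMK`, which looks like an accidental edit to an unrelated line and should be reverted. On substance, `:key_store_password` carries the `kmsuser` crypto-user credential as a plain request string; the option doc should flag it as sensitive (not to be logged or committed to configuration), and the cluster-requirements list could state which error the caller sees when the supplied `cloud_hsm_cluster_id` has a different cluster certificate, since the text currently says only that the association is not allowed.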
@@ -3460,7 +4069,7 @@ module Aws::KMS
3460
4069
  params: params,
3461
4070
  config: config)
3462
4071
  context[:gem_name] = 'aws-sdk-kms'
3463
- context[:gem_version] = '1.12.0'
4072
+ context[:gem_version] = '1.13.0'
3464
4073
  Seahorse::Client::Request.new(handlers, context)
3465
4074
  end
3466
4075