aws-sdk-kms 1.12.0 → 1.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +722 -113
- data/lib/aws-sdk-kms/client_api.rb +172 -0
- data/lib/aws-sdk-kms/types.rb +493 -48
- metadata +2 -2
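--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4bca783774aeca06b13277e56cd794df110f6d42
+data.tar.gz: 6140ef36b4f5ac42206aefe9f0370dbf512fcb59
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c14c7d97ee060bfa2b2f510f816b6728046fa56b881ed4e292859e5ee098c6412f48fdaf60e7ec415ef72c6cf94aebb02c95ba4e9e2f5f222123eaf25daa6ba9
+data.tar.gz: c8f68db24ec2731de7f7d9c3fc95a4d84ec5fa596809ef587c3726976481fa9689c484fa555a0ed888f31747d6b1e1074512aa7555da67068fb6a2d949c9d9e4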
data/lib/aws-sdk-kms.rb
CHANGED
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -285,9 +285,79 @@ module Aws::KMS
|
|
285
285
|
req.send_request(options)
|
286
286
|
end
|
287
287
|
|
288
|
-
#
|
289
|
-
#
|
290
|
-
#
|
288
|
+
# Connects or reconnects a [custom key store][1] to its associated AWS
|
289
|
+
# CloudHSM cluster.
|
290
|
+
#
|
291
|
+
# The custom key store must be connected before you can create customer
|
292
|
+
# master keys (CMKs) in the key store or use the CMKs it contains. You
|
293
|
+
# can disconnect and reconnect a custom key store at any time.
|
294
|
+
#
|
295
|
+
# To connect a custom key store, its associated AWS CloudHSM cluster
|
296
|
+
# must have at least one active HSM. To get the number of active HSMs in
|
297
|
+
# a cluster, use the [DescribeClusters][2] operation. To add HSMs to the
|
298
|
+
# cluster, use the [CreateHsm][3] operation.
|
299
|
+
#
|
300
|
+
# The connection process can take an extended amount of time to
|
301
|
+
# complete; up to 20 minutes. This operation starts the connection
|
302
|
+
# process, but it does not wait for it to complete. When it succeeds,
|
303
|
+
# this operation quickly returns an HTTP 200 response and a JSON object
|
304
|
+
# with no properties. However, this response does not indicate that the
|
305
|
+
# custom key store is connected. To get the connection state of the
|
306
|
+
# custom key store, use the DescribeCustomKeyStores operation.
|
307
|
+
#
|
308
|
+
# During the connection process, AWS KMS finds the AWS CloudHSM cluster
|
309
|
+
# that is associated with the custom key store, creates the connection
|
310
|
+
# infrastructure, connects to the cluster, logs into the AWS CloudHSM
|
311
|
+
# client as the [ `kmsuser` crypto user][4] (CU), and rotates its
|
312
|
+
# password.
|
313
|
+
#
|
314
|
+
# The `ConnectCustomKeyStore` operation might fail for various reasons.
|
315
|
+
# To find the reason, use the DescribeCustomKeyStores operation and see
|
316
|
+
# the `ConnectionErrorCode` in the response. For help interpreting the
|
317
|
+
# `ConnectionErrorCode`, see CustomKeyStoresListEntry.
|
318
|
+
#
|
319
|
+
# To fix the failure, use the DisconnectCustomKeyStore operation to
|
320
|
+
# disconnect the custom key store, correct the error, use the
|
321
|
+
# UpdateCustomKeyStore operation if necessary, and then use
|
322
|
+
# `ConnectCustomKeyStore` again.
|
323
|
+
#
|
324
|
+
# If you are having trouble connecting or disconnecting a custom key
|
325
|
+
# store, see [Troubleshooting a Custom Key Store][5] in the *AWS Key
|
326
|
+
# Management Service Developer Guide*.
|
327
|
+
#
|
328
|
+
#
|
329
|
+
#
|
330
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
331
|
+
# [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters
|
332
|
+
# [3]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm
|
333
|
+
# [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
334
|
+
# [5]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
335
|
+
#
|
336
|
+
# @option params [required, String] :custom_key_store_id
|
337
|
+
# Enter the key store ID of the custom key store that you want to
|
338
|
+
# connect. To find the ID of a custom key store, use the
|
339
|
+
# DescribeCustomKeyStores operation.
|
340
|
+
#
|
341
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
342
|
+
#
|
343
|
+
# @example Request syntax with placeholder values
|
344
|
+
#
|
345
|
+
# resp = client.connect_custom_key_store({
|
346
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
347
|
+
# })
|
348
|
+
#
|
349
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore AWS API Documentation
|
350
|
+
#
|
351
|
+
# @overload connect_custom_key_store(params = {})
|
352
|
+
# @param [Hash] params ({})
|
353
|
+
def connect_custom_key_store(params = {}, options = {})
|
354
|
+
req = build_request(:connect_custom_key_store, params)
|
355
|
+
req.send_request(options)
|
356
|
+
end
|
357
|
+
|
358
|
+
# Creates a display name for a customer master key (CMK). You can use an
|
359
|
+
# alias to identify a CMK in selected operations, such as Encrypt and
|
360
|
+
# GenerateDataKey.
|
291
361
|
#
|
292
362
|
# Each CMK can have multiple aliases, but each alias points to only one
|
293
363
|
# CMK. The alias name must be unique in the AWS account and region. To
|
@@ -299,10 +369,11 @@ module Aws::KMS
|
|
299
369
|
# appear in the response from the DescribeKey operation. To get the
|
300
370
|
# aliases of all CMKs, use the ListAliases operation.
|
301
371
|
#
|
302
|
-
#
|
303
|
-
#
|
304
|
-
#
|
305
|
-
#
|
372
|
+
# An alias must start with the word `alias` followed by a forward slash
|
373
|
+
# (`alias/`). The alias name can contain only alphanumeric characters,
|
374
|
+
# forward slashes (/), underscores (\_), and dashes (-). Alias names
|
375
|
+
# cannot begin with `aws`; that alias name prefix is reserved by Amazon
|
376
|
+
# Web Services (AWS).
|
306
377
|
#
|
307
378
|
# The alias and the CMK it is mapped to must be in the same AWS account
|
308
379
|
# and the same region. You cannot perform this operation on an alias in
|
@@ -319,10 +390,9 @@ module Aws::KMS
|
|
319
390
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
320
391
|
#
|
321
392
|
# @option params [required, String] :alias_name
|
322
|
-
#
|
323
|
-
#
|
324
|
-
# begin with
|
325
|
-
# CMKs.
|
393
|
+
# String that contains the display name. The name must start with the
|
394
|
+
# word "alias" followed by a forward slash (alias/). Aliases that
|
395
|
+
# begin with "alias/AWS" are reserved.
|
326
396
|
#
|
327
397
|
# @option params [required, String] :target_key_id
|
328
398
|
# Identifies the CMK for which you are creating the alias. This value
|
@@ -367,6 +437,147 @@ module Aws::KMS
|
|
367
437
|
req.send_request(options)
|
368
438
|
end
|
369
439
|
|
440
|
+
# Creates a [custom key store][1] that is associated with an [AWS
|
441
|
+
# CloudHSM cluster][2] that you own and manage.
|
442
|
+
#
|
443
|
+
# This operation is part of the [Custom Key Store feature][3] feature in
|
444
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
445
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
446
|
+
#
|
447
|
+
# When the operation completes successfully, it returns the ID of the
|
448
|
+
# new custom key store. Before you can use your new custom key store,
|
449
|
+
# you need to use the ConnectCustomKeyStore operation to connect the new
|
450
|
+
# key store to its AWS CloudHSM cluster.
|
451
|
+
#
|
452
|
+
# The `CreateCustomKeyStore` operation requires the following elements.
|
453
|
+
#
|
454
|
+
# * You must specify an active AWS CloudHSM cluster in the same account
|
455
|
+
# and AWS Region as the custom key store. You can use an existing
|
456
|
+
# cluster or [create and activate a new AWS CloudHSM cluster][4] for
|
457
|
+
# the key store. AWS KMS does not require exclusive use of the
|
458
|
+
# cluster.
|
459
|
+
#
|
460
|
+
# * You must include the content of the *trust anchor certificate* for
|
461
|
+
# the cluster. You created this certificate, and saved it in the
|
462
|
+
# `customerCA.crt` file, when you [initialized the cluster][5].
|
463
|
+
#
|
464
|
+
# * You must provide the password of the dedicated [ `kmsuser` crypto
|
465
|
+
# user][6] (CU) account in the cluster.
|
466
|
+
#
|
467
|
+
# Before you create the custom key store, use the [createUser][7]
|
468
|
+
# command in `cloudhsm_mgmt_util` to create [a crypto user (CU) named
|
469
|
+
# `kmsuser` ][6]in specified AWS CloudHSM cluster. AWS KMS uses the
|
470
|
+
# `kmsuser` CU account to create and manage key material on your
|
471
|
+
# behalf. For instructions, see [Create the kmsuser Crypto User][8] in
|
472
|
+
# the *AWS Key Management Service Developer Guide*.
|
473
|
+
#
|
474
|
+
# The AWS CloudHSM cluster that you specify must meet the following
|
475
|
+
# requirements.
|
476
|
+
#
|
477
|
+
# * The cluster must be active and be in the same AWS account and Region
|
478
|
+
# as the custom key store.
|
479
|
+
#
|
480
|
+
# * Each custom key store must be associated with a different AWS
|
481
|
+
# CloudHSM cluster. The cluster cannot be associated with another
|
482
|
+
# custom key store or have the same cluster certificate as a cluster
|
483
|
+
# that is associated with another custom key store. To view the
|
484
|
+
# cluster certificate, use the AWS CloudHSM [DescribeClusters][9]
|
485
|
+
# operation. Clusters that share a backup history have the same
|
486
|
+
# cluster certificate.
|
487
|
+
#
|
488
|
+
# * The cluster must be configured with subnets in at least two
|
489
|
+
# different Availability Zones in the Region. Because AWS CloudHSM is
|
490
|
+
# not supported in all Availability Zones, we recommend that the
|
491
|
+
# cluster have subnets in all Availability Zones in the Region.
|
492
|
+
#
|
493
|
+
# * The cluster must contain at least two active HSMs, each in a
|
494
|
+
# different Availability Zone.
|
495
|
+
#
|
496
|
+
# New custom key stores are not automatically connected. After you
|
497
|
+
# create your custom key store, use the ConnectCustomKeyStore operation
|
498
|
+
# to connect the custom key store to its associated AWS CloudHSM
|
499
|
+
# cluster. Even if you are not going to use your custom key store
|
500
|
+
# immediately, you might want to connect it to verify that all settings
|
501
|
+
# are correct and then disconnect it until you are ready to use it.
|
502
|
+
#
|
503
|
+
# If this operation succeeds, it returns the ID of the new custom key
|
504
|
+
# store. For help with failures, see [Troubleshoot a Custom Key
|
505
|
+
# Store][10] in the *AWS KMS Developer Guide*.
|
506
|
+
#
|
507
|
+
#
|
508
|
+
#
|
509
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
510
|
+
# [2]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
|
511
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
512
|
+
# [4]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html
|
513
|
+
# [5]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
|
514
|
+
# [6]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
515
|
+
# [7]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-createUser.html
|
516
|
+
# [8]: http://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
517
|
+
# [9]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
518
|
+
# [10]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
519
|
+
#
|
520
|
+
# @option params [required, String] :custom_key_store_name
|
521
|
+
# Specifies a friendly name for the custom key store. The name must be
|
522
|
+
# unique in your AWS account.
|
523
|
+
#
|
524
|
+
# @option params [required, String] :cloud_hsm_cluster_id
|
525
|
+
# Identifies the AWS CloudHSM cluster for the custom key store. Enter
|
526
|
+
# the cluster ID of any active AWS CloudHSM cluster that is not already
|
527
|
+
# associated with a custom key store. To find the cluster ID, use the
|
528
|
+
# [DescribeClusters][1] operation.
|
529
|
+
#
|
530
|
+
#
|
531
|
+
#
|
532
|
+
# [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
533
|
+
#
|
534
|
+
# @option params [required, String] :trust_anchor_certificate
|
535
|
+
# Enter the content of the trust anchor certificate for the cluster.
|
536
|
+
# This is the content of the `customerCA.crt` file that you created when
|
537
|
+
# you [initialized the cluster][1].
|
538
|
+
#
|
539
|
+
#
|
540
|
+
#
|
541
|
+
# [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
|
542
|
+
#
|
543
|
+
# @option params [required, String] :key_store_password
|
544
|
+
# Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
|
545
|
+
# the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as
|
546
|
+
# this user to manage key material on your behalf.
|
547
|
+
#
|
548
|
+
# This parameter tells AWS KMS the `kmsuser` account password; it does
|
549
|
+
# not change the password in the AWS CloudHSM cluster.
|
550
|
+
#
|
551
|
+
#
|
552
|
+
#
|
553
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
554
|
+
#
|
555
|
+
# @return [Types::CreateCustomKeyStoreResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
556
|
+
#
|
557
|
+
# * {Types::CreateCustomKeyStoreResponse#custom_key_store_id #custom_key_store_id} => String
|
558
|
+
#
|
559
|
+
# @example Request syntax with placeholder values
|
560
|
+
#
|
561
|
+
# resp = client.create_custom_key_store({
|
562
|
+
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
563
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
|
564
|
+
# trust_anchor_certificate: "TrustAnchorCertificateType", # required
|
565
|
+
# key_store_password: "KeyStorePasswordType", # required
|
566
|
+
# })
|
567
|
+
#
|
568
|
+
# @example Response structure
|
569
|
+
#
|
570
|
+
# resp.custom_key_store_id #=> String
|
571
|
+
#
|
572
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore AWS API Documentation
|
573
|
+
#
|
574
|
+
# @overload create_custom_key_store(params = {})
|
575
|
+
# @param [Hash] params ({})
|
576
|
+
def create_custom_key_store(params = {}, options = {})
|
577
|
+
req = build_request(:create_custom_key_store, params)
|
578
|
+
req.send_request(options)
|
579
|
+
end
|
580
|
+
|
370
581
|
# Adds a grant to a customer master key (CMK). The grant specifies who
|
371
582
|
# can use the CMK and under what conditions. When setting permissions,
|
372
583
|
# grants are an alternative to key policies.
|
@@ -458,8 +669,7 @@ module Aws::KMS
|
|
458
669
|
#
|
459
670
|
# @option params [String] :name
|
460
671
|
# A friendly name for identifying the grant. Use this value to prevent
|
461
|
-
#
|
462
|
-
# request.
|
672
|
+
# unintended creation of duplicate grants when retrying this request.
|
463
673
|
#
|
464
674
|
# When this value is absent, all `CreateGrant` requests result in a new
|
465
675
|
# grant with a unique `GrantId` even if all the supplied parameters are
|
@@ -535,22 +745,33 @@ module Aws::KMS
|
|
535
745
|
# Creates a customer master key (CMK) in the caller's AWS account.
|
536
746
|
#
|
537
747
|
# You can use a CMK to encrypt small amounts of data (4 KiB or less)
|
538
|
-
# directly
|
539
|
-
#
|
540
|
-
#
|
541
|
-
# following:
|
748
|
+
# directly, but CMKs are more commonly used to encrypt data keys, which
|
749
|
+
# are used to encrypt raw data. For more information about data keys and
|
750
|
+
# the difference between CMKs and data keys, see the following:
|
542
751
|
#
|
543
752
|
# * The GenerateDataKey operation
|
544
753
|
#
|
545
754
|
# * [AWS Key Management Service Concepts][1] in the *AWS Key Management
|
546
755
|
# Service Developer Guide*
|
547
756
|
#
|
757
|
+
# If you plan to [import key material][2], use the `Origin` parameter
|
758
|
+
# with a value of `EXTERNAL` to create a CMK with no key material.
|
759
|
+
#
|
760
|
+
# To create a CMK in a [custom key store][3], use `CustomKeyStoreId`
|
761
|
+
# parameter to specify the custom key store. You must also use the
|
762
|
+
# `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
|
763
|
+
# cluster that is associated with the custom key store must have at
|
764
|
+
# least two active HSMs, each in a different Availability Zone in the
|
765
|
+
# Region.
|
766
|
+
#
|
548
767
|
# You cannot use this operation to create a CMK in a different AWS
|
549
768
|
# account.
|
550
769
|
#
|
551
770
|
#
|
552
771
|
#
|
553
772
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
|
773
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
774
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
554
775
|
#
|
555
776
|
# @option params [String] :policy
|
556
777
|
# The key policy to attach to the CMK.
|
@@ -568,11 +789,10 @@ module Aws::KMS
|
|
568
789
|
# principals. The principals in the key policy must exist and be
|
569
790
|
# visible to AWS KMS. When you create a new AWS principal (for
|
570
791
|
# example, an IAM user or role), you might need to enforce a delay
|
571
|
-
# before including the new principal in a key policy
|
572
|
-
#
|
573
|
-
#
|
574
|
-
#
|
575
|
-
# Management User Guide*.
|
792
|
+
# before including the new principal in a key policy because the new
|
793
|
+
# principal might not be immediately visible to AWS KMS. For more
|
794
|
+
# information, see [Changes that I make are not always immediately
|
795
|
+
# visible][2] in the *AWS Identity and Access Management User Guide*.
|
576
796
|
#
|
577
797
|
# If you do not provide a key policy, AWS KMS attaches a default key
|
578
798
|
# policy to the CMK. For more information, see [Default Key Policy][3]
|
@@ -598,20 +818,50 @@ module Aws::KMS
|
|
598
818
|
# You can use CMKs only for symmetric encryption and decryption.
|
599
819
|
#
|
600
820
|
# @option params [String] :origin
|
601
|
-
# The source of the CMK's key material.
|
821
|
+
# The source of the CMK's key material. You cannot change the origin
|
822
|
+
# after you create the CMK.
|
823
|
+
#
|
824
|
+
# The default is `AWS_KMS`, which means AWS KMS creates the key material
|
825
|
+
# in its own key store.
|
602
826
|
#
|
603
|
-
#
|
604
|
-
# material
|
605
|
-
#
|
606
|
-
#
|
607
|
-
#
|
608
|
-
# Material][1] in the *AWS Key Management Service Developer Guide*.
|
827
|
+
# When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
|
828
|
+
# key material so that you can import key material from your existing
|
829
|
+
# key management infrastructure. For more information about importing
|
830
|
+
# key material into AWS KMS, see [Importing Key Material][1] in the *AWS
|
831
|
+
# Key Management Service Developer Guide*.
|
609
832
|
#
|
610
|
-
#
|
833
|
+
# When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
|
834
|
+
# a AWS KMS [custom key store][2] and creates its key material in the
|
835
|
+
# associated AWS CloudHSM cluster. You must also use the
|
836
|
+
# `CustomKeyStoreId` parameter to identify the custom key store.
|
611
837
|
#
|
612
838
|
#
|
613
839
|
#
|
614
840
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
841
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
842
|
+
#
|
843
|
+
# @option params [String] :custom_key_store_id
|
844
|
+
# Creates the CMK in the specified [custom key store][1] and the key
|
845
|
+
# material in its associated AWS CloudHSM cluster. To create a CMK in a
|
846
|
+
# custom key store, you must also specify the `Origin` parameter with a
|
847
|
+
# value of `AWS_CLOUDHSM`. The AWS CloudHSM cluster that is associated
|
848
|
+
# with the custom key store must have at least two active HSMs, each in
|
849
|
+
# a different Availability Zone in the Region.
|
850
|
+
#
|
851
|
+
# To find the ID of a custom key store, use the DescribeCustomKeyStores
|
852
|
+
# operation.
|
853
|
+
#
|
854
|
+
# The response includes the custom key store ID and the ID of the AWS
|
855
|
+
# CloudHSM cluster.
|
856
|
+
#
|
857
|
+
# This operation is part of the [Custom Key Store feature][2] feature in
|
858
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
859
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
860
|
+
#
|
861
|
+
#
|
862
|
+
#
|
863
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
864
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
615
865
|
#
|
616
866
|
# @option params [Boolean] :bypass_policy_lockout_safety_check
|
617
867
|
# A flag to indicate whether to bypass the key policy lockout safety
|
@@ -683,7 +933,8 @@ module Aws::KMS
|
|
683
933
|
# policy: "PolicyType",
|
684
934
|
# description: "DescriptionType",
|
685
935
|
# key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
|
686
|
-
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
|
936
|
+
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
937
|
+
# custom_key_store_id: "CustomKeyStoreIdType",
|
687
938
|
# bypass_policy_lockout_safety_check: false,
|
688
939
|
# tags: [
|
689
940
|
# {
|
@@ -702,10 +953,12 @@ module Aws::KMS
|
|
702
953
|
# resp.key_metadata.enabled #=> Boolean
|
703
954
|
# resp.key_metadata.description #=> String
|
704
955
|
# resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
|
705
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
|
956
|
+
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
706
957
|
# resp.key_metadata.deletion_date #=> Time
|
707
958
|
# resp.key_metadata.valid_to #=> Time
|
708
|
-
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
|
959
|
+
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
960
|
+
# resp.key_metadata.custom_key_store_id #=> String
|
961
|
+
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
709
962
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
710
963
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
711
964
|
#
|
@@ -727,14 +980,15 @@ module Aws::KMS
|
|
727
980
|
#
|
728
981
|
# * Encrypt
|
729
982
|
#
|
730
|
-
#
|
731
|
-
#
|
732
|
-
#
|
733
|
-
#
|
734
|
-
#
|
735
|
-
#
|
736
|
-
#
|
737
|
-
#
|
983
|
+
# Note that if a caller has been granted access permissions to all keys
|
984
|
+
# (through, for example, IAM user policies that grant `Decrypt`
|
985
|
+
# permission on all resources), then ciphertext encrypted by using keys
|
986
|
+
# in other accounts where the key grants access to the caller can be
|
987
|
+
# decrypted. To remedy this, we recommend that you do not grant
|
988
|
+
# `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
|
989
|
+
# only in key policies. If you must grant `Decrypt` access in an IAM
|
990
|
+
# user policy, you should scope the resource to specific keys or to
|
991
|
+
# specific trusted accounts.
|
738
992
|
#
|
739
993
|
# The result of this operation varies with the key state of the CMK. For
|
740
994
|
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
@@ -854,6 +1108,66 @@ module Aws::KMS
|
|
854
1108
|
req.send_request(options)
|
855
1109
|
end
|
856
1110
|
|
1111
|
+
# Deletes a [custom key store][1]. This operation does not delete the
|
1112
|
+
# AWS CloudHSM cluster that is associated with the custom key store, or
|
1113
|
+
# affect any users or keys in the cluster.
|
1114
|
+
#
|
1115
|
+
# The custom key store that you delete cannot contain any AWS KMS
|
1116
|
+
# [customer master keys (CMKs)][2]. Before deleting the key store,
|
1117
|
+
# verify that you will never need to use any of the CMKs in the key
|
1118
|
+
# store for any cryptographic operations. Then, use ScheduleKeyDeletion
|
1119
|
+
# to delete the AWS KMS customer master keys (CMKs) from the key store.
|
1120
|
+
# When the scheduled waiting period expires, the `ScheduleKeyDeletion`
|
1121
|
+
# operation deletes the CMKs. Then it makes a best effort to delete the
|
1122
|
+
# key material from the associated cluster. However, you might need to
|
1123
|
+
# manually [delete the orphaned key material][3] from the cluster and
|
1124
|
+
# its backups.
|
1125
|
+
#
|
1126
|
+
# After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
|
1127
|
+
# to disconnect the key store from AWS KMS. Then, you can delete the
|
1128
|
+
# custom key store.
|
1129
|
+
#
|
1130
|
+
# Instead of deleting the custom key store, consider using
|
1131
|
+
# DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key
|
1132
|
+
# store is disconnected, you cannot create or use the CMKs in the key
|
1133
|
+
# store. But, you do not need to delete CMKs and you can reconnect a
|
1134
|
+
# disconnected custom key store at any time.
|
1135
|
+
#
|
1136
|
+
# If the operation succeeds, it returns a JSON object with no
|
1137
|
+
# properties.
|
1138
|
+
#
|
1139
|
+
# This operation is part of the [Custom Key Store feature][4] feature in
|
1140
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
1141
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
1142
|
+
#
|
1143
|
+
#
|
1144
|
+
#
|
1145
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1146
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1147
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1148
|
+
# [4]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1149
|
+
#
|
1150
|
+
# @option params [required, String] :custom_key_store_id
|
1151
|
+
# Enter the ID of the custom key store you want to delete. To find the
|
1152
|
+
# ID of a custom key store, use the DescribeCustomKeyStores operation.
|
1153
|
+
#
|
1154
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1155
|
+
#
|
1156
|
+
# @example Request syntax with placeholder values
|
1157
|
+
#
|
1158
|
+
# resp = client.delete_custom_key_store({
|
1159
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
1160
|
+
# })
|
1161
|
+
#
|
1162
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore AWS API Documentation
|
1163
|
+
#
|
1164
|
+
# @overload delete_custom_key_store(params = {})
|
1165
|
+
# @param [Hash] params ({})
|
1166
|
+
def delete_custom_key_store(params = {}, options = {})
|
1167
|
+
req = build_request(:delete_custom_key_store, params)
|
1168
|
+
req.send_request(options)
|
1169
|
+
end
|
1170
|
+
|
857
1171
|
# Deletes key material that you previously imported. This operation
|
858
1172
|
# makes the specified customer master key (CMK) unusable. For more
|
859
1173
|
# information about importing key material into AWS KMS, see [Importing
|
@@ -917,13 +1231,113 @@ module Aws::KMS
|
|
917
1231
|
req.send_request(options)
|
918
1232
|
end
|
919
1233
|
|
1234
|
+
# Gets information about [custom key stores][1] in the account and
|
1235
|
+
# region.
|
1236
|
+
#
|
1237
|
+
# This operation is part of the [Custom Key Store feature][2] feature in
|
1238
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
1239
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
1240
|
+
#
|
1241
|
+
# By default, this operation returns information about all custom key
|
1242
|
+
# stores in the account and region. To get only information about a
|
1243
|
+
# particular custom key store, use either the `CustomKeyStoreName` or
|
1244
|
+
# `CustomKeyStoreId` parameter (but not both).
|
1245
|
+
#
|
1246
|
+
# To determine whether the custom key store is connected to its AWS
|
1247
|
+
# CloudHSM cluster, use the `ConnectionState` element in the response.
|
1248
|
+
# If an attempt to connect the custom key store failed, the
|
1249
|
+
# `ConnectionState` value is `FAILED` and the `ConnectionErrorCode`
|
1250
|
+
# element in the response indicates the cause of the failure. For help
|
1251
|
+
# interpreting the `ConnectionErrorCode`, see CustomKeyStoresListEntry.
|
1252
|
+
#
|
1253
|
+
# Custom key stores have a `DISCONNECTED` connection state if the key
|
1254
|
+
# store has never been connected or you use the DisconnectCustomKeyStore
|
1255
|
+
# operation to disconnect it. If your custom key store state is
|
1256
|
+
# `CONNECTED` but you are having trouble using it, make sure that its
|
1257
|
+
# associated AWS CloudHSM cluster is active and contains the minimum
|
1258
|
+
# number of HSMs required for the operation, if any.
|
1259
|
+
#
|
1260
|
+
# For help repairing your custom key store, see the [Troubleshooting
|
1261
|
+
# Custom Key Stores][3] topic in the *AWS Key Management Service
|
1262
|
+
# Developer Guide*.
|
1263
|
+
#
|
1264
|
+
#
|
1265
|
+
#
|
1266
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1267
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1268
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html
|
1269
|
+
#
|
1270
|
+
# @option params [String] :custom_key_store_id
|
1271
|
+
# Gets only information about the specified custom key store. Enter the
|
1272
|
+
# key store ID.
|
1273
|
+
#
|
1274
|
+
# By default, this operation gets information about all custom key
|
1275
|
+
# stores in the account and region. To limit the output to a particular
|
1276
|
+
# custom key store, you can use either the `CustomKeyStoreId` or
|
1277
|
+
# `CustomKeyStoreName` parameter, but not both.
|
1278
|
+
#
|
1279
|
+
# @option params [String] :custom_key_store_name
|
1280
|
+
# Gets only information about the specified custom key store. Enter the
|
1281
|
+
# friendly name of the custom key store.
|
1282
|
+
#
|
1283
|
+
# By default, this operation gets information about all custom key
|
1284
|
+
# stores in the account and region. To limit the output to a particular
|
1285
|
+
# custom key store, you can use either the `CustomKeyStoreId` or
|
1286
|
+
# `CustomKeyStoreName` parameter, but not both.
|
1287
|
+
#
|
1288
|
+
# @option params [Integer] :limit
|
1289
|
+
# Use this parameter to specify the maximum number of items to return.
|
1290
|
+
# When this value is present, AWS KMS does not return more than the
|
1291
|
+
# specified number of items, but it might return fewer.
|
1292
|
+
#
|
1293
|
+
# @option params [String] :marker
|
1294
|
+
# Use this parameter in a subsequent request after you receive a
|
1295
|
+
# response with truncated results. Set it to the value of `NextMarker`
|
1296
|
+
# from the truncated response you just received.
|
1297
|
+
#
|
1298
|
+
# @return [Types::DescribeCustomKeyStoresResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1299
|
+
#
|
1300
|
+
# * {Types::DescribeCustomKeyStoresResponse#custom_key_stores #custom_key_stores} => Array<Types::CustomKeyStoresListEntry>
|
1301
|
+
# * {Types::DescribeCustomKeyStoresResponse#next_marker #next_marker} => String
|
1302
|
+
# * {Types::DescribeCustomKeyStoresResponse#truncated #truncated} => Boolean
|
1303
|
+
#
|
1304
|
+
# @example Request syntax with placeholder values
|
1305
|
+
#
|
1306
|
+
# resp = client.describe_custom_key_stores({
|
1307
|
+
# custom_key_store_id: "CustomKeyStoreIdType",
|
1308
|
+
# custom_key_store_name: "CustomKeyStoreNameType",
|
1309
|
+
# limit: 1,
|
1310
|
+
# marker: "MarkerType",
|
1311
|
+
# })
|
1312
|
+
#
|
1313
|
+
# @example Response structure
|
1314
|
+
#
|
1315
|
+
# resp.custom_key_stores #=> Array
|
1316
|
+
# resp.custom_key_stores[0].custom_key_store_id #=> String
|
1317
|
+
# resp.custom_key_stores[0].custom_key_store_name #=> String
|
1318
|
+
# resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
|
1319
|
+
# resp.custom_key_stores[0].trust_anchor_certificate #=> String
|
1320
|
+
# resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
|
1321
|
+
# resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
|
1322
|
+
# resp.custom_key_stores[0].creation_date #=> Time
|
1323
|
+
# resp.next_marker #=> String
|
1324
|
+
# resp.truncated #=> Boolean
|
1325
|
+
#
|
1326
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores AWS API Documentation
|
1327
|
+
#
|
1328
|
+
# @overload describe_custom_key_stores(params = {})
|
1329
|
+
# @param [Hash] params ({})
|
1330
|
+
def describe_custom_key_stores(params = {}, options = {})
|
1331
|
+
req = build_request(:describe_custom_key_stores, params)
|
1332
|
+
req.send_request(options)
|
1333
|
+
end
|
1334
|
+
|
920
1335
|
# Provides detailed information about the specified customer master key
|
921
1336
|
# (CMK).
|
922
1337
|
#
|
923
|
-
#
|
924
|
-
# alias with no key ID
|
925
|
-
#
|
926
|
-
# response.
|
1338
|
+
# If you use `DescribeKey` on a predefined AWS alias, that is, an AWS
|
1339
|
+
# alias with no key ID, AWS KMS associates the alias with an [AWS
|
1340
|
+
# managed CMK][1] and returns its `KeyId` and `Arn` in the response.
|
927
1341
|
#
|
928
1342
|
# To perform this operation on a CMK in a different AWS account, specify
|
929
1343
|
# the key ARN or alias ARN in the value of the KeyId parameter.
|
@@ -941,7 +1355,7 @@ module Aws::KMS
|
|
941
1355
|
#
|
942
1356
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
943
1357
|
# name, or alias ARN. When using an alias name, prefix it with
|
944
|
-
#
|
1358
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
945
1359
|
# the key ARN or alias ARN.
|
946
1360
|
#
|
947
1361
|
# For example:
|
@@ -1017,10 +1431,12 @@ module Aws::KMS
|
|
1017
1431
|
# resp.key_metadata.enabled #=> Boolean
|
1018
1432
|
# resp.key_metadata.description #=> String
|
1019
1433
|
# resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
|
1020
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
|
1434
|
+
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
1021
1435
|
# resp.key_metadata.deletion_date #=> Time
|
1022
1436
|
# resp.key_metadata.valid_to #=> Time
|
1023
|
-
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
|
1437
|
+
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
1438
|
+
# resp.key_metadata.custom_key_store_id #=> String
|
1439
|
+
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
1024
1440
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
1025
1441
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
1026
1442
|
#
|
@@ -1142,9 +1558,62 @@ module Aws::KMS
|
|
1142
1558
|
req.send_request(options)
|
1143
1559
|
end
|
1144
1560
|
|
1145
|
-
#
|
1146
|
-
#
|
1147
|
-
#
|
1561
|
+
# Disconnects the [custom key store][1] from its associated AWS CloudHSM
|
1562
|
+
# cluster. While a custom key store is disconnected, you can manage the
|
1563
|
+
# custom key store and its customer master keys (CMKs), but you cannot
|
1564
|
+
# create or use CMKs in the custom key store. You can reconnect the
|
1565
|
+
# custom key store at any time.
|
1566
|
+
#
|
1567
|
+
# <note markdown="1"> While a custom key store is disconnected, all attempts to create
|
1568
|
+
# customer master keys (CMKs) in the custom key store or to use existing
|
1569
|
+
# CMKs in cryptographic operations will fail. This action can prevent
|
1570
|
+
# users from storing and accessing sensitive data.
|
1571
|
+
#
|
1572
|
+
# </note>
|
1573
|
+
#
|
1574
|
+
#
|
1575
|
+
#
|
1576
|
+
# To find the connection state of a custom key store, use the
|
1577
|
+
# DescribeCustomKeyStores operation. To reconnect a custom key store,
|
1578
|
+
# use the ConnectCustomKeyStore operation.
|
1579
|
+
#
|
1580
|
+
# If the operation succeeds, it returns a JSON object with no
|
1581
|
+
# properties.
|
1582
|
+
#
|
1583
|
+
# This operation is part of the [Custom Key Store feature][2] feature in
|
1584
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
1585
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
1586
|
+
#
|
1587
|
+
#
|
1588
|
+
#
|
1589
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1590
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1591
|
+
#
|
1592
|
+
# @option params [required, String] :custom_key_store_id
|
1593
|
+
# Enter the ID of the custom key store you want to disconnect. To find
|
1594
|
+
# the ID of a custom key store, use the DescribeCustomKeyStores
|
1595
|
+
# operation.
|
1596
|
+
#
|
1597
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1598
|
+
#
|
1599
|
+
# @example Request syntax with placeholder values
|
1600
|
+
#
|
1601
|
+
# resp = client.disconnect_custom_key_store({
|
1602
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
1603
|
+
# })
|
1604
|
+
#
|
1605
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore AWS API Documentation
|
1606
|
+
#
|
1607
|
+
# @overload disconnect_custom_key_store(params = {})
|
1608
|
+
# @param [Hash] params ({})
|
1609
|
+
def disconnect_custom_key_store(params = {}, options = {})
|
1610
|
+
req = build_request(:disconnect_custom_key_store, params)
|
1611
|
+
req.send_request(options)
|
1612
|
+
end
|
1613
|
+
|
1614
|
+
# Sets the key state of a customer master key (CMK) to enabled. This
|
1615
|
+
# allows you to use the CMK for cryptographic operations. You cannot
|
1616
|
+
# perform this operation on a CMK in a different AWS account.
|
1148
1617
|
#
|
1149
1618
|
# The result of this operation varies with the key state of the CMK. For
|
1150
1619
|
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
@@ -1198,14 +1667,18 @@ module Aws::KMS
|
|
1198
1667
|
# customer master key (CMK). You cannot perform this operation on a CMK
|
1199
1668
|
# in a different AWS account.
|
1200
1669
|
#
|
1670
|
+
# You cannot enable automatic rotation of CMKs with imported key
|
1671
|
+
# material or CMKs in a [custom key store][2].
|
1672
|
+
#
|
1201
1673
|
# The result of this operation varies with the key state of the CMK. For
|
1202
|
-
# details, see [How Key State Affects Use of a Customer Master Key][
|
1674
|
+
# details, see [How Key State Affects Use of a Customer Master Key][3]
|
1203
1675
|
# in the *AWS Key Management Service Developer Guide*.
|
1204
1676
|
#
|
1205
1677
|
#
|
1206
1678
|
#
|
1207
1679
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
1208
|
-
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-
|
1680
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
1681
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1209
1682
|
#
|
1210
1683
|
# @option params [required, String] :key_id
|
1211
1684
|
# A unique identifier for the customer master key (CMK).
|
@@ -1254,28 +1727,30 @@ module Aws::KMS
|
|
1254
1727
|
# such as an RSA key, a database password, or other sensitive
|
1255
1728
|
# information.
|
1256
1729
|
#
|
1257
|
-
# *
|
1258
|
-
#
|
1259
|
-
#
|
1260
|
-
#
|
1261
|
-
#
|
1262
|
-
#
|
1730
|
+
# * To move encrypted data from one AWS region to another, you can use
|
1731
|
+
# this operation to encrypt in the new region the plaintext data key
|
1732
|
+
# that was used to encrypt the data in the original region. This
|
1733
|
+
# provides you with an encrypted copy of the data key that can be
|
1734
|
+
# decrypted in the new region and used there to decrypt the encrypted
|
1735
|
+
# data.
|
1736
|
+
#
|
1737
|
+
# To perform this operation on a CMK in a different AWS account, specify
|
1738
|
+
# the key ARN or alias ARN in the value of the KeyId parameter.
|
1263
1739
|
#
|
1264
|
-
#
|
1265
|
-
#
|
1266
|
-
#
|
1740
|
+
# Unless you are moving encrypted data from one region to another, you
|
1741
|
+
# don't use this operation to encrypt a generated data key within a
|
1742
|
+
# region. To get data keys that are already encrypted, call the
|
1743
|
+
# GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. Data
|
1744
|
+
# keys don't need to be encrypted again by calling `Encrypt`.
|
1267
1745
|
#
|
1268
|
-
#
|
1269
|
-
#
|
1270
|
-
# the
|
1746
|
+
# To encrypt data locally in your application, use the GenerateDataKey
|
1747
|
+
# operation to return a plaintext data encryption key and a copy of the
|
1748
|
+
# key encrypted under the CMK of your choosing.
|
1271
1749
|
#
|
1272
1750
|
# The result of this operation varies with the key state of the CMK. For
|
1273
1751
|
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
1274
1752
|
# in the *AWS Key Management Service Developer Guide*.
|
1275
1753
|
#
|
1276
|
-
# To perform this operation on a CMK in a different AWS account, specify
|
1277
|
-
# the key ARN or alias ARN in the value of the KeyId parameter.
|
1278
|
-
#
|
1279
1754
|
#
|
1280
1755
|
#
|
1281
1756
|
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
@@ -1285,7 +1760,7 @@ module Aws::KMS
|
|
1285
1760
|
#
|
1286
1761
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1287
1762
|
# name, or alias ARN. When using an alias name, prefix it with
|
1288
|
-
#
|
1763
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
1289
1764
|
# the key ARN or alias ARN.
|
1290
1765
|
#
|
1291
1766
|
# For example:
|
@@ -1435,7 +1910,7 @@ module Aws::KMS
|
|
1435
1910
|
#
|
1436
1911
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1437
1912
|
# name, or alias ARN. When using an alias name, prefix it with
|
1438
|
-
#
|
1913
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
1439
1914
|
# the key ARN or alias ARN.
|
1440
1915
|
#
|
1441
1916
|
# For example:
|
@@ -1552,8 +2027,8 @@ module Aws::KMS
|
|
1552
2027
|
# then stores it in the container. Later, a different component of the
|
1553
2028
|
# system, called the *data plane*, puts encrypted data into the
|
1554
2029
|
# containers. To do this, it passes the encrypted data key to the
|
1555
|
-
# Decrypt operation
|
1556
|
-
# encrypt data and finally stores the encrypted data in the container.
|
2030
|
+
# Decrypt operation, then uses the returned plaintext data key to
|
2031
|
+
# encrypt data, and finally stores the encrypted data in the container.
|
1557
2032
|
# In this system, the control plane never sees the plaintext data key.
|
1558
2033
|
#
|
1559
2034
|
# The result of this operation varies with the key state of the CMK. For
|
@@ -1570,7 +2045,7 @@ module Aws::KMS
|
|
1570
2045
|
#
|
1571
2046
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1572
2047
|
# name, or alias ARN. When using an alias name, prefix it with
|
1573
|
-
#
|
2048
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
1574
2049
|
# the key ARN or alias ARN.
|
1575
2050
|
#
|
1576
2051
|
# For example:
|
@@ -1669,16 +2144,31 @@ module Aws::KMS
|
|
1669
2144
|
|
1670
2145
|
# Returns a random byte string that is cryptographically secure.
|
1671
2146
|
#
|
2147
|
+
# By default, the random byte string is generated in AWS KMS. To
|
2148
|
+
# generate the byte string in the AWS CloudHSM cluster that is
|
2149
|
+
# associated with a [custom key store][1], specify the custom key store
|
2150
|
+
# ID.
|
2151
|
+
#
|
1672
2152
|
# For more information about entropy and random number generation, see
|
1673
|
-
# the [AWS Key Management Service Cryptographic Details][
|
2153
|
+
# the [AWS Key Management Service Cryptographic Details][2] whitepaper.
|
1674
2154
|
#
|
1675
2155
|
#
|
1676
2156
|
#
|
1677
|
-
# [1]:
|
2157
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
2158
|
+
# [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
|
1678
2159
|
#
|
1679
2160
|
# @option params [Integer] :number_of_bytes
|
1680
2161
|
# The length of the byte string.
|
1681
2162
|
#
|
2163
|
+
# @option params [String] :custom_key_store_id
|
2164
|
+
# Generates the random byte string in the AWS CloudHSM cluster that is
|
2165
|
+
# associated with the specified [custom key store][1]. To find the ID of
|
2166
|
+
# a custom key store, use the DescribeCustomKeyStores operation.
|
2167
|
+
#
|
2168
|
+
#
|
2169
|
+
#
|
2170
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
2171
|
+
#
|
1682
2172
|
# @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1683
2173
|
#
|
1684
2174
|
# * {Types::GenerateRandomResponse#plaintext #plaintext} => String
|
@@ -1701,6 +2191,7 @@ module Aws::KMS
|
|
1701
2191
|
#
|
1702
2192
|
# resp = client.generate_random({
|
1703
2193
|
# number_of_bytes: 1,
|
2194
|
+
# custom_key_store_id: "CustomKeyStoreIdType",
|
1704
2195
|
# })
|
1705
2196
|
#
|
1706
2197
|
# @example Response structure
|
@@ -1898,9 +2389,10 @@ module Aws::KMS
|
|
1898
2389
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
1899
2390
|
#
|
1900
2391
|
# @option params [required, String] :wrapping_algorithm
|
1901
|
-
# The algorithm you use to encrypt the key material before
|
1902
|
-
# with ImportKeyMaterial. For more information, see
|
1903
|
-
# Material][1] in the *AWS Key Management Service
|
2392
|
+
# The algorithm you will use to encrypt the key material before
|
2393
|
+
# importing it with ImportKeyMaterial. For more information, see
|
2394
|
+
# [Encrypt the Key Material][1] in the *AWS Key Management Service
|
2395
|
+
# Developer Guide*.
|
1904
2396
|
#
|
1905
2397
|
#
|
1906
2398
|
#
|
@@ -1995,8 +2487,8 @@ module Aws::KMS
|
|
1995
2487
|
# unusable. To use the CMK again, you must reimport the same key
|
1996
2488
|
# material.
|
1997
2489
|
#
|
1998
|
-
# When this operation is successful, the
|
1999
|
-
# `PendingImport` to `Enabled`, and you can use the CMK. After you
|
2490
|
+
# When this operation is successful, the key state of the CMK changes
|
2491
|
+
# from `PendingImport` to `Enabled`, and you can use the CMK. After you
|
2000
2492
|
# successfully import key material into a CMK, you can reimport the same
|
2001
2493
|
# key material into that CMK, but you cannot import different key
|
2002
2494
|
# material.
|
@@ -2082,25 +2574,19 @@ module Aws::KMS
|
|
2082
2574
|
req.send_request(options)
|
2083
2575
|
end
|
2084
2576
|
|
2085
|
-
# Gets a list of aliases in the caller's AWS account and region.
|
2086
|
-
# cannot list aliases in other accounts. For more information about
|
2577
|
+
# Gets a list of all aliases in the caller's AWS account and region.
|
2578
|
+
# You cannot list aliases in other accounts. For more information about
|
2087
2579
|
# aliases, see CreateAlias.
|
2088
2580
|
#
|
2089
|
-
# By default, the ListAliases command returns all aliases in the
|
2090
|
-
# and region. To get only the aliases that point to a particular
|
2581
|
+
# By default, the `ListAliases` command returns all aliases in the
|
2582
|
+
# account and region. To get only the aliases that point to a particular
|
2091
2583
|
# customer master key (CMK), use the `KeyId` parameter.
|
2092
2584
|
#
|
2093
|
-
# The `ListAliases` response
|
2094
|
-
#
|
2095
|
-
#
|
2096
|
-
#
|
2097
|
-
#
|
2098
|
-
#
|
2099
|
-
# The response might also include aliases that have no `TargetKeyId`
|
2100
|
-
# field. These are predefined aliases that AWS has created but has not
|
2101
|
-
# yet associated with a CMK. Aliases that AWS creates in your account,
|
2102
|
-
# including predefined aliases, do not count against your [AWS KMS
|
2103
|
-
# aliases limit][1].
|
2585
|
+
# The `ListAliases` response might include several aliases have no
|
2586
|
+
# `TargetKeyId` field. These are predefined aliases that AWS has created
|
2587
|
+
# but has not yet associated with a CMK. Aliases that AWS creates in
|
2588
|
+
# your account, including predefined aliases, do not count against your
|
2589
|
+
# [AWS KMS aliases limit][1].
|
2104
2590
|
#
|
2105
2591
|
#
|
2106
2592
|
#
|
@@ -2771,11 +3257,10 @@ module Aws::KMS
|
|
2771
3257
|
# principals. The principals in the key policy must exist and be
|
2772
3258
|
# visible to AWS KMS. When you create a new AWS principal (for
|
2773
3259
|
# example, an IAM user or role), you might need to enforce a delay
|
2774
|
-
# before including the new principal in a key policy
|
2775
|
-
#
|
2776
|
-
#
|
2777
|
-
#
|
2778
|
-
# Management User Guide*.
|
3260
|
+
# before including the new principal in a key policy because the new
|
3261
|
+
# principal might not be immediately visible to AWS KMS. For more
|
3262
|
+
# information, see [Changes that I make are not always immediately
|
3263
|
+
# visible][2] in the *AWS Identity and Access Management User Guide*.
|
2779
3264
|
#
|
2780
3265
|
# The key policy size limit is 32 kilobytes (32768 bytes).
|
2781
3266
|
#
|
@@ -2848,7 +3333,7 @@ module Aws::KMS
|
|
2848
3333
|
# destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
|
2849
3334
|
# permission in your [key policies][1] to permit reencryption from or to
|
2850
3335
|
# the CMK. This permission is automatically included in the key policy
|
2851
|
-
# when you create a CMK through the console
|
3336
|
+
# when you create a CMK through the console, but you must include it
|
2852
3337
|
# manually when you create a CMK programmatically or when you set a key
|
2853
3338
|
# policy with the PutKeyPolicy operation.
|
2854
3339
|
#
|
@@ -2873,7 +3358,7 @@ module Aws::KMS
|
|
2873
3358
|
#
|
2874
3359
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2875
3360
|
# name, or alias ARN. When using an alias name, prefix it with
|
2876
|
-
#
|
3361
|
+
# "alias/". To specify a CMK in a different AWS account, you must use
|
2877
3362
|
# the key ARN or alias ARN.
|
2878
3363
|
#
|
2879
3364
|
# For example:
|
@@ -3077,31 +3562,40 @@ module Aws::KMS
|
|
3077
3562
|
# Schedules the deletion of a customer master key (CMK). You may provide
|
3078
3563
|
# a waiting period, specified in days, before deletion occurs. If you do
|
3079
3564
|
# not provide a waiting period, the default period of 30 days is used.
|
3080
|
-
# When this operation is successful, the state of the CMK changes to
|
3565
|
+
# When this operation is successful, the key state of the CMK changes to
|
3081
3566
|
# `PendingDeletion`. Before the waiting period ends, you can use
|
3082
3567
|
# CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
|
3083
3568
|
# period ends, AWS KMS deletes the CMK and all AWS KMS data associated
|
3084
3569
|
# with it, including all aliases that refer to it.
|
3085
3570
|
#
|
3086
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
3087
|
-
#
|
3088
3571
|
# Deleting a CMK is a destructive and potentially dangerous operation.
|
3089
3572
|
# When a CMK is deleted, all data that was encrypted under the CMK is
|
3090
|
-
#
|
3091
|
-
#
|
3573
|
+
# unrecoverable. To prevent the use of a CMK without deleting it, use
|
3574
|
+
# DisableKey.
|
3575
|
+
#
|
3576
|
+
# If you schedule deletion of a CMK from a [custom key store][1], when
|
3577
|
+
# the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
|
3578
|
+
# AWS KMS. Then AWS KMS makes a best effort to delete the key material
|
3579
|
+
# from the associated AWS CloudHSM cluster. However, you might need to
|
3580
|
+
# manually [delete the orphaned key material][2] from the cluster and
|
3581
|
+
# its backups.
|
3582
|
+
#
|
3583
|
+
# You cannot perform this operation on a CMK in a different AWS account.
|
3092
3584
|
#
|
3093
3585
|
# For more information about scheduling a CMK for deletion, see
|
3094
|
-
# [Deleting Customer Master Keys][
|
3586
|
+
# [Deleting Customer Master Keys][3] in the *AWS Key Management Service
|
3095
3587
|
# Developer Guide*.
|
3096
3588
|
#
|
3097
3589
|
# The result of this operation varies with the key state of the CMK. For
|
3098
|
-
# details, see [How Key State Affects Use of a Customer Master Key][
|
3590
|
+
# details, see [How Key State Affects Use of a Customer Master Key][4]
|
3099
3591
|
# in the *AWS Key Management Service Developer Guide*.
|
3100
3592
|
#
|
3101
3593
|
#
|
3102
3594
|
#
|
3103
|
-
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/
|
3104
|
-
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/
|
3595
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
3596
|
+
# [2]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
3597
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
3598
|
+
# [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3105
3599
|
#
|
3106
3600
|
# @option params [required, String] :key_id
|
3107
3601
|
# The unique identifier of the customer master key (CMK) to delete.
|
@@ -3389,8 +3883,123 @@ module Aws::KMS
|
|
3389
3883
|
req.send_request(options)
|
3390
3884
|
end
|
3391
3885
|
|
3886
|
+
# Changes the properties of a custom key store. Use the
|
3887
|
+
# `CustomKeyStoreId` parameter to identify the custom key store you want
|
3888
|
+
# to edit. Use the remaining parameters to change the properties of the
|
3889
|
+
# custom key store.
|
3890
|
+
#
|
3891
|
+
# You can only update a custom key store that is disconnected. To
|
3892
|
+
# disconnect the custom key store, use DisconnectCustomKeyStore. To
|
3893
|
+
# reconnect the custom key store after the update completes, use
|
3894
|
+
# ConnectCustomKeyStore. To find the connection state of a custom key
|
3895
|
+
# store, use the DescribeCustomKeyStores operation.
|
3896
|
+
#
|
3897
|
+
# Use the `NewCustomKeyStoreName` parameter to change the friendly name
|
3898
|
+
# of the custom key store to the value that you specify.
|
3899
|
+
#
|
3900
|
+
# Use the `KeyStorePassword` parameter tell AWS KMS the current password
|
3901
|
+
# of the [ `kmsuser` crypto user (CU)][1] in the associated AWS CloudHSM
|
3902
|
+
# cluster. You can use this parameter to fix connection failures that
|
3903
|
+
# occur when AWS KMS cannot log into the associated cluster because the
|
3904
|
+
# `kmsuser` password has changed. This value does not change the
|
3905
|
+
# password in the AWS CloudHSM cluster.
|
3906
|
+
#
|
3907
|
+
# Use the `CloudHsmClusterId` parameter to associate the custom key
|
3908
|
+
# store with a related AWS CloudHSM cluster, that is, a cluster that
|
3909
|
+
# shares a backup history with the original cluster. You can use this
|
3910
|
+
# parameter to repair a custom key store if its AWS CloudHSM cluster
|
3911
|
+
# becomes corrupted or is deleted, or when you need to create or restore
|
3912
|
+
# a cluster from a backup.
|
3913
|
+
#
|
3914
|
+
# The cluster ID must identify a AWS CloudHSM cluster with the following
|
3915
|
+
# requirements.
|
3916
|
+
#
|
3917
|
+
# * The cluster must be active and be in the same AWS account and Region
|
3918
|
+
# as the custom key store.
|
3919
|
+
#
|
3920
|
+
# * The cluster must have the same cluster certificate as the original
|
3921
|
+
# cluster. You cannot use this parameter to associate the custom key
|
3922
|
+
# store with an unrelated cluster. To view the cluster certificate,
|
3923
|
+
# use the AWS CloudHSM [DescribeClusters][2] operation. Clusters that
|
3924
|
+
# share a backup history have the same cluster certificate.
|
3925
|
+
#
|
3926
|
+
# * The cluster must be configured with subnets in at least two
|
3927
|
+
# different Availability Zones in the Region. Because AWS CloudHSM is
|
3928
|
+
# not supported in all Availability Zones, we recommend that the
|
3929
|
+
# cluster have subnets in all Availability Zones in the Region.
|
3930
|
+
#
|
3931
|
+
# * The cluster must contain at least two active HSMs, each in a
|
3932
|
+
# different Availability Zone.
|
3933
|
+
#
|
3934
|
+
# If the operation succeeds, it returns a JSON object with no
|
3935
|
+
# properties.
|
3936
|
+
#
|
3937
|
+
# This operation is part of the [Custom Key Store feature][3] feature in
|
3938
|
+
# AWS KMS, which combines the convenience and extensive integration of
|
3939
|
+
# AWS KMS with the isolation and control of a single-tenant key store.
|
3940
|
+
#
|
3941
|
+
#
|
3942
|
+
#
|
3943
|
+
# [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
3944
|
+
# [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
3945
|
+
# [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3946
|
+
#
|
3947
|
+
# @option params [required, String] :custom_key_store_id
|
3948
|
+
# Identifies the custom key store that you want to update. Enter the ID
|
3949
|
+
# of the custom key store. To find the ID of a custom key store, use the
|
3950
|
+
# DescribeCustomKeyStores operation.
|
3951
|
+
#
|
3952
|
+
# @option params [String] :new_custom_key_store_name
|
3953
|
+
# Changes the friendly name of the custom key store to the value that
|
3954
|
+
# you specify. The custom key store name must be unique in the AWS
|
3955
|
+
# account.
|
3956
|
+
#
|
3957
|
+
# @option params [String] :key_store_password
|
3958
|
+
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
3959
|
+
# AWS CloudHSM cluster that is associated with the custom key store.
|
3960
|
+
#
|
3961
|
+
# This parameter tells AWS KMS the current password of the `kmsuser`
|
3962
|
+
# crypto user (CU). It does not set or change the password of any users
|
3963
|
+
# in the AWS CloudHSM cluster.
|
3964
|
+
#
|
3965
|
+
# @option params [String] :cloud_hsm_cluster_id
|
3966
|
+
# Associates the custom key store with a related AWS CloudHSM cluster.
|
3967
|
+
#
|
3968
|
+
# Enter the cluster ID of the cluster that you used to create the custom
|
3969
|
+
# key store or a cluster that shares a backup history with the original
|
3970
|
+
# cluster. You cannot use this parameter to associate a custom key store
|
3971
|
+
# with a different cluster.
|
3972
|
+
#
|
3973
|
+
# Clusters that share a backup history have the same cluster
|
3974
|
+
# certificate. To view the cluster certificate of a cluster, use the
|
3975
|
+
# [DescribeClusters][1] operation.
|
3976
|
+
#
|
3977
|
+
#
|
3978
|
+
#
|
3979
|
+
# [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
3980
|
+
#
|
3981
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
3982
|
+
#
|
3983
|
+
# @example Request syntax with placeholder values
|
3984
|
+
#
|
3985
|
+
# resp = client.update_custom_key_store({
|
3986
|
+
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
3987
|
+
# new_custom_key_store_name: "CustomKeyStoreNameType",
|
3988
|
+
# key_store_password: "KeyStorePasswordType",
|
3989
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
3990
|
+
# })
|
3991
|
+
#
|
3992
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore AWS API Documentation
|
3993
|
+
#
|
3994
|
+
# @overload update_custom_key_store(params = {})
|
3995
|
+
# @param [Hash] params ({})
|
3996
|
+
def update_custom_key_store(params = {}, options = {})
|
3997
|
+
req = build_request(:update_custom_key_store, params)
|
3998
|
+
req.send_request(options)
|
3999
|
+
end
|
4000
|
+
|
3392
4001
|
# Updates the description of a customer master key (CMK). To see the
|
3393
|
-
#
|
4002
|
+
# decription of a CMK, use DescribeKey.
|
3394
4003
|
#
|
3395
4004
|
# You cannot perform this operation on a CMK in a different AWS account.
|
3396
4005
|
#
|
@@ -3460,7 +4069,7 @@ module Aws::KMS
|
|
3460
4069
|
params: params,
|
3461
4070
|
config: config)
|
3462
4071
|
context[:gem_name] = 'aws-sdk-kms'
|
3463
|
-
context[:gem_version] = '1.
|
4072
|
+
context[:gem_version] = '1.13.0'
|
3464
4073
|
Seahorse::Client::Request.new(handlers, context)
|
3465
4074
|
end
|
3466
4075
|
|