aws-sdk-kms 1.12.0 → 1.13.0

@@ -22,24 +22,50 @@ module Aws::KMS
22
22
  CancelKeyDeletionRequest = Shapes::StructureShape.new(name: 'CancelKeyDeletionRequest')
23
23
  CancelKeyDeletionResponse = Shapes::StructureShape.new(name: 'CancelKeyDeletionResponse')
24
24
  CiphertextType = Shapes::BlobShape.new(name: 'CiphertextType')
25
+ CloudHsmClusterIdType = Shapes::StringShape.new(name: 'CloudHsmClusterIdType')
26
+ CloudHsmClusterInUseException = Shapes::StructureShape.new(name: 'CloudHsmClusterInUseException')
27
+ CloudHsmClusterInvalidConfigurationException = Shapes::StructureShape.new(name: 'CloudHsmClusterInvalidConfigurationException')
28
+ CloudHsmClusterNotActiveException = Shapes::StructureShape.new(name: 'CloudHsmClusterNotActiveException')
29
+ CloudHsmClusterNotFoundException = Shapes::StructureShape.new(name: 'CloudHsmClusterNotFoundException')
30
+ CloudHsmClusterNotRelatedException = Shapes::StructureShape.new(name: 'CloudHsmClusterNotRelatedException')
31
+ ConnectCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'ConnectCustomKeyStoreRequest')
32
+ ConnectCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'ConnectCustomKeyStoreResponse')
33
+ ConnectionErrorCodeType = Shapes::StringShape.new(name: 'ConnectionErrorCodeType')
34
+ ConnectionStateType = Shapes::StringShape.new(name: 'ConnectionStateType')
25
35
  CreateAliasRequest = Shapes::StructureShape.new(name: 'CreateAliasRequest')
36
+ CreateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'CreateCustomKeyStoreRequest')
37
+ CreateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'CreateCustomKeyStoreResponse')
26
38
  CreateGrantRequest = Shapes::StructureShape.new(name: 'CreateGrantRequest')
27
39
  CreateGrantResponse = Shapes::StructureShape.new(name: 'CreateGrantResponse')
28
40
  CreateKeyRequest = Shapes::StructureShape.new(name: 'CreateKeyRequest')
29
41
  CreateKeyResponse = Shapes::StructureShape.new(name: 'CreateKeyResponse')
42
+ CustomKeyStoreHasCMKsException = Shapes::StructureShape.new(name: 'CustomKeyStoreHasCMKsException')
43
+ CustomKeyStoreIdType = Shapes::StringShape.new(name: 'CustomKeyStoreIdType')
44
+ CustomKeyStoreInvalidStateException = Shapes::StructureShape.new(name: 'CustomKeyStoreInvalidStateException')
45
+ CustomKeyStoreNameInUseException = Shapes::StructureShape.new(name: 'CustomKeyStoreNameInUseException')
46
+ CustomKeyStoreNameType = Shapes::StringShape.new(name: 'CustomKeyStoreNameType')
47
+ CustomKeyStoreNotFoundException = Shapes::StructureShape.new(name: 'CustomKeyStoreNotFoundException')
48
+ CustomKeyStoresList = Shapes::ListShape.new(name: 'CustomKeyStoresList')
49
+ CustomKeyStoresListEntry = Shapes::StructureShape.new(name: 'CustomKeyStoresListEntry')
30
50
  DataKeySpec = Shapes::StringShape.new(name: 'DataKeySpec')
31
51
  DateType = Shapes::TimestampShape.new(name: 'DateType')
32
52
  DecryptRequest = Shapes::StructureShape.new(name: 'DecryptRequest')
33
53
  DecryptResponse = Shapes::StructureShape.new(name: 'DecryptResponse')
34
54
  DeleteAliasRequest = Shapes::StructureShape.new(name: 'DeleteAliasRequest')
55
+ DeleteCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'DeleteCustomKeyStoreRequest')
56
+ DeleteCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'DeleteCustomKeyStoreResponse')
35
57
  DeleteImportedKeyMaterialRequest = Shapes::StructureShape.new(name: 'DeleteImportedKeyMaterialRequest')
36
58
  DependencyTimeoutException = Shapes::StructureShape.new(name: 'DependencyTimeoutException')
59
+ DescribeCustomKeyStoresRequest = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresRequest')
60
+ DescribeCustomKeyStoresResponse = Shapes::StructureShape.new(name: 'DescribeCustomKeyStoresResponse')
37
61
  DescribeKeyRequest = Shapes::StructureShape.new(name: 'DescribeKeyRequest')
38
62
  DescribeKeyResponse = Shapes::StructureShape.new(name: 'DescribeKeyResponse')
39
63
  DescriptionType = Shapes::StringShape.new(name: 'DescriptionType')
40
64
  DisableKeyRequest = Shapes::StructureShape.new(name: 'DisableKeyRequest')
41
65
  DisableKeyRotationRequest = Shapes::StructureShape.new(name: 'DisableKeyRotationRequest')
42
66
  DisabledException = Shapes::StructureShape.new(name: 'DisabledException')
67
+ DisconnectCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'DisconnectCustomKeyStoreRequest')
68
+ DisconnectCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'DisconnectCustomKeyStoreResponse')
43
69
  EnableKeyRequest = Shapes::StructureShape.new(name: 'EnableKeyRequest')
44
70
  EnableKeyRotationRequest = Shapes::StructureShape.new(name: 'EnableKeyRotationRequest')
45
71
  EncryptRequest = Shapes::StructureShape.new(name: 'EncryptRequest')
@@ -74,6 +100,7 @@ module Aws::KMS
74
100
  ImportKeyMaterialRequest = Shapes::StructureShape.new(name: 'ImportKeyMaterialRequest')
75
101
  ImportKeyMaterialResponse = Shapes::StructureShape.new(name: 'ImportKeyMaterialResponse')
76
102
  IncorrectKeyMaterialException = Shapes::StructureShape.new(name: 'IncorrectKeyMaterialException')
103
+ IncorrectTrustAnchorException = Shapes::StructureShape.new(name: 'IncorrectTrustAnchorException')
77
104
  InvalidAliasNameException = Shapes::StructureShape.new(name: 'InvalidAliasNameException')
78
105
  InvalidArnException = Shapes::StructureShape.new(name: 'InvalidArnException')
79
106
  InvalidCiphertextException = Shapes::StructureShape.new(name: 'InvalidCiphertextException')
@@ -90,6 +117,7 @@ module Aws::KMS
90
117
  KeyManagerType = Shapes::StringShape.new(name: 'KeyManagerType')
91
118
  KeyMetadata = Shapes::StructureShape.new(name: 'KeyMetadata')
92
119
  KeyState = Shapes::StringShape.new(name: 'KeyState')
120
+ KeyStorePasswordType = Shapes::StringShape.new(name: 'KeyStorePasswordType')
93
121
  KeyUnavailableException = Shapes::StructureShape.new(name: 'KeyUnavailableException')
94
122
  KeyUsageType = Shapes::StringShape.new(name: 'KeyUsageType')
95
123
  LimitExceededException = Shapes::StructureShape.new(name: 'LimitExceededException')
@@ -130,9 +158,12 @@ module Aws::KMS
130
158
  TagList = Shapes::ListShape.new(name: 'TagList')
131
159
  TagResourceRequest = Shapes::StructureShape.new(name: 'TagResourceRequest')
132
160
  TagValueType = Shapes::StringShape.new(name: 'TagValueType')
161
+ TrustAnchorCertificateType = Shapes::StringShape.new(name: 'TrustAnchorCertificateType')
133
162
  UnsupportedOperationException = Shapes::StructureShape.new(name: 'UnsupportedOperationException')
134
163
  UntagResourceRequest = Shapes::StructureShape.new(name: 'UntagResourceRequest')
135
164
  UpdateAliasRequest = Shapes::StructureShape.new(name: 'UpdateAliasRequest')
165
+ UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
166
+ UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
136
167
  UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
137
168
  WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
138
169
 
@@ -149,10 +180,24 @@ module Aws::KMS
149
180
  CancelKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
150
181
  CancelKeyDeletionResponse.struct_class = Types::CancelKeyDeletionResponse
151
182
 
183
+ ConnectCustomKeyStoreRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, required: true, location_name: "CustomKeyStoreId"))
184
+ ConnectCustomKeyStoreRequest.struct_class = Types::ConnectCustomKeyStoreRequest
185
+
186
+ ConnectCustomKeyStoreResponse.struct_class = Types::ConnectCustomKeyStoreResponse
187
+
152
188
  CreateAliasRequest.add_member(:alias_name, Shapes::ShapeRef.new(shape: AliasNameType, required: true, location_name: "AliasName"))
153
189
  CreateAliasRequest.add_member(:target_key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "TargetKeyId"))
154
190
  CreateAliasRequest.struct_class = Types::CreateAliasRequest
155
191
 
192
+ CreateCustomKeyStoreRequest.add_member(:custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, required: true, location_name: "CustomKeyStoreName"))
193
+ CreateCustomKeyStoreRequest.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, required: true, location_name: "CloudHsmClusterId"))
194
+ CreateCustomKeyStoreRequest.add_member(:trust_anchor_certificate, Shapes::ShapeRef.new(shape: TrustAnchorCertificateType, required: true, location_name: "TrustAnchorCertificate"))
195
+ CreateCustomKeyStoreRequest.add_member(:key_store_password, Shapes::ShapeRef.new(shape: KeyStorePasswordType, required: true, location_name: "KeyStorePassword"))
196
+ CreateCustomKeyStoreRequest.struct_class = Types::CreateCustomKeyStoreRequest
197
+
198
+ CreateCustomKeyStoreResponse.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
199
+ CreateCustomKeyStoreResponse.struct_class = Types::CreateCustomKeyStoreResponse
200
+
156
201
  CreateGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
157
202
  CreateGrantRequest.add_member(:grantee_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, required: true, location_name: "GranteePrincipal"))
158
203
  CreateGrantRequest.add_member(:retiring_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "RetiringPrincipal"))
@@ -170,6 +215,7 @@ module Aws::KMS
170
215
  CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
171
216
  CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
172
217
  CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
218
+ CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
173
219
  CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
174
220
  CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
175
221
  CreateKeyRequest.struct_class = Types::CreateKeyRequest
@@ -177,6 +223,17 @@ module Aws::KMS
177
223
  CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
178
224
  CreateKeyResponse.struct_class = Types::CreateKeyResponse
179
225
 
226
+ CustomKeyStoresList.member = Shapes::ShapeRef.new(shape: CustomKeyStoresListEntry)
227
+
228
+ CustomKeyStoresListEntry.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
229
+ CustomKeyStoresListEntry.add_member(:custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, location_name: "CustomKeyStoreName"))
230
+ CustomKeyStoresListEntry.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
231
+ CustomKeyStoresListEntry.add_member(:trust_anchor_certificate, Shapes::ShapeRef.new(shape: TrustAnchorCertificateType, location_name: "TrustAnchorCertificate"))
232
+ CustomKeyStoresListEntry.add_member(:connection_state, Shapes::ShapeRef.new(shape: ConnectionStateType, location_name: "ConnectionState"))
233
+ CustomKeyStoresListEntry.add_member(:connection_error_code, Shapes::ShapeRef.new(shape: ConnectionErrorCodeType, location_name: "ConnectionErrorCode"))
234
+ CustomKeyStoresListEntry.add_member(:creation_date, Shapes::ShapeRef.new(shape: DateType, location_name: "CreationDate"))
235
+ CustomKeyStoresListEntry.struct_class = Types::CustomKeyStoresListEntry
236
+
180
237
  DecryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
181
238
  DecryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
182
239
  DecryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
@@ -189,9 +246,25 @@ module Aws::KMS
189
246
  DeleteAliasRequest.add_member(:alias_name, Shapes::ShapeRef.new(shape: AliasNameType, required: true, location_name: "AliasName"))
190
247
  DeleteAliasRequest.struct_class = Types::DeleteAliasRequest
191
248
 
249
+ DeleteCustomKeyStoreRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, required: true, location_name: "CustomKeyStoreId"))
250
+ DeleteCustomKeyStoreRequest.struct_class = Types::DeleteCustomKeyStoreRequest
251
+
252
+ DeleteCustomKeyStoreResponse.struct_class = Types::DeleteCustomKeyStoreResponse
253
+
192
254
  DeleteImportedKeyMaterialRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
193
255
  DeleteImportedKeyMaterialRequest.struct_class = Types::DeleteImportedKeyMaterialRequest
194
256
 
257
+ DescribeCustomKeyStoresRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
258
+ DescribeCustomKeyStoresRequest.add_member(:custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, location_name: "CustomKeyStoreName"))
259
+ DescribeCustomKeyStoresRequest.add_member(:limit, Shapes::ShapeRef.new(shape: LimitType, location_name: "Limit"))
260
+ DescribeCustomKeyStoresRequest.add_member(:marker, Shapes::ShapeRef.new(shape: MarkerType, location_name: "Marker"))
261
+ DescribeCustomKeyStoresRequest.struct_class = Types::DescribeCustomKeyStoresRequest
262
+
263
+ DescribeCustomKeyStoresResponse.add_member(:custom_key_stores, Shapes::ShapeRef.new(shape: CustomKeyStoresList, location_name: "CustomKeyStores"))
264
+ DescribeCustomKeyStoresResponse.add_member(:next_marker, Shapes::ShapeRef.new(shape: MarkerType, location_name: "NextMarker"))
265
+ DescribeCustomKeyStoresResponse.add_member(:truncated, Shapes::ShapeRef.new(shape: BooleanType, location_name: "Truncated"))
266
+ DescribeCustomKeyStoresResponse.struct_class = Types::DescribeCustomKeyStoresResponse
267
+
195
268
  DescribeKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
196
269
  DescribeKeyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
197
270
  DescribeKeyRequest.struct_class = Types::DescribeKeyRequest
@@ -205,6 +278,11 @@ module Aws::KMS
205
278
  DisableKeyRotationRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
206
279
  DisableKeyRotationRequest.struct_class = Types::DisableKeyRotationRequest
207
280
 
281
+ DisconnectCustomKeyStoreRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, required: true, location_name: "CustomKeyStoreId"))
282
+ DisconnectCustomKeyStoreRequest.struct_class = Types::DisconnectCustomKeyStoreRequest
283
+
284
+ DisconnectCustomKeyStoreResponse.struct_class = Types::DisconnectCustomKeyStoreResponse
285
+
208
286
  EnableKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
209
287
  EnableKeyRequest.struct_class = Types::EnableKeyRequest
210
288
 
@@ -248,6 +326,7 @@ module Aws::KMS
248
326
  GenerateDataKeyWithoutPlaintextResponse.struct_class = Types::GenerateDataKeyWithoutPlaintextResponse
249
327
 
250
328
  GenerateRandomRequest.add_member(:number_of_bytes, Shapes::ShapeRef.new(shape: NumberOfBytesType, location_name: "NumberOfBytes"))
329
+ GenerateRandomRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
251
330
  GenerateRandomRequest.struct_class = Types::GenerateRandomRequest
252
331
 
253
332
  GenerateRandomResponse.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "Plaintext"))
@@ -324,6 +403,8 @@ module Aws::KMS
324
403
  KeyMetadata.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
325
404
  KeyMetadata.add_member(:valid_to, Shapes::ShapeRef.new(shape: DateType, location_name: "ValidTo"))
326
405
  KeyMetadata.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
406
+ KeyMetadata.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
407
+ KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
327
408
  KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
328
409
  KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
329
410
  KeyMetadata.struct_class = Types::KeyMetadata
@@ -439,6 +520,14 @@ module Aws::KMS
439
520
  UpdateAliasRequest.add_member(:target_key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "TargetKeyId"))
440
521
  UpdateAliasRequest.struct_class = Types::UpdateAliasRequest
441
522
 
523
+ UpdateCustomKeyStoreRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, required: true, location_name: "CustomKeyStoreId"))
524
+ UpdateCustomKeyStoreRequest.add_member(:new_custom_key_store_name, Shapes::ShapeRef.new(shape: CustomKeyStoreNameType, location_name: "NewCustomKeyStoreName"))
525
+ UpdateCustomKeyStoreRequest.add_member(:key_store_password, Shapes::ShapeRef.new(shape: KeyStorePasswordType, location_name: "KeyStorePassword"))
526
+ UpdateCustomKeyStoreRequest.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
527
+ UpdateCustomKeyStoreRequest.struct_class = Types::UpdateCustomKeyStoreRequest
528
+
529
+ UpdateCustomKeyStoreResponse.struct_class = Types::UpdateCustomKeyStoreResponse
530
+
442
531
  UpdateKeyDescriptionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
443
532
  UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
444
533
  UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
@@ -475,6 +564,19 @@ module Aws::KMS
475
564
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
476
565
  end)
477
566
 
567
+ api.add_operation(:connect_custom_key_store, Seahorse::Model::Operation.new.tap do |o|
568
+ o.name = "ConnectCustomKeyStore"
569
+ o.http_method = "POST"
570
+ o.http_request_uri = "/"
571
+ o.input = Shapes::ShapeRef.new(shape: ConnectCustomKeyStoreRequest)
572
+ o.output = Shapes::ShapeRef.new(shape: ConnectCustomKeyStoreResponse)
573
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotActiveException)
574
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
575
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
576
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
577
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterInvalidConfigurationException)
578
+ end)
579
+
478
580
  api.add_operation(:create_alias, Seahorse::Model::Operation.new.tap do |o|
479
581
  o.name = "CreateAlias"
480
582
  o.http_method = "POST"
@@ -490,6 +592,21 @@ module Aws::KMS
490
592
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
491
593
  end)
492
594
 
595
+ api.add_operation(:create_custom_key_store, Seahorse::Model::Operation.new.tap do |o|
596
+ o.name = "CreateCustomKeyStore"
597
+ o.http_method = "POST"
598
+ o.http_request_uri = "/"
599
+ o.input = Shapes::ShapeRef.new(shape: CreateCustomKeyStoreRequest)
600
+ o.output = Shapes::ShapeRef.new(shape: CreateCustomKeyStoreResponse)
601
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterInUseException)
602
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNameInUseException)
603
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotFoundException)
604
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
605
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotActiveException)
606
+ o.errors << Shapes::ShapeRef.new(shape: IncorrectTrustAnchorException)
607
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterInvalidConfigurationException)
608
+ end)
609
+
493
610
  api.add_operation(:create_grant, Seahorse::Model::Operation.new.tap do |o|
494
611
  o.name = "CreateGrant"
495
612
  o.http_method = "POST"
@@ -519,6 +636,9 @@ module Aws::KMS
519
636
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
520
637
  o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
521
638
  o.errors << Shapes::ShapeRef.new(shape: TagException)
639
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
640
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
641
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterInvalidConfigurationException)
522
642
  end)
523
643
 
524
644
  api.add_operation(:decrypt, Seahorse::Model::Operation.new.tap do |o|
@@ -549,6 +669,18 @@ module Aws::KMS
549
669
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
550
670
  end)
551
671
 
672
+ api.add_operation(:delete_custom_key_store, Seahorse::Model::Operation.new.tap do |o|
673
+ o.name = "DeleteCustomKeyStore"
674
+ o.http_method = "POST"
675
+ o.http_request_uri = "/"
676
+ o.input = Shapes::ShapeRef.new(shape: DeleteCustomKeyStoreRequest)
677
+ o.output = Shapes::ShapeRef.new(shape: DeleteCustomKeyStoreResponse)
678
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreHasCMKsException)
679
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
680
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
681
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
682
+ end)
683
+
552
684
  api.add_operation(:delete_imported_key_material, Seahorse::Model::Operation.new.tap do |o|
553
685
  o.name = "DeleteImportedKeyMaterial"
554
686
  o.http_method = "POST"
@@ -563,6 +695,16 @@ module Aws::KMS
563
695
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
564
696
  end)
565
697
 
698
+ api.add_operation(:describe_custom_key_stores, Seahorse::Model::Operation.new.tap do |o|
699
+ o.name = "DescribeCustomKeyStores"
700
+ o.http_method = "POST"
701
+ o.http_request_uri = "/"
702
+ o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
703
+ o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
704
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
705
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
706
+ end)
707
+
566
708
  api.add_operation(:describe_key, Seahorse::Model::Operation.new.tap do |o|
567
709
  o.name = "DescribeKey"
568
710
  o.http_method = "POST"
@@ -603,6 +745,17 @@ module Aws::KMS
603
745
  o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
604
746
  end)
605
747
 
748
+ api.add_operation(:disconnect_custom_key_store, Seahorse::Model::Operation.new.tap do |o|
749
+ o.name = "DisconnectCustomKeyStore"
750
+ o.http_method = "POST"
751
+ o.http_request_uri = "/"
752
+ o.input = Shapes::ShapeRef.new(shape: DisconnectCustomKeyStoreRequest)
753
+ o.output = Shapes::ShapeRef.new(shape: DisconnectCustomKeyStoreResponse)
754
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
755
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
756
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
757
+ end)
758
+
606
759
  api.add_operation(:enable_key, Seahorse::Model::Operation.new.tap do |o|
607
760
  o.name = "EnableKey"
608
761
  o.http_method = "POST"
@@ -688,6 +841,8 @@ module Aws::KMS
688
841
  o.output = Shapes::ShapeRef.new(shape: GenerateRandomResponse)
689
842
  o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
690
843
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
844
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
845
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
691
846
  end)
692
847
 
693
848
  api.add_operation(:get_key_policy, Seahorse::Model::Operation.new.tap do |o|
@@ -758,6 +913,8 @@ module Aws::KMS
758
913
  o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
759
914
  o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
760
915
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
916
+ o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
917
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
761
918
  o[:pager] = Aws::Pager.new(
762
919
  more_results: "truncated",
763
920
  limit_key: "limit",
@@ -965,6 +1122,21 @@ module Aws::KMS
965
1122
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
966
1123
  end)
967
1124
 
1125
+ api.add_operation(:update_custom_key_store, Seahorse::Model::Operation.new.tap do |o|
1126
+ o.name = "UpdateCustomKeyStore"
1127
+ o.http_method = "POST"
1128
+ o.http_request_uri = "/"
1129
+ o.input = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreRequest)
1130
+ o.output = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreResponse)
1131
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
1132
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotFoundException)
1133
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotRelatedException)
1134
+ o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
1135
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1136
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotActiveException)
1137
+ o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterInvalidConfigurationException)
1138
+ end)
1139
+
968
1140
  api.add_operation(:update_key_description, Seahorse::Model::Operation.new.tap do |o|
969
1141
  o.name = "UpdateKeyDescription"
970
1142
  o.http_method = "POST"
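Review bot: `KeyStorePasswordType` is declared as a plain `Shapes::StringShape` and attached as the `:key_store_password` member of `CreateCustomKeyStoreRequest` and `UpdateCustomKeyStoreRequest`, with nothing in this section setting it apart from non-secret strings such as `CustomKeyStoreNameType`. The attribute documentation later on this page describes it as the `kmsuser` crypto user password for the CloudHSM cluster, so anything that logs or inspects request parameters for these two operations would presumably emit it in clear text. If this SDK version's shape model can flag a member as sensitive, the flag belongs on this shape. Otherwise a comment above the definition, such as `# secret: kmsuser password, redact before logging request params`, would at least warn callers. The file looks generated from the service model, so the change may have to be made in the generator or the model rather than here.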
@@ -74,6 +74,30 @@ module Aws::KMS
74
74
  include Aws::Structure
75
75
  end
76
76
 
77
+ # @note When making an API call, you may pass ConnectCustomKeyStoreRequest
78
+ # data as a hash:
79
+ #
80
+ # {
81
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
82
+ # }
83
+ #
84
+ # @!attribute [rw] custom_key_store_id
85
+ # Enter the key store ID of the custom key store that you want to
86
+ # connect. To find the ID of a custom key store, use the
87
+ # DescribeCustomKeyStores operation.
88
+ # @return [String]
89
+ #
90
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStoreRequest AWS API Documentation
91
+ #
92
+ class ConnectCustomKeyStoreRequest < Struct.new(
93
+ :custom_key_store_id)
94
+ include Aws::Structure
95
+ end
96
+
97
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStoreResponse AWS API Documentation
98
+ #
99
+ class ConnectCustomKeyStoreResponse < Aws::EmptyStructure; end
100
+
77
101
  # @note When making an API call, you may pass CreateAliasRequest
78
102
  # data as a hash:
79
103
  #
@@ -83,10 +107,9 @@ module Aws::KMS
83
107
  # }
84
108
  #
85
109
  # @!attribute [rw] alias_name
86
- # Specifies the alias name. This value must begin with `alias/`
87
- # followed by the alias name, such as `alias/ExampleAlias`. The alias
88
- # name cannot begin with `aws/`. The `alias/aws/` prefix is reserved
89
- # for AWS managed CMKs.
110
+ # String that contains the display name. The name must start with the
111
+ # word "alias" followed by a forward slash (alias/). Aliases that
112
+ # begin with "alias/AWS" are reserved.
90
113
  # @return [String]
91
114
  #
92
115
  # @!attribute [rw] target_key_id
@@ -114,6 +137,76 @@ module Aws::KMS
114
137
  include Aws::Structure
115
138
  end
116
139
 
140
+ # @note When making an API call, you may pass CreateCustomKeyStoreRequest
141
+ # data as a hash:
142
+ #
143
+ # {
144
+ # custom_key_store_name: "CustomKeyStoreNameType", # required
145
+ # cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
146
+ # trust_anchor_certificate: "TrustAnchorCertificateType", # required
147
+ # key_store_password: "KeyStorePasswordType", # required
148
+ # }
149
+ #
150
+ # @!attribute [rw] custom_key_store_name
151
+ # Specifies a friendly name for the custom key store. The name must be
152
+ # unique in your AWS account.
153
+ # @return [String]
154
+ #
155
+ # @!attribute [rw] cloud_hsm_cluster_id
156
+ # Identifies the AWS CloudHSM cluster for the custom key store. Enter
157
+ # the cluster ID of any active AWS CloudHSM cluster that is not
158
+ # already associated with a custom key store. To find the cluster ID,
159
+ # use the [DescribeClusters][1] operation.
160
+ #
161
+ #
162
+ #
163
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
164
+ # @return [String]
165
+ #
166
+ # @!attribute [rw] trust_anchor_certificate
167
+ # Enter the content of the trust anchor certificate for the cluster.
168
+ # This is the content of the `customerCA.crt` file that you created
169
+ # when you [initialized the cluster][1].
170
+ #
171
+ #
172
+ #
173
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
174
+ # @return [String]
175
+ #
176
+ # @!attribute [rw] key_store_password
177
+ # Enter the password of the [ `kmsuser` crypto user (CU) account][1]
178
+ # in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster
179
+ # as this user to manage key material on your behalf.
180
+ #
181
+ # This parameter tells AWS KMS the `kmsuser` account password; it does
182
+ # not change the password in the AWS CloudHSM cluster.
183
+ #
184
+ #
185
+ #
186
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
187
+ # @return [String]
188
+ #
189
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
190
+ #
191
+ class CreateCustomKeyStoreRequest < Struct.new(
192
+ :custom_key_store_name,
193
+ :cloud_hsm_cluster_id,
194
+ :trust_anchor_certificate,
195
+ :key_store_password)
196
+ include Aws::Structure
197
+ end
198
+
199
+ # @!attribute [rw] custom_key_store_id
200
+ # A unique identifier for the new custom key store.
201
+ # @return [String]
202
+ #
203
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreResponse AWS API Documentation
204
+ #
205
+ class CreateCustomKeyStoreResponse < Struct.new(
206
+ :custom_key_store_id)
207
+ include Aws::Structure
208
+ end
209
+
117
210
  # @note When making an API call, you may pass CreateGrantRequest
118
211
  # data as a hash:
119
212
  #
@@ -214,8 +307,7 @@ module Aws::KMS
214
307
  #
215
308
  # @!attribute [rw] name
216
309
  # A friendly name for identifying the grant. Use this value to prevent
217
- # the unintended creation of duplicate grants when retrying this
218
- # request.
310
+ # unintended creation of duplicate grants when retrying this request.
219
311
  #
220
312
  # When this value is absent, all `CreateGrant` requests result in a
221
313
  # new grant with a unique `GrantId` even if all the supplied
@@ -276,7 +368,8 @@ module Aws::KMS
276
368
  # policy: "PolicyType",
277
369
  # description: "DescriptionType",
278
370
  # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
279
- # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
371
+ # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
372
+ # custom_key_store_id: "CustomKeyStoreIdType",
280
373
  # bypass_policy_lockout_safety_check: false,
281
374
  # tags: [
282
375
  # {
@@ -302,11 +395,11 @@ module Aws::KMS
302
395
  # principals. The principals in the key policy must exist and be
303
396
  # visible to AWS KMS. When you create a new AWS principal (for
304
397
  # example, an IAM user or role), you might need to enforce a delay
305
- # before including the new principal in a key policy. The reason for
306
- # this is that the new principal might not be immediately visible to
307
- # AWS KMS. For more information, see [Changes that I make are not
308
- # always immediately visible][2] in the *AWS Identity and Access
309
- # Management User Guide*.
398
+ # before including the new principal in a key policy because the new
399
+ # principal might not be immediately visible to AWS KMS. For more
400
+ # information, see [Changes that I make are not always immediately
401
+ # visible][2] in the *AWS Identity and Access Management User
402
+ # Guide*.
310
403
  #
311
404
  # If you do not provide a key policy, AWS KMS attaches a default key
312
405
  # policy to the CMK. For more information, see [Default Key Policy][3]
@@ -335,21 +428,52 @@ module Aws::KMS
335
428
  # @return [String]
336
429
  #
337
430
  # @!attribute [rw] origin
338
- # The source of the CMK's key material.
431
+ # The source of the CMK's key material. You cannot change the origin
432
+ # after you create the CMK.
339
433
  #
340
434
  # The default is `AWS_KMS`, which means AWS KMS creates the key
341
- # material. When this parameter is set to `EXTERNAL`, the request
342
- # creates a CMK without key material so that you can import key
343
- # material from your existing key management infrastructure. For more
344
- # information about importing key material into AWS KMS, see
345
- # [Importing Key Material][1] in the *AWS Key Management Service
346
- # Developer Guide*.
435
+ # material in its own key store.
347
436
  #
348
- # The CMK's `Origin` is immutable and is set when the CMK is created.
437
+ # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
438
+ # without key material so that you can import key material from your
439
+ # existing key management infrastructure. For more information about
440
+ # importing key material into AWS KMS, see [Importing Key Material][1]
441
+ # in the *AWS Key Management Service Developer Guide*.
442
+ #
443
+ # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
444
+ # in a AWS KMS [custom key store][2] and creates its key material in
445
+ # the associated AWS CloudHSM cluster. You must also use the
446
+ # `CustomKeyStoreId` parameter to identify the custom key store.
349
447
  #
350
448
  #
351
449
  #
352
450
  # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
451
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
452
+ # @return [String]
453
+ #
454
+ # @!attribute [rw] custom_key_store_id
455
+ # Creates the CMK in the specified [custom key store][1] and the key
456
+ # material in its associated AWS CloudHSM cluster. To create a CMK in
457
+ # a custom key store, you must also specify the `Origin` parameter
458
+ # with a value of `AWS_CLOUDHSM`. The AWS CloudHSM cluster that is
459
+ # associated with the custom key store must have at least two active
460
+ # HSMs, each in a different Availability Zone in the Region.
461
+ #
462
+ # To find the ID of a custom key store, use the
463
+ # DescribeCustomKeyStores operation.
464
+ #
465
+ # The response includes the custom key store ID and the ID of the AWS
466
+ # CloudHSM cluster.
467
+ #
468
+ # This operation is part of the [Custom Key Store feature][2] feature
469
+ # in AWS KMS, which combines the convenience and extensive integration
470
+ # of AWS KMS with the isolation and control of a single-tenant key
471
+ # store.
472
+ #
473
+ #
474
+ #
475
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
476
+ # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
353
477
  # @return [String]
354
478
  #
355
479
  # @!attribute [rw] bypass_policy_lockout_safety_check
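Review bot: The new `custom_key_store_id` comment has two wording slips and one sentence with no clear referent. `[Custom Key Store feature][2] feature` repeats the last word and should read `[Custom Key Store feature][2]`. The `origin` comment just above it says `in a AWS KMS` where `in an AWS KMS` is meant. `The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.` directly follows a sentence about DescribeCustomKeyStores, so it is unclear which response is meant; if it is the response to this request, the comment should say so explicitly. The comment block starts and ends outside this hunk.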
@@ -391,6 +515,7 @@ module Aws::KMS
391
515
  :description,
392
516
  :key_usage,
393
517
  :origin,
518
+ :custom_key_store_id,
394
519
  :bypass_policy_lockout_safety_check,
395
520
  :tags)
396
521
  include Aws::Structure
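Review bot: `:custom_key_store_id` is inserted between `:origin` and `:bypass_policy_lockout_safety_check` rather than appended, which shifts the position of every later member of this Struct. Code that reads the struct by position (`to_a`, `values`, a numeric index) would now get the key store ID where it used to get the lockout-safety flag; whether `Aws::Structure` still permits positional construction is not visible here. The `@@ -1521,6 +1902,8 @@` hunk does the same, inserting two members before `:expiration_model`. If the order is dictated by the service model, a comment such as `# Members follow the API model order; access them by name, never by index.` would make the contract explicit. The class definition starts and ends outside this hunk.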
@@ -407,6 +532,103 @@ module Aws::KMS
407
532
  include Aws::Structure
408
533
  end
409
534
 
535
+ # Contains information about each custom key store in the custom key
536
+ # store list.
537
+ #
538
+ # @!attribute [rw] custom_key_store_id
539
+ # A unique identifier for the custom key store.
540
+ # @return [String]
541
+ #
542
+ # @!attribute [rw] custom_key_store_name
543
+ # The user-specified friendly name for the custom key store.
544
+ # @return [String]
545
+ #
546
+ # @!attribute [rw] cloud_hsm_cluster_id
547
+ # A unique identifier for the AWS CloudHSM cluster that is associated
548
+ # with the custom key store.
549
+ # @return [String]
550
+ #
551
+ # @!attribute [rw] trust_anchor_certificate
552
+ # The trust anchor certificate of the associated AWS CloudHSM cluster.
553
+ # When you [initialize the cluster][1], you create this certificate
554
+ # and save it in the `customerCA.crt` file.
555
+ #
556
+ #
557
+ #
558
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
559
+ # @return [String]
560
+ #
561
+ # @!attribute [rw] connection_state
562
+ # Indicates whether the custom key store is connected to its AWS
563
+ # CloudHSM cluster.
564
+ #
565
+ # You can create and use CMKs in your custom key stores only when its
566
+ # connection state is `CONNECTED`.
567
+ #
568
+ # The value is `DISCONNECTED` if the key store has never been
569
+ # connected or you use the DisconnectCustomKeyStore operation to
570
+ # disconnect it. If the value is `CONNECTED` but you are having
571
+ # trouble using the custom key store, make sure that its associated
572
+ # AWS CloudHSM cluster is active and contains at least one active HSM.
573
+ #
574
+ # A value of `FAILED` indicates that an attempt to connect was
575
+ # unsuccessful. For help resolving a connection failure, see
576
+ # [Troubleshooting a Custom Key Store][1] in the *AWS Key Management
577
+ # Service Developer Guide*.
578
+ #
579
+ #
580
+ #
581
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
582
+ # @return [String]
583
+ #
584
+ # @!attribute [rw] connection_error_code
585
+ # Describes the connection error. Valid values are:
586
+ #
587
+ # * `CLUSTER_NOT_FOUND` - AWS KMS cannot find the AWS CloudHSM cluster
588
+ # with the specified cluster ID.
589
+ #
590
+ # * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated AWS CloudHSM cluster
591
+ # does not contain any active HSMs. To connect a custom key store to
592
+ # its AWS CloudHSM cluster, the cluster must contain at least one
593
+ # active HSM.
594
+ #
595
+ # * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
596
+ # for the `kmsuser` crypto user in the AWS CloudHSM cluster.
597
+ #
598
+ # * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
599
+ # connecting to the custom key store.
600
+ #
601
+ # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
602
+ # associated AWS CloudHSM cluster due to too many failed password
603
+ # attempts. Before you can connect your custom key store to its AWS
604
+ # CloudHSM cluster, you must change the `kmsuser` account password
605
+ # and update the password value for the custom key store.
606
+ #
607
+ # For help with connection failures, see [Troubleshooting Custom Key
608
+ # Stores][1] in the *AWS Key Management Service Developer Guide*.
609
+ #
610
+ #
611
+ #
612
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
613
+ # @return [String]
614
+ #
615
+ # @!attribute [rw] creation_date
616
+ # The date and time when the custom key store was created.
617
+ # @return [Time]
618
+ #
619
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
620
+ #
621
+ class CustomKeyStoresListEntry < Struct.new(
622
+ :custom_key_store_id,
623
+ :custom_key_store_name,
624
+ :cloud_hsm_cluster_id,
625
+ :trust_anchor_certificate,
626
+ :connection_state,
627
+ :connection_error_code,
628
+ :creation_date)
629
+ include Aws::Structure
630
+ end
631
+
410
632
  # @note When making an API call, you may pass DecryptRequest
411
633
  # data as a hash:
412
634
  #
@@ -459,7 +681,7 @@ module Aws::KMS
459
681
  #
460
682
  # @!attribute [rw] plaintext
461
683
  # Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
462
- # the value is Base64-encoded. Otherwise, it is not encoded.
684
+ # the value is Base64-encdoded. Otherwise, it is not encoded.
463
685
  # @return [String]
464
686
  #
465
687
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
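Review bot: The changed line misspells the encoding as `Base64-encdoded`; the removed line had it right and the new one should read `# the value is Base64-encoded. Otherwise, it is not encoded.` The same typo is introduced in the hunks at `@@ -783,7 +1129,7 @@`, `@@ -884,12 +1230,12 @@` (twice), `@@ -994,7 +1340,7 @@`, `@@ -1015,22 +1361,34 @@` and `@@ -2103,7 +2486,7 @@`. These comments tell callers whether plaintext, ciphertext and data-key bytes need Base64 decoding, so the wording should stay exact and searchable.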
@@ -490,6 +712,29 @@ module Aws::KMS
490
712
  include Aws::Structure
491
713
  end
492
714
 
715
+ # @note When making an API call, you may pass DeleteCustomKeyStoreRequest
716
+ # data as a hash:
717
+ #
718
+ # {
719
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
720
+ # }
721
+ #
722
+ # @!attribute [rw] custom_key_store_id
723
+ # Enter the ID of the custom key store you want to delete. To find the
724
+ # ID of a custom key store, use the DescribeCustomKeyStores operation.
725
+ # @return [String]
726
+ #
727
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStoreRequest AWS API Documentation
728
+ #
729
+ class DeleteCustomKeyStoreRequest < Struct.new(
730
+ :custom_key_store_id)
731
+ include Aws::Structure
732
+ end
733
+
734
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStoreResponse AWS API Documentation
735
+ #
736
+ class DeleteCustomKeyStoreResponse < Aws::EmptyStructure; end
737
+
493
738
  # @note When making an API call, you may pass DeleteImportedKeyMaterialRequest
494
739
  # data as a hash:
495
740
  #
@@ -521,6 +766,83 @@ module Aws::KMS
521
766
  include Aws::Structure
522
767
  end
523
768
 
769
+ # @note When making an API call, you may pass DescribeCustomKeyStoresRequest
770
+ # data as a hash:
771
+ #
772
+ # {
773
+ # custom_key_store_id: "CustomKeyStoreIdType",
774
+ # custom_key_store_name: "CustomKeyStoreNameType",
775
+ # limit: 1,
776
+ # marker: "MarkerType",
777
+ # }
778
+ #
779
+ # @!attribute [rw] custom_key_store_id
780
+ # Gets only information about the specified custom key store. Enter
781
+ # the key store ID.
782
+ #
783
+ # By default, this operation gets information about all custom key
784
+ # stores in the account and region. To limit the output to a
785
+ # particular custom key store, you can use either the
786
+ # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
787
+ # @return [String]
788
+ #
789
+ # @!attribute [rw] custom_key_store_name
790
+ # Gets only information about the specified custom key store. Enter
791
+ # the friendly name of the custom key store.
792
+ #
793
+ # By default, this operation gets information about all custom key
794
+ # stores in the account and region. To limit the output to a
795
+ # particular custom key store, you can use either the
796
+ # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
797
+ # @return [String]
798
+ #
799
+ # @!attribute [rw] limit
800
+ # Use this parameter to specify the maximum number of items to return.
801
+ # When this value is present, AWS KMS does not return more than the
802
+ # specified number of items, but it might return fewer.
803
+ # @return [Integer]
804
+ #
805
+ # @!attribute [rw] marker
806
+ # Use this parameter in a subsequent request after you receive a
807
+ # response with truncated results. Set it to the value of `NextMarker`
808
+ # from the truncated response you just received.
809
+ # @return [String]
810
+ #
811
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresRequest AWS API Documentation
812
+ #
813
+ class DescribeCustomKeyStoresRequest < Struct.new(
814
+ :custom_key_store_id,
815
+ :custom_key_store_name,
816
+ :limit,
817
+ :marker)
818
+ include Aws::Structure
819
+ end
820
+
821
+ # @!attribute [rw] custom_key_stores
822
+ # Contains metadata about each custom key store.
823
+ # @return [Array<Types::CustomKeyStoresListEntry>]
824
+ #
825
+ # @!attribute [rw] next_marker
826
+ # When `Truncated` is true, this element is present and contains the
827
+ # value to use for the `Marker` parameter in a subsequent request.
828
+ # @return [String]
829
+ #
830
+ # @!attribute [rw] truncated
831
+ # A flag that indicates whether there are more items in the list. When
832
+ # this value is true, the list in this response is truncated. To get
833
+ # more items, pass the value of the `NextMarker` element in this
834
+ # response to the `Marker` parameter in a subsequent request.
835
+ # @return [Boolean]
836
+ #
837
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
838
+ #
839
+ class DescribeCustomKeyStoresResponse < Struct.new(
840
+ :custom_key_stores,
841
+ :next_marker,
842
+ :truncated)
843
+ include Aws::Structure
844
+ end
845
+
524
846
  # @note When making an API call, you may pass DescribeKeyRequest
525
847
  # data as a hash:
526
848
  #
@@ -538,7 +860,7 @@ module Aws::KMS
538
860
  #
539
861
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
540
862
  # name, or alias ARN. When using an alias name, prefix it with
541
- # `"alias/"`. To specify a CMK in a different AWS account, you must
863
+ # "alias/". To specify a CMK in a different AWS account, you must
542
864
  # use the key ARN or alias ARN.
543
865
  #
544
866
  # For example:
@@ -650,6 +972,30 @@ module Aws::KMS
650
972
  include Aws::Structure
651
973
  end
652
974
 
975
+ # @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
976
+ # data as a hash:
977
+ #
978
+ # {
979
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
980
+ # }
981
+ #
982
+ # @!attribute [rw] custom_key_store_id
983
+ # Enter the ID of the custom key store you want to disconnect. To find
984
+ # the ID of a custom key store, use the DescribeCustomKeyStores
985
+ # operation.
986
+ # @return [String]
987
+ #
988
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStoreRequest AWS API Documentation
989
+ #
990
+ class DisconnectCustomKeyStoreRequest < Struct.new(
991
+ :custom_key_store_id)
992
+ include Aws::Structure
993
+ end
994
+
995
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStoreResponse AWS API Documentation
996
+ #
997
+ class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
998
+
653
999
  # @note When making an API call, you may pass EnableKeyRequest
654
1000
  # data as a hash:
655
1001
  #
@@ -727,7 +1073,7 @@ module Aws::KMS
727
1073
  #
728
1074
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
729
1075
  # name, or alias ARN. When using an alias name, prefix it with
730
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1076
+ # "alias/". To specify a CMK in a different AWS account, you must
731
1077
  # use the key ARN or alias ARN.
732
1078
  #
733
1079
  # For example:
@@ -783,7 +1129,7 @@ module Aws::KMS
783
1129
 
784
1130
  # @!attribute [rw] ciphertext_blob
785
1131
  # The encrypted plaintext. When you use the HTTP API or the AWS CLI,
786
- # the value is Base64-encoded. Otherwise, it is not encoded.
1132
+ # the value is Base64-encdoded. Otherwise, it is not encoded.
787
1133
  # @return [String]
788
1134
  #
789
1135
  # @!attribute [rw] key_id
@@ -817,7 +1163,7 @@ module Aws::KMS
817
1163
  #
818
1164
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
819
1165
  # name, or alias ARN. When using an alias name, prefix it with
820
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1166
+ # "alias/". To specify a CMK in a different AWS account, you must
821
1167
  # use the key ARN or alias ARN.
822
1168
  #
823
1169
  # For example:
@@ -884,12 +1230,12 @@ module Aws::KMS
884
1230
 
885
1231
  # @!attribute [rw] ciphertext_blob
886
1232
  # The encrypted data encryption key. When you use the HTTP API or the
887
- # AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
1233
+ # AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.
888
1234
  # @return [String]
889
1235
  #
890
1236
  # @!attribute [rw] plaintext
891
1237
  # The data encryption key. When you use the HTTP API or the AWS CLI,
892
- # the value is Base64-encoded. Otherwise, it is not encoded. Use this
1238
+ # the value is Base64-encdoded. Otherwise, it is not encoded. Use this
893
1239
  # data key for local encryption and decryption, then remove it from
894
1240
  # memory as soon as possible.
895
1241
  # @return [String]
@@ -927,7 +1273,7 @@ module Aws::KMS
927
1273
  #
928
1274
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
929
1275
  # name, or alias ARN. When using an alias name, prefix it with
930
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1276
+ # "alias/". To specify a CMK in a different AWS account, you must
931
1277
  # use the key ARN or alias ARN.
932
1278
  #
933
1279
  # For example:
@@ -994,7 +1340,7 @@ module Aws::KMS
994
1340
 
995
1341
  # @!attribute [rw] ciphertext_blob
996
1342
  # The encrypted data encryption key. When you use the HTTP API or the
997
- # AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
1343
+ # AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.
998
1344
  # @return [String]
999
1345
  #
1000
1346
  # @!attribute [rw] key_id
@@ -1015,22 +1361,34 @@ module Aws::KMS
1015
1361
  #
1016
1362
  # {
1017
1363
  # number_of_bytes: 1,
1364
+ # custom_key_store_id: "CustomKeyStoreIdType",
1018
1365
  # }
1019
1366
  #
1020
1367
  # @!attribute [rw] number_of_bytes
1021
1368
  # The length of the byte string.
1022
1369
  # @return [Integer]
1023
1370
  #
1371
+ # @!attribute [rw] custom_key_store_id
1372
+ # Generates the random byte string in the AWS CloudHSM cluster that is
1373
+ # associated with the specified [custom key store][1]. To find the ID
1374
+ # of a custom key store, use the DescribeCustomKeyStores operation.
1375
+ #
1376
+ #
1377
+ #
1378
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1379
+ # @return [String]
1380
+ #
1024
1381
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
1025
1382
  #
1026
1383
  class GenerateRandomRequest < Struct.new(
1027
- :number_of_bytes)
1384
+ :number_of_bytes,
1385
+ :custom_key_store_id)
1028
1386
  include Aws::Structure
1029
1387
  end
1030
1388
 
1031
1389
  # @!attribute [rw] plaintext
1032
1390
  # The random byte string. When you use the HTTP API or the AWS CLI,
1033
- # the value is Base64-encoded. Otherwise, it is not encoded.
1391
+ # the value is Base64-encdoded. Otherwise, it is not encoded.
1034
1392
  # @return [String]
1035
1393
  #
1036
1394
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -1157,10 +1515,10 @@ module Aws::KMS
1157
1515
  # @return [String]
1158
1516
  #
1159
1517
  # @!attribute [rw] wrapping_algorithm
1160
- # The algorithm you use to encrypt the key material before importing
1161
- # it with ImportKeyMaterial. For more information, see [Encrypt the
1162
- # Key Material][1] in the *AWS Key Management Service Developer
1163
- # Guide*.
1518
+ # The algorithm you will use to encrypt the key material before
1519
+ # importing it with ImportKeyMaterial. For more information, see
1520
+ # [Encrypt the Key Material][1] in the *AWS Key Management Service
1521
+ # Developer Guide*.
1164
1522
  #
1165
1523
  #
1166
1524
  #
@@ -1214,7 +1572,7 @@ module Aws::KMS
1214
1572
  end
1215
1573
 
1216
1574
  # A structure that you can use to allow certain operations in the grant
1217
- # only when the preferred encryption context is present. For more
1575
+ # only when the desired encryption context is present. For more
1218
1576
  # information about encryption context, see [Encryption Context][1] in
1219
1577
  # the *AWS Key Management Service Developer Guide*.
1220
1578
  #
@@ -1222,7 +1580,7 @@ module Aws::KMS
1222
1580
  # context as input. For example, the ` DescribeKey ` operation does not
1223
1581
  # accept encryption context as input. A grant that allows the
1224
1582
  # `DescribeKey` operation does so regardless of the grant constraints.
1225
- # In contrast, the ` Encrypt ` operation accepts encryption context as
1583
+ # In constrast, the ` Encrypt ` operation accepts encryption context as
1226
1584
  # input. A grant that allows the `Encrypt` operation does so only when
1227
1585
  # the encryption context of the `Encrypt` operation satisfies the grant
1228
1586
  # constraints.
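Review bot: `In constrast` on the changed line is a misspelling the removed line did not have; it should read `In contrast`. This paragraph explains which operations actually enforce grant constraints, so it is read closely when grants are reviewed, and the regression is worth fixing at the documentation source. The comment block starts outside this hunk.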
@@ -1472,8 +1830,7 @@ module Aws::KMS
1472
1830
  #
1473
1831
  # @!attribute [rw] deletion_date
1474
1832
  # The date and time after which AWS KMS deletes the CMK. This value is
1475
- # present only when `KeyState` is `PendingDeletion`, otherwise this
1476
- # value is omitted.
1833
+ # present only when `KeyState` is `PendingDeletion`.
1477
1834
  # @return [Time]
1478
1835
  #
1479
1836
  # @!attribute [rw] valid_to
@@ -1488,7 +1845,31 @@ module Aws::KMS
1488
1845
  # The source of the CMK's key material. When this value is `AWS_KMS`,
1489
1846
  # AWS KMS created the key material. When this value is `EXTERNAL`, the
1490
1847
  # key material was imported from your existing key management
1491
- # infrastructure or the CMK lacks key material.
1848
+ # infrastructure or the CMK lacks key material. When this value is
1849
+ # `AWS_CLOUDHSM`, the key material was created in the AWS CloudHSM
1850
+ # cluster associated with a custom key store.
1851
+ # @return [String]
1852
+ #
1853
+ # @!attribute [rw] custom_key_store_id
1854
+ # A unique identifier for the [custom key store][1] that contains the
1855
+ # CMK. This value is present only when the CMK is created in a custom
1856
+ # key store.
1857
+ #
1858
+ #
1859
+ #
1860
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1861
+ # @return [String]
1862
+ #
1863
+ # @!attribute [rw] cloud_hsm_cluster_id
1864
+ # The cluster ID of the AWS CloudHSM cluster that contains the key
1865
+ # material for the CMK. When you create a CMK in a [custom key
1866
+ # store][1], AWS KMS creates the key material for the CMK in the
1867
+ # associated AWS CloudHSM cluster. This value is present only when the
1868
+ # CMK is created in a custom key store.
1869
+ #
1870
+ #
1871
+ #
1872
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1492
1873
  # @return [String]
1493
1874
  #
1494
1875
  # @!attribute [rw] expiration_model
@@ -1498,7 +1879,7 @@ module Aws::KMS
1498
1879
  # @return [String]
1499
1880
  #
1500
1881
  # @!attribute [rw] key_manager
1501
- # The CMK's manager. CMKs are either customer managed or AWS managed.
1882
+ # The CMK's manager. CMKs are either customer-managed or AWS-managed.
1502
1883
  # For more information about the difference, see [Customer Master
1503
1884
  # Keys][1] in the *AWS Key Management Service Developer Guide*.
1504
1885
  #
@@ -1521,6 +1902,8 @@ module Aws::KMS
1521
1902
  :deletion_date,
1522
1903
  :valid_to,
1523
1904
  :origin,
1905
+ :custom_key_store_id,
1906
+ :cloud_hsm_cluster_id,
1524
1907
  :expiration_model,
1525
1908
  :key_manager)
1526
1909
  include Aws::Structure
@@ -1982,11 +2365,11 @@ module Aws::KMS
1982
2365
  # principals. The principals in the key policy must exist and be
1983
2366
  # visible to AWS KMS. When you create a new AWS principal (for
1984
2367
  # example, an IAM user or role), you might need to enforce a delay
1985
- # before including the new principal in a key policy. The reason for
1986
- # this is that the new principal might not be immediately visible to
1987
- # AWS KMS. For more information, see [Changes that I make are not
1988
- # always immediately visible][2] in the *AWS Identity and Access
1989
- # Management User Guide*.
2368
+ # before including the new principal in a key policy because the new
2369
+ # principal might not be immediately visible to AWS KMS. For more
2370
+ # information, see [Changes that I make are not always immediately
2371
+ # visible][2] in the *AWS Identity and Access Management User
2372
+ # Guide*.
1990
2373
  #
1991
2374
  # The key policy size limit is 32 kilobytes (32768 bytes).
1992
2375
  #
@@ -2057,7 +2440,7 @@ module Aws::KMS
2057
2440
  #
2058
2441
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2059
2442
  # name, or alias ARN. When using an alias name, prefix it with
2060
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2443
+ # "alias/". To specify a CMK in a different AWS account, you must
2061
2444
  # use the key ARN or alias ARN.
2062
2445
  #
2063
2446
  # For example:
@@ -2103,7 +2486,7 @@ module Aws::KMS
2103
2486
 
2104
2487
  # @!attribute [rw] ciphertext_blob
2105
2488
  # The reencrypted data. When you use the HTTP API or the AWS CLI, the
2106
- # value is Base64-encoded. Otherwise, it is not encoded.
2489
+ # value is Base64-encdoded. Otherwise, it is not encoded.
2107
2490
  # @return [String]
2108
2491
  #
2109
2492
  # @!attribute [rw] source_key_id
@@ -2413,6 +2796,68 @@ module Aws::KMS
2413
2796
  include Aws::Structure
2414
2797
  end
2415
2798
 
2799
+ # @note When making an API call, you may pass UpdateCustomKeyStoreRequest
2800
+ # data as a hash:
2801
+ #
2802
+ # {
2803
+ # custom_key_store_id: "CustomKeyStoreIdType", # required
2804
+ # new_custom_key_store_name: "CustomKeyStoreNameType",
2805
+ # key_store_password: "KeyStorePasswordType",
2806
+ # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
2807
+ # }
2808
+ #
2809
+ # @!attribute [rw] custom_key_store_id
2810
+ # Identifies the custom key store that you want to update. Enter the
2811
+ # ID of the custom key store. To find the ID of a custom key store,
2812
+ # use the DescribeCustomKeyStores operation.
2813
+ # @return [String]
2814
+ #
2815
+ # @!attribute [rw] new_custom_key_store_name
2816
+ # Changes the friendly name of the custom key store to the value that
2817
+ # you specify. The custom key store name must be unique in the AWS
2818
+ # account.
2819
+ # @return [String]
2820
+ #
2821
+ # @!attribute [rw] key_store_password
2822
+ # Enter the current password of the `kmsuser` crypto user (CU) in the
2823
+ # AWS CloudHSM cluster that is associated with the custom key store.
2824
+ #
2825
+ # This parameter tells AWS KMS the current password of the `kmsuser`
2826
+ # crypto user (CU). It does not set or change the password of any
2827
+ # users in the AWS CloudHSM cluster.
2828
+ # @return [String]
2829
+ #
2830
+ # @!attribute [rw] cloud_hsm_cluster_id
2831
+ # Associates the custom key store with a related AWS CloudHSM cluster.
2832
+ #
2833
+ # Enter the cluster ID of the cluster that you used to create the
2834
+ # custom key store or a cluster that shares a backup history with the
2835
+ # original cluster. You cannot use this parameter to associate a
2836
+ # custom key store with a different cluster.
2837
+ #
2838
+ # Clusters that share a backup history have the same cluster
2839
+ # certificate. To view the cluster certificate of a cluster, use the
2840
+ # [DescribeClusters][1] operation.
2841
+ #
2842
+ #
2843
+ #
2844
+ # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
2845
+ # @return [String]
2846
+ #
2847
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
2848
+ #
2849
+ class UpdateCustomKeyStoreRequest < Struct.new(
2850
+ :custom_key_store_id,
2851
+ :new_custom_key_store_name,
2852
+ :key_store_password,
2853
+ :cloud_hsm_cluster_id)
2854
+ include Aws::Structure
2855
+ end
2856
+
2857
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreResponse AWS API Documentation
2858
+ #
2859
+ class UpdateCustomKeyStoreResponse < Aws::EmptyStructure; end
2860
+
2416
2861
  # @note When making an API call, you may pass UpdateKeyDescriptionRequest
2417
2862
  # data as a hash:
2418
2863
  #
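Review bot: `key_store_password` is an ordinary member of a plain `Struct`, and Ruby's default `Struct#inspect` and `to_h` print every member value. A request object that reaches a log line, an exception message or a debugger dump would therefore expose the `kmsuser` password. Whether `Aws::Structure` or the SDK's request logging redacts this member is not visible in the diff. At minimum the attribute comment should warn callers, for example `# Treat this value as a secret: do not log or inspect the request params or this struct.`; redacting the member in the struct's printed form would be the stronger fix. `CreateCustomKeyStoreRequest`, added earlier in this file, carries the same member.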