aws-sdk-kms 1.121.0 → 1.129.0

data/lib/aws-sdk-kms/client.rb

@@ -199,7 +199,7 @@ module Aws::KMS
     #     the required types.
     #
     #   @option options [Boolean] :correct_clock_skew (true)
-    #     Used only in `standard` and adaptive retry modes. Specifies whether to apply
+    #     Used only in `standard` and `adaptive` retry modes. Specifies whether to apply
     #     a clock skew correction and retry requests with skewed client clocks.
     #
     #   @option options [String] :defaults_mode ("legacy")
@@ -323,17 +323,15 @@ module Aws::KMS
     #   @option options [String] :retry_mode ("legacy")
     #     Specifies which retry algorithm to use. Values are:
     #
-    #     * `legacy` - The pre-existing retry behavior.  This is default value if
-    #       no retry mode is provided.
+    #     * `legacy` - The pre-existing retry behavior. This is the default
+    #       value if no retry mode is provided.
     #
     #     * `standard` - A standardized set of retry rules across the AWS SDKs.
     #       This includes support for retry quotas, which limit the number of
     #       unsuccessful retries a client can make.
     #
-    #     * `adaptive` - An experimental retry mode that includes all the
-    #       functionality of `standard` mode along with automatic client side
-    #       throttling.  This is a provisional mode that may change behavior
-    #       in the future.
+    #     * `adaptive` - A retry mode that includes all the functionality of
+    #       `standard` mode along with automatic client side throttling.
     #
     #   @option options [String] :sdk_ua_app_id
     #     A unique and opaque application ID that is appended to the
@@ -1247,6 +1245,12 @@ module Aws::KMS
     # temporary permissions because you can create one, use its permissions,
     # and delete it without changing your key policies or IAM policies.
     #
+    # You can create a grant for an Amazon Web Services principal (IAM user,
+    # IAM role, or Amazon Web Services account) by specifying the
+    # `GranteePrincipal` parameter. You can also create a grant for an
+    # Amazon Web Services service principal by specifying the
+    # `GranteeServicePrincipal` parameter.
+    #
     # For detailed information about grants, including grant terminology,
     # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of creating grants in several programming
@@ -1320,7 +1324,7 @@ module Aws::KMS
     #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
-    # @option params [required, String] :grantee_principal
+    # @option params [String] :grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
     #   To specify the grantee principal, use the Amazon Resource Name (ARN)
@@ -1330,6 +1334,9 @@ module Aws::KMS
     #   [IAM ARNs][1] in the <i> <i>Identity and Access Management User
     #   Guide</i> </i>.
     #
+    #   You must specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
@@ -1350,6 +1357,9 @@ module Aws::KMS
     #   see RevokeGrant and [Retiring and revoking grants][3] in the *Key
     #   Management Service Developer Guide*.
     #
+    #   You can specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
@@ -1378,39 +1388,52 @@ module Aws::KMS
     #   This field may be displayed in plaintext in CloudTrail logs and other
     #   output.
     #
-    #   KMS supports the `EncryptionContextEquals` and
-    #   `EncryptionContextSubset` grant constraints, which allow the
-    #   permissions in the grant only when the encryption context in the
-    #   request matches (`EncryptionContextEquals`) or includes
-    #   (`EncryptionContextSubset`) the encryption context specified in the
-    #   constraint.
-    #
-    #   The encryption context grant constraints are supported only on [grant
-    #   operations][1] that include an `EncryptionContext` parameter, such as
-    #   cryptographic operations on symmetric encryption KMS keys. Grants with
-    #   grant constraints can include the DescribeKey and RetireGrant
-    #   operations, but the constraint doesn't apply to these operations. If
-    #   a grant with a grant constraint includes the `CreateGrant` operation,
-    #   the constraint requires that any grants created with the `CreateGrant`
-    #   permission have an equally strict or stricter encryption context
-    #   constraint.
-    #
-    #   You cannot use an encryption context grant constraint for
-    #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
-    #   Operations with these keys don't support an encryption context.
-    #
-    #   Each constraint value can include up to 8 encryption context pairs.
-    #   The encryption context value in each constraint cannot exceed 384
-    #   characters. For information about grant constraints, see [Using grant
-    #   constraints][2] in the *Key Management Service Developer Guide*. For
-    #   more information about encryption context, see [Encryption context][3]
-    #   in the <i> <i>Key Management Service Developer Guide</i> </i>.
+    #   KMS supports the following grant constraints.
+    #
+    #   * `EncryptionContextEquals` and `EncryptionContextSubset` — These
+    #     encryption context grant constraints allow the permissions in the
+    #     grant only when the encryption context in the request matches
+    #     (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
+    #     the encryption context specified in the constraint.
+    #
+    #     Encryption context grant constraints are supported only on [grant
+    #     operations][1] that include an `EncryptionContext` parameter, such
+    #     as cryptographic operations on symmetric encryption KMS keys. You
+    #     cannot use an encryption context grant constraint for cryptographic
+    #     operations with asymmetric KMS keys or HMAC KMS keys. Operations
+    #     with these keys don't support an encryption context. Grants with
+    #     encryption context grant constraints can include the DescribeKey and
+    #     RetireGrant operations, but the constraint doesn't apply to these
+    #     operations. If a grant with an encryption context grant constraint
+    #     includes the `CreateGrant` operation, the constraint requires that
+    #     any grants created with the `CreateGrant` permission have an equally
+    #     strict or stricter encryption context constraint.
+    #
+    #     Each constraint value can include up to 8 encryption context pairs.
+    #     The encryption context value in each constraint cannot exceed 384
+    #     characters. For more information about encryption context, see
+    #     [Encryption context][2] in the <i> <i>Key Management Service
+    #     Developer Guide</i> </i>.
+    #
+    #   * `SourceArn` — This grant constraint allows the permissions in the
+    #     grant only when the request is made on behalf of a specific Amazon
+    #     Web Services resource, identified by its [Amazon Resource Name
+    #     (ARN)][3]. This is effectively the same as having the
+    #     [aws:SourceArn][4] global condition key in the grant. The SourceArn
+    #     constraint is supported on grants for all types of KMS keys and can
+    #     also be applied to the DescribeKey operation when specified in the
+    #     request. However, it does not apply to RetireGrant operation.
+    #
+    #   For information about grant constraints, see [Using grant
+    #   constraints][5] in the *Key Management Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1456,6 +1479,32 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #
+    # @option params [String] :grantee_service_principal
+    #   The Amazon Web Services [service principal][1] that gets the
+    #   permissions specified in the grant.
+    #
+    #   When you specify a `GranteeServicePrincipal`, you must also specify a
+    #   `SourceArn` grant constraint. In addition, you must specify either a
+    #   `RetiringPrincipal` or a `RetiringServicePrincipal`.
+    #
+    #   You must specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #
+    # @option params [String] :retiring_service_principal
+    #   The Amazon Web Services [service principal][1] that has permission to
+    #   use the RetireGrant operation to retire the grant.
+    #
+    #   You can specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #
     # @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateGrantResponse#grant_token #grant_token} => String
@@ -1481,11 +1530,38 @@ module Aws::KMS
     #     grant_token: "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW__MSrqnre1HIN0Grt00ViSSuUjhqOC8OT3YAAADfMIHcBgkqhkiG9w0BBwaggc4wgcsCAQAwgcUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmqLyBTAegIn9XlK5AgEQgIGXZQjkBcl1dykDdqZBUQ6L1OfUivQy7JVYO2-ZJP7m6f1g8GzV47HX5phdtONAP7K_HQIflcgpkoCqd_fUnE114mSmiagWkbQ5sqAVV3ov-VeqgrvMe5ZFEWLMSluvBAqdjHEdMIkHMlhlj4ENZbzBfo9Wxk8b8SnwP4kc4gGivedzFXo-dwN8fxjjq_ZZ9JFOj2ijIbj5FyogDCN0drOfi8RORSEuCEmPvjFRMFAwcmwFkN2NPp89amA", # The grant token.
     #   }
     #
+    # @example Example: To create a grant for a service principal
+    #
+    #   # The following example creates a grant that allows the specified AWS service principal to encrypt and decrypt data with
+    #   # the specified KMS key. The grant includes a SourceArn constraint that restricts the grant permissions to requests
+    #   # associated with the specified DynamoDB table.
+    #
+    #   resp = client.create_grant({
+    #     constraints: {
+    #       source_arn: "arn:aws:dynamodb:us-east-2:444455556666:table/ExampleTable", 
+    #     }, # The SourceArn grant constraint restricts the grant permissions to requests associated with the specified AWS resource.
+    #     grantee_service_principal: "service-name.amazonaws.com", # The AWS service principal that is given permission to perform the operations specified in the grant.
+    #     key_id: "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to which the grant applies. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     operations: [
+    #       "Encrypt", 
+    #       "Decrypt", 
+    #       "GenerateDataKey", 
+    #       "DescribeKey", 
+    #     ], # A list of operations that the grant allows.
+    #     retiring_service_principal: "service-name.amazonaws.com", # The AWS service principal that can retire the grant.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     grant_id: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", # The unique identifier of the grant.
+    #     grant_token: "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW...", # The grant token.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_grant({
     #     key_id: "KeyIdType", # required
-    #     grantee_principal: "PrincipalIdType", # required
+    #     grantee_principal: "PrincipalIdType",
     #     retiring_principal: "PrincipalIdType",
     #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
     #     constraints: {
@@ -1495,10 +1571,13 @@ module Aws::KMS
     #       encryption_context_equals: {
     #         "EncryptionContextKey" => "EncryptionContextValue",
     #       },
+    #       source_arn: "GrantConstraintSourceArnType",
     #     },
     #     grant_tokens: ["GrantTokenType"],
     #     name: "GrantNameType",
     #     dry_run: false,
+    #     grantee_service_principal: "ServicePrincipalType",
+    #     retiring_service_principal: "ServicePrincipalType",
     #   })
     #
     # @example Response structure
@@ -1604,7 +1683,6 @@ module Aws::KMS
     #
     #
     # Multi-Region primary keys
-    # Imported key material
     #
     # : To create a multi-Region *primary key* in the local Amazon Web
     #   Services Region, use the `MultiRegion` parameter with a value of
@@ -1632,6 +1710,8 @@ module Aws::KMS
     #
     #
     #
+    # Imported key material
+    #
     # : To import your own key material into a KMS key, begin by creating a
     #   KMS key with no key material. To do this, use the `Origin` parameter
     #   of `CreateKey` with a value of `EXTERNAL`. Next, use
@@ -2559,11 +2639,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][8] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**: Yes. If you use the `KeyId` parameter to
-    # identify a KMS key in a different Amazon Web Services account, specify
-    # the key ARN or the alias ARN of the KMS key.
+    # **Cross-account use**: Yes. To specify a KMS key in a different Amazon
+    # Web Services account, use the [key ARN][9] or [alias ARN][10]. A short
+    # [key ID][11] is also acceptable when decrypting symmetric ciphertexts,
+    # though using a full key ARN is recommended to be more explicit about
+    # the intended KMS key.
     #
-    # **Required permissions**: [kms:Decrypt][9] (key policy)
+    # **Required permissions**: [kms:Decrypt][12] (key policy)
     #
     # **Related operations:**
     #
@@ -2576,7 +2658,7 @@ module Aws::KMS
     # * ReEncrypt
     #
     # **Eventual consistency**: The KMS API follows an eventual consistency
-    # model. For more information, see [KMS eventual consistency][10].
+    # model. For more information, see [KMS eventual consistency][13].
     #
     #
     #
@@ -2588,12 +2670,18 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-alias-ARN
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
     #
-    # @option params [required, String, StringIO, File] :ciphertext_blob
+    # @option params [String, StringIO, File] :ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
     #
+    #   This parameter is required in all cases except when `DryRun` is `true`
+    #   and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`.
+    #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
     #   encryption context is valid only for [cryptographic operations][1]
@@ -2638,15 +2726,16 @@ module Aws::KMS
     #   `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
-    #   key, KMS can get the KMS key from metadata that it adds to the
-    #   symmetric ciphertext blob. However, it is always recommended as a best
-    #   practice. This practice ensures that you use the KMS key that you
-    #   intend.
+    #   under an asymmetric KMS key or when `DryRun` is `true` and
+    #   `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`. If you used a
+    #   symmetric encryption KMS key, KMS can get the KMS key from metadata
+    #   that it adds to the symmetric ciphertext blob. However, it is always
+    #   recommended as a best practice. This practice ensures that you use the
+    #   KMS key that you intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
-    #   KMS key in a different Amazon Web Services account, you must use the
+    #   KMS key in a different Amazon Web Services account, you should use the
     #   key ARN or alias ARN.
     #
     #   For example:
@@ -2714,6 +2803,22 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #
+    # @option params [Array<String>] :dry_run_modifiers
+    #   Specifies the modifiers to apply to the dry run operation.
+    #   `DryRunModifiers` is an optional parameter that only applies when
+    #   `DryRun` is set to `true`.
+    #
+    #   When set to `IGNORE_CIPHERTEXT`, KMS performs only authorization
+    #   validation without ciphertext validation. This allows you to test
+    #   permissions without requiring a valid ciphertext blob.
+    #
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
+    #
     # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DecryptResponse#key_id #key_id} => String
@@ -2784,7 +2889,7 @@ module Aws::KMS
     # @example Request syntax with placeholder values
     #
     #   resp = client.decrypt({
-    #     ciphertext_blob: "data", # required
+    #     ciphertext_blob: "data",
     #     encryption_context: {
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
@@ -2796,6 +2901,7 @@ module Aws::KMS
     #       attestation_document: "data",
     #     },
     #     dry_run: false,
+    #     dry_run_modifiers: ["IGNORE_CIPHERTEXT"], # accepts IGNORE_CIPHERTEXT
     #   })
     #
     # @example Response structure
@@ -6130,6 +6236,143 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Returns usage information about the last successful cryptographic
+    # operation performed with a specified KMS key, including the operation
+    # type, timestamp, and associated CloudTrail event ID.
+    #
+    # The `TrackingStartDate` in the `GetKeyLastUsage` response indicates
+    # the date from which KMS began recording cryptographic activity for a
+    # given key. Use this value together with `KeyCreationDate` to
+    # understand the key's usage history:
+    #
+    # * If the `KeyLastUsage` response element is *present*, the key has
+    #   been used for a successful cryptographic operation since the
+    #   `TrackingStartDate`. The response includes the operation type,
+    #   timestamp, and associated CloudTrail event ID.
+    #
+    # * If the `KeyLastUsage` response element is *empty* and
+    #   `KeyCreationDate` is on or after `TrackingStartDate`, the key has
+    #   not been used for a successful cryptographic operation since it was
+    #   created.
+    #
+    # * If the `KeyLastUsage` response element is *empty* and
+    #   `KeyCreationDate` is before `TrackingStartDate`, there is no record
+    #   of the key being used for a successful cryptographic operation since
+    #   the `TrackingStartDate`. However, the key may have been used before
+    #   tracking began. To determine whether the key was used before the
+    #   `TrackingStartDate`, examine your past CloudTrail logs.
+    #
+    # For multi-Region KMS keys, primary and replica keys track last usage
+    # independently. Each key in a multi-Region key set maintains its own
+    # usage information.
+    #
+    # The `ReEncrypt` operation uses two keys: a source key for decryption
+    # and a destination key for encryption. Usage information is recorded
+    # for both keys independently, each with the CloudTrail event ID from
+    # the respective key owner's account.
+    #
+    # <note markdown="1"> Do not use `GetKeyLastUsage` as the sole indicator when scheduling a
+    # key for deletion. Instead, first [disable the key][1] and monitor
+    # CloudTrail for `DisabledException` entries, as there could be
+    # infrequent workflows that are dependent on the key. By looking for
+    # this exception, you can identify potential dependencies and workload
+    # failures before they occur.
+    #
+    #  </note>
+    #
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
+    # key in a different Amazon Web Services account.
+    #
+    # **Required permissions**: [kms:GetKeyLastUsage][2] (key policy)
+    #
+    # **Related operations:**
+    #
+    # * DescribeKey
+    #
+    # * DisableKey
+    #
+    # * ScheduleKeyDeletion
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    #
+    # @option params [required, String] :key_id
+    #   Identifies the KMS key to get usage information for. To specify a KMS
+    #   key, use its key ID or key ARN. Alias names are not supported.
+    #
+    #   Specify the key ID or key ARN of the KMS key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #
+    # @return [Types::GetKeyLastUsageResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetKeyLastUsageResponse#key_id #key_id} => String
+    #   * {Types::GetKeyLastUsageResponse#key_last_usage #key_last_usage} => Types::KeyLastUsageData
+    #   * {Types::GetKeyLastUsageResponse#tracking_start_date #tracking_start_date} => Time
+    #   * {Types::GetKeyLastUsageResponse#key_creation_date #key_creation_date} => Time
+    #
+    #
+    # @example Example: To retrieve the last usage for a KMS key
+    #
+    #   # The following example retrieves usage information about the last successful cryptographic operation performed with the
+    #   # specified KMS key, including the operation type, timestamp, and associated AWS CloudTrail event ID.
+    #
+    #   resp = client.get_key_last_usage({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to get usage information for. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key. Alias names are not supported.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_creation_date: Time.parse(1773253425.56), # The date and time when the KMS key was created.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The globally unique identifier for the KMS key.
+    #     key_last_usage: {
+    #       cloud_trail_event_id: "2cfd5892-ea8c-4342-ad49-4b9594b06a8b", 
+    #       kms_request_id: "040cce3e-9ef3-4651-b8cf-e47c9bafdc9b", 
+    #       operation: "Encrypt", 
+    #       timestamp: Time.parse(1773253497.0), 
+    #     }, # Contains usage information about the last time the KMS key was used for a successful cryptographic operation.
+    #     tracking_start_date: Time.parse(1773253425.56), # The date from which AWS KMS began recording cryptographic activity for this key, or the date the KMS key was created, whichever is later.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_key_last_usage({
+    #     key_id: "KeyIdType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.key_id #=> String
+    #   resp.key_last_usage.operation #=> String, one of "Decrypt", "DeriveSharedSecret", "Encrypt", "GenerateDataKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateDataKeyWithoutPlaintext", "GenerateMac", "ReEncrypt", "Sign", "Verify", "VerifyMac"
+    #   resp.key_last_usage.timestamp #=> Time
+    #   resp.key_last_usage.cloud_trail_event_id #=> String
+    #   resp.key_last_usage.kms_request_id #=> String
+    #   resp.tracking_start_date #=> Time
+    #   resp.key_creation_date #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyLastUsage AWS API Documentation
+    #
+    # @overload get_key_last_usage(params = {})
+    # @param [Hash] params ({})
+    def get_key_last_usage(params = {}, options = {})
+      req = build_request(:get_key_last_usage, params)
+      req.send_request(options)
+    end
+
     # Gets a key policy attached to the specified KMS key.
     #
     # **Cross-account use**: No. You cannot perform this operation on a KMS
@@ -7292,7 +7535,7 @@ module Aws::KMS
     # Gets a list of all grants for the specified KMS key.
     #
     # You must specify the KMS key in all requests. You can filter the grant
-    # list by grant ID or grantee principal.
+    # list by grant ID, grantee principal, or grantee service principal.
     #
     # For detailed information about grants, including grant terminology,
     # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
@@ -7300,12 +7543,18 @@ module Aws::KMS
     # languages, see [Use CreateGrant with an Amazon Web Services SDK or
     # CLI][2].
     #
-    # <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
-    # contains the user or role designated as the grantee principal in the
-    # grant. However, when the grantee principal in the grant is an Amazon
-    # Web Services service, the `GranteePrincipal` field contains the
-    # [service principal][3], which might represent several different
-    # grantee principals.
+    # <note markdown="1"> When a grant is created with the `GranteePrincipal` field, the
+    # `ListGrants` response usually contains the user or role designated as
+    # the grantee principal in the grant. However, if the grantee principal
+    # is an Amazon Web Services service, the `GranteePrincipal` field
+    # contains an Amazon Web Services [service principal][3], which might
+    # correspond to several different grantee principals, such as an IAM
+    # user, IAM role, or Amazon Web Services account.
+    #
+    #  When a grant is created with the `GranteeServicePrincipal` field, the
+    # `ListGrants` response always includes a `GranteeServicePrincipal` that
+    # indicates the grantee is actually an Amazon Web Services [service
+    # principal][3].
     #
     #  </note>
     #
@@ -7374,6 +7623,17 @@ module Aws::KMS
     #   Returns only grants where the specified principal is the grantee
     #   principal for the grant.
     #
+    #   You can specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
+    # @option params [String] :grantee_service_principal
+    #   Returns only grants where the specified Amazon Web Services service
+    #   principal is the grantee service principal for the grant. This filter
+    #   is only usable by callers in a service principal.
+    #
+    #   You can specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ListGrantsResponse#grants #grants} => Array&lt;Types::GrantListEntry&gt;
@@ -7449,6 +7709,40 @@ module Aws::KMS
     #     truncated: true, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
     #   }
     #
+    # @example Example: To list grants for a grantee service principal
+    #
+    #   # The following example lists grants for the specified KMS key that were created with a GranteeServicePrincipal. The
+    #   # response includes the GranteeServicePrincipal, RetiringServicePrincipal, and SourceArn constraint fields.
+    #
+    #   resp = client.list_grants({
+    #     grantee_service_principal: "service-name.amazonaws.com", # Returns only grants where the specified AWS service principal is the grantee service principal.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose grants you want to list. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     grants: [
+    #       {
+    #         constraints: {
+    #           source_arn: "arn:aws:dynamodb:us-east-2:111122223333:table/ExampleTable", 
+    #         }, 
+    #         creation_date: Time.parse("2026-03-06T10:15:00-08:00"), 
+    #         grant_id: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", 
+    #         grantee_service_principal: "service-name.amazonaws.com", 
+    #         issuing_account: "arn:aws:iam::111122223333:root", 
+    #         key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #         operations: [
+    #           "Encrypt", 
+    #           "Decrypt", 
+    #           "GenerateDataKey", 
+    #           "DescribeKey", 
+    #         ], 
+    #         retiring_service_principal: "service-name.amazonaws.com", 
+    #       }, 
+    #     ], # A list of grants.
+    #     truncated: false, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.list_grants({
@@ -7457,6 +7751,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     grant_id: "GrantIdType",
     #     grantee_principal: "PrincipalIdType",
+    #     grantee_service_principal: "ServicePrincipalType",
     #   })
     #
     # @example Response structure
@@ -7475,6 +7770,9 @@ module Aws::KMS
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
     #   resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
+    #   resp.grants[0].constraints.source_arn #=> String
+    #   resp.grants[0].grantee_service_principal #=> String
+    #   resp.grants[0].retiring_service_principal #=> String
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
     #
@@ -7977,7 +8275,8 @@ module Aws::KMS
     end
 
     # Returns information about all grants in the Amazon Web Services
-    # account and Region that have the specified retiring principal.
+    # account and Region that have the specified retiring principal or
+    # retiring service principal.
     #
     # You can specify any principal in your Amazon Web Services account. The
     # grants that are returned include grants for KMS keys in your Amazon
@@ -8002,12 +8301,16 @@ module Aws::KMS
     # **Required permissions**: [kms:ListRetirableGrants][3] (IAM policy) in
     # your Amazon Web Services account.
     #
-    # <note markdown="1"> KMS authorizes `ListRetirableGrants` requests by evaluating the caller
-    # account's kms:ListRetirableGrants permissions. The authorized
-    # resource in `ListRetirableGrants` calls is the retiring principal
-    # specified in the request. KMS does not evaluate the caller's
-    # permissions to verify their access to any KMS keys or grants that
-    # might be returned by the `ListRetirableGrants` call.
+    # <note markdown="1"> When listing retirable grants by `RetiringPrincipal`, KMS authorizes
+    # `ListRetirableGrants` requests by evaluating the caller account's
+    # kms:ListRetirableGrants permissions. The authorized resource in
+    # `ListRetirableGrants` calls is the retiring principal specified in the
+    # request. KMS does not evaluate the caller's permissions to verify
+    # their access to any KMS keys or grants that might be returned by the
+    # `ListRetirableGrants` call.
+    #
+    #  The `RetiringServicePrincipal` filter is only usable by callers in a
+    # service principal.
     #
     #  </note>
     #
@@ -8044,7 +8347,7 @@ module Aws::KMS
     #   response with truncated results. Set it to the value of `NextMarker`
     #   from the truncated response you just received.
     #
-    # @option params [required, String] :retiring_principal
+    # @option params [String] :retiring_principal
     #   The retiring principal for which to list grants. Enter a principal in
     #   your Amazon Web Services account.
     #
@@ -8055,11 +8358,21 @@ module Aws::KMS
     #   principal, see [IAM ARNs][2] in the <i> <i>Identity and Access
     #   Management User Guide</i> </i>.
     #
+    #   You must specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #
+    # @option params [String] :retiring_service_principal
+    #   The retiring service principal for which to list grants. This filter
+    #   is only usable by callers in a service principal.
+    #
+    #   You must specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ListGrantsResponse#grants #grants} => Array&lt;Types::GrantListEntry&gt;
@@ -8096,12 +8409,45 @@ module Aws::KMS
     #     truncated: false, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
     #   }
     #
+    # @example Example: To list grants that the specified service principal can retire
+    #
+    #   # The following example lists the grants that the specified AWS service principal can retire.
+    #
+    #   resp = client.list_retirable_grants({
+    #     retiring_service_principal: "service-name.amazonaws.com", # The retiring service principal whose grants you want to list. Use the AWS service principal name of the service (for example, service-name.amazonaws.com).
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     grants: [
+    #       {
+    #         constraints: {
+    #           source_arn: "arn:aws:dynamodb:us-east-2:444455556666:table/ExampleTable", 
+    #         }, 
+    #         creation_date: Time.parse("2026-03-06T10:15:00-08:00"), 
+    #         grant_id: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", 
+    #         grantee_service_principal: "service-name.amazonaws.com", 
+    #         issuing_account: "arn:aws:iam::444455556666:root", 
+    #         key_id: "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #         operations: [
+    #           "Encrypt", 
+    #           "Decrypt", 
+    #           "GenerateDataKey", 
+    #           "DescribeKey", 
+    #         ], 
+    #         retiring_service_principal: "service-name.amazonaws.com", 
+    #       }, 
+    #     ], # A list of grants that the specified service principal can retire.
+    #     truncated: false, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.list_retirable_grants({
     #     limit: 1,
     #     marker: "MarkerType",
-    #     retiring_principal: "PrincipalIdType", # required
+    #     retiring_principal: "PrincipalIdType",
+    #     retiring_service_principal: "ServicePrincipalType",
     #   })
     #
     # @example Response structure
@@ -8120,6 +8466,9 @@ module Aws::KMS
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
     #   resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
+    #   resp.grants[0].constraints.source_arn #=> String
+    #   resp.grants[0].grantee_service_principal #=> String
+    #   resp.grants[0].retiring_service_principal #=> String
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
     #
@@ -8354,24 +8703,35 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][6] in the *Key
     # Management Service Developer Guide*.
     #
+    # <note markdown="1"> When using grants with `SourceArn` constraints for `ReEncrypt`
+    # operations, the grants on both the source KMS key (for
+    # `ReEncryptFrom`) and the destination KMS key (for `ReEncryptTo`) must
+    # specify the same `SourceArn` value.
+    #
+    #  </note>
+    #
     # **Cross-account use**: Yes. The source KMS key and destination KMS key
     # can be in different Amazon Web Services accounts. Either or both KMS
     # keys can be in a different account than the caller. To specify a KMS
-    # key in a different account, you must use its key ARN or alias ARN.
+    # key in a different account, use the [key ARN][7] or [alias ARN][8]. A
+    # short [key ID][9] is also acceptable for the source key when
+    # decrypting symmetric ciphertexts, though using a full key ARN is
+    # recommended to be more explicit about the intended KMS key.
     #
     # **Required permissions**:
     #
-    # * [kms:ReEncryptFrom][7] permission on the source KMS key (key policy)
+    # * [kms:ReEncryptFrom][10] permission on the source KMS key (key
+    #   policy)
     #
-    # * [kms:ReEncryptTo][7] permission on the destination KMS key (key
+    # * [kms:ReEncryptTo][10] permission on the destination KMS key (key
     #   policy)
     #
     # To permit reencryption from or to a KMS key, include the
-    # `"kms:ReEncrypt*"` permission in your [key policy][8]. This permission
-    # is automatically included in the key policy when you use the console
-    # to create a KMS key. But you must include it manually when you create
-    # a KMS key programmatically or when you use the PutKeyPolicy operation
-    # to set a key policy.
+    # `"kms:ReEncrypt*"` permission in your [key policy][11]. This
+    # permission is automatically included in the key policy when you use
+    # the console to create a KMS key. But you must include it manually when
+    # you create a KMS key programmatically or when you use the PutKeyPolicy
+    # operation to set a key policy.
     #
     # **Related operations:**
     #
@@ -8384,7 +8744,7 @@ module Aws::KMS
     # * GenerateDataKeyPair
     #
     # **Eventual consistency**: The KMS API follows an eventual consistency
-    # model. For more information, see [KMS eventual consistency][9].
+    # model. For more information, see [KMS eventual consistency][12].
     #
     #
     #
@@ -8394,13 +8754,19 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-alias-ARN
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
     #
-    # @option params [required, String, StringIO, File] :ciphertext_blob
+    # @option params [String, StringIO, File] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
     #
+    #   This parameter is required in all cases except when `DryRun` is `true`
+    #   and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`.
+    #
     # @option params [Hash<String,String>] :source_encryption_context
     #   Specifies the encryption context to use to decrypt the ciphertext.
     #   Enter the same encryption context that was used to encrypt the
@@ -8430,15 +8796,16 @@ module Aws::KMS
     #   an `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
-    #   key, KMS can get the KMS key from metadata that it adds to the
-    #   symmetric ciphertext blob. However, it is always recommended as a best
-    #   practice. This practice ensures that you use the KMS key that you
-    #   intend.
+    #   under an asymmetric KMS key or when `DryRun` is `true` and
+    #   `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`. If you used a
+    #   symmetric encryption KMS key, KMS can get the KMS key from metadata
+    #   that it adds to the symmetric ciphertext blob. However, it is always
+    #   recommended as a best practice. This practice ensures that you use the
+    #   KMS key that you intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
-    #   KMS key in a different Amazon Web Services account, you must use the
+    #   KMS key in a different Amazon Web Services account, you should use the
     #   key ARN or alias ARN.
     #
     #   For example:
@@ -8552,6 +8919,22 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #
+    # @option params [Array<String>] :dry_run_modifiers
+    #   Specifies the modifiers to apply to the dry run operation.
+    #   `DryRunModifiers` is an optional parameter that only applies when
+    #   `DryRun` is set to `true`.
+    #
+    #   When set to `IGNORE_CIPHERTEXT`, KMS performs only authorization
+    #   validation without ciphertext validation. This allows you to test
+    #   permissions without requiring a valid ciphertext blob.
+    #
+    #   To learn more about how to use this parameter, see [Testing your
+    #   permissions][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
+    #
     # @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ReEncryptResponse#ciphertext_blob #ciphertext_blob} => String
@@ -8586,7 +8969,7 @@ module Aws::KMS
     # @example Request syntax with placeholder values
     #
     #   resp = client.re_encrypt({
-    #     ciphertext_blob: "data", # required
+    #     ciphertext_blob: "data",
     #     source_encryption_context: {
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
@@ -8599,6 +8982,7 @@ module Aws::KMS
     #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #     grant_tokens: ["GrantTokenType"],
     #     dry_run: false,
+    #     dry_run_modifiers: ["IGNORE_CIPHERTEXT"], # accepts IGNORE_CIPHERTEXT
     #   })
     #
     # @example Response structure
@@ -9239,7 +9623,7 @@ module Aws::KMS
     # automatically rotate, as scheduled, on April 14, 2024 and every 730
     # days thereafter.
     #
-    # <note markdown="1"> You can perform on-demand key rotation a **maximum of 10 times** per
+    # <note markdown="1"> You can perform on-demand key rotation a **maximum of 25 times** per
     # KMS key. You can use the KMS console to view the number of remaining
     # on-demand rotations available for a KMS key.
     #
@@ -9656,6 +10040,11 @@ module Aws::KMS
     #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
     #     `MessageType:DIGEST`
     #
+    #   When you specify the ED25519\_PH\_SHA\_512 signing algorithm with
+    #   `MessageType:DIGEST`, KMS still performs the SHA-512 prehash described
+    #   in [Step 1 of Section 7.8.1 in FIPS 186-5][1]. This means the input is
+    #   hashed twice: once by you and once by KMS.
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -9684,11 +10073,12 @@ module Aws::KMS
     #     algorithm.
     #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
-    #     verification with SM2 key pairs][1].
+    #     verification with SM2 key pairs][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
+    #   [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -10196,8 +10586,10 @@ module Aws::KMS
     # about a change to the `kmsuser` crypto user password
     # (`KeyStorePassword`), or to associate the custom key store with a
     # different, but related, CloudHSM cluster (`CloudHsmClusterId`). To
-    # update any property of an CloudHSM key store, the `ConnectionState` of
-    # the CloudHSM key store must be `DISCONNECTED`.
+    # update most properties of an CloudHSM key store, the `ConnectionState`
+    # of the CloudHSM key store must be `DISCONNECTED`. However, you can
+    # update the `CustomKeyStoreName` of an AWS CloudHSM key store when it
+    # is in the `CONNECTED` or `DISCONNECTED` state.
     #
     # For an external key store, you can use this operation to change the
     # custom key store friendly name (`NewCustomKeyStoreName`), or to tell
@@ -10270,8 +10662,8 @@ module Aws::KMS
     #   This field may be displayed in plaintext in CloudTrail logs and other
     #   output.
     #
-    #   To change this value, an CloudHSM key store must be disconnected. An
-    #   external key store can be connected or disconnected.
+    #   To change this value, the custom key store can be connected or
+    #   disconnected.
     #
     # @option params [String] :key_store_password
     #   Enter the current password of the `kmsuser` crypto user (CU) in the
@@ -10859,6 +11251,11 @@ module Aws::KMS
     #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
     #     `MessageType:DIGEST`
     #
+    #   When you specify the ED25519\_PH\_SHA\_512 signing algorithm with
+    #   `MessageType:DIGEST`, KMS still performs the SHA-512 prehash described
+    #   in [Step 1 of Section 7.8.1 in FIPS 186-5][1]. This means the input is
+    #   hashed twice: once by you and once by KMS.
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -10887,11 +11284,12 @@ module Aws::KMS
     #     algorithm.
     #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
-    #     verification with SM2 key pairs][1].
+    #     verification with SM2 key pairs][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
+    #   [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #
     # @option params [required, String, StringIO, File] :signature
     #   The signature that the `Sign` operation generated.
@@ -11157,7 +11555,7 @@ module Aws::KMS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.121.0'
+      context[:gem_version] = '1.129.0'
       Seahorse::Client::Request.new(handlers, context)
     end