aws-sdk-kms 1.123.0 → 1.124.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81e60e410223f2b2cbb99309fbad50439886f9e7db3e7f1f7cbe1f76725742f6
-  data.tar.gz: c6a2b9ed15729a65d456aba409399830d4d86bb5a7b2767441829b7c09e56cbf
+  metadata.gz: d8ae88408d0f29e3d59ef7764a134e301ca0c7f48c530c10abbca84debfc4ea5
+  data.tar.gz: 2eab4b5e20787e47b6032882a862dbd986ead218b68ba01b25ebe1b8d2a5084d
 SHA512:
-  metadata.gz: 92ccf453c5e58f7d7284ab5b358ef9aa55587ee3b0fbbc63d7d86cffef4ef6daad83b9d9442a60d3fc024684e2cf50327e615b137ceb073d37524bc5ee6a57c0
-  data.tar.gz: a84b166adb6ced12a7695b79938361c2774dbd18b14c3c23b52972fc1de0a7c9eddc902845310281f7dec8068c9e66ae6b4daa60caed5924cd34b75e19de6c5b
+  metadata.gz: 6beb9fd959cdd8ecbf3c8728ba6fdbc845b419a51d59bdf714bffe26ebee99b3fc3082de29ab85e0aa4a5c21ad7c22120520205f9fee6355c8f37b070e962977
+  data.tar.gz: 3eaddf3b69a40da8a41cbff482806bc8d87531de90ab6abb07be1268bde8e91f8211d4d842007b5f376348d9c5c1553d08187e1ceaee2c2f98640049bce0c782

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.124.0 (2026-04-27)
+------------------
+
+* Feature - KMS GetKeyLastUsage API provides information on the last successful cryptographic operation performed on KMS keys. This new API provides KMS customers with the last timestamp, CloudTrail eventId, and the cryptographic operation that was performed on the key.
+
 1.123.0 (2026-03-18)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.123.0
+1.124.0

data/lib/aws-sdk-kms/client.rb

@@ -2560,11 +2560,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][8] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**: Yes. If you use the `KeyId` parameter to
-    # identify a KMS key in a different Amazon Web Services account, specify
-    # the key ARN or the alias ARN of the KMS key.
+    # **Cross-account use**: Yes. To specify a KMS key in a different Amazon
+    # Web Services account, use the [key ARN][9] or [alias ARN][10]. A short
+    # [key ID][11] is also acceptable when decrypting symmetric ciphertexts,
+    # though using a full key ARN is recommended to be more explicit about
+    # the intended KMS key.
     #
-    # **Required permissions**: [kms:Decrypt][9] (key policy)
+    # **Required permissions**: [kms:Decrypt][12] (key policy)
     #
     # **Related operations:**
     #
@@ -2577,7 +2579,7 @@ module Aws::KMS
     # * ReEncrypt
     #
     # **Eventual consistency**: The KMS API follows an eventual consistency
-    # model. For more information, see [KMS eventual consistency][10].
+    # model. For more information, see [KMS eventual consistency][13].
     #
     #
     #
@@ -2589,8 +2591,11 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-alias-ARN
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
     #
     # @option params [String, StringIO, File] :ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
@@ -2651,7 +2656,7 @@ module Aws::KMS
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
-    #   KMS key in a different Amazon Web Services account, you must use the
+    #   KMS key in a different Amazon Web Services account, you should use the
     #   key ARN or alias ARN.
     #
     #   For example:
@@ -6152,6 +6157,143 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Returns usage information about the last successful cryptographic
+    # operation performed with a specified KMS key, including the operation
+    # type, timestamp, and associated CloudTrail event ID.
+    #
+    # The `TrackingStartDate` in the `GetKeyLastUsage` response indicates
+    # the date from which KMS began recording cryptographic activity for a
+    # given key. Use this value together with `KeyCreationDate` to
+    # understand the key's usage history:
+    #
+    # * If the `KeyLastUsage` response element is *present*, the key has
+    #   been used for a successful cryptographic operation since the
+    #   `TrackingStartDate`. The response includes the operation type,
+    #   timestamp, and associated CloudTrail event ID.
+    #
+    # * If the `KeyLastUsage` response element is *empty* and
+    #   `KeyCreationDate` is on or after `TrackingStartDate`, the key has
+    #   not been used for a successful cryptographic operation since it was
+    #   created.
+    #
+    # * If the `KeyLastUsage` response element is *empty* and
+    #   `KeyCreationDate` is before `TrackingStartDate`, there is no record
+    #   of the key being used for a successful cryptographic operation since
+    #   the `TrackingStartDate`. However, the key may have been used before
+    #   tracking began. To determine whether the key was used before the
+    #   `TrackingStartDate`, examine your past CloudTrail logs.
+    #
+    # For multi-Region KMS keys, primary and replica keys track last usage
+    # independently. Each key in a multi-Region key set maintains its own
+    # usage information.
+    #
+    # The `ReEncrypt` operation uses two keys: a source key for decryption
+    # and a destination key for encryption. Usage information is recorded
+    # for both keys independently, each with the CloudTrail event ID from
+    # the respective key owner's account.
+    #
+    # <note markdown="1"> Do not use `GetKeyLastUsage` as the sole indicator when scheduling a
+    # key for deletion. Instead, first [disable the key][1] and monitor
+    # CloudTrail for `DisabledException` entries, as there could be
+    # infrequent workflows that are dependent on the key. By looking for
+    # this exception, you can identify potential dependencies and workload
+    # failures before they occur.
+    #
+    #  </note>
+    #
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
+    # key in a different Amazon Web Services account.
+    #
+    # **Required permissions**: [kms:GetKeyLastUsage][2] (key policy)
+    #
+    # **Related operations:**
+    #
+    # * DescribeKey
+    #
+    # * DisableKey
+    #
+    # * ScheduleKeyDeletion
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    #
+    # @option params [required, String] :key_id
+    #   Identifies the KMS key to get usage information for. To specify a KMS
+    #   key, use its key ID or key ARN. Alias names are not supported.
+    #
+    #   Specify the key ID or key ARN of the KMS key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #
+    # @return [Types::GetKeyLastUsageResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetKeyLastUsageResponse#key_id #key_id} => String
+    #   * {Types::GetKeyLastUsageResponse#key_last_usage #key_last_usage} => Types::KeyLastUsageData
+    #   * {Types::GetKeyLastUsageResponse#tracking_start_date #tracking_start_date} => Time
+    #   * {Types::GetKeyLastUsageResponse#key_creation_date #key_creation_date} => Time
+    #
+    #
+    # @example Example: To retrieve the last usage for a KMS key
+    #
+    #   # The following example retrieves usage information about the last successful cryptographic operation performed with the
+    #   # specified KMS key, including the operation type, timestamp, and associated AWS CloudTrail event ID.
+    #
+    #   resp = client.get_key_last_usage({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to get usage information for. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key. Alias names are not supported.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_creation_date: Time.parse(1773253425.56), # The date and time when the KMS key was created.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The globally unique identifier for the KMS key.
+    #     key_last_usage: {
+    #       cloud_trail_event_id: "2cfd5892-ea8c-4342-ad49-4b9594b06a8b", 
+    #       kms_request_id: "040cce3e-9ef3-4651-b8cf-e47c9bafdc9b", 
+    #       operation: "Encrypt", 
+    #       timestamp: Time.parse(1773253497.0), 
+    #     }, # Contains usage information about the last time the KMS key was used for a successful cryptographic operation.
+    #     tracking_start_date: Time.parse(1773253425.56), # The date from which AWS KMS began recording cryptographic activity for this key, or the date the KMS key was created, whichever is later.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_key_last_usage({
+    #     key_id: "KeyIdType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.key_id #=> String
+    #   resp.key_last_usage.operation #=> String, one of "Decrypt", "DeriveSharedSecret", "Encrypt", "GenerateDataKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateDataKeyWithoutPlaintext", "GenerateMac", "ReEncrypt", "Sign", "Verify", "VerifyMac"
+    #   resp.key_last_usage.timestamp #=> Time
+    #   resp.key_last_usage.cloud_trail_event_id #=> String
+    #   resp.key_last_usage.kms_request_id #=> String
+    #   resp.tracking_start_date #=> Time
+    #   resp.key_creation_date #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyLastUsage AWS API Documentation
+    #
+    # @overload get_key_last_usage(params = {})
+    # @param [Hash] params ({})
+    def get_key_last_usage(params = {}, options = {})
+      req = build_request(:get_key_last_usage, params)
+      req.send_request(options)
+    end
+
     # Gets a key policy attached to the specified KMS key.
     #
     # **Cross-account use**: No. You cannot perform this operation on a KMS
@@ -8379,21 +8521,25 @@ module Aws::KMS
     # **Cross-account use**: Yes. The source KMS key and destination KMS key
     # can be in different Amazon Web Services accounts. Either or both KMS
     # keys can be in a different account than the caller. To specify a KMS
-    # key in a different account, you must use its key ARN or alias ARN.
+    # key in a different account, use the [key ARN][7] or [alias ARN][8]. A
+    # short [key ID][9] is also acceptable for the source key when
+    # decrypting symmetric ciphertexts, though using a full key ARN is
+    # recommended to be more explicit about the intended KMS key.
     #
     # **Required permissions**:
     #
-    # * [kms:ReEncryptFrom][7] permission on the source KMS key (key policy)
+    # * [kms:ReEncryptFrom][10] permission on the source KMS key (key
+    #   policy)
     #
-    # * [kms:ReEncryptTo][7] permission on the destination KMS key (key
+    # * [kms:ReEncryptTo][10] permission on the destination KMS key (key
     #   policy)
     #
     # To permit reencryption from or to a KMS key, include the
-    # `"kms:ReEncrypt*"` permission in your [key policy][8]. This permission
-    # is automatically included in the key policy when you use the console
-    # to create a KMS key. But you must include it manually when you create
-    # a KMS key programmatically or when you use the PutKeyPolicy operation
-    # to set a key policy.
+    # `"kms:ReEncrypt*"` permission in your [key policy][11]. This
+    # permission is automatically included in the key policy when you use
+    # the console to create a KMS key. But you must include it manually when
+    # you create a KMS key programmatically or when you use the PutKeyPolicy
+    # operation to set a key policy.
     #
     # **Related operations:**
     #
@@ -8406,7 +8552,7 @@ module Aws::KMS
     # * GenerateDataKeyPair
     #
     # **Eventual consistency**: The KMS API follows an eventual consistency
-    # model. For more information, see [KMS eventual consistency][9].
+    # model. For more information, see [KMS eventual consistency][12].
     #
     #
     #
@@ -8416,9 +8562,12 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
     # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-alias-ARN
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
     #
     # @option params [String, StringIO, File] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
@@ -8464,7 +8613,7 @@ module Aws::KMS
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
-    #   KMS key in a different Amazon Web Services account, you must use the
+    #   KMS key in a different Amazon Web Services account, you should use the
     #   key ARN or alias ARN.
     #
     #   For example:
@@ -9699,6 +9848,11 @@ module Aws::KMS
     #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
     #     `MessageType:DIGEST`
     #
+    #   When you specify the ED25519\_PH\_SHA\_512 signing algorithm with
+    #   `MessageType:DIGEST`, KMS still performs the SHA-512 prehash described
+    #   in [Step 1 of Section 7.8.1 in FIPS 186-5][1]. This means the input is
+    #   hashed twice: once by you and once by KMS.
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -9727,11 +9881,12 @@ module Aws::KMS
     #     algorithm.
     #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
-    #     verification with SM2 key pairs][1].
+    #     verification with SM2 key pairs][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
+    #   [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -10239,8 +10394,10 @@ module Aws::KMS
     # about a change to the `kmsuser` crypto user password
     # (`KeyStorePassword`), or to associate the custom key store with a
     # different, but related, CloudHSM cluster (`CloudHsmClusterId`). To
-    # update any property of an CloudHSM key store, the `ConnectionState` of
-    # the CloudHSM key store must be `DISCONNECTED`.
+    # update most properties of an CloudHSM key store, the `ConnectionState`
+    # of the CloudHSM key store must be `DISCONNECTED`. However, you can
+    # update the `CustomKeyStoreName` of an AWS CloudHSM key store when it
+    # is in the `CONNECTED` or `DISCONNECTED` state.
     #
     # For an external key store, you can use this operation to change the
     # custom key store friendly name (`NewCustomKeyStoreName`), or to tell
@@ -10313,8 +10470,8 @@ module Aws::KMS
     #   This field may be displayed in plaintext in CloudTrail logs and other
     #   output.
     #
-    #   To change this value, an CloudHSM key store must be disconnected. An
-    #   external key store can be connected or disconnected.
+    #   To change this value, the custom key store can be connected or
+    #   disconnected.
     #
     # @option params [String] :key_store_password
     #   Enter the current password of the `kmsuser` crypto user (CU) in the
@@ -10902,6 +11059,11 @@ module Aws::KMS
     #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
     #     `MessageType:DIGEST`
     #
+    #   When you specify the ED25519\_PH\_SHA\_512 signing algorithm with
+    #   `MessageType:DIGEST`, KMS still performs the SHA-512 prehash described
+    #   in [Step 1 of Section 7.8.1 in FIPS 186-5][1]. This means the input is
+    #   hashed twice: once by you and once by KMS.
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -10930,11 +11092,12 @@ module Aws::KMS
     #     algorithm.
     #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
-    #     verification with SM2 key pairs][1].
+    #     verification with SM2 key pairs][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
+    #   [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #
     # @option params [required, String, StringIO, File] :signature
     #   The signature that the `Sign` operation generated.
@@ -11200,7 +11363,7 @@ module Aws::KMS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.123.0'
+      context[:gem_version] = '1.124.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/client_api.rb

@@ -35,6 +35,7 @@ module Aws::KMS
     CloudHsmClusterNotActiveException = Shapes::StructureShape.new(name: 'CloudHsmClusterNotActiveException')
     CloudHsmClusterNotFoundException = Shapes::StructureShape.new(name: 'CloudHsmClusterNotFoundException')
     CloudHsmClusterNotRelatedException = Shapes::StructureShape.new(name: 'CloudHsmClusterNotRelatedException')
+    CloudTrailEventIdType = Shapes::StringShape.new(name: 'CloudTrailEventIdType')
     ConflictException = Shapes::StructureShape.new(name: 'ConflictException')
     ConnectCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'ConnectCustomKeyStoreRequest')
     ConnectCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'ConnectCustomKeyStoreResponse')
@@ -107,6 +108,8 @@ module Aws::KMS
     GenerateMacResponse = Shapes::StructureShape.new(name: 'GenerateMacResponse')
     GenerateRandomRequest = Shapes::StructureShape.new(name: 'GenerateRandomRequest')
     GenerateRandomResponse = Shapes::StructureShape.new(name: 'GenerateRandomResponse')
+    GetKeyLastUsageRequest = Shapes::StructureShape.new(name: 'GetKeyLastUsageRequest')
+    GetKeyLastUsageResponse = Shapes::StructureShape.new(name: 'GetKeyLastUsageResponse')
     GetKeyPolicyRequest = Shapes::StructureShape.new(name: 'GetKeyPolicyRequest')
     GetKeyPolicyResponse = Shapes::StructureShape.new(name: 'GetKeyPolicyResponse')
     GetKeyRotationStatusRequest = Shapes::StructureShape.new(name: 'GetKeyRotationStatusRequest')
@@ -148,6 +151,8 @@ module Aws::KMS
     KeyAgreementAlgorithmSpecList = Shapes::ListShape.new(name: 'KeyAgreementAlgorithmSpecList')
     KeyEncryptionMechanism = Shapes::StringShape.new(name: 'KeyEncryptionMechanism')
     KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
+    KeyLastUsageData = Shapes::StructureShape.new(name: 'KeyLastUsageData')
+    KeyLastUsageTrackingOperation = Shapes::StringShape.new(name: 'KeyLastUsageTrackingOperation')
     KeyList = Shapes::ListShape.new(name: 'KeyList')
     KeyListEntry = Shapes::StructureShape.new(name: 'KeyListEntry')
     KeyManagerType = Shapes::StringShape.new(name: 'KeyManagerType')
@@ -159,6 +164,7 @@ module Aws::KMS
     KeyStorePasswordType = Shapes::StringShape.new(name: 'KeyStorePasswordType')
     KeyUnavailableException = Shapes::StructureShape.new(name: 'KeyUnavailableException')
     KeyUsageType = Shapes::StringShape.new(name: 'KeyUsageType')
+    KmsRequestIdType = Shapes::StringShape.new(name: 'KmsRequestIdType')
     LimitExceededException = Shapes::StructureShape.new(name: 'LimitExceededException')
     LimitType = Shapes::IntegerShape.new(name: 'LimitType')
     ListAliasesRequest = Shapes::StructureShape.new(name: 'ListAliasesRequest')
@@ -571,6 +577,15 @@ module Aws::KMS
     GenerateRandomResponse.add_member(:ciphertext_for_recipient, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextForRecipient"))
     GenerateRandomResponse.struct_class = Types::GenerateRandomResponse
 
+    GetKeyLastUsageRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    GetKeyLastUsageRequest.struct_class = Types::GetKeyLastUsageRequest
+
+    GetKeyLastUsageResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    GetKeyLastUsageResponse.add_member(:key_last_usage, Shapes::ShapeRef.new(shape: KeyLastUsageData, location_name: "KeyLastUsage"))
+    GetKeyLastUsageResponse.add_member(:tracking_start_date, Shapes::ShapeRef.new(shape: DateType, location_name: "TrackingStartDate"))
+    GetKeyLastUsageResponse.add_member(:key_creation_date, Shapes::ShapeRef.new(shape: DateType, location_name: "KeyCreationDate"))
+    GetKeyLastUsageResponse.struct_class = Types::GetKeyLastUsageResponse
+
     GetKeyPolicyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
     GetKeyPolicyRequest.add_member(:policy_name, Shapes::ShapeRef.new(shape: PolicyNameType, location_name: "PolicyName"))
     GetKeyPolicyRequest.struct_class = Types::GetKeyPolicyRequest
@@ -696,6 +711,12 @@ module Aws::KMS
 
     KeyAgreementAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: KeyAgreementAlgorithmSpec)
 
+    KeyLastUsageData.add_member(:operation, Shapes::ShapeRef.new(shape: KeyLastUsageTrackingOperation, location_name: "Operation"))
+    KeyLastUsageData.add_member(:timestamp, Shapes::ShapeRef.new(shape: DateType, location_name: "Timestamp"))
+    KeyLastUsageData.add_member(:cloud_trail_event_id, Shapes::ShapeRef.new(shape: CloudTrailEventIdType, location_name: "CloudTrailEventId"))
+    KeyLastUsageData.add_member(:kms_request_id, Shapes::ShapeRef.new(shape: KmsRequestIdType, location_name: "KmsRequestId"))
+    KeyLastUsageData.struct_class = Types::KeyLastUsageData
+
     KeyList.member = Shapes::ShapeRef.new(shape: KeyListEntry)
 
     KeyListEntry.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
@@ -1462,6 +1483,18 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
       end)
 
+      api.add_operation(:get_key_last_usage, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetKeyLastUsage"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetKeyLastUsageRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetKeyLastUsageResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+      end)
+
       api.add_operation(:get_key_policy, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetKeyPolicy"
         o.http_method = "POST"

data/lib/aws-sdk-kms/types.rb

@@ -1245,9 +1245,11 @@ module Aws::KMS
     #   This operation is valid for all other `ConnectionState` values.
     #
     # * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
-    #   operation on a custom key store that is not disconnected. This
-    #   operation is valid only when the custom key store `ConnectionState`
-    #   is `DISCONNECTED`.
+    #   operation on a custom key store that is not disconnected.
+    #   `UpdateCustomKeyStore` can be called on a custom key store in the
+    #   `CONNECTED` state only to update `NewCustomKeyStoreName`. For all
+    #   other properties, the custom key store `ConnectionState` must be
+    #   `DISCONNECTED`.
     #
     # * You requested the GenerateRandom operation in an CloudHSM key store
     #   that is not connected. This operation is valid only when the
@@ -1619,7 +1621,7 @@ module Aws::KMS
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
-    #   a KMS key in a different Amazon Web Services account, you must use
+    #   a KMS key in a different Amazon Web Services account, you should use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -3425,6 +3427,61 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @!attribute [rw] key_id
+    #   Identifies the KMS key to get usage information for. To specify a
+    #   KMS key, use its key ID or key ARN. Alias names are not supported.
+    #
+    #   Specify the key ID or key ARN of the KMS key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyLastUsageRequest AWS API Documentation
+    #
+    class GetKeyLastUsageRequest < Struct.new(
+      :key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   The globally unique identifier for the KMS key.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_last_usage
+    #   Contains usage information about the last time the KMS key was used
+    #   for a successful cryptographic operation. If the key has not been
+    #   used since tracking began, this response element is empty.
+    #   @return [Types::KeyLastUsageData]
+    #
+    # @!attribute [rw] tracking_start_date
+    #   The date from which KMS began recording cryptographic activity for
+    #   this key, or the date the KMS key was created, whichever is later.
+    #   @return [Time]
+    #
+    # @!attribute [rw] key_creation_date
+    #   The date and time when the KMS key was created.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyLastUsageResponse AWS API Documentation
+    #
+    class GetKeyLastUsageResponse < Struct.new(
+      :key_id,
+      :key_last_usage,
+      :tracking_start_date,
+      :key_creation_date)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] key_id
     #   Gets the key policy for the specified KMS key.
     #
@@ -4356,6 +4413,43 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # Contains usage information about the last time the KMS key was used
+    # for a successful cryptographic operation.
+    #
+    # @!attribute [rw] operation
+    #   The last successful cryptographic operation the KMS key was used
+    #   for. Absent if the key has not been used since KMS began tracking.
+    #   @return [String]
+    #
+    # @!attribute [rw] timestamp
+    #   The date and time when the KMS key was most recently used for a
+    #   successful cryptographic operation. Absent if the key has not been
+    #   used since KMS began tracking.
+    #   @return [Time]
+    #
+    # @!attribute [rw] cloud_trail_event_id
+    #   The CloudTrail `eventId` associated with the last successful
+    #   cryptographic operation. Absent if the key has not been used since
+    #   KMS began tracking.
+    #   @return [String]
+    #
+    # @!attribute [rw] kms_request_id
+    #   The KMS request ID associated with the last successful cryptographic
+    #   operation. Absent if the key has not been used since KMS began
+    #   tracking.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyLastUsageData AWS API Documentation
+    #
+    class KeyLastUsageData < Struct.new(
+      :operation,
+      :timestamp,
+      :cloud_trail_event_id,
+      :kms_request_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains information about each entry in the key list.
     #
     # @!attribute [rw] key_id
@@ -5407,7 +5501,7 @@ module Aws::KMS
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
-    #   a KMS key in a different Amazon Web Services account, you must use
+    #   a KMS key in a different Amazon Web Services account, you should use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -6277,6 +6371,11 @@ module Aws::KMS
     #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
     #     `MessageType:DIGEST`
     #
+    #   When you specify the ED25519\_PH\_SHA\_512 signing algorithm with
+    #   `MessageType:DIGEST`, KMS still performs the SHA-512 prehash
+    #   described in [Step 1 of Section 7.8.1 in FIPS 186-5][1]. This means
+    #   the input is hashed twice: once by you and once by KMS.
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -6305,11 +6404,12 @@ module Aws::KMS
     #     hashing algorithm.
     #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
-    #     verification with SM2 key pairs][1].
+    #     verification with SM2 key pairs][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
+    #   [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -6597,8 +6697,8 @@ module Aws::KMS
     #   This field may be displayed in plaintext in CloudTrail logs and
     #   other output.
     #
-    #   To change this value, an CloudHSM key store must be disconnected. An
-    #   external key store can be connected or disconnected.
+    #   To change this value, the custom key store can be connected or
+    #   disconnected.
     #   @return [String]
     #
     # @!attribute [rw] key_store_password
@@ -6978,6 +7078,11 @@ module Aws::KMS
     #   * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
     #     `MessageType:DIGEST`
     #
+    #   When you specify the ED25519\_PH\_SHA\_512 signing algorithm with
+    #   `MessageType:DIGEST`, KMS still performs the SHA-512 prehash
+    #   described in [Step 1 of Section 7.8.1 in FIPS 186-5][1]. This means
+    #   the input is hashed twice: once by you and once by KMS.
+    #
     #   When the value of `MessageType` is `DIGEST`, the length of the
     #   `Message` value must match the length of hashed messages for the
     #   specified signing algorithm.
@@ -7007,11 +7112,12 @@ module Aws::KMS
     #     hashing algorithm.
     #
     #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
-    #     verification with SM2 key pairs][1].
+    #     verification with SM2 key pairs][2].
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
+    #   [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] signature

data/lib/aws-sdk-kms.rb

@@ -54,7 +54,7 @@ module Aws::KMS
   autoload :EndpointProvider, 'aws-sdk-kms/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-kms/endpoints'
 
-  GEM_VERSION = '1.123.0'
+  GEM_VERSION = '1.124.0'
 
 end
 

data/sig/client.rbs

@@ -438,6 +438,19 @@ module Aws
                            ) -> _GenerateRandomResponseSuccess
                          | (?Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GenerateRandomResponseSuccess
 
+      interface _GetKeyLastUsageResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::GetKeyLastUsageResponse]
+        def key_id: () -> ::String
+        def key_last_usage: () -> Types::KeyLastUsageData
+        def tracking_start_date: () -> ::Time
+        def key_creation_date: () -> ::Time
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_key_last_usage-instance_method
+      def get_key_last_usage: (
+                                key_id: ::String
+                              ) -> _GetKeyLastUsageResponseSuccess
+                            | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GetKeyLastUsageResponseSuccess
+
       interface _GetKeyPolicyResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::GetKeyPolicyResponse]
         def policy: () -> ::String

data/sig/types.rbs

@@ -429,6 +429,19 @@ module Aws::KMS
       SENSITIVE: [:plaintext]
     end
 
+    class GetKeyLastUsageRequest
+      attr_accessor key_id: ::String
+      SENSITIVE: []
+    end
+
+    class GetKeyLastUsageResponse
+      attr_accessor key_id: ::String
+      attr_accessor key_last_usage: Types::KeyLastUsageData
+      attr_accessor tracking_start_date: ::Time
+      attr_accessor key_creation_date: ::Time
+      SENSITIVE: []
+    end
+
     class GetKeyPolicyRequest
       attr_accessor key_id: ::String
       attr_accessor policy_name: ::String
@@ -600,6 +613,14 @@ module Aws::KMS
       SENSITIVE: []
     end
 
+    class KeyLastUsageData
+      attr_accessor operation: ("Decrypt" | "DeriveSharedSecret" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateDataKeyWithoutPlaintext" | "GenerateMac" | "ReEncrypt" | "Sign" | "Verify" | "VerifyMac")
+      attr_accessor timestamp: ::Time
+      attr_accessor cloud_trail_event_id: ::String
+      attr_accessor kms_request_id: ::String
+      SENSITIVE: []
+    end
+
     class KeyListEntry
       attr_accessor key_id: ::String
       attr_accessor key_arn: ::String

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.123.0
+  version: 1.124.0
 platform: ruby
 authors:
 - Amazon Web Services