aws-sdk-kms 1.16.0 → 1.24.0

@@ -11,7 +11,7 @@ module Aws::KMS
11
11
  # Contains information about an alias.
12
12
  #
13
13
  # @!attribute [rw] alias_name
14
- # String that contains the alias.
14
+ # String that contains the alias. This value begins with `alias/`.
15
15
  # @return [String]
16
16
  #
17
17
  # @!attribute [rw] alias_arn
@@ -31,6 +31,19 @@ module Aws::KMS
31
31
  include Aws::Structure
32
32
  end
33
33
 
34
+ # The request was rejected because it attempted to create a resource
35
+ # that already exists.
36
+ #
37
+ # @!attribute [rw] message
38
+ # @return [String]
39
+ #
40
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AlreadyExistsException AWS API Documentation
41
+ #
42
+ class AlreadyExistsException < Struct.new(
43
+ :message)
44
+ include Aws::Structure
45
+ end
46
+
34
47
  # @note When making an API call, you may pass CancelKeyDeletionRequest
35
48
  # data as a hash:
36
49
  #
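Review bot: The `@see` line added for `AlreadyExistsException` still points at `http://docs.aws.amazon.com/goto/...`, although other hunks of this same diff move the reference links in this file to `https://`. The same plain-HTTP `@see` appears on every exception struct added in the later hunks (the `CloudHsmCluster*` and `CustomKeyStore*` classes, `DependencyTimeoutException`, `DisabledException` and `ExpiredImportTokenException`). I would write it as `# @see https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AlreadyExistsException AWS API Documentation`. The uniform shape of these comments suggests they are generated, so the change probably belongs in the generator rather than in this file.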
@@ -74,6 +87,143 @@ module Aws::KMS
74
87
  include Aws::Structure
75
88
  end
76
89
 
90
+ # The request was rejected because the specified AWS CloudHSM cluster is
91
+ # already associated with a custom key store or it shares a backup
92
+ # history with a cluster that is associated with a custom key store.
93
+ # Each custom key store must be associated with a different AWS CloudHSM
94
+ # cluster.
95
+ #
96
+ # Clusters that share a backup history have the same cluster
97
+ # certificate. To view the cluster certificate of a cluster, use the
98
+ # [DescribeClusters][1] operation.
99
+ #
100
+ #
101
+ #
102
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
103
+ #
104
+ # @!attribute [rw] message
105
+ # @return [String]
106
+ #
107
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CloudHsmClusterInUseException AWS API Documentation
108
+ #
109
+ class CloudHsmClusterInUseException < Struct.new(
110
+ :message)
111
+ include Aws::Structure
112
+ end
113
+
114
+ # The request was rejected because the associated AWS CloudHSM cluster
115
+ # did not meet the configuration requirements for a custom key store.
116
+ #
117
+ # * The cluster must be configured with private subnets in at least two
118
+ # different Availability Zones in the Region.
119
+ #
120
+ # * The [security group for the cluster][1]
121
+ # (cloudhsm-cluster-*&lt;cluster-id&gt;*-sg) must include inbound
122
+ # rules and outbound rules that allow TCP traffic on ports 2223-2225.
123
+ # The **Source** in the inbound rules and the **Destination** in the
124
+ # outbound rules must match the security group ID. These rules are set
125
+ # by default when you create the cluster. Do not delete or change
126
+ # them. To get information about a particular security group, use the
127
+ # [DescribeSecurityGroups][2] operation.
128
+ #
129
+ # * The cluster must contain at least as many HSMs as the operation
130
+ # requires. To add HSMs, use the AWS CloudHSM [CreateHsm][3]
131
+ # operation.
132
+ #
133
+ # For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
134
+ # operations, the AWS CloudHSM cluster must have at least two active
135
+ # HSMs, each in a different Availability Zone. For the
136
+ # ConnectCustomKeyStore operation, the AWS CloudHSM must contain at
137
+ # least one active HSM.
138
+ #
139
+ # For information about the requirements for an AWS CloudHSM cluster
140
+ # that is associated with a custom key store, see [Assemble the
141
+ # Prerequisites][4] in the *AWS Key Management Service Developer Guide*.
142
+ # For information about creating a private subnet for an AWS CloudHSM
143
+ # cluster, see [Create a Private Subnet][5] in the *AWS CloudHSM User
144
+ # Guide*. For information about cluster security groups, see [Configure
145
+ # a Default Security Group][1] in the <i> <i>AWS CloudHSM User Guide</i>
146
+ # </i>.
147
+ #
148
+ #
149
+ #
150
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html
151
+ # [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html
152
+ # [3]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html
153
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
154
+ # [5]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html
155
+ #
156
+ # @!attribute [rw] message
157
+ # @return [String]
158
+ #
159
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CloudHsmClusterInvalidConfigurationException AWS API Documentation
160
+ #
161
+ class CloudHsmClusterInvalidConfigurationException < Struct.new(
162
+ :message)
163
+ include Aws::Structure
164
+ end
165
+
166
+ # The request was rejected because the AWS CloudHSM cluster that is
167
+ # associated with the custom key store is not active. Initialize and
168
+ # activate the cluster and try the command again. For detailed
169
+ # instructions, see [Getting Started][1] in the *AWS CloudHSM User
170
+ # Guide*.
171
+ #
172
+ #
173
+ #
174
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html
175
+ #
176
+ # @!attribute [rw] message
177
+ # @return [String]
178
+ #
179
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CloudHsmClusterNotActiveException AWS API Documentation
180
+ #
181
+ class CloudHsmClusterNotActiveException < Struct.new(
182
+ :message)
183
+ include Aws::Structure
184
+ end
185
+
186
+ # The request was rejected because AWS KMS cannot find the AWS CloudHSM
187
+ # cluster with the specified cluster ID. Retry the request with a
188
+ # different cluster ID.
189
+ #
190
+ # @!attribute [rw] message
191
+ # @return [String]
192
+ #
193
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CloudHsmClusterNotFoundException AWS API Documentation
194
+ #
195
+ class CloudHsmClusterNotFoundException < Struct.new(
196
+ :message)
197
+ include Aws::Structure
198
+ end
199
+
200
+ # The request was rejected because the specified AWS CloudHSM cluster
201
+ # has a different cluster certificate than the original cluster. You
202
+ # cannot use the operation to specify an unrelated cluster.
203
+ #
204
+ # Specify a cluster that shares a backup history with the original
205
+ # cluster. This includes clusters that were created from a backup of the
206
+ # current cluster, and clusters that were created from the same backup
207
+ # that produced the current cluster.
208
+ #
209
+ # Clusters that share a backup history have the same cluster
210
+ # certificate. To view the cluster certificate of a cluster, use the
211
+ # [DescribeClusters][1] operation.
212
+ #
213
+ #
214
+ #
215
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
216
+ #
217
+ # @!attribute [rw] message
218
+ # @return [String]
219
+ #
220
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CloudHsmClusterNotRelatedException AWS API Documentation
221
+ #
222
+ class CloudHsmClusterNotRelatedException < Struct.new(
223
+ :message)
224
+ include Aws::Structure
225
+ end
226
+
77
227
  # @note When making an API call, you may pass ConnectCustomKeyStoreRequest
78
228
  # data as a hash:
79
229
  #
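Review bot: The doc comment for `CloudHsmClusterInvalidConfigurationException` carries raw markup residue: the security group name is written with HTML entities as `(cloudhsm-cluster-*&lt;cluster-id&gt;*-sg)`, and the guide title is wrapped in `<i> <i>AWS CloudHSM User Guide</i> </i>` while the neighbouring sentences use `*...*` for titles. This comment is where the required security-group rules are spelled out (TCP 2223-2225, with Source and Destination matching the security group ID), so the group name should read as plain text: `# (cloudhsm-cluster-<cluster-id>-sg) must include inbound` and `# a Default Security Group][1] in the *AWS CloudHSM User Guide*.`. The same doubled `<i> <i>…</i> </i>` wrapper is introduced in the hunks at `@@ -284,14 +430,15 @@`, `@@ -389,7 +537,8 @@` and `@@ -484,8 +632,8 @@`, where it replaces `*AWS Key Management Service Developer Guide*`.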
@@ -107,26 +257,22 @@ module Aws::KMS
107
257
  # }
108
258
  #
109
259
  # @!attribute [rw] alias_name
110
- # String that contains the display name. The name must start with the
111
- # word "alias" followed by a forward slash (alias/). Aliases that
112
- # begin with "alias/AWS" are reserved.
260
+ # Specifies the alias name. This value must begin with `alias/`
261
+ # followed by a name, such as `alias/ExampleAlias`. The alias name
262
+ # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
263
+ # for AWS managed CMKs.
113
264
  # @return [String]
114
265
  #
115
266
  # @!attribute [rw] target_key_id
116
- # Identifies the CMK for which you are creating the alias. This value
117
- # cannot be an alias.
118
- #
119
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
120
- #
121
- # For example:
267
+ # Identifies the CMK to which the alias refers. Specify the key ID or
268
+ # the Amazon Resource Name (ARN) of the CMK. You cannot specify
269
+ # another alias. For help finding the key ID and ARN, see [Finding the
270
+ # Key ID and ARN][1] in the *AWS Key Management Service Developer
271
+ # Guide*.
122
272
  #
123
- # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
124
273
  #
125
- # * Key ARN:
126
- # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
127
274
  #
128
- # To get the key ID and key ARN for a CMK, use ListKeys or
129
- # DescribeKey.
275
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
130
276
  # @return [String]
131
277
  #
132
278
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAliasRequest AWS API Documentation
@@ -160,7 +306,7 @@ module Aws::KMS
160
306
  #
161
307
  #
162
308
  #
163
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
309
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
164
310
  # @return [String]
165
311
  #
166
312
  # @!attribute [rw] trust_anchor_certificate
@@ -170,7 +316,7 @@ module Aws::KMS
170
316
  #
171
317
  #
172
318
  #
173
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
319
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
174
320
  # @return [String]
175
321
  #
176
322
  # @!attribute [rw] key_store_password
@@ -183,7 +329,7 @@ module Aws::KMS
183
329
  #
184
330
  #
185
331
  #
186
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
332
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
187
333
  # @return [String]
188
334
  #
189
335
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
@@ -258,8 +404,8 @@ module Aws::KMS
258
404
  #
259
405
  #
260
406
  #
261
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
262
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
407
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
408
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
263
409
  # @return [String]
264
410
  #
265
411
  # @!attribute [rw] retiring_principal
@@ -275,8 +421,8 @@ module Aws::KMS
275
421
  #
276
422
  #
277
423
  #
278
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
279
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
424
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
425
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
280
426
  # @return [String]
281
427
  #
282
428
  # @!attribute [rw] operations
@@ -284,14 +430,15 @@ module Aws::KMS
284
430
  # @return [Array<String>]
285
431
  #
286
432
  # @!attribute [rw] constraints
287
- # A structure that you can use to allow certain operations in the
288
- # grant only when the desired encryption context is present. For more
289
- # information about encryption context, see [Encryption Context][1] in
290
- # the *AWS Key Management Service Developer Guide*.
433
+ # Allows a cryptographic operation only when the encryption context
434
+ # matches or includes the encryption context specified in this
435
+ # structure. For more information about encryption context, see
436
+ # [Encryption Context][1] in the <i> <i>AWS Key Management Service
437
+ # Developer Guide</i> </i>.
291
438
  #
292
439
  #
293
440
  #
294
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
441
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
295
442
  # @return [Types::GrantConstraints]
296
443
  #
297
444
  # @!attribute [rw] grant_tokens
@@ -302,12 +449,13 @@ module Aws::KMS
302
449
  #
303
450
  #
304
451
  #
305
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
452
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
306
453
  # @return [Array<String>]
307
454
  #
308
455
  # @!attribute [rw] name
309
456
  # A friendly name for identifying the grant. Use this value to prevent
310
- # unintended creation of duplicate grants when retrying this request.
457
+ # the unintended creation of duplicate grants when retrying this
458
+ # request.
311
459
  #
312
460
  # When this value is absent, all `CreateGrant` requests result in a
313
461
  # new grant with a unique `GrantId` even if all the supplied
@@ -343,7 +491,7 @@ module Aws::KMS
343
491
  #
344
492
  #
345
493
  #
346
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
494
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
347
495
  # @return [String]
348
496
  #
349
497
  # @!attribute [rw] grant_id
@@ -389,7 +537,8 @@ module Aws::KMS
389
537
  # request to make a subsequent PutKeyPolicy request on the CMK. This
390
538
  # reduces the risk that the CMK becomes unmanageable. For more
391
539
  # information, refer to the scenario in the [Default Key Policy][1]
392
- # section of the *AWS Key Management Service Developer Guide*.
540
+ # section of the <i> <i>AWS Key Management Service Developer
541
+ # Guide</i> </i>.
393
542
  #
394
543
  # * Each statement in the key policy must contain one or more
395
544
  # principals. The principals in the key policy must exist and be
@@ -409,9 +558,9 @@ module Aws::KMS
409
558
  #
410
559
  #
411
560
  #
412
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
413
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
414
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
561
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
562
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
563
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
415
564
  # @return [String]
416
565
  #
417
566
  # @!attribute [rw] description
@@ -422,14 +571,14 @@ module Aws::KMS
422
571
  # @return [String]
423
572
  #
424
573
  # @!attribute [rw] key_usage
425
- # The intended use of the CMK.
426
- #
427
- # You can use CMKs only for symmetric encryption and decryption.
574
+ # The cryptographic operations for which you can use the CMK. The only
575
+ # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
576
+ # encrypt and decrypt data.
428
577
  # @return [String]
429
578
  #
430
579
  # @!attribute [rw] origin
431
- # The source of the CMK's key material. You cannot change the origin
432
- # after you create the CMK.
580
+ # The source of the key material for the CMK. You cannot change the
581
+ # origin after you create the CMK.
433
582
  #
434
583
  # The default is `AWS_KMS`, which means AWS KMS creates the key
435
584
  # material in its own key store.
@@ -441,14 +590,14 @@ module Aws::KMS
441
590
  # in the *AWS Key Management Service Developer Guide*.
442
591
  #
443
592
  # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
444
- # in a AWS KMS [custom key store][2] and creates its key material in
593
+ # in an AWS KMS [custom key store][2] and creates its key material in
445
594
  # the associated AWS CloudHSM cluster. You must also use the
446
595
  # `CustomKeyStoreId` parameter to identify the custom key store.
447
596
  #
448
597
  #
449
598
  #
450
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
451
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
599
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
600
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
452
601
  # @return [String]
453
602
  #
454
603
  # @!attribute [rw] custom_key_store_id
@@ -465,15 +614,14 @@ module Aws::KMS
465
614
  # The response includes the custom key store ID and the ID of the AWS
466
615
  # CloudHSM cluster.
467
616
  #
468
- # This operation is part of the [Custom Key Store feature][2] feature
617
+ # This operation is part of the [Custom Key Store feature][1] feature
469
618
  # in AWS KMS, which combines the convenience and extensive integration
470
619
  # of AWS KMS with the isolation and control of a single-tenant key
471
620
  # store.
472
621
  #
473
622
  #
474
623
  #
475
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
476
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
624
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
477
625
  # @return [String]
478
626
  #
479
627
  # @!attribute [rw] bypass_policy_lockout_safety_check
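Review bot: The changed sentence still reads "[Custom Key Store feature][1] feature", so the word "feature" is doubled on the new side just as it was on the old one. The hunk already rewrites this line to renumber the link, so the wording could be fixed in the same change: `# This operation is part of the [Custom Key Store feature][1]`. The attribute's comment block begins above the hunk.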
@@ -484,8 +632,8 @@ module Aws::KMS
484
632
  # unmanageable. Do not set this value to true indiscriminately.
485
633
  #
486
634
  # For more information, refer to the scenario in the [Default Key
487
- # Policy][1] section in the *AWS Key Management Service Developer
488
- # Guide*.
635
+ # Policy][1] section in the <i> <i>AWS Key Management Service
636
+ # Developer Guide</i> </i>.
489
637
  #
490
638
  # Use this parameter only when you include a policy in the request and
491
639
  # you intend to prevent the principal that is making the request from
@@ -495,7 +643,7 @@ module Aws::KMS
495
643
  #
496
644
  #
497
645
  #
498
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
646
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
499
647
  # @return [Boolean]
500
648
  #
501
649
  # @!attribute [rw] tags
@@ -532,6 +680,77 @@ module Aws::KMS
532
680
  include Aws::Structure
533
681
  end
534
682
 
683
+ # The request was rejected because the custom key store contains AWS KMS
684
+ # customer master keys (CMKs). After verifying that you do not need to
685
+ # use the CMKs, use the ScheduleKeyDeletion operation to delete the
686
+ # CMKs. After they are deleted, you can delete the custom key store.
687
+ #
688
+ # @!attribute [rw] message
689
+ # @return [String]
690
+ #
691
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoreHasCMKsException AWS API Documentation
692
+ #
693
+ class CustomKeyStoreHasCMKsException < Struct.new(
694
+ :message)
695
+ include Aws::Structure
696
+ end
697
+
698
+ # The request was rejected because of the `ConnectionState` of the
699
+ # custom key store. To get the `ConnectionState` of a custom key store,
700
+ # use the DescribeCustomKeyStores operation.
701
+ #
702
+ # This exception is thrown under the following conditions:
703
+ #
704
+ # * You requested the CreateKey or GenerateRandom operation in a custom
705
+ # key store that is not connected. These operations are valid only
706
+ # when the custom key store `ConnectionState` is `CONNECTED`.
707
+ #
708
+ # * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
709
+ # operation on a custom key store that is not disconnected. This
710
+ # operation is valid only when the custom key store `ConnectionState`
711
+ # is `DISCONNECTED`.
712
+ #
713
+ # * You requested the ConnectCustomKeyStore operation on a custom key
714
+ # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
715
+ # operation is valid for all other `ConnectionState` values.
716
+ #
717
+ # @!attribute [rw] message
718
+ # @return [String]
719
+ #
720
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoreInvalidStateException AWS API Documentation
721
+ #
722
+ class CustomKeyStoreInvalidStateException < Struct.new(
723
+ :message)
724
+ include Aws::Structure
725
+ end
726
+
727
+ # The request was rejected because the specified custom key store name
728
+ # is already assigned to another custom key store in the account. Try
729
+ # again with a custom key store name that is unique in the account.
730
+ #
731
+ # @!attribute [rw] message
732
+ # @return [String]
733
+ #
734
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoreNameInUseException AWS API Documentation
735
+ #
736
+ class CustomKeyStoreNameInUseException < Struct.new(
737
+ :message)
738
+ include Aws::Structure
739
+ end
740
+
741
+ # The request was rejected because AWS KMS cannot find a custom key
742
+ # store with the specified key store name or ID.
743
+ #
744
+ # @!attribute [rw] message
745
+ # @return [String]
746
+ #
747
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoreNotFoundException AWS API Documentation
748
+ #
749
+ class CustomKeyStoreNotFoundException < Struct.new(
750
+ :message)
751
+ include Aws::Structure
752
+ end
753
+
535
754
  # Contains information about each custom key store in the custom key
536
755
  # store list.
537
756
  #
@@ -555,7 +774,7 @@ module Aws::KMS
555
774
  #
556
775
  #
557
776
  #
558
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
777
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
559
778
  # @return [String]
560
779
  #
561
780
  # @!attribute [rw] connection_state
@@ -578,7 +797,7 @@ module Aws::KMS
578
797
  #
579
798
  #
580
799
  #
581
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
800
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
582
801
  # @return [String]
583
802
  #
584
803
  # @!attribute [rw] connection_error_code
@@ -592,6 +811,11 @@ module Aws::KMS
592
811
  # its AWS CloudHSM cluster, the cluster must contain at least one
593
812
  # active HSM.
594
813
  #
814
+ # * `INTERNAL_ERROR` - AWS KMS could not complete the request due to
815
+ # an internal error. Retry the request. For `ConnectCustomKeyStore`
816
+ # requests, disconnect the custom key store before trying to connect
817
+ # again.
818
+ #
595
819
  # * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
596
820
  # for the `kmsuser` crypto user in the AWS CloudHSM cluster.
597
821
  #
@@ -609,7 +833,7 @@ module Aws::KMS
609
833
  #
610
834
  #
611
835
  #
612
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
836
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
613
837
  # @return [String]
614
838
  #
615
839
  # @!attribute [rw] creation_date
@@ -651,7 +875,7 @@ module Aws::KMS
651
875
  #
652
876
  #
653
877
  #
654
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
878
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
655
879
  # @return [Hash<String,String>]
656
880
  #
657
881
  # @!attribute [rw] grant_tokens
@@ -662,7 +886,7 @@ module Aws::KMS
662
886
  #
663
887
  #
664
888
  #
665
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
889
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
666
890
  # @return [Array<String>]
667
891
  #
668
892
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
@@ -681,7 +905,7 @@ module Aws::KMS
681
905
  #
682
906
  # @!attribute [rw] plaintext
683
907
  # Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
684
- # the value is Base64-encdoded. Otherwise, it is not encoded.
908
+ # the value is Base64-encoded. Otherwise, it is not encoded.
685
909
  # @return [String]
686
910
  #
687
911
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
@@ -700,9 +924,8 @@ module Aws::KMS
700
924
  # }
701
925
  #
702
926
  # @!attribute [rw] alias_name
703
- # The alias to be deleted. The name must start with the word "alias"
704
- # followed by a forward slash (alias/). Aliases that begin with
705
- # "alias/aws" are reserved.
927
+ # The alias to be deleted. The alias name must begin with `alias/`
928
+ # followed by the alias name, such as `alias/ExampleAlias`.
706
929
  # @return [String]
707
930
  #
708
931
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAliasRequest AWS API Documentation
@@ -743,8 +966,8 @@ module Aws::KMS
743
966
  # }
744
967
  #
745
968
  # @!attribute [rw] key_id
746
- # The identifier of the CMK whose key material to delete. The CMK's
747
- # `Origin` must be `EXTERNAL`.
969
+ # Identifies the CMK from which you are deleting imported key
970
+ # material. The `Origin` of the CMK must be `EXTERNAL`.
748
971
  #
749
972
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
750
973
  #
@@ -766,6 +989,19 @@ module Aws::KMS
766
989
  include Aws::Structure
767
990
  end
768
991
 
992
+ # The system timed out while trying to fulfill the request. The request
993
+ # can be retried.
994
+ #
995
+ # @!attribute [rw] message
996
+ # @return [String]
997
+ #
998
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DependencyTimeoutException AWS API Documentation
999
+ #
1000
+ class DependencyTimeoutException < Struct.new(
1001
+ :message)
1002
+ include Aws::Structure
1003
+ end
1004
+
769
1005
  # @note When making an API call, you may pass DescribeCustomKeyStoresRequest
770
1006
  # data as a hash:
771
1007
  #
@@ -830,8 +1066,8 @@ module Aws::KMS
830
1066
  # @!attribute [rw] truncated
831
1067
  # A flag that indicates whether there are more items in the list. When
832
1068
  # this value is true, the list in this response is truncated. To get
833
- # more items, pass the value of the `NextMarker` element in this
834
- # response to the `Marker` parameter in a subsequent request.
1069
+ # more items, pass the value of the `NextMarker` element in
1070
+ # thisresponse to the `Marker` parameter in a subsequent request.
835
1071
  # @return [Boolean]
836
1072
  #
837
1073
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
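Review bot: The rewrapped `truncated` description introduces a typo: the new lines end with "element in" and continue with "thisresponse to the `Marker` parameter", so "this response" has lost its space at the line break. The removed lines had it right; keep the break after "this" so the second line starts with "response to the `Marker` parameter in a subsequent request." If this text is generated from a service model, the missing space likely originates there and would reappear on regeneration.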
@@ -860,7 +1096,7 @@ module Aws::KMS
860
1096
  #
861
1097
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
862
1098
  # name, or alias ARN. When using an alias name, prefix it with
863
- # "alias/". To specify a CMK in a different AWS account, you must
1099
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
864
1100
  # use the key ARN or alias ARN.
865
1101
  #
866
1102
  # For example:
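Review bot: The alias prefix is now code-formatted with its double quotes included, which makes the quotes look like part of the value a caller must pass. Other hunks of this diff write the same prefix as `alias/` with no quotes (the `alias_name` descriptions for the alias structure and for CreateAlias), so I would use that form here and drop the inner quotes. The same wording is introduced in the hunks at `@@ -1073,7 +1321,7 @@` and `@@ -1158,12 +1421,11 @@`. The `key_id` comment block starts and ends outside this hunk.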
@@ -879,7 +1115,7 @@ module Aws::KMS
879
1115
  #
880
1116
  #
881
1117
  #
882
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1118
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
883
1119
  # @return [String]
884
1120
  #
885
1121
  # @!attribute [rw] grant_tokens
@@ -890,7 +1126,7 @@ module Aws::KMS
890
1126
  #
891
1127
  #
892
1128
  #
893
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1129
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
894
1130
  # @return [Array<String>]
895
1131
  #
896
1132
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
@@ -972,6 +1208,18 @@ module Aws::KMS
972
1208
  include Aws::Structure
973
1209
  end
974
1210
 
1211
+ # The request was rejected because the specified CMK is not enabled.
1212
+ #
1213
+ # @!attribute [rw] message
1214
+ # @return [String]
1215
+ #
1216
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisabledException AWS API Documentation
1217
+ #
1218
+ class DisabledException < Struct.new(
1219
+ :message)
1220
+ include Aws::Structure
1221
+ end
1222
+
975
1223
  # @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
976
1224
  # data as a hash:
977
1225
  #
@@ -1073,7 +1321,7 @@ module Aws::KMS
1073
1321
  #
1074
1322
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1075
1323
  # name, or alias ARN. When using an alias name, prefix it with
1076
- # "alias/". To specify a CMK in a different AWS account, you must
1324
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1077
1325
  # use the key ARN or alias ARN.
1078
1326
  #
1079
1327
  # For example:
@@ -1103,7 +1351,7 @@ module Aws::KMS
1103
1351
  #
1104
1352
  #
1105
1353
  #
1106
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1354
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1107
1355
  # @return [Hash<String,String>]
1108
1356
  #
1109
1357
  # @!attribute [rw] grant_tokens
@@ -1114,7 +1362,7 @@ module Aws::KMS
1114
1362
  #
1115
1363
  #
1116
1364
  #
1117
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1365
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1118
1366
  # @return [Array<String>]
1119
1367
  #
1120
1368
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -1129,7 +1377,7 @@ module Aws::KMS
1129
1377
 
1130
1378
  # @!attribute [rw] ciphertext_blob
1131
1379
  # The encrypted plaintext. When you use the HTTP API or the AWS CLI,
1132
- # the value is Base64-encdoded. Otherwise, it is not encoded.
1380
+ # the value is Base64-encoded. Otherwise, it is not encoded.
1133
1381
  # @return [String]
1134
1382
  #
1135
1383
  # @!attribute [rw] key_id
@@ -1144,6 +1392,21 @@ module Aws::KMS
1144
1392
  include Aws::Structure
1145
1393
  end
1146
1394
 
1395
+ # The request was rejected because the provided import token is expired.
1396
+ # Use GetParametersForImport to get a new import token and public key,
1397
+ # use the new public key to encrypt the key material, and then try the
1398
+ # request again.
1399
+ #
1400
+ # @!attribute [rw] message
1401
+ # @return [String]
1402
+ #
1403
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ExpiredImportTokenException AWS API Documentation
1404
+ #
1405
+ class ExpiredImportTokenException < Struct.new(
1406
+ :message)
1407
+ include Aws::Structure
1408
+ end
1409
+
1147
1410
  # @note When making an API call, you may pass GenerateDataKeyRequest
1148
1411
  # data as a hash:
1149
1412
  #
@@ -1158,12 +1421,11 @@ module Aws::KMS
1158
1421
  # }
1159
1422
  #
1160
1423
  # @!attribute [rw] key_id
1161
- # The identifier of the CMK under which to generate and encrypt the
1162
- # data encryption key.
1424
+ # An identifier for the CMK that encrypts the data key.
1163
1425
  #
1164
1426
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1165
1427
  # name, or alias ARN. When using an alias name, prefix it with
1166
- # "alias/". To specify a CMK in a different AWS account, you must
1428
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1167
1429
  # use the key ARN or alias ARN.
1168
1430
  #
1169
1431
  # For example:
@@ -1190,20 +1452,19 @@ module Aws::KMS
1190
1452
  #
1191
1453
  #
1192
1454
  #
1193
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1455
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1194
1456
  # @return [Hash<String,String>]
1195
1457
  #
1196
1458
  # @!attribute [rw] number_of_bytes
1197
- # The length of the data encryption key in bytes. For example, use the
1198
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1199
- # common key lengths (128-bit and 256-bit symmetric keys), we
1200
- # recommend that you use the `KeySpec` field instead of this one.
1459
+ # The length of the data key in bytes. For example, use the value 64
1460
+ # to generate a 512-bit data key (64 bytes is 512 bits). For common
1461
+ # key lengths (128-bit and 256-bit symmetric keys), we recommend that
1462
+ # you use the `KeySpec` field instead of this one.
1201
1463
  # @return [Integer]
1202
1464
  #
1203
1465
  # @!attribute [rw] key_spec
1204
- # The length of the data encryption key. Use `AES_128` to generate a
1205
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1206
- # key.
1466
+ # The length of the data key. Use `AES_128` to generate a 128-bit
1467
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1207
1468
  # @return [String]
1208
1469
  #
1209
1470
  # @!attribute [rw] grant_tokens
@@ -1214,7 +1475,7 @@ module Aws::KMS
1214
1475
  #
1215
1476
  #
1216
1477
  #
1217
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1478
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1218
1479
  # @return [Array<String>]
1219
1480
  #
1220
1481
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
@@ -1229,20 +1490,19 @@ module Aws::KMS
1229
1490
  end
1230
1491
 
1231
1492
  # @!attribute [rw] ciphertext_blob
1232
- # The encrypted data encryption key. When you use the HTTP API or the
1233
- # AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.
1493
+ # The encrypted copy of the data key. When you use the HTTP API or the
1494
+ # AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
1234
1495
  # @return [String]
1235
1496
  #
1236
1497
  # @!attribute [rw] plaintext
1237
- # The data encryption key. When you use the HTTP API or the AWS CLI,
1238
- # the value is Base64-encdoded. Otherwise, it is not encoded. Use this
1239
- # data key for local encryption and decryption, then remove it from
1498
+ # The plaintext data key. When you use the HTTP API or the AWS CLI,
1499
+ # the value is Base64-encoded. Otherwise, it is not encoded. Use this
1500
+ # data key to encrypt your data outside of KMS. Then, remove it from
1240
1501
  # memory as soon as possible.
1241
1502
  # @return [String]
1242
1503
  #
1243
1504
  # @!attribute [rw] key_id
1244
- # The identifier of the CMK under which the data encryption key was
1245
- # generated and encrypted.
1505
+ # The identifier of the CMK that encrypted the data key.
1246
1506
  # @return [String]
1247
1507
  #
1248
1508
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -1268,12 +1528,12 @@ module Aws::KMS
1268
1528
  # }
1269
1529
  #
1270
1530
  # @!attribute [rw] key_id
1271
- # The identifier of the customer master key (CMK) under which to
1272
- # generate and encrypt the data encryption key.
1531
+ # The identifier of the customer master key (CMK) that encrypts the
1532
+ # data key.
1273
1533
  #
1274
1534
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1275
1535
  # name, or alias ARN. When using an alias name, prefix it with
1276
- # "alias/". To specify a CMK in a different AWS account, you must
1536
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1277
1537
  # use the key ARN or alias ARN.
1278
1538
  #
1279
1539
  # For example:
@@ -1300,20 +1560,19 @@ module Aws::KMS
1300
1560
  #
1301
1561
  #
1302
1562
  #
1303
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1563
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1304
1564
  # @return [Hash<String,String>]
1305
1565
  #
1306
1566
  # @!attribute [rw] key_spec
1307
- # The length of the data encryption key. Use `AES_128` to generate a
1308
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1309
- # key.
1567
+ # The length of the data key. Use `AES_128` to generate a 128-bit
1568
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1310
1569
  # @return [String]
1311
1570
  #
1312
1571
  # @!attribute [rw] number_of_bytes
1313
- # The length of the data encryption key in bytes. For example, use the
1314
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1315
- # common key lengths (128-bit and 256-bit symmetric keys), we
1316
- # recommend that you use the `KeySpec` field instead of this one.
1572
+ # The length of the data key in bytes. For example, use the value 64
1573
+ # to generate a 512-bit data key (64 bytes is 512 bits). For common
1574
+ # key lengths (128-bit and 256-bit symmetric keys), we recommend that
1575
+ # you use the `KeySpec` field instead of this one.
1317
1576
  # @return [Integer]
1318
1577
  #
1319
1578
  # @!attribute [rw] grant_tokens
@@ -1324,7 +1583,7 @@ module Aws::KMS
1324
1583
  #
1325
1584
  #
1326
1585
  #
1327
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1586
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1328
1587
  # @return [Array<String>]
1329
1588
  #
1330
1589
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
@@ -1339,13 +1598,12 @@ module Aws::KMS
1339
1598
  end
1340
1599
 
1341
1600
  # @!attribute [rw] ciphertext_blob
1342
- # The encrypted data encryption key. When you use the HTTP API or the
1343
- # AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.
1601
+ # The encrypted data key. When you use the HTTP API or the AWS CLI,
1602
+ # the value is Base64-encoded. Otherwise, it is not encoded.
1344
1603
  # @return [String]
1345
1604
  #
1346
1605
  # @!attribute [rw] key_id
1347
- # The identifier of the CMK under which the data encryption key was
1348
- # generated and encrypted.
1606
+ # The identifier of the CMK that encrypted the data key.
1349
1607
  # @return [String]
1350
1608
  #
1351
1609
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -1375,7 +1633,7 @@ module Aws::KMS
1375
1633
  #
1376
1634
  #
1377
1635
  #
1378
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1636
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1379
1637
  # @return [String]
1380
1638
  #
1381
1639
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -1388,7 +1646,7 @@ module Aws::KMS
1388
1646
 
1389
1647
  # @!attribute [rw] plaintext
1390
1648
  # The random byte string. When you use the HTTP API or the AWS CLI,
1391
- # the value is Base64-encdoded. Otherwise, it is not encoded.
1649
+ # the value is Base64-encoded. Otherwise, it is not encoded.
1392
1650
  # @return [String]
1393
1651
  #
1394
1652
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -1522,7 +1780,7 @@ module Aws::KMS
1522
1780
  #
1523
1781
  #
1524
1782
  #
1525
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
1783
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
1526
1784
  # @return [String]
1527
1785
  #
1528
1786
  # @!attribute [rw] wrapping_key_spec
@@ -1571,23 +1829,46 @@ module Aws::KMS
1571
1829
  include Aws::Structure
1572
1830
  end
1573
1831
 
1574
- # A structure that you can use to allow certain operations in the grant
1575
- # only when the desired encryption context is present. For more
1576
- # information about encryption context, see [Encryption Context][1] in
1577
- # the *AWS Key Management Service Developer Guide*.
1832
+ # Use this structure to allow cryptographic operations in the grant only
1833
+ # when the operation request includes the specified [encryption
1834
+ # context][1].
1835
+ #
1836
+ # AWS KMS applies the grant constraints only when the grant allows a
1837
+ # cryptographic operation that accepts an encryption context as input,
1838
+ # such as the following.
1839
+ #
1840
+ # * Encrypt
1841
+ #
1842
+ # * Decrypt
1843
+ #
1844
+ # * GenerateDataKey
1845
+ #
1846
+ # * GenerateDataKeyWithoutPlaintext
1847
+ #
1848
+ # * ReEncrypt
1849
+ #
1850
+ # AWS KMS does not apply the grant constraints to other operations, such
1851
+ # as DescribeKey or ScheduleKeyDeletion.
1852
+ #
1853
+ # In a cryptographic operation, the encryption context in the decryption
1854
+ # operation must be an exact, case-sensitive match for the keys and
1855
+ # values in the encryption context of the encryption operation. Only the
1856
+ # order of the pairs can vary.
1857
+ #
1858
+ # However, in a grant constraint, the key in each key-value pair is not
1859
+ # case sensitive, but the value is case sensitive.
1578
1860
  #
1579
- # Grant constraints apply only to operations that accept encryption
1580
- # context as input. For example, the ` DescribeKey ` operation does not
1581
- # accept encryption context as input. A grant that allows the
1582
- # `DescribeKey` operation does so regardless of the grant constraints.
1583
- # In constrast, the ` Encrypt ` operation accepts encryption context as
1584
- # input. A grant that allows the `Encrypt` operation does so only when
1585
- # the encryption context of the `Encrypt` operation satisfies the grant
1586
- # constraints.
1861
+ # To avoid confusion, do not use multiple encryption context pairs that
1862
+ # differ only by case. To require a fully case-sensitive encryption
1863
+ # context, use the `kms:EncryptionContext:` and
1864
+ # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
1865
+ # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
1866
+ # Management Service Developer Guide</i> </i>.
1587
1867
  #
1588
1868
  #
1589
1869
  #
1590
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1870
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1871
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
1591
1872
  #
1592
1873
  # @note When making an API call, you may pass GrantConstraints
1593
1874
  # data as a hash:
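Review bot: The closing sentence of the new `GrantConstraints` description wraps the guide title in nested raw HTML, `<i> <i>AWS Key Management Service Developer Guide</i> </i>`, where the lines this hunk removes used Markdown emphasis for the same title. Writing the last two lines as `# details, see [kms:EncryptionContext:][2] in the *AWS Key` and `# Management Service Developer Guide*.` would match the emphasis style used elsewhere in this diff (for example the `KMSInvalidStateException` comment). The comment block continues past the end of the hunk.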
@@ -1602,20 +1883,18 @@ module Aws::KMS
1602
1883
  # }
1603
1884
  #
1604
1885
  # @!attribute [rw] encryption_context_subset
1605
- # A list of key-value pairs, all of which must be present in the
1606
- # encryption context of certain subsequent operations that the grant
1607
- # allows. When certain subsequent operations allowed by the grant
1608
- # include encryption context that matches this list or is a superset
1609
- # of this list, the grant allows the operation. Otherwise, the grant
1610
- # does not allow the operation.
1886
+ # A list of key-value pairs that must be included in the encryption
1887
+ # context of the cryptographic operation request. The grant allows the
1888
+ # cryptographic operation only when the encryption context in the
1889
+ # request includes the key-value pairs specified in this constraint,
1890
+ # although it can include additional key-value pairs.
1611
1891
  # @return [Hash<String,String>]
1612
1892
  #
1613
1893
  # @!attribute [rw] encryption_context_equals
1614
- # A list of key-value pairs that must be present in the encryption
1615
- # context of certain subsequent operations that the grant allows. When
1616
- # certain subsequent operations allowed by the grant include
1617
- # encryption context that matches this list, the grant allows the
1618
- # operation. Otherwise, the grant does not allow the operation.
1894
+ # A list of key-value pairs that must match the encryption context in
1895
+ # the cryptographic operation request. The grant allows the operation
1896
+ # only when the encryption context in the request is the same as the
1897
+ # encryption context specified in this constraint.
1619
1898
  # @return [Hash<String,String>]
1620
1899
  #
1621
1900
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
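Review bot: Neither attribute description added here repeats the case rule that the struct-level comment in the previous hunk states: in a grant constraint the key of each pair is not case sensitive, while the value is. The `encryption_context_equals` text says the request's context must be "the same as" the constraint, which a reader of the attribute docs alone would take to mean an exact match. Someone writing a grant from these descriptions could rely on key case to tell two contexts apart. Adding one line to each attribute, such as `# Keys in this constraint are not case sensitive; values are case sensitive.`, would close that gap.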
@@ -1756,6 +2035,180 @@ module Aws::KMS
1756
2035
  #
1757
2036
  class ImportKeyMaterialResponse < Aws::EmptyStructure; end
1758
2037
 
2038
+ # The request was rejected because the provided key material is invalid
2039
+ # or is not the same key material that was previously imported into this
2040
+ # customer master key (CMK).
2041
+ #
2042
+ # @!attribute [rw] message
2043
+ # @return [String]
2044
+ #
2045
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/IncorrectKeyMaterialException AWS API Documentation
2046
+ #
2047
+ class IncorrectKeyMaterialException < Struct.new(
2048
+ :message)
2049
+ include Aws::Structure
2050
+ end
2051
+
2052
+ # The request was rejected because the trust anchor certificate in the
2053
+ # request is not the trust anchor certificate for the specified AWS
2054
+ # CloudHSM cluster.
2055
+ #
2056
+ # When you [initialize the cluster][1], you create the trust anchor
2057
+ # certificate and save it in the `customerCA.crt` file.
2058
+ #
2059
+ #
2060
+ #
2061
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
2062
+ #
2063
+ # @!attribute [rw] message
2064
+ # @return [String]
2065
+ #
2066
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/IncorrectTrustAnchorException AWS API Documentation
2067
+ #
2068
+ class IncorrectTrustAnchorException < Struct.new(
2069
+ :message)
2070
+ include Aws::Structure
2071
+ end
2072
+
2073
+ # The request was rejected because the specified alias name is not
2074
+ # valid.
2075
+ #
2076
+ # @!attribute [rw] message
2077
+ # @return [String]
2078
+ #
2079
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidAliasNameException AWS API Documentation
2080
+ #
2081
+ class InvalidAliasNameException < Struct.new(
2082
+ :message)
2083
+ include Aws::Structure
2084
+ end
2085
+
2086
+ # The request was rejected because a specified ARN, or an ARN in a key
2087
+ # policy, is not valid.
2088
+ #
2089
+ # @!attribute [rw] message
2090
+ # @return [String]
2091
+ #
2092
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidArnException AWS API Documentation
2093
+ #
2094
+ class InvalidArnException < Struct.new(
2095
+ :message)
2096
+ include Aws::Structure
2097
+ end
2098
+
2099
+ # The request was rejected because the specified ciphertext, or
2100
+ # additional authenticated data incorporated into the ciphertext, such
2101
+ # as the encryption context, is corrupted, missing, or otherwise
2102
+ # invalid.
2103
+ #
2104
+ # @!attribute [rw] message
2105
+ # @return [String]
2106
+ #
2107
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidCiphertextException AWS API Documentation
2108
+ #
2109
+ class InvalidCiphertextException < Struct.new(
2110
+ :message)
2111
+ include Aws::Structure
2112
+ end
2113
+
2114
+ # The request was rejected because the specified `GrantId` is not valid.
2115
+ #
2116
+ # @!attribute [rw] message
2117
+ # @return [String]
2118
+ #
2119
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidGrantIdException AWS API Documentation
2120
+ #
2121
+ class InvalidGrantIdException < Struct.new(
2122
+ :message)
2123
+ include Aws::Structure
2124
+ end
2125
+
2126
+ # The request was rejected because the specified grant token is not
2127
+ # valid.
2128
+ #
2129
+ # @!attribute [rw] message
2130
+ # @return [String]
2131
+ #
2132
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidGrantTokenException AWS API Documentation
2133
+ #
2134
+ class InvalidGrantTokenException < Struct.new(
2135
+ :message)
2136
+ include Aws::Structure
2137
+ end
2138
+
2139
+ # The request was rejected because the provided import token is invalid
2140
+ # or is associated with a different customer master key (CMK).
2141
+ #
2142
+ # @!attribute [rw] message
2143
+ # @return [String]
2144
+ #
2145
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidImportTokenException AWS API Documentation
2146
+ #
2147
+ class InvalidImportTokenException < Struct.new(
2148
+ :message)
2149
+ include Aws::Structure
2150
+ end
2151
+
2152
+ # The request was rejected because the specified `KeySpec` value is not
2153
+ # valid.
2154
+ #
2155
+ # @!attribute [rw] message
2156
+ # @return [String]
2157
+ #
2158
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidKeyUsageException AWS API Documentation
2159
+ #
2160
+ class InvalidKeyUsageException < Struct.new(
2161
+ :message)
2162
+ include Aws::Structure
2163
+ end
2164
+
2165
+ # The request was rejected because the marker that specifies where
2166
+ # pagination should next begin is not valid.
2167
+ #
2168
+ # @!attribute [rw] message
2169
+ # @return [String]
2170
+ #
2171
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/InvalidMarkerException AWS API Documentation
2172
+ #
2173
+ class InvalidMarkerException < Struct.new(
2174
+ :message)
2175
+ include Aws::Structure
2176
+ end
2177
+
2178
+ # The request was rejected because an internal exception occurred. The
2179
+ # request can be retried.
2180
+ #
2181
+ # @!attribute [rw] message
2182
+ # @return [String]
2183
+ #
2184
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInternalException AWS API Documentation
2185
+ #
2186
+ class KMSInternalException < Struct.new(
2187
+ :message)
2188
+ include Aws::Structure
2189
+ end
2190
+
2191
+ # The request was rejected because the state of the specified resource
2192
+ # is not valid for this request.
2193
+ #
2194
+ # For more information about how key state affects the use of a CMK, see
2195
+ # [How Key State Affects Use of a Customer Master Key][1] in the *AWS
2196
+ # Key Management Service Developer Guide*.
2197
+ #
2198
+ #
2199
+ #
2200
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2201
+ #
2202
+ # @!attribute [rw] message
2203
+ # @return [String]
2204
+ #
2205
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidStateException AWS API Documentation
2206
+ #
2207
+ class KMSInvalidStateException < Struct.new(
2208
+ :message)
2209
+ include Aws::Structure
2210
+ end
2211
+
1759
2212
  # Contains information about each entry in the key list.
1760
2213
  #
1761
2214
  # @!attribute [rw] key_id
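Review bot: The comment added for `InvalidKeyUsageException` says the request was rejected because the specified `KeySpec` value is not valid, which does not match the class name. The other exceptions added in this hunk describe the thing their name refers to (`InvalidGrantIdException` names `GrantId`, `InvalidMarkerException` names the marker). A caller deciding how to handle this error cannot tell from the comment whether it concerns key usage or key spec. If the service raises it for a key-usage problem, as the name suggests, the first line could read `# The request was rejected because the specified key usage value is not` followed by `# valid.`. The wording is presumably inherited from the upstream API model, so confirm there before changing it.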
@@ -1794,7 +2247,7 @@ module Aws::KMS
1794
2247
  #
1795
2248
  #
1796
2249
  #
1797
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
2250
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
1798
2251
  # @return [String]
1799
2252
  #
1800
2253
  # @!attribute [rw] creation_date
@@ -1811,9 +2264,9 @@ module Aws::KMS
1811
2264
  # @return [String]
1812
2265
  #
1813
2266
  # @!attribute [rw] key_usage
1814
- # The cryptographic operations for which you can use the CMK.
1815
- # Currently the only allowed value is `ENCRYPT_DECRYPT`, which means
1816
- # you can use the CMK for the Encrypt and Decrypt operations.
2267
+ # The cryptographic operations for which you can use the CMK. The only
2268
+ # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
2269
+ # encrypt and decrypt data.
1817
2270
  # @return [String]
1818
2271
  #
1819
2272
  # @!attribute [rw] key_state
@@ -1825,7 +2278,7 @@ module Aws::KMS
1825
2278
  #
1826
2279
  #
1827
2280
  #
1828
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2281
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1829
2282
  # @return [String]
1830
2283
  #
1831
2284
  # @!attribute [rw] deletion_date
@@ -1857,7 +2310,7 @@ module Aws::KMS
1857
2310
  #
1858
2311
  #
1859
2312
  #
1860
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2313
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1861
2314
  # @return [String]
1862
2315
  #
1863
2316
  # @!attribute [rw] cloud_hsm_cluster_id
@@ -1869,7 +2322,7 @@ module Aws::KMS
1869
2322
  #
1870
2323
  #
1871
2324
  #
1872
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2325
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1873
2326
  # @return [String]
1874
2327
  #
1875
2328
  # @!attribute [rw] expiration_model
@@ -1879,13 +2332,14 @@ module Aws::KMS
1879
2332
  # @return [String]
1880
2333
  #
1881
2334
  # @!attribute [rw] key_manager
1882
- # The CMK's manager. CMKs are either customer-managed or AWS-managed.
1883
- # For more information about the difference, see [Customer Master
1884
- # Keys][1] in the *AWS Key Management Service Developer Guide*.
2335
+ # The manager of the CMK. CMKs in your AWS account are either customer
2336
+ # managed or AWS managed. For more information about the difference,
2337
+ # see [Customer Master Keys][1] in the *AWS Key Management Service
2338
+ # Developer Guide*.
1885
2339
  #
1886
2340
  #
1887
2341
  #
1888
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
2342
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1889
2343
  # @return [String]
1890
2344
  #
1891
2345
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
@@ -1909,6 +2363,37 @@ module Aws::KMS
1909
2363
  include Aws::Structure
1910
2364
  end
1911
2365
 
2366
+ # The request was rejected because the specified CMK was not available.
2367
+ # The request can be retried.
2368
+ #
2369
+ # @!attribute [rw] message
2370
+ # @return [String]
2371
+ #
2372
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyUnavailableException AWS API Documentation
2373
+ #
2374
+ class KeyUnavailableException < Struct.new(
2375
+ :message)
2376
+ include Aws::Structure
2377
+ end
2378
+
2379
+ # The request was rejected because a limit was exceeded. For more
2380
+ # information, see [Limits][1] in the *AWS Key Management Service
2381
+ # Developer Guide*.
2382
+ #
2383
+ #
2384
+ #
2385
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
2386
+ #
2387
+ # @!attribute [rw] message
2388
+ # @return [String]
2389
+ #
2390
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/LimitExceededException AWS API Documentation
2391
+ #
2392
+ class LimitExceededException < Struct.new(
2393
+ :message)
2394
+ include Aws::Structure
2395
+ end
2396
+
1912
2397
  # @note When making an API call, you may pass ListAliasesRequest
1913
2398
  # data as a hash:
1914
2399
  #
@@ -1965,8 +2450,8 @@ module Aws::KMS
1965
2450
  # @!attribute [rw] truncated
1966
2451
  # A flag that indicates whether there are more items in the list. When
1967
2452
  # this value is true, the list in this response is truncated. To get
1968
- # more items, pass the value of the `NextMarker` element in this
1969
- # response to the `Marker` parameter in a subsequent request.
2453
+ # more items, pass the value of the `NextMarker` element in
2454
+ # thisresponse to the `Marker` parameter in a subsequent request.
1970
2455
  # @return [Boolean]
1971
2456
  #
1972
2457
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliasesResponse AWS API Documentation
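Review bot: The rewrapped `truncated` description loses the space between "this" and "response": the second added line starts `# thisresponse to the`, where the removed text read "in this response to the". That line should start `# this response to the` instead. The same regression is repeated in the `truncated` hunks for `ListGrantsResponse`, `ListKeyPoliciesResponse`, `ListKeysResponse` and `ListResourceTagsResponse` later in this diff.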
@@ -2041,8 +2526,8 @@ module Aws::KMS
2041
2526
  # @!attribute [rw] truncated
2042
2527
  # A flag that indicates whether there are more items in the list. When
2043
2528
  # this value is true, the list in this response is truncated. To get
2044
- # more items, pass the value of the `NextMarker` element in this
2045
- # response to the `Marker` parameter in a subsequent request.
2529
+ # more items, pass the value of the `NextMarker` element in
2530
+ # thisresponse to the `Marker` parameter in a subsequent request.
2046
2531
  # @return [Boolean]
2047
2532
  #
2048
2533
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsResponse AWS API Documentation
@@ -2088,7 +2573,7 @@ module Aws::KMS
2088
2573
  # and 1000, inclusive. If you do not include a value, it defaults to
2089
2574
  # 100.
2090
2575
  #
2091
- # Currently only 1 policy can be attached to a key.
2576
+ # Only one policy can be attached to a key.
2092
2577
  # @return [Integer]
2093
2578
  #
2094
2579
  # @!attribute [rw] marker
@@ -2107,8 +2592,7 @@ module Aws::KMS
2107
2592
  end
2108
2593
 
2109
2594
  # @!attribute [rw] policy_names
2110
- # A list of key policy names. Currently, there is only one key policy
2111
- # per CMK and it is always named `default`.
2595
+ # A list of key policy names. The only valid value is `default`.
2112
2596
  # @return [Array<String>]
2113
2597
  #
2114
2598
  # @!attribute [rw] next_marker
@@ -2119,8 +2603,8 @@ module Aws::KMS
2119
2603
  # @!attribute [rw] truncated
2120
2604
  # A flag that indicates whether there are more items in the list. When
2121
2605
  # this value is true, the list in this response is truncated. To get
2122
- # more items, pass the value of the `NextMarker` element in this
2123
- # response to the `Marker` parameter in a subsequent request.
2606
+ # more items, pass the value of the `NextMarker` element in
2607
+ # thisresponse to the `Marker` parameter in a subsequent request.
2124
2608
  # @return [Boolean]
2125
2609
  #
2126
2610
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPoliciesResponse AWS API Documentation
@@ -2176,8 +2660,8 @@ module Aws::KMS
2176
2660
  # @!attribute [rw] truncated
2177
2661
  # A flag that indicates whether there are more items in the list. When
2178
2662
  # this value is true, the list in this response is truncated. To get
2179
- # more items, pass the value of the `NextMarker` element in this
2180
- # response to the `Marker` parameter in a subsequent request.
2663
+ # more items, pass the value of the `NextMarker` element in
2664
+ # thisresponse to the `Marker` parameter in a subsequent request.
2181
2665
  # @return [Boolean]
2182
2666
  #
2183
2667
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeysResponse AWS API Documentation
@@ -2255,8 +2739,8 @@ module Aws::KMS
2255
2739
  # @!attribute [rw] truncated
2256
2740
  # A flag that indicates whether there are more items in the list. When
2257
2741
  # this value is true, the list in this response is truncated. To get
2258
- # more items, pass the value of the `NextMarker` element in this
2259
- # response to the `Marker` parameter in a subsequent request.
2742
+ # more items, pass the value of the `NextMarker` element in
2743
+ # thisresponse to the `Marker` parameter in a subsequent request.
2260
2744
  # @return [Boolean]
2261
2745
  #
2262
2746
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTagsResponse AWS API Documentation
@@ -2305,8 +2789,8 @@ module Aws::KMS
2305
2789
  #
2306
2790
  #
2307
2791
  #
2308
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
2309
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
2792
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
2793
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
2310
2794
  # @return [String]
2311
2795
  #
2312
2796
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
@@ -2318,6 +2802,32 @@ module Aws::KMS
2318
2802
  include Aws::Structure
2319
2803
  end
2320
2804
 
2805
+ # The request was rejected because the specified policy is not
2806
+ # syntactically or semantically correct.
2807
+ #
2808
+ # @!attribute [rw] message
2809
+ # @return [String]
2810
+ #
2811
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MalformedPolicyDocumentException AWS API Documentation
2812
+ #
2813
+ class MalformedPolicyDocumentException < Struct.new(
2814
+ :message)
2815
+ include Aws::Structure
2816
+ end
2817
+
2818
+ # The request was rejected because the specified entity or resource
2819
+ # could not be found.
2820
+ #
2821
+ # @!attribute [rw] message
2822
+ # @return [String]
2823
+ #
2824
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/NotFoundException AWS API Documentation
2825
+ #
2826
+ class NotFoundException < Struct.new(
2827
+ :message)
2828
+ include Aws::Structure
2829
+ end
2830
+
2321
2831
  # @note When making an API call, you may pass PutKeyPolicyRequest
2322
2832
  # data as a hash:
2323
2833
  #
@@ -2375,8 +2885,8 @@ module Aws::KMS
2375
2885
  #
2376
2886
  #
2377
2887
  #
2378
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2379
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
2888
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2889
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
2380
2890
  # @return [String]
2381
2891
  #
2382
2892
  # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -2398,7 +2908,7 @@ module Aws::KMS
2398
2908
  #
2399
2909
  #
2400
2910
  #
2401
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2911
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2402
2912
  # @return [Boolean]
2403
2913
  #
2404
2914
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -2440,7 +2950,7 @@ module Aws::KMS
2440
2950
  #
2441
2951
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2442
2952
  # name, or alias ARN. When using an alias name, prefix it with
2443
- # "alias/". To specify a CMK in a different AWS account, you must
2953
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
2444
2954
  # use the key ARN or alias ARN.
2445
2955
  #
2446
2956
  # For example:
@@ -2470,7 +2980,7 @@ module Aws::KMS
2470
2980
  #
2471
2981
  #
2472
2982
  #
2473
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2983
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2474
2984
  # @return [Array<String>]
2475
2985
  #
2476
2986
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
@@ -2486,7 +2996,7 @@ module Aws::KMS
2486
2996
 
2487
2997
  # @!attribute [rw] ciphertext_blob
2488
2998
  # The reencrypted data. When you use the HTTP API or the AWS CLI, the
2489
- # value is Base64-encdoded. Otherwise, it is not encoded.
2999
+ # value is Base64-encoded. Otherwise, it is not encoded.
2490
3000
  # @return [String]
2491
3001
  #
2492
3002
  # @!attribute [rw] source_key_id
@@ -2651,7 +3161,7 @@ module Aws::KMS
2651
3161
  #
2652
3162
  #
2653
3163
  #
2654
- # [1]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
3164
+ # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
2655
3165
  #
2656
3166
  # @note When making an API call, you may pass Tag
2657
3167
  # data as a hash:
@@ -2677,6 +3187,18 @@ module Aws::KMS
2677
3187
  include Aws::Structure
2678
3188
  end
2679
3189
 
3190
+ # The request was rejected because one or more tags are not valid.
3191
+ #
3192
+ # @!attribute [rw] message
3193
+ # @return [String]
3194
+ #
3195
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagException AWS API Documentation
3196
+ #
3197
+ class TagException < Struct.new(
3198
+ :message)
3199
+ include Aws::Structure
3200
+ end
3201
+
2680
3202
  # @note When making an API call, you may pass TagResourceRequest
2681
3203
  # data as a hash:
2682
3204
  #
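Review bot: The `@see` line added with `TagException` links to `http://docs.aws.amazon.com/goto/...`, while every numbered reference link touched in this diff is moved to `https://`. The `@see` line added with `UnsupportedOperationException` in the next hunk has the same scheme. The unchanged `@see` lines in context also use `http://`, so this probably comes from a shared template rather than from these two classes, in which case the scheme should be changed there. Suggested form: `# @see https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagException AWS API Documentation`.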
@@ -2718,6 +3240,19 @@ module Aws::KMS
2718
3240
  include Aws::Structure
2719
3241
  end
2720
3242
 
3243
+ # The request was rejected because a specified parameter is not
3244
+ # supported or a specified resource is not valid for this operation.
3245
+ #
3246
+ # @!attribute [rw] message
3247
+ # @return [String]
3248
+ #
3249
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UnsupportedOperationException AWS API Documentation
3250
+ #
3251
+ class UnsupportedOperationException < Struct.new(
3252
+ :message)
3253
+ include Aws::Structure
3254
+ end
3255
+
2721
3256
  # @note When making an API call, you may pass UntagResourceRequest
2722
3257
  # data as a hash:
2723
3258
  #
@@ -2763,14 +3298,15 @@ module Aws::KMS
2763
3298
  # }
2764
3299
  #
2765
3300
  # @!attribute [rw] alias_name
2766
- # String that contains the name of the alias to be modified. The name
2767
- # must start with the word "alias" followed by a forward slash
2768
- # (alias/). Aliases that begin with "alias/aws" are reserved.
3301
+ # Specifies the name of the alias to change. This value must begin
3302
+ # with `alias/` followed by the alias name, such as
3303
+ # `alias/ExampleAlias`.
2769
3304
  # @return [String]
2770
3305
  #
2771
3306
  # @!attribute [rw] target_key_id
2772
- # Unique identifier of the customer master key to be mapped to the
2773
- # alias.
3307
+ # Unique identifier of the customer master key (CMK) to be mapped to
3308
+ # the alias. When the update operation completes, the alias will point
3309
+ # to this CMK.
2774
3310
  #
2775
3311
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2776
3312
  #
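Review bot: The rewritten `alias_name` description drops the statement that aliases beginning with "alias/aws" are reserved, which the removed text carried. If that restriction still applies to this request (not visible from the hunk), keep the sentence so callers see the constraint in the documentation rather than learning it from a rejected call: `# Aliases that begin with "alias/aws" are reserved.` The request documentation this attribute belongs to starts and ends outside the hunk.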
@@ -2831,17 +3367,18 @@ module Aws::KMS
2831
3367
  # Associates the custom key store with a related AWS CloudHSM cluster.
2832
3368
  #
2833
3369
  # Enter the cluster ID of the cluster that you used to create the
2834
- # custom key store or a cluster that shares a backup history with the
2835
- # original cluster. You cannot use this parameter to associate a
2836
- # custom key store with a different cluster.
2837
- #
2838
- # Clusters that share a backup history have the same cluster
2839
- # certificate. To view the cluster certificate of a cluster, use the
2840
- # [DescribeClusters][1] operation.
3370
+ # custom key store or a cluster that shares a backup history and has
3371
+ # the same cluster certificate as the original cluster. You cannot use
3372
+ # this parameter to associate a custom key store with an unrelated
3373
+ # cluster. In addition, the replacement cluster must [fulfill the
3374
+ # requirements][1] for a cluster associated with a custom key store.
3375
+ # To view the cluster certificate of a cluster, use the
3376
+ # [DescribeClusters][2] operation.
2841
3377
  #
2842
3378
  #
2843
3379
  #
2844
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
3380
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
3381
+ # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
2845
3382
  # @return [String]
2846
3383
  #
2847
3384
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation