aws-sdk-kms 1.17.0 → 1.18.0

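--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: fc41b4832991c95efd49cf2283689e5b29578b2f
- data.tar.gz: ac62ac9bf8a9c1e42c1b32d201d1acd5308b9974
+ metadata.gz: 40671c15423623b13d9dd5bf47327acf6fb71e30
+ data.tar.gz: 0f9ac08bae717aa3abd531c117e432e69a48d720
  SHA512:
- metadata.gz: 9f03c2d36659109e5e6a54c6ba4e0f307b5f320710fc9f28174233a63246efa23b2a499163907244105b88ea5d35ca06d472b1d80e47ef8798ca44cd4b94214f
- data.tar.gz: d49f15f7fd0832ff31e909db250e8337aa91f0ca671fc2553fb34ac410f04d310cb5c23c467076e402bfef8a1a863b38244151579678e1c683ec13df531fc88f
+ metadata.gz: f64112287512788f41a364d1282dd0bc6de5742936e4876f1396049313cb200291409927deebaa0402bd9408f1f6bf72b31f019fca0032eea2d146fbf83b2d70
+ data.tar.gz: 30a1f75cac7b3e4e90fdd4e15219301aa4b6afc33fd3b8a84fb26bc420c76238ceccf808ef67ce23b355aa432a1d1d701cc316f35915b90d31cbeb9f25b3ad35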
data/lib/aws-sdk-kms.rb CHANGED
@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
42
42
  # @service
43
43
  module Aws::KMS
44
44
 
45
- GEM_VERSION = '1.17.0'
45
+ GEM_VERSION = '1.18.0'
46
46
 
47
47
  end
@@ -273,8 +273,8 @@ module Aws::KMS
273
273
  #
274
274
  #
275
275
  #
276
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
277
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
276
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
277
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
278
278
  #
279
279
  # @option params [required, String] :key_id
280
280
  # The unique identifier for the customer master key (CMK) for which to
@@ -370,11 +370,11 @@ module Aws::KMS
370
370
  #
371
371
  #
372
372
  #
373
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
374
- # [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters
375
- # [3]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm
376
- # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
377
- # [5]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
373
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
374
+ # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
375
+ # [3]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html
376
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
377
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
378
378
  #
379
379
  # @option params [required, String] :custom_key_store_id
380
380
  # Enter the key store ID of the custom key store that you want to
@@ -398,9 +398,9 @@ module Aws::KMS
398
398
  req.send_request(options)
399
399
  end
400
400
 
401
- # Creates a display name for a customer master key (CMK). You can use an
402
- # alias to identify a CMK in selected operations, such as Encrypt and
403
- # GenerateDataKey.
401
+ # Creates a display name for a customer managed customer master key
402
+ # (CMK). You can use an alias to identify a CMK in selected operations,
403
+ # such as Encrypt and GenerateDataKey.
404
404
  #
405
405
  # Each CMK can have multiple aliases, but each alias points to only one
406
406
  # CMK. The alias name must be unique in the AWS account and region. To
@@ -412,11 +412,11 @@ module Aws::KMS
412
412
  # appear in the response from the DescribeKey operation. To get the
413
413
  # aliases of all CMKs, use the ListAliases operation.
414
414
  #
415
- # An alias must start with the word `alias` followed by a forward slash
416
- # (`alias/`). The alias name can contain only alphanumeric characters,
417
- # forward slashes (/), underscores (\_), and dashes (-). Alias names
418
- # cannot begin with `aws`; that alias name prefix is reserved by Amazon
419
- # Web Services (AWS).
415
+ # The alias name must begin with `alias/` followed by a name, such as
416
+ # `alias/ExampleAlias`. It can contain only alphanumeric characters,
417
+ # forward slashes (/), underscores (\_), and dashes (-). The alias name
418
+ # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
419
+ # for [AWS managed CMKs][1].
420
420
  #
421
421
  # The alias and the CMK it is mapped to must be in the same AWS account
422
422
  # and the same region. You cannot perform this operation on an alias in
@@ -425,32 +425,29 @@ module Aws::KMS
425
425
  # To map an existing alias to a different CMK, call UpdateAlias.
426
426
  #
427
427
  # The result of this operation varies with the key state of the CMK. For
428
- # details, see [How Key State Affects Use of a Customer Master Key][1]
428
+ # details, see [How Key State Affects Use of a Customer Master Key][2]
429
429
  # in the *AWS Key Management Service Developer Guide*.
430
430
  #
431
431
  #
432
432
  #
433
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
433
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
434
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
434
435
  #
435
436
  # @option params [required, String] :alias_name
436
- # String that contains the display name. The name must start with the
437
- # word "alias" followed by a forward slash (alias/). Aliases that
438
- # begin with "alias/AWS" are reserved.
437
+ # Specifies the alias name. This value must begin with `alias/` followed
438
+ # by a name, such as `alias/ExampleAlias`. The alias name cannot begin
439
+ # with `alias/aws/`. The `alias/aws/` prefix is reserved for AWS managed
440
+ # CMKs.
439
441
  #
440
442
  # @option params [required, String] :target_key_id
441
- # Identifies the CMK for which you are creating the alias. This value
442
- # cannot be an alias.
443
+ # Identifies the CMK to which the alias refers. Specify the key ID or
444
+ # the Amazon Resource Name (ARN) of the CMK. You cannot specify another
445
+ # alias. For help finding the key ID and ARN, see [Finding the Key ID
446
+ # and ARN][1] in the *AWS Key Management Service Developer Guide*.
443
447
  #
444
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
445
448
  #
446
- # For example:
447
449
  #
448
- # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
449
- #
450
- # * Key ARN:
451
- # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
452
- #
453
- # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
450
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
454
451
  #
455
452
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
456
453
  #
@@ -483,82 +480,33 @@ module Aws::KMS
483
480
  # Creates a [custom key store][1] that is associated with an [AWS
484
481
  # CloudHSM cluster][2] that you own and manage.
485
482
  #
486
- # This operation is part of the [Custom Key Store feature][3] feature in
483
+ # This operation is part of the [Custom Key Store feature][1] feature in
487
484
  # AWS KMS, which combines the convenience and extensive integration of
488
485
  # AWS KMS with the isolation and control of a single-tenant key store.
489
486
  #
487
+ # Before you create the custom key store, you must assemble the required
488
+ # elements, including an AWS CloudHSM cluster that fulfills the
489
+ # requirements for a custom key store. For details about the required
490
+ # elements, see [Assemble the Prerequisites][3] in the *AWS Key
491
+ # Management Service Developer Guide*.
492
+ #
490
493
  # When the operation completes successfully, it returns the ID of the
491
494
  # new custom key store. Before you can use your new custom key store,
492
495
  # you need to use the ConnectCustomKeyStore operation to connect the new
493
- # key store to its AWS CloudHSM cluster.
494
- #
495
- # The `CreateCustomKeyStore` operation requires the following elements.
496
- #
497
- # * You must specify an active AWS CloudHSM cluster in the same account
498
- # and AWS Region as the custom key store. You can use an existing
499
- # cluster or [create and activate a new AWS CloudHSM cluster][4] for
500
- # the key store. AWS KMS does not require exclusive use of the
501
- # cluster.
502
- #
503
- # * You must include the content of the *trust anchor certificate* for
504
- # the cluster. You created this certificate, and saved it in the
505
- # `customerCA.crt` file, when you [initialized the cluster][5].
506
- #
507
- # * You must provide the password of the dedicated [ `kmsuser` crypto
508
- # user][6] (CU) account in the cluster.
509
- #
510
- # Before you create the custom key store, use the [createUser][7]
511
- # command in `cloudhsm_mgmt_util` to create [a crypto user (CU) named
512
- # `kmsuser` ][6]in specified AWS CloudHSM cluster. AWS KMS uses the
513
- # `kmsuser` CU account to create and manage key material on your
514
- # behalf. For instructions, see [Create the kmsuser Crypto User][8] in
515
- # the *AWS Key Management Service Developer Guide*.
516
- #
517
- # The AWS CloudHSM cluster that you specify must meet the following
518
- # requirements.
519
- #
520
- # * The cluster must be active and be in the same AWS account and Region
521
- # as the custom key store.
522
- #
523
- # * Each custom key store must be associated with a different AWS
524
- # CloudHSM cluster. The cluster cannot be associated with another
525
- # custom key store or have the same cluster certificate as a cluster
526
- # that is associated with another custom key store. To view the
527
- # cluster certificate, use the AWS CloudHSM [DescribeClusters][9]
528
- # operation. Clusters that share a backup history have the same
529
- # cluster certificate.
530
- #
531
- # * The cluster must be configured with subnets in at least two
532
- # different Availability Zones in the Region. Because AWS CloudHSM is
533
- # not supported in all Availability Zones, we recommend that the
534
- # cluster have subnets in all Availability Zones in the Region.
535
- #
536
- # * The cluster must contain at least two active HSMs, each in a
537
- # different Availability Zone.
538
- #
539
- # New custom key stores are not automatically connected. After you
540
- # create your custom key store, use the ConnectCustomKeyStore operation
541
- # to connect the custom key store to its associated AWS CloudHSM
542
- # cluster. Even if you are not going to use your custom key store
543
- # immediately, you might want to connect it to verify that all settings
544
- # are correct and then disconnect it until you are ready to use it.
545
- #
546
- # If this operation succeeds, it returns the ID of the new custom key
547
- # store. For help with failures, see [Troubleshoot a Custom Key
548
- # Store][10] in the *AWS KMS Developer Guide*.
549
- #
550
- #
551
- #
552
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
553
- # [2]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
554
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
555
- # [4]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html
556
- # [5]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
557
- # [6]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
558
- # [7]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-createUser.html
559
- # [8]: http://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
560
- # [9]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
561
- # [10]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
496
+ # key store to its AWS CloudHSM cluster. Even if you are not going to
497
+ # use your custom key store immediately, you might want to connect it to
498
+ # verify that all settings are correct and then disconnect it until you
499
+ # are ready to use it.
500
+ #
501
+ # For help with failures, see [Troubleshooting a Custom Key Store][4] in
502
+ # the *AWS Key Management Service Developer Guide*.
503
+ #
504
+ #
505
+ #
506
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
507
+ # [2]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
508
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
509
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
562
510
  #
563
511
  # @option params [required, String] :custom_key_store_name
564
512
  # Specifies a friendly name for the custom key store. The name must be
@@ -572,7 +520,7 @@ module Aws::KMS
572
520
  #
573
521
  #
574
522
  #
575
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
523
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
576
524
  #
577
525
  # @option params [required, String] :trust_anchor_certificate
578
526
  # Enter the content of the trust anchor certificate for the cluster.
@@ -581,7 +529,7 @@ module Aws::KMS
581
529
  #
582
530
  #
583
531
  #
584
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
532
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
585
533
  #
586
534
  # @option params [required, String] :key_store_password
587
535
  # Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
@@ -593,7 +541,7 @@ module Aws::KMS
593
541
  #
594
542
  #
595
543
  #
596
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
544
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
597
545
  #
598
546
  # @return [Types::CreateCustomKeyStoreResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
599
547
  #
@@ -621,14 +569,20 @@ module Aws::KMS
621
569
  req.send_request(options)
622
570
  end
623
571
 
624
- # Adds a grant to a customer master key (CMK). The grant specifies who
625
- # can use the CMK and under what conditions. When setting permissions,
626
- # grants are an alternative to key policies.
572
+ # Adds a grant to a customer master key (CMK). The grant allows the
573
+ # grantee principal to use the CMK when the conditions specified in the
574
+ # grant are met. When setting permissions, grants are an alternative to
575
+ # key policies.
576
+ #
577
+ # To create a grant that allows a cryptographic operation only when the
578
+ # encryption context in the operation request matches or includes a
579
+ # specified encryption context, use the `Constraints` parameter. For
580
+ # details, see GrantConstraints.
627
581
  #
628
582
  # To perform this operation on a CMK in a different AWS account, specify
629
583
  # the key ARN in the value of the `KeyId` parameter. For more
630
- # information about grants, see [Grants][1] in the *AWS Key Management
631
- # Service Developer Guide*.
584
+ # information about grants, see [Grants][1] in the <i> <i>AWS Key
585
+ # Management Service Developer Guide</i> </i>.
632
586
  #
633
587
  # The result of this operation varies with the key state of the CMK. For
634
588
  # details, see [How Key State Affects Use of a Customer Master Key][2]
@@ -636,8 +590,8 @@ module Aws::KMS
636
590
  #
637
591
  #
638
592
  #
639
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/grants.html
640
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
593
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
594
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
641
595
  #
642
596
  # @option params [required, String] :key_id
643
597
  # The unique identifier for the customer master key (CMK) that the grant
@@ -668,8 +622,8 @@ module Aws::KMS
668
622
  #
669
623
  #
670
624
  #
671
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
672
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
625
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
626
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
673
627
  #
674
628
  # @option params [String] :retiring_principal
675
629
  # The principal that is given permission to retire the grant by using
@@ -684,21 +638,22 @@ module Aws::KMS
684
638
  #
685
639
  #
686
640
  #
687
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
688
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
641
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
642
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
689
643
  #
690
644
  # @option params [required, Array<String>] :operations
691
645
  # A list of operations that the grant permits.
692
646
  #
693
647
  # @option params [Types::GrantConstraints] :constraints
694
- # A structure that you can use to allow certain operations in the grant
695
- # only when the desired encryption context is present. For more
696
- # information about encryption context, see [Encryption Context][1] in
697
- # the *AWS Key Management Service Developer Guide*.
648
+ # Allows a cryptographic operation only when the encryption context
649
+ # matches or includes the encryption context specified in this
650
+ # structure. For more information about encryption context, see
651
+ # [Encryption Context][1] in the <i> <i>AWS Key Management Service
652
+ # Developer Guide</i> </i>.
698
653
  #
699
654
  #
700
655
  #
701
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
656
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
702
657
  #
703
658
  # @option params [Array<String>] :grant_tokens
704
659
  # A list of grant tokens.
@@ -708,11 +663,12 @@ module Aws::KMS
708
663
  #
709
664
  #
710
665
  #
711
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
666
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
712
667
  #
713
668
  # @option params [String] :name
714
669
  # A friendly name for identifying the grant. Use this value to prevent
715
- # unintended creation of duplicate grants when retrying this request.
670
+ # the unintended creation of duplicate grants when retrying this
671
+ # request.
716
672
  #
717
673
  # When this value is absent, all `CreateGrant` requests result in a new
718
674
  # grant with a unique `GrantId` even if all the supplied parameters are
@@ -785,26 +741,21 @@ module Aws::KMS
785
741
  req.send_request(options)
786
742
  end
787
743
 
788
- # Creates a customer master key (CMK) in the caller's AWS account.
789
- #
790
- # You can use a CMK to encrypt small amounts of data (4 KiB or less)
791
- # directly, but CMKs are more commonly used to encrypt data keys, which
792
- # are used to encrypt raw data. For more information about data keys and
793
- # the difference between CMKs and data keys, see the following:
794
- #
795
- # * The GenerateDataKey operation
744
+ # Creates a customer managed [customer master key][1] (CMK) in your AWS
745
+ # account.
796
746
  #
797
- # * [AWS Key Management Service Concepts][1] in the *AWS Key Management
798
- # Service Developer Guide*
747
+ # You can use a CMK to encrypt small amounts of data (up to 4096 bytes)
748
+ # directly. But CMKs are more commonly used to encrypt the [data
749
+ # keys][2] that are used to encrypt data.
799
750
  #
800
- # If you plan to [import key material][2], use the `Origin` parameter
801
- # with a value of `EXTERNAL` to create a CMK with no key material.
751
+ # To create a CMK for imported key material, use the `Origin` parameter
752
+ # with a value of `EXTERNAL`.
802
753
  #
803
- # To create a CMK in a [custom key store][3], use `CustomKeyStoreId`
754
+ # To create a CMK in a [custom key store][3], use the `CustomKeyStoreId`
804
755
  # parameter to specify the custom key store. You must also use the
805
756
  # `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
806
757
  # cluster that is associated with the custom key store must have at
807
- # least two active HSMs, each in a different Availability Zone in the
758
+ # least two active HSMs in different Availability Zones in the AWS
808
759
  # Region.
809
760
  #
810
761
  # You cannot use this operation to create a CMK in a different AWS
@@ -812,9 +763,9 @@ module Aws::KMS
812
763
  #
813
764
  #
814
765
  #
815
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
816
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
817
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
766
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
767
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
768
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
818
769
  #
819
770
  # @option params [String] :policy
820
771
  # The key policy to attach to the CMK.
@@ -826,7 +777,8 @@ module Aws::KMS
826
777
  # request to make a subsequent PutKeyPolicy request on the CMK. This
827
778
  # reduces the risk that the CMK becomes unmanageable. For more
828
779
  # information, refer to the scenario in the [Default Key Policy][1]
829
- # section of the *AWS Key Management Service Developer Guide*.
780
+ # section of the <i> <i>AWS Key Management Service Developer Guide</i>
781
+ # </i>.
830
782
  #
831
783
  # * Each statement in the key policy must contain one or more
832
784
  # principals. The principals in the key policy must exist and be
@@ -845,9 +797,9 @@ module Aws::KMS
845
797
  #
846
798
  #
847
799
  #
848
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
849
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
850
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
800
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
801
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
802
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
851
803
  #
852
804
  # @option params [String] :description
853
805
  # A description of the CMK.
@@ -856,13 +808,13 @@ module Aws::KMS
856
808
  # for a task.
857
809
  #
858
810
  # @option params [String] :key_usage
859
- # The intended use of the CMK.
860
- #
861
- # You can use CMKs only for symmetric encryption and decryption.
811
+ # The cryptographic operations for which you can use the CMK. The only
812
+ # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
813
+ # encrypt and decrypt data.
862
814
  #
863
815
  # @option params [String] :origin
864
- # The source of the CMK's key material. You cannot change the origin
865
- # after you create the CMK.
816
+ # The source of the key material for the CMK. You cannot change the
817
+ # origin after you create the CMK.
866
818
  #
867
819
  # The default is `AWS_KMS`, which means AWS KMS creates the key material
868
820
  # in its own key store.
@@ -874,14 +826,14 @@ module Aws::KMS
874
826
  # Key Management Service Developer Guide*.
875
827
  #
876
828
  # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
877
- # a AWS KMS [custom key store][2] and creates its key material in the
829
+ # an AWS KMS [custom key store][2] and creates its key material in the
878
830
  # associated AWS CloudHSM cluster. You must also use the
879
831
  # `CustomKeyStoreId` parameter to identify the custom key store.
880
832
  #
881
833
  #
882
834
  #
883
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
884
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
835
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
836
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
885
837
  #
886
838
  # @option params [String] :custom_key_store_id
887
839
  # Creates the CMK in the specified [custom key store][1] and the key
@@ -897,14 +849,13 @@ module Aws::KMS
897
849
  # The response includes the custom key store ID and the ID of the AWS
898
850
  # CloudHSM cluster.
899
851
  #
900
- # This operation is part of the [Custom Key Store feature][2] feature in
852
+ # This operation is part of the [Custom Key Store feature][1] feature in
901
853
  # AWS KMS, which combines the convenience and extensive integration of
902
854
  # AWS KMS with the isolation and control of a single-tenant key store.
903
855
  #
904
856
  #
905
857
  #
906
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
907
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
858
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
908
859
  #
909
860
  # @option params [Boolean] :bypass_policy_lockout_safety_check
910
861
  # A flag to indicate whether to bypass the key policy lockout safety
@@ -914,8 +865,8 @@ module Aws::KMS
914
865
  # unmanageable. Do not set this value to true indiscriminately.
915
866
  #
916
867
  # For more information, refer to the scenario in the [Default Key
917
- # Policy][1] section in the *AWS Key Management Service Developer
918
- # Guide*.
868
+ # Policy][1] section in the <i> <i>AWS Key Management Service Developer
869
+ # Guide</i> </i>.
919
870
  #
920
871
  # Use this parameter only when you include a policy in the request and
921
872
  # you intend to prevent the principal that is making the request from
@@ -925,7 +876,7 @@ module Aws::KMS
925
876
  #
926
877
  #
927
878
  #
928
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
879
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
929
880
  #
930
881
  # @option params [Array<Types::Tag>] :tags
931
882
  # One or more tags. Each tag consists of a tag key and a tag value. Tag
@@ -1023,15 +974,14 @@ module Aws::KMS
1023
974
  #
1024
975
  # * Encrypt
1025
976
  #
1026
- # Note that if a caller has been granted access permissions to all keys
1027
- # (through, for example, IAM user policies that grant `Decrypt`
1028
- # permission on all resources), then ciphertext encrypted by using keys
1029
- # in other accounts where the key grants access to the caller can be
1030
- # decrypted. To remedy this, we recommend that you do not grant
1031
- # `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
1032
- # only in key policies. If you must grant `Decrypt` access in an IAM
1033
- # user policy, you should scope the resource to specific keys or to
1034
- # specific trusted accounts.
977
+ # Whenever possible, use key policies to give users permission to call
978
+ # the Decrypt operation on the CMK, instead of IAM policies. Otherwise,
979
+ # you might create an IAM user policy that gives the user Decrypt
980
+ # permission on all CMKs. This user could decrypt ciphertext that was
981
+ # encrypted by CMKs in other accounts if the key policy for the
982
+ # cross-account CMK permits it. If you must use an IAM policy for
983
+ # `Decrypt` permissions, limit the user to particular CMKs or particular
984
+ # trusted accounts.
1035
985
  #
1036
986
  # The result of this operation varies with the key state of the CMK. For
1037
987
  # details, see [How Key State Affects Use of a Customer Master Key][1]
@@ -1039,7 +989,7 @@ module Aws::KMS
1039
989
  #
1040
990
  #
1041
991
  #
1042
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
992
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1043
993
  #
1044
994
  # @option params [required, String, IO] :ciphertext_blob
1045
995
  # Ciphertext to be decrypted. The blob includes metadata.
@@ -1051,7 +1001,7 @@ module Aws::KMS
1051
1001
  #
1052
1002
  #
1053
1003
  #
1054
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1004
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1055
1005
  #
1056
1006
  # @option params [Array<String>] :grant_tokens
1057
1007
  # A list of grant tokens.
@@ -1061,7 +1011,7 @@ module Aws::KMS
1061
1011
  #
1062
1012
  #
1063
1013
  #
1064
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1014
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1065
1015
  #
1066
1016
  # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1067
1017
  #
@@ -1121,9 +1071,8 @@ module Aws::KMS
1121
1071
  # master key (CMK), call UpdateAlias.
1122
1072
  #
1123
1073
  # @option params [required, String] :alias_name
1124
- # The alias to be deleted. The name must start with the word "alias"
1125
- # followed by a forward slash (alias/). Aliases that begin with
1126
- # "alias/aws" are reserved.
1074
+ # The alias to be deleted. The alias name must begin with `alias/`
1075
+ # followed by the alias name, such as `alias/ExampleAlias`.
1127
1076
  #
1128
1077
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1129
1078
  #
@@ -1179,16 +1128,15 @@ module Aws::KMS
1179
1128
  # If the operation succeeds, it returns a JSON object with no
1180
1129
  # properties.
1181
1130
  #
1182
- # This operation is part of the [Custom Key Store feature][4] feature in
1131
+ # This operation is part of the [Custom Key Store feature][1] feature in
1183
1132
  # AWS KMS, which combines the convenience and extensive integration of
1184
1133
  # AWS KMS with the isolation and control of a single-tenant key store.
1185
1134
  #
1186
1135
  #
1187
1136
  #
1188
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1189
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1190
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
1191
- # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1137
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1138
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1139
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
1192
1140
  #
1193
1141
  # @option params [required, String] :custom_key_store_id
1194
1142
  # Enter the ID of the custom key store you want to delete. To find the
@@ -1230,12 +1178,12 @@ module Aws::KMS
1230
1178
  #
1231
1179
  #
1232
1180
  #
1233
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1234
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1181
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1182
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1235
1183
  #
1236
1184
  # @option params [required, String] :key_id
1237
- # The identifier of the CMK whose key material to delete. The CMK's
1238
- # `Origin` must be `EXTERNAL`.
1185
+ # Identifies the CMK from which you are deleting imported key material.
1186
+ # The `Origin` of the CMK must be `EXTERNAL`.
1239
1187
  #
1240
1188
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1241
1189
  #
@@ -1277,7 +1225,7 @@ module Aws::KMS
1277
1225
  # Gets information about [custom key stores][1] in the account and
1278
1226
  # region.
1279
1227
  #
1280
- # This operation is part of the [Custom Key Store feature][2] feature in
1228
+ # This operation is part of the [Custom Key Store feature][1] feature in
1281
1229
  # AWS KMS, which combines the convenience and extensive integration of
1282
1230
  # AWS KMS with the isolation and control of a single-tenant key store.
1283
1231
  #
@@ -1301,14 +1249,13 @@ module Aws::KMS
1301
1249
  # number of HSMs required for the operation, if any.
1302
1250
  #
1303
1251
  # For help repairing your custom key store, see the [Troubleshooting
1304
- # Custom Key Stores][3] topic in the *AWS Key Management Service
1252
+ # Custom Key Stores][2] topic in the *AWS Key Management Service
1305
1253
  # Developer Guide*.
1306
1254
  #
1307
1255
  #
1308
1256
  #
1309
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1310
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1311
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html
1257
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1258
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
1312
1259
  #
1313
1260
  # @option params [String] :custom_key_store_id
1314
1261
  # Gets only information about the specified custom key store. Enter the
@@ -1361,7 +1308,7 @@ module Aws::KMS
1361
1308
  # resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
1362
1309
  # resp.custom_key_stores[0].trust_anchor_certificate #=> String
1363
1310
  # resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
1364
- # resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
1311
+ # resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
1365
1312
  # resp.custom_key_stores[0].creation_date #=> Time
1366
1313
  # resp.next_marker #=> String
1367
1314
  # resp.truncated #=> Boolean
@@ -1378,16 +1325,17 @@ module Aws::KMS
1378
1325
  # Provides detailed information about the specified customer master key
1379
1326
  # (CMK).
1380
1327
  #
1381
- # If you use `DescribeKey` on a predefined AWS alias, that is, an AWS
1382
- # alias with no key ID, AWS KMS associates the alias with an [AWS
1383
- # managed CMK][1] and returns its `KeyId` and `Arn` in the response.
1328
+ # You can use `DescribeKey` on a predefined AWS alias, that is, an AWS
1329
+ # alias with no key ID. When you do, AWS KMS associates the alias with
1330
+ # an [AWS managed CMK][1] and returns its `KeyId` and `Arn` in the
1331
+ # response.
1384
1332
  #
1385
1333
  # To perform this operation on a CMK in a different AWS account, specify
1386
1334
  # the key ARN or alias ARN in the value of the KeyId parameter.
1387
1335
  #
1388
1336
  #
1389
1337
  #
1390
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1338
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1391
1339
  #
1392
1340
  # @option params [required, String] :key_id
1393
1341
  # Describes the specified customer master key (CMK).
@@ -1398,7 +1346,7 @@ module Aws::KMS
1398
1346
  #
1399
1347
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1400
1348
  # name, or alias ARN. When using an alias name, prefix it with
1401
- # "alias/". To specify a CMK in a different AWS account, you must use
1349
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
1402
1350
  # the key ARN or alias ARN.
1403
1351
  #
1404
1352
  # For example:
@@ -1417,7 +1365,7 @@ module Aws::KMS
1417
1365
  #
1418
1366
  #
1419
1367
  #
1420
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1368
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1421
1369
  #
1422
1370
  # @option params [Array<String>] :grant_tokens
1423
1371
  # A list of grant tokens.
@@ -1427,7 +1375,7 @@ module Aws::KMS
1427
1375
  #
1428
1376
  #
1429
1377
  #
1430
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1378
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1431
1379
  #
1432
1380
  # @return [Types::DescribeKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1433
1381
  #
@@ -1497,8 +1445,8 @@ module Aws::KMS
1497
1445
  # this operation on a CMK in a different AWS account.
1498
1446
  #
1499
1447
  # For more information about how key state affects the use of a CMK, see
1500
- # [How Key State Affects the Use of a Customer Master Key][1] in the
1501
- # *AWS Key Management Service Developer Guide*.
1448
+ # [How Key State Affects the Use of a Customer Master Key][1] in the <i>
1449
+ # <i>AWS Key Management Service Developer Guide</i> </i>.
1502
1450
  #
1503
1451
  # The result of this operation varies with the key state of the CMK. For
1504
1452
  # details, see [How Key State Affects Use of a Customer Master Key][1]
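Review bot: The replacement text wraps the guide title in two nested italic elements (`<i> <i>AWS Key Management Service Developer Guide</i> </i>`), where the removed lines and other comments on this page use Markdown emphasis; depending on the doc renderer the tags may be shown literally. Keeping the earlier form avoids that: `# [How Key State Affects the Use of a Customer Master Key][1] in the` followed by `# *AWS Key Management Service Developer Guide*.` The same nested markup is introduced in the GenerateDataKey description hunk (`@@ -1889,54 +1834,60 @@`). If this file is generated, the correction belongs in the generator input rather than in this file.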
@@ -1506,7 +1454,7 @@ module Aws::KMS
1506
1454
  #
1507
1455
  #
1508
1456
  #
1509
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1457
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1510
1458
  #
1511
1459
  # @option params [required, String] :key_id
1512
1460
  # A unique identifier for the customer master key (CMK).
@@ -1558,8 +1506,8 @@ module Aws::KMS
1558
1506
  #
1559
1507
  #
1560
1508
  #
1561
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
1562
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1509
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
1510
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1563
1511
  #
1564
1512
  # @option params [required, String] :key_id
1565
1513
  # A unique identifier for the customer master key (CMK).
@@ -1623,14 +1571,13 @@ module Aws::KMS
1623
1571
  # If the operation succeeds, it returns a JSON object with no
1624
1572
  # properties.
1625
1573
  #
1626
- # This operation is part of the [Custom Key Store feature][2] feature in
1574
+ # This operation is part of the [Custom Key Store feature][1] feature in
1627
1575
  # AWS KMS, which combines the convenience and extensive integration of
1628
1576
  # AWS KMS with the isolation and control of a single-tenant key store.
1629
1577
  #
1630
1578
  #
1631
1579
  #
1632
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1633
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1580
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1634
1581
  #
1635
1582
  # @option params [required, String] :custom_key_store_id
1636
1583
  # Enter the ID of the custom key store you want to disconnect. To find
@@ -1664,7 +1611,7 @@ module Aws::KMS
1664
1611
  #
1665
1612
  #
1666
1613
  #
1667
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1614
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1668
1615
  #
1669
1616
  # @option params [required, String] :key_id
1670
1617
  # A unique identifier for the customer master key (CMK).
@@ -1719,9 +1666,9 @@ module Aws::KMS
1719
1666
  #
1720
1667
  #
1721
1668
  #
1722
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
1723
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1724
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1669
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
1670
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1671
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1725
1672
  #
1726
1673
  # @option params [required, String] :key_id
1727
1674
  # A unique identifier for the customer master key (CMK).
@@ -1770,40 +1717,38 @@ module Aws::KMS
1770
1717
  # such as an RSA key, a database password, or other sensitive
1771
1718
  # information.
1772
1719
  #
1773
- # * To move encrypted data from one AWS region to another, you can use
1774
- # this operation to encrypt in the new region the plaintext data key
1775
- # that was used to encrypt the data in the original region. This
1776
- # provides you with an encrypted copy of the data key that can be
1777
- # decrypted in the new region and used there to decrypt the encrypted
1778
- # data.
1720
+ # * You can use the `Encrypt` operation to move encrypted data from one
1721
+ # AWS region to another. In the first region, generate a data key and
1722
+ # use the plaintext key to encrypt the data. Then, in the new region,
1723
+ # call the `Encrypt` method on same plaintext data key. Now, you can
1724
+ # safely move the encrypted data and encrypted data key to the new
1725
+ # region, and decrypt in the new region when necessary.
1779
1726
  #
1780
- # To perform this operation on a CMK in a different AWS account, specify
1781
- # the key ARN or alias ARN in the value of the KeyId parameter.
1782
- #
1783
- # Unless you are moving encrypted data from one region to another, you
1784
- # don't use this operation to encrypt a generated data key within a
1785
- # region. To get data keys that are already encrypted, call the
1786
- # GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. Data
1787
- # keys don't need to be encrypted again by calling `Encrypt`.
1727
+ # You don't need use this operation to encrypt a data key within a
1728
+ # region. The GenerateDataKey and GenerateDataKeyWithoutPlaintext
1729
+ # operations return an encrypted data key.
1788
1730
  #
1789
- # To encrypt data locally in your application, use the GenerateDataKey
1790
- # operation to return a plaintext data encryption key and a copy of the
1791
- # key encrypted under the CMK of your choosing.
1731
+ # Also, you don't need to use this operation to encrypt data in your
1732
+ # application. You can use the plaintext and encrypted data keys that
1733
+ # the `GenerateDataKey` operation returns.
1792
1734
  #
1793
1735
  # The result of this operation varies with the key state of the CMK. For
1794
1736
  # details, see [How Key State Affects Use of a Customer Master Key][1]
1795
1737
  # in the *AWS Key Management Service Developer Guide*.
1796
1738
  #
1739
+ # To perform this operation on a CMK in a different AWS account, specify
1740
+ # the key ARN or alias ARN in the value of the KeyId parameter.
1741
+ #
1797
1742
  #
1798
1743
  #
1799
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1744
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1800
1745
  #
1801
1746
  # @option params [required, String] :key_id
1802
1747
  # A unique identifier for the customer master key (CMK).
1803
1748
  #
1804
1749
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1805
1750
  # name, or alias ARN. When using an alias name, prefix it with
1806
- # "alias/". To specify a CMK in a different AWS account, you must use
1751
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
1807
1752
  # the key ARN or alias ARN.
1808
1753
  #
1809
1754
  # For example:
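Review bot: The new cross-region bullet has the caller hold the plaintext data key while calling Encrypt in the second region, but it never says to discard that key afterwards and calls the move safe without saying what makes it so; the GenerateDataKey guidance on this page does include the erase step. I would extend the bullet's last sentence with `# Erase the plaintext data key from memory after the second Encrypt call.` Two wording slips in the same hunk are worth fixing at the same time: "on same plaintext data key" lacks "the", and "You don't need use this operation" lacks "to". The comment block starts above the hunk and the method it documents lies outside it.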
@@ -1831,7 +1776,7 @@ module Aws::KMS
1831
1776
  #
1832
1777
  #
1833
1778
  #
1834
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1779
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1835
1780
  #
1836
1781
  # @option params [Array<String>] :grant_tokens
1837
1782
  # A list of grant tokens.
@@ -1841,7 +1786,7 @@ module Aws::KMS
1841
1786
  #
1842
1787
  #
1843
1788
  #
1844
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1789
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1845
1790
  #
1846
1791
  # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1847
1792
  #
@@ -1855,12 +1800,12 @@ module Aws::KMS
1855
1800
  #
1856
1801
  # resp = client.encrypt({
1857
1802
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the CMK to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the CMK, or the name or ARN of an alias that refers to the CMK.
1858
- # plaintext: "data", # The data to encrypt.
1803
+ # plaintext: "<binary data>", # The data to encrypt.
1859
1804
  # })
1860
1805
  #
1861
1806
  # resp.to_h outputs the following:
1862
1807
  # {
1863
- # ciphertext_blob: "encrypted data", # The encrypted data (ciphertext).
1808
+ # ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
1864
1809
  # key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to encrypt the data.
1865
1810
  # }
1866
1811
  #
@@ -1889,54 +1834,60 @@ module Aws::KMS
1889
1834
  req.send_request(options)
1890
1835
  end
1891
1836
 
1892
- # Returns a data encryption key that you can use in your application to
1893
- # encrypt data locally.
1894
- #
1895
- # You must specify the customer master key (CMK) under which to generate
1896
- # the data key. You must also specify the length of the data key using
1897
- # either the `KeySpec` or `NumberOfBytes` field. You must specify one
1898
- # field or the other, but not both. For common key lengths (128-bit and
1899
- # 256-bit symmetric keys), we recommend that you use `KeySpec`. To
1837
+ # Generates a unique data key. This operation returns a plaintext copy
1838
+ # of the data key and a copy that is encrypted under a customer master
1839
+ # key (CMK) that you specify. You can use the plaintext key to encrypt
1840
+ # your data outside of KMS and store the encrypted data key with the
1841
+ # encrypted data.
1842
+ #
1843
+ # `GenerateDataKey` returns a unique data key for each request. The
1844
+ # bytes in the key are not related to the caller or CMK that is used to
1845
+ # encrypt the data key.
1846
+ #
1847
+ # To generate a data key, you need to specify the customer master key
1848
+ # (CMK) that will be used to encrypt the data key. You must also specify
1849
+ # the length of the data key using either the `KeySpec` or
1850
+ # `NumberOfBytes` field (but not both). For common key lengths (128-bit
1851
+ # and 256-bit symmetric keys), we recommend that you use `KeySpec`. To
1900
1852
  # perform this operation on a CMK in a different AWS account, specify
1901
1853
  # the key ARN or alias ARN in the value of the KeyId parameter.
1902
1854
  #
1903
- # This operation returns a plaintext copy of the data key in the
1904
- # `Plaintext` field of the response, and an encrypted copy of the data
1905
- # key in the `CiphertextBlob` field. The data key is encrypted under the
1906
- # CMK specified in the `KeyId` field of the request.
1855
+ # You will find the plaintext copy of the data key in the `Plaintext`
1856
+ # field of the response, and the encrypted copy of the data key in the
1857
+ # `CiphertextBlob` field.
1907
1858
  #
1908
1859
  # We recommend that you use the following pattern to encrypt data
1909
1860
  # locally in your application:
1910
1861
  #
1911
- # 1. Use this operation (`GenerateDataKey`) to get a data encryption
1912
- # key.
1862
+ # 1. Use the `GenerateDataKey` operation to get a data encryption key.
1913
1863
  #
1914
- # 2. Use the plaintext data encryption key (returned in the `Plaintext`
1915
- # field of the response) to encrypt data locally, then erase the
1916
- # plaintext data key from memory.
1864
+ # 2. Use the plaintext data key (returned in the `Plaintext` field of
1865
+ # the response) to encrypt data locally, then erase the plaintext
1866
+ # data key from memory.
1917
1867
  #
1918
1868
  # 3. Store the encrypted data key (returned in the `CiphertextBlob`
1919
1869
  # field of the response) alongside the locally encrypted data.
1920
1870
  #
1921
1871
  # To decrypt data locally:
1922
1872
  #
1923
- # 1. Use the Decrypt operation to decrypt the encrypted data key into a
1924
- # plaintext copy of the data key.
1873
+ # 1. Use the Decrypt operation to decrypt the encrypted data key. The
1874
+ # operation returns a plaintext copy of the data key.
1925
1875
  #
1926
1876
  # 2. Use the plaintext data key to decrypt data locally, then erase the
1927
1877
  # plaintext data key from memory.
1928
1878
  #
1929
- # To return only an encrypted copy of the data key, use
1930
- # GenerateDataKeyWithoutPlaintext. To return a random byte string that
1931
- # is cryptographically secure, use GenerateRandom.
1879
+ # To get only an encrypted copy of the data key, use
1880
+ # GenerateDataKeyWithoutPlaintext. To get a cryptographically secure
1881
+ # random byte string, use GenerateRandom.
1932
1882
  #
1933
- # If you use the optional `EncryptionContext` field, you must store at
1934
- # least enough information to be able to reconstruct the full encryption
1935
- # context when you later send the ciphertext to the Decrypt operation.
1936
- # It is a good practice to choose an encryption context that you can
1937
- # reconstruct on the fly to better secure the ciphertext. For more
1938
- # information, see [Encryption Context][1] in the *AWS Key Management
1939
- # Service Developer Guide*.
1883
+ # You can use the optional encryption context to add additional security
1884
+ # to your encryption operation. When you specify an `EncryptionContext`
1885
+ # in the `GenerateDataKey` operation, you must specify the same
1886
+ # encryption context (a case-sensitive exact match) in your request to
1887
+ # Decrypt the data key. Otherwise, the request to decrypt fails with an
1888
+ # `InvalidCiphertextException`. For more information, see [Encryption
1889
+ # Context][1] in the <i> <i>AWS Key Management Service Developer
1890
+ # Guide</i> </i>.
1940
1891
  #
1941
1892
  # The result of this operation varies with the key state of the CMK. For
1942
1893
  # details, see [How Key State Affects Use of a Customer Master Key][2]
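Review bot: The new encryption-context paragraph presents the context as added security but does not say that the context itself is not secret: it is bound to the ciphertext as authenticated data, not encrypted, and it appears in plaintext in AWS CloudTrail logs. A sentence such as `# The encryption context is not secret; do not put sensitive values in it.` after the `InvalidCiphertextException` sentence would keep readers from storing confidential values there. The paragraph also dropped the earlier advice to keep enough information to rebuild the context at decrypt time, which the exact-match requirement makes more important, not less. The hunk opens with the tail of the previous method, and the method this comment documents is outside it.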
@@ -1944,16 +1895,15 @@ module Aws::KMS
1944
1895
  #
1945
1896
  #
1946
1897
  #
1947
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1948
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1898
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1899
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1949
1900
  #
1950
1901
  # @option params [required, String] :key_id
1951
- # The identifier of the CMK under which to generate and encrypt the data
1952
- # encryption key.
1902
+ # An identifier for the CMK that encrypts the data key.
1953
1903
  #
1954
1904
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1955
1905
  # name, or alias ARN. When using an alias name, prefix it with
1956
- # "alias/". To specify a CMK in a different AWS account, you must use
1906
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
1957
1907
  # the key ARN or alias ARN.
1958
1908
  #
1959
1909
  # For example:
@@ -1979,18 +1929,17 @@ module Aws::KMS
1979
1929
  #
1980
1930
  #
1981
1931
  #
1982
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1932
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1983
1933
  #
1984
1934
  # @option params [Integer] :number_of_bytes
1985
- # The length of the data encryption key in bytes. For example, use the
1986
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1987
- # common key lengths (128-bit and 256-bit symmetric keys), we recommend
1988
- # that you use the `KeySpec` field instead of this one.
1935
+ # The length of the data key in bytes. For example, use the value 64 to
1936
+ # generate a 512-bit data key (64 bytes is 512 bits). For common key
1937
+ # lengths (128-bit and 256-bit symmetric keys), we recommend that you
1938
+ # use the `KeySpec` field instead of this one.
1989
1939
  #
1990
1940
  # @option params [String] :key_spec
1991
- # The length of the data encryption key. Use `AES_128` to generate a
1992
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1993
- # key.
1941
+ # The length of the data key. Use `AES_128` to generate a 128-bit
1942
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1994
1943
  #
1995
1944
  # @option params [Array<String>] :grant_tokens
1996
1945
  # A list of grant tokens.
@@ -2000,7 +1949,7 @@ module Aws::KMS
2000
1949
  #
2001
1950
  #
2002
1951
  #
2003
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1952
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2004
1953
  #
2005
1954
  # @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2006
1955
  #
@@ -2053,26 +2002,28 @@ module Aws::KMS
2053
2002
  req.send_request(options)
2054
2003
  end
2055
2004
 
2056
- # Returns a data encryption key encrypted under a customer master key
2057
- # (CMK). This operation is identical to GenerateDataKey but returns only
2058
- # the encrypted copy of the data key.
2059
- #
2060
- # To perform this operation on a CMK in a different AWS account, specify
2061
- # the key ARN or alias ARN in the value of the KeyId parameter.
2062
- #
2063
- # This operation is useful in a system that has multiple components with
2064
- # different degrees of trust. For example, consider a system that stores
2065
- # encrypted data in containers. Each container stores the encrypted data
2066
- # and an encrypted copy of the data key. One component of the system,
2067
- # called the *control plane*, creates new containers. When it creates a
2068
- # new container, it uses this operation
2069
- # (`GenerateDataKeyWithoutPlaintext`) to get an encrypted data key and
2070
- # then stores it in the container. Later, a different component of the
2071
- # system, called the *data plane*, puts encrypted data into the
2072
- # containers. To do this, it passes the encrypted data key to the
2073
- # Decrypt operation, then uses the returned plaintext data key to
2074
- # encrypt data, and finally stores the encrypted data in the container.
2075
- # In this system, the control plane never sees the plaintext data key.
2005
+ # Generates a unique data key. This operation returns a data key that is
2006
+ # encrypted under a customer master key (CMK) that you specify.
2007
+ # `GenerateDataKeyWithoutPlaintext` is identical to GenerateDataKey
2008
+ # except that returns only the encrypted copy of the data key.
2009
+ #
2010
+ # Like `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext` returns a
2011
+ # unique data key for each request. The bytes in the key are not related
2012
+ # to the caller or CMK that is used to encrypt the data key.
2013
+ #
2014
+ # This operation is useful for systems that need to encrypt data at some
2015
+ # point, but not immediately. When you need to encrypt the data, you
2016
+ # call the Decrypt operation on the encrypted copy of the key.
2017
+ #
2018
+ # It's also useful in distributed systems with different levels of
2019
+ # trust. For example, you might store encrypted data in containers. One
2020
+ # component of your system creates new containers and stores an
2021
+ # encrypted data key with each container. Then, a different component
2022
+ # puts the data into the containers. That component first decrypts the
2023
+ # data key, uses the plaintext data key to encrypt data, puts the
2024
+ # encrypted data into the container, and then destroys the plaintext
2025
+ # data key. In this system, the component that creates the containers
2026
+ # never sees the plaintext data key.
2076
2027
  #
2077
2028
  # The result of this operation varies with the key state of the CMK. For
2078
2029
  # details, see [How Key State Affects Use of a Customer Master Key][1]
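Review bot: The first paragraph now reads "except that returns only the encrypted copy of the data key", which is missing its subject; `# except that it returns only the encrypted copy of the data key.` fixes it. The rewrite also removed the cross-account sentence (specify the key ARN or alias ARN in `KeyId`) that the Encrypt and GenerateDataKey descriptions on this page keep, so the three operation descriptions no longer agree; restoring it here would keep them parallel. The method this comment documents is outside the hunk.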
@@ -2080,15 +2031,15 @@ module Aws::KMS
2080
2031
  #
2081
2032
  #
2082
2033
  #
2083
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2034
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2084
2035
  #
2085
2036
  # @option params [required, String] :key_id
2086
- # The identifier of the customer master key (CMK) under which to
2087
- # generate and encrypt the data encryption key.
2037
+ # The identifier of the customer master key (CMK) that encrypts the data
2038
+ # key.
2088
2039
  #
2089
2040
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2090
2041
  # name, or alias ARN. When using an alias name, prefix it with
2091
- # "alias/". To specify a CMK in a different AWS account, you must use
2042
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
2092
2043
  # the key ARN or alias ARN.
2093
2044
  #
2094
2045
  # For example:
@@ -2114,18 +2065,17 @@ module Aws::KMS
2114
2065
  #
2115
2066
  #
2116
2067
  #
2117
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
2068
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2118
2069
  #
2119
2070
  # @option params [String] :key_spec
2120
- # The length of the data encryption key. Use `AES_128` to generate a
2121
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
2122
- # key.
2071
+ # The length of the data key. Use `AES_128` to generate a 128-bit
2072
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
2123
2073
  #
2124
2074
  # @option params [Integer] :number_of_bytes
2125
- # The length of the data encryption key in bytes. For example, use the
2126
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
2127
- # common key lengths (128-bit and 256-bit symmetric keys), we recommend
2128
- # that you use the `KeySpec` field instead of this one.
2075
+ # The length of the data key in bytes. For example, use the value 64 to
2076
+ # generate a 512-bit data key (64 bytes is 512 bits). For common key
2077
+ # lengths (128-bit and 256-bit symmetric keys), we recommend that you
2078
+ # use the `KeySpec` field instead of this one.
2129
2079
  #
2130
2080
  # @option params [Array<String>] :grant_tokens
2131
2081
  # A list of grant tokens.
@@ -2135,7 +2085,7 @@ module Aws::KMS
2135
2085
  #
2136
2086
  #
2137
2087
  #
2138
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2088
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2139
2089
  #
2140
2090
  # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2141
2091
  #
@@ -2197,7 +2147,7 @@ module Aws::KMS
2197
2147
  #
2198
2148
  #
2199
2149
  #
2200
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2150
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2201
2151
  # [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
2202
2152
  #
2203
2153
  # @option params [Integer] :number_of_bytes
@@ -2210,7 +2160,7 @@ module Aws::KMS
2210
2160
  #
2211
2161
  #
2212
2162
  #
2213
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2163
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2214
2164
  #
2215
2165
  # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2216
2166
  #
@@ -2332,8 +2282,8 @@ module Aws::KMS
2332
2282
  #
2333
2283
  #
2334
2284
  #
2335
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2336
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2285
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2286
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2337
2287
  #
2338
2288
  # @option params [required, String] :key_id
2339
2289
  # A unique identifier for the customer master key (CMK).
@@ -2413,8 +2363,8 @@ module Aws::KMS
2413
2363
  #
2414
2364
  #
2415
2365
  #
2416
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2417
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2366
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2367
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2418
2368
  #
2419
2369
  # @option params [required, String] :key_id
2420
2370
  # The identifier of the CMK into which you will import key material. The
@@ -2439,7 +2389,7 @@ module Aws::KMS
2439
2389
  #
2440
2390
  #
2441
2391
  #
2442
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
2392
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
2443
2393
  #
2444
2394
  # @option params [required, String] :wrapping_key_spec
2445
2395
  # The type of wrapping key (public key) to return in the response. Only
@@ -2542,8 +2492,8 @@ module Aws::KMS
2542
2492
  #
2543
2493
  #
2544
2494
  #
2545
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2546
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2495
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2496
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2547
2497
  #
2548
2498
  # @option params [required, String] :key_id
2549
2499
  # The identifier of the CMK to import the key material into. The CMK's
@@ -2617,23 +2567,29 @@ module Aws::KMS
2617
2567
  req.send_request(options)
2618
2568
  end
2619
2569
 
2620
- # Gets a list of all aliases in the caller's AWS account and region.
2621
- # You cannot list aliases in other accounts. For more information about
2570
+ # Gets a list of aliases in the caller's AWS account and region. You
2571
+ # cannot list aliases in other accounts. For more information about
2622
2572
  # aliases, see CreateAlias.
2623
2573
  #
2624
- # By default, the `ListAliases` command returns all aliases in the
2625
- # account and region. To get only the aliases that point to a particular
2574
+ # By default, the ListAliases command returns all aliases in the account
2575
+ # and region. To get only the aliases that point to a particular
2626
2576
  # customer master key (CMK), use the `KeyId` parameter.
2627
2577
  #
2628
- # The `ListAliases` response might include several aliases have no
2629
- # `TargetKeyId` field. These are predefined aliases that AWS has created
2630
- # but has not yet associated with a CMK. Aliases that AWS creates in
2631
- # your account, including predefined aliases, do not count against your
2632
- # [AWS KMS aliases limit][1].
2578
+ # The `ListAliases` response can include aliases that you created and
2579
+ # associated with your customer managed CMKs, and aliases that AWS
2580
+ # created and associated with AWS managed CMKs in your account. You can
2581
+ # recognize AWS aliases because their names have the format
2582
+ # `aws/<service-name>`, such as `aws/dynamodb`.
2633
2583
  #
2584
+ # The response might also include aliases that have no `TargetKeyId`
2585
+ # field. These are predefined aliases that AWS has created but has not
2586
+ # yet associated with a CMK. Aliases that AWS creates in your account,
2587
+ # including predefined aliases, do not count against your [AWS KMS
2588
+ # aliases limit][1].
2634
2589
  #
2635
2590
  #
2636
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
2591
+ #
2592
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
2637
2593
  #
2638
2594
  # @option params [String] :key_id
2639
2595
  # Lists only aliases that refer to the specified CMK. The value of this
@@ -2915,7 +2871,7 @@ module Aws::KMS
2915
2871
  # and 1000, inclusive. If you do not include a value, it defaults to
2916
2872
  # 100.
2917
2873
  #
2918
- # Currently only 1 policy can be attached to a key.
2874
+ # Only one policy can be attached to a key.
2919
2875
  #
2920
2876
  # @option params [String] :marker
2921
2877
  # Use this parameter in a subsequent request after you receive a
@@ -3184,8 +3140,8 @@ module Aws::KMS
3184
3140
  #
3185
3141
  #
3186
3142
  #
3187
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
3188
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
3143
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
3144
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
3189
3145
  #
3190
3146
  # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3191
3147
  #
@@ -3265,7 +3221,7 @@ module Aws::KMS
3265
3221
  #
3266
3222
  #
3267
3223
  #
3268
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
3224
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
3269
3225
  #
3270
3226
  # @option params [required, String] :key_id
3271
3227
  # A unique identifier for the customer master key (CMK).
@@ -3309,8 +3265,8 @@ module Aws::KMS
3309
3265
  #
3310
3266
  #
3311
3267
  #
3312
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
3313
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
3268
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
3269
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
3314
3270
  #
3315
3271
  # @option params [Boolean] :bypass_policy_lockout_safety_check
3316
3272
  # A flag to indicate whether to bypass the key policy lockout safety
@@ -3331,7 +3287,7 @@ module Aws::KMS
3331
3287
  #
3332
3288
  #
3333
3289
  #
3334
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
3290
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
3335
3291
  #
3336
3292
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3337
3293
  #
@@ -3376,7 +3332,7 @@ module Aws::KMS
3376
3332
  # destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
3377
3333
  # permission in your [key policies][1] to permit reencryption from or to
3378
3334
  # the CMK. This permission is automatically included in the key policy
3379
- # when you create a CMK through the console, but you must include it
3335
+ # when you create a CMK through the console. But you must include it
3380
3336
  # manually when you create a CMK programmatically or when you set a key
3381
3337
  # policy with the PutKeyPolicy operation.
3382
3338
  #
@@ -3386,8 +3342,8 @@ module Aws::KMS
3386
3342
  #
3387
3343
  #
3388
3344
  #
3389
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
3390
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3345
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
3346
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3391
3347
  #
3392
3348
  # @option params [required, String, IO] :ciphertext_blob
3393
3349
  # Ciphertext of the data to reencrypt.
@@ -3401,7 +3357,7 @@ module Aws::KMS
3401
3357
  #
3402
3358
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3403
3359
  # name, or alias ARN. When using an alias name, prefix it with
3404
- # "alias/". To specify a CMK in a different AWS account, you must use
3360
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
3405
3361
  # the key ARN or alias ARN.
3406
3362
  #
3407
3363
  # For example:
@@ -3429,7 +3385,7 @@ module Aws::KMS
3429
3385
  #
3430
3386
  #
3431
3387
  #
3432
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
3388
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
3433
3389
  #
3434
3390
  # @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3435
3391
  #
@@ -3635,10 +3591,10 @@ module Aws::KMS
3635
3591
  #
3636
3592
  #
3637
3593
  #
3638
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
3639
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
3640
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
3641
- # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3594
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3595
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
3596
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
3597
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3642
3598
  #
3643
3599
  # @option params [required, String] :key_id
3644
3600
  # The unique identifier of the customer master key (CMK) to delete.
@@ -3723,8 +3679,8 @@ module Aws::KMS
3723
3679
  #
3724
3680
  #
3725
3681
  #
3726
- # [1]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
3727
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3682
+ # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
3683
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3728
3684
  #
3729
3685
  # @option params [required, String] :key_id
3730
3686
  # A unique identifier for the CMK you are tagging.
@@ -3794,7 +3750,7 @@ module Aws::KMS
3794
3750
  #
3795
3751
  #
3796
3752
  #
3797
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3753
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3798
3754
  #
3799
3755
  # @option params [required, String] :key_id
3800
3756
  # A unique identifier for the CMK from which you are removing tags.
@@ -3859,30 +3815,29 @@ module Aws::KMS
3859
3815
  # To get the aliases of all CMKs in the account, use the ListAliases
3860
3816
  # operation.
3861
3817
  #
3862
- # An alias name can contain only alphanumeric characters, forward
3863
- # slashes (/), underscores (\_), and dashes (-). An alias must start
3864
- # with the word `alias` followed by a forward slash (`alias/`). The
3865
- # alias name can contain only alphanumeric characters, forward slashes
3866
- # (/), underscores (\_), and dashes (-). Alias names cannot begin with
3867
- # `aws`; that alias name prefix is reserved by Amazon Web Services
3868
- # (AWS).
3818
+ # The alias name must begin with `alias/` followed by a name, such as
3819
+ # `alias/ExampleAlias`. It can contain only alphanumeric characters,
3820
+ # forward slashes (/), underscores (\_), and dashes (-). The alias name
3821
+ # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
3822
+ # for [AWS managed CMKs][1].
3869
3823
  #
3870
3824
  # The result of this operation varies with the key state of the CMK. For
3871
- # details, see [How Key State Affects Use of a Customer Master Key][1]
3825
+ # details, see [How Key State Affects Use of a Customer Master Key][2]
3872
3826
  # in the *AWS Key Management Service Developer Guide*.
3873
3827
  #
3874
3828
  #
3875
3829
  #
3876
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3830
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3831
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3877
3832
  #
3878
3833
  # @option params [required, String] :alias_name
3879
- # String that contains the name of the alias to be modified. The name
3880
- # must start with the word "alias" followed by a forward slash
3881
- # (alias/). Aliases that begin with "alias/aws" are reserved.
3834
+ # Specifies the name of the alias to change. This value must begin with
3835
+ # `alias/` followed by the alias name, such as `alias/ExampleAlias`.
3882
3836
  #
3883
3837
  # @option params [required, String] :target_key_id
3884
- # Unique identifier of the customer master key to be mapped to the
3885
- # alias.
3838
+ # Unique identifier of the customer master key (CMK) to be mapped to the
3839
+ # alias. When the update operation completes, the alias will point to
3840
+ # this CMK.
3886
3841
  #
3887
3842
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3888
3843
  #
@@ -3937,42 +3892,28 @@ module Aws::KMS
3937
3892
  # ConnectCustomKeyStore. To find the connection state of a custom key
3938
3893
  # store, use the DescribeCustomKeyStores operation.
3939
3894
  #
3940
- # Use the `NewCustomKeyStoreName` parameter to change the friendly name
3941
- # of the custom key store to the value that you specify.
3895
+ # Use the parameters of `UpdateCustomKeyStore` to edit your keystore
3896
+ # settings.
3942
3897
  #
3943
- # Use the `KeyStorePassword` parameter tell AWS KMS the current password
3944
- # of the [ `kmsuser` crypto user (CU)][1] in the associated AWS CloudHSM
3945
- # cluster. You can use this parameter to fix connection failures that
3946
- # occur when AWS KMS cannot log into the associated cluster because the
3947
- # `kmsuser` password has changed. This value does not change the
3948
- # password in the AWS CloudHSM cluster.
3898
+ # * Use the **NewCustomKeyStoreName** parameter to change the friendly
3899
+ # name of the custom key store to the value that you specify.
3949
3900
  #
3950
- # Use the `CloudHsmClusterId` parameter to associate the custom key
3951
- # store with a related AWS CloudHSM cluster, that is, a cluster that
3952
- # shares a backup history with the original cluster. You can use this
3953
- # parameter to repair a custom key store if its AWS CloudHSM cluster
3954
- # becomes corrupted or is deleted, or when you need to create or restore
3955
- # a cluster from a backup.
3956
3901
  #
3957
- # The cluster ID must identify a AWS CloudHSM cluster with the following
3958
- # requirements.
3959
3902
  #
3960
- # * The cluster must be active and be in the same AWS account and Region
3961
- # as the custom key store.
3903
+ # * Use the **KeyStorePassword** parameter tell AWS KMS the current
3904
+ # password of the [ `kmsuser` crypto user (CU)][1] in the associated
3905
+ # AWS CloudHSM cluster. You can use this parameter to [fix connection
3906
+ # failures][2] that occur when AWS KMS cannot log into the associated
3907
+ # cluster because the `kmsuser` password has changed. This value does
3908
+ # not change the password in the AWS CloudHSM cluster.
3962
3909
  #
3963
- # * The cluster must have the same cluster certificate as the original
3964
- # cluster. You cannot use this parameter to associate the custom key
3965
- # store with an unrelated cluster. To view the cluster certificate,
3966
- # use the AWS CloudHSM [DescribeClusters][2] operation. Clusters that
3967
- # share a backup history have the same cluster certificate.
3968
3910
  #
3969
- # * The cluster must be configured with subnets in at least two
3970
- # different Availability Zones in the Region. Because AWS CloudHSM is
3971
- # not supported in all Availability Zones, we recommend that the
3972
- # cluster have subnets in all Availability Zones in the Region.
3973
3911
  #
3974
- # * The cluster must contain at least two active HSMs, each in a
3975
- # different Availability Zone.
3912
+ # * Use the **CloudHsmClusterId** parameter to associate the custom key
3913
+ # store with a different, but related, AWS CloudHSM cluster. You can
3914
+ # use this parameter to repair a custom key store if its AWS CloudHSM
3915
+ # cluster becomes corrupted or is deleted, or when you need to create
3916
+ # or restore a cluster from a backup.
3976
3917
  #
3977
3918
  # If the operation succeeds, it returns a JSON object with no
3978
3919
  # properties.
@@ -3983,9 +3924,9 @@ module Aws::KMS
3983
3924
  #
3984
3925
  #
3985
3926
  #
3986
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
3987
- # [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
3988
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3927
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
3928
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password
3929
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3989
3930
  #
3990
3931
  # @option params [required, String] :custom_key_store_id
3991
3932
  # Identifies the custom key store that you want to update. Enter the ID
@@ -4009,17 +3950,18 @@ module Aws::KMS
4009
3950
  # Associates the custom key store with a related AWS CloudHSM cluster.
4010
3951
  #
4011
3952
  # Enter the cluster ID of the cluster that you used to create the custom
4012
- # key store or a cluster that shares a backup history with the original
4013
- # cluster. You cannot use this parameter to associate a custom key store
4014
- # with a different cluster.
4015
- #
4016
- # Clusters that share a backup history have the same cluster
4017
- # certificate. To view the cluster certificate of a cluster, use the
4018
- # [DescribeClusters][1] operation.
3953
+ # key store or a cluster that shares a backup history and has the same
3954
+ # cluster certificate as the original cluster. You cannot use this
3955
+ # parameter to associate a custom key store with an unrelated cluster.
3956
+ # In addition, the replacement cluster must [fulfill the
3957
+ # requirements][1] for a cluster associated with a custom key store. To
3958
+ # view the cluster certificate of a cluster, use the
3959
+ # [DescribeClusters][2] operation.
4019
3960
  #
4020
3961
  #
4021
3962
  #
4022
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
3963
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
3964
+ # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
4023
3965
  #
4024
3966
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
4025
3967
  #
@@ -4042,7 +3984,7 @@ module Aws::KMS
4042
3984
  end
4043
3985
 
4044
3986
  # Updates the description of a customer master key (CMK). To see the
4045
- # decription of a CMK, use DescribeKey.
3987
+ # description of a CMK, use DescribeKey.
4046
3988
  #
4047
3989
  # You cannot perform this operation on a CMK in a different AWS account.
4048
3990
  #
@@ -4052,7 +3994,7 @@ module Aws::KMS
4052
3994
  #
4053
3995
  #
4054
3996
  #
4055
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3997
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4056
3998
  #
4057
3999
  # @option params [required, String] :key_id
4058
4000
  # A unique identifier for the customer master key (CMK).
@@ -4112,7 +4054,7 @@ module Aws::KMS
4112
4054
  params: params,
4113
4055
  config: config)
4114
4056
  context[:gem_name] = 'aws-sdk-kms'
4115
- context[:gem_version] = '1.17.0'
4057
+ context[:gem_version] = '1.18.0'
4116
4058
  Seahorse::Client::Request.new(handlers, context)
4117
4059
  end
4118
4060