aws-sdk-kms 1.17.0 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fc41b4832991c95efd49cf2283689e5b29578b2f
-  data.tar.gz: ac62ac9bf8a9c1e42c1b32d201d1acd5308b9974
+  metadata.gz: 6d7886a2d0907579064ff4c772c981550ffed638
+  data.tar.gz: fe97d1ae078352eb41aaf173ae92d60f31ef3bf3
 SHA512:
-  metadata.gz: 9f03c2d36659109e5e6a54c6ba4e0f307b5f320710fc9f28174233a63246efa23b2a499163907244105b88ea5d35ca06d472b1d80e47ef8798ca44cd4b94214f
-  data.tar.gz: d49f15f7fd0832ff31e909db250e8337aa91f0ca671fc2553fb34ac410f04d310cb5c23c467076e402bfef8a1a863b38244151579678e1c683ec13df531fc88f
+  metadata.gz: 7438ac50bd95051232cd3dcbf6aadfa16c32a2d74bbcb98f09deb31d414833be82c530b91f207e9c5f7474c930c7babfe94d9a2823512461f1b6baf6c549a1ef
+  data.tar.gz: 48c118cdd2cc5fe290a90541a73ff57df94c1ee9ee2e546a91c0177dd273fff22826f6029cdc53f026c68e220963a2cf0b5887a25e576fe40c3a12f0acd48faf

data/lib/aws-sdk-kms.rb

@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-  GEM_VERSION = '1.17.0'
+  GEM_VERSION = '1.19.0'
 
 end

data/lib/aws-sdk-kms/client.rb

@@ -23,6 +23,7 @@ require 'aws-sdk-core/plugins/idempotency_token.rb'
 require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
 require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
+require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
 require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
 
@@ -55,6 +56,7 @@ module Aws::KMS
     add_plugin(Aws::Plugins::JsonvalueConverter)
     add_plugin(Aws::Plugins::ClientMetricsPlugin)
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
+    add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::SignatureV4)
     add_plugin(Aws::Plugins::Protocols::JsonRpc)
 
@@ -273,8 +275,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   The unique identifier for the customer master key (CMK) for which to
@@ -370,11 +372,11 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters
-    # [3]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm
-    # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
-    # [5]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
+    # [3]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the key store ID of the custom key store that you want to
@@ -398,9 +400,9 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Creates a display name for a customer master key (CMK). You can use an
-    # alias to identify a CMK in selected operations, such as Encrypt and
-    # GenerateDataKey.
+    # Creates a display name for a customer managed customer master key
+    # (CMK). You can use an alias to identify a CMK in selected operations,
+    # such as Encrypt and GenerateDataKey.
     #
     # Each CMK can have multiple aliases, but each alias points to only one
     # CMK. The alias name must be unique in the AWS account and region. To
@@ -412,11 +414,11 @@ module Aws::KMS
     # appear in the response from the DescribeKey operation. To get the
     # aliases of all CMKs, use the ListAliases operation.
     #
-    # An alias must start with the word `alias` followed by a forward slash
-    # (`alias/`). The alias name can contain only alphanumeric characters,
-    # forward slashes (/), underscores (\_), and dashes (-). Alias names
-    # cannot begin with `aws`; that alias name prefix is reserved by Amazon
-    # Web Services (AWS).
+    # The alias name must begin with `alias/` followed by a name, such as
+    # `alias/ExampleAlias`. It can contain only alphanumeric characters,
+    # forward slashes (/), underscores (\_), and dashes (-). The alias name
+    # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
+    # for [AWS managed CMKs][1].
     #
     # The alias and the CMK it is mapped to must be in the same AWS account
     # and the same region. You cannot perform this operation on an alias in
@@ -425,32 +427,29 @@ module Aws::KMS
     # To map an existing alias to a different CMK, call UpdateAlias.
     #
     # The result of this operation varies with the key state of the CMK. For
-    # details, see [How Key State Affects Use of a Customer Master Key][1]
+    # details, see [How Key State Affects Use of a Customer Master Key][2]
     # in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :alias_name
-    #   String that contains the display name. The name must start with the
-    #   word "alias" followed by a forward slash (alias/). Aliases that
-    #   begin with "alias/AWS" are reserved.
+    #   Specifies the alias name. This value must begin with `alias/` followed
+    #   by a name, such as `alias/ExampleAlias`. The alias name cannot begin
+    #   with `alias/aws/`. The `alias/aws/` prefix is reserved for AWS managed
+    #   CMKs.
     #
     # @option params [required, String] :target_key_id
-    #   Identifies the CMK for which you are creating the alias. This value
-    #   cannot be an alias.
+    #   Identifies the CMK to which the alias refers. Specify the key ID or
+    #   the Amazon Resource Name (ARN) of the CMK. You cannot specify another
+    #   alias. For help finding the key ID and ARN, see [Finding the Key ID
+    #   and ARN][1] in the *AWS Key Management Service Developer Guide*.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   For example:
     #
-    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   * Key ARN:
-    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -483,82 +482,33 @@ module Aws::KMS
     # Creates a [custom key store][1] that is associated with an [AWS
     # CloudHSM cluster][2] that you own and manage.
     #
-    # This operation is part of the [Custom Key Store feature][3] feature in
+    # This operation is part of the [Custom Key Store feature][1] feature in
     # AWS KMS, which combines the convenience and extensive integration of
     # AWS KMS with the isolation and control of a single-tenant key store.
     #
+    # Before you create the custom key store, you must assemble the required
+    # elements, including an AWS CloudHSM cluster that fulfills the
+    # requirements for a custom key store. For details about the required
+    # elements, see [Assemble the Prerequisites][3] in the *AWS Key
+    # Management Service Developer Guide*.
+    #
     # When the operation completes successfully, it returns the ID of the
     # new custom key store. Before you can use your new custom key store,
     # you need to use the ConnectCustomKeyStore operation to connect the new
-    # key store to its AWS CloudHSM cluster.
-    #
-    # The `CreateCustomKeyStore` operation requires the following elements.
-    #
-    # * You must specify an active AWS CloudHSM cluster in the same account
-    #   and AWS Region as the custom key store. You can use an existing
-    #   cluster or [create and activate a new AWS CloudHSM cluster][4] for
-    #   the key store. AWS KMS does not require exclusive use of the
-    #   cluster.
-    #
-    # * You must include the content of the *trust anchor certificate* for
-    #   the cluster. You created this certificate, and saved it in the
-    #   `customerCA.crt` file, when you [initialized the cluster][5].
-    #
-    # * You must provide the password of the dedicated [ `kmsuser` crypto
-    #   user][6] (CU) account in the cluster.
-    #
-    #   Before you create the custom key store, use the [createUser][7]
-    #   command in `cloudhsm_mgmt_util` to create [a crypto user (CU) named
-    #   `kmsuser` ][6]in specified AWS CloudHSM cluster. AWS KMS uses the
-    #   `kmsuser` CU account to create and manage key material on your
-    #   behalf. For instructions, see [Create the kmsuser Crypto User][8] in
-    #   the *AWS Key Management Service Developer Guide*.
-    #
-    # The AWS CloudHSM cluster that you specify must meet the following
-    # requirements.
-    #
-    # * The cluster must be active and be in the same AWS account and Region
-    #   as the custom key store.
-    #
-    # * Each custom key store must be associated with a different AWS
-    #   CloudHSM cluster. The cluster cannot be associated with another
-    #   custom key store or have the same cluster certificate as a cluster
-    #   that is associated with another custom key store. To view the
-    #   cluster certificate, use the AWS CloudHSM [DescribeClusters][9]
-    #   operation. Clusters that share a backup history have the same
-    #   cluster certificate.
-    #
-    # * The cluster must be configured with subnets in at least two
-    #   different Availability Zones in the Region. Because AWS CloudHSM is
-    #   not supported in all Availability Zones, we recommend that the
-    #   cluster have subnets in all Availability Zones in the Region.
-    #
-    # * The cluster must contain at least two active HSMs, each in a
-    #   different Availability Zone.
-    #
-    # New custom key stores are not automatically connected. After you
-    # create your custom key store, use the ConnectCustomKeyStore operation
-    # to connect the custom key store to its associated AWS CloudHSM
-    # cluster. Even if you are not going to use your custom key store
-    # immediately, you might want to connect it to verify that all settings
-    # are correct and then disconnect it until you are ready to use it.
-    #
-    # If this operation succeeds, it returns the ID of the new custom key
-    # store. For help with failures, see [Troubleshoot a Custom Key
-    # Store][10] in the *AWS KMS Developer Guide*.
-    #
-    #
-    #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [2]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [4]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html
-    # [5]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
-    # [6]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
-    # [7]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util-createUser.html
-    # [8]: http://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
-    # [9]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
-    # [10]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
+    # key store to its AWS CloudHSM cluster. Even if you are not going to
+    # use your custom key store immediately, you might want to connect it to
+    # verify that all settings are correct and then disconnect it until you
+    # are ready to use it.
+    #
+    # For help with failures, see [Troubleshooting a Custom Key Store][4] in
+    # the *AWS Key Management Service Developer Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [2]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     #
     # @option params [required, String] :custom_key_store_name
     #   Specifies a friendly name for the custom key store. The name must be
@@ -572,7 +522,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
+    #   [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
     #
     # @option params [required, String] :trust_anchor_certificate
     #   Enter the content of the trust anchor certificate for the cluster.
@@ -581,7 +531,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
+    #   [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
     #
     # @option params [required, String] :key_store_password
     #   Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
@@ -593,7 +543,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
     #
     # @return [Types::CreateCustomKeyStoreResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -621,14 +571,20 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Adds a grant to a customer master key (CMK). The grant specifies who
-    # can use the CMK and under what conditions. When setting permissions,
-    # grants are an alternative to key policies.
+    # Adds a grant to a customer master key (CMK). The grant allows the
+    # grantee principal to use the CMK when the conditions specified in the
+    # grant are met. When setting permissions, grants are an alternative to
+    # key policies.
+    #
+    # To create a grant that allows a cryptographic operation only when the
+    # encryption context in the operation request matches or includes a
+    # specified encryption context, use the `Constraints` parameter. For
+    # details, see GrantConstraints.
     #
     # To perform this operation on a CMK in a different AWS account, specify
     # the key ARN in the value of the `KeyId` parameter. For more
-    # information about grants, see [Grants][1] in the *AWS Key Management
-    # Service Developer Guide*.
+    # information about grants, see [Grants][1] in the <i> <i>AWS Key
+    # Management Service Developer Guide</i> </i>.
     #
     # The result of this operation varies with the key state of the CMK. For
     # details, see [How Key State Affects Use of a Customer Master Key][2]
@@ -636,8 +592,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/grants.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   The unique identifier for the customer master key (CMK) that the grant
@@ -668,8 +624,8 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
     #
     # @option params [String] :retiring_principal
     #   The principal that is given permission to retire the grant by using
@@ -684,21 +640,22 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
     #
     # @option params [required, Array<String>] :operations
     #   A list of operations that the grant permits.
     #
     # @option params [Types::GrantConstraints] :constraints
-    #   A structure that you can use to allow certain operations in the grant
-    #   only when the desired encryption context is present. For more
-    #   information about encryption context, see [Encryption Context][1] in
-    #   the *AWS Key Management Service Developer Guide*.
+    #   Allows a cryptographic operation only when the encryption context
+    #   matches or includes the encryption context specified in this
+    #   structure. For more information about encryption context, see
+    #   [Encryption Context][1] in the <i> <i>AWS Key Management Service
+    #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -708,11 +665,12 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @option params [String] :name
     #   A friendly name for identifying the grant. Use this value to prevent
-    #   unintended creation of duplicate grants when retrying this request.
+    #   the unintended creation of duplicate grants when retrying this
+    #   request.
     #
     #   When this value is absent, all `CreateGrant` requests result in a new
     #   grant with a unique `GrantId` even if all the supplied parameters are
@@ -785,26 +743,21 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Creates a customer master key (CMK) in the caller's AWS account.
-    #
-    # You can use a CMK to encrypt small amounts of data (4 KiB or less)
-    # directly, but CMKs are more commonly used to encrypt data keys, which
-    # are used to encrypt raw data. For more information about data keys and
-    # the difference between CMKs and data keys, see the following:
-    #
-    # * The GenerateDataKey operation
+    # Creates a customer managed [customer master key][1] (CMK) in your AWS
+    # account.
     #
-    # * [AWS Key Management Service Concepts][1] in the *AWS Key Management
-    #   Service Developer Guide*
+    # You can use a CMK to encrypt small amounts of data (up to 4096 bytes)
+    # directly. But CMKs are more commonly used to encrypt the [data
+    # keys][2] that are used to encrypt data.
     #
-    # If you plan to [import key material][2], use the `Origin` parameter
-    # with a value of `EXTERNAL` to create a CMK with no key material.
+    # To create a CMK for imported key material, use the `Origin` parameter
+    # with a value of `EXTERNAL`.
     #
-    # To create a CMK in a [custom key store][3], use `CustomKeyStoreId`
+    # To create a CMK in a [custom key store][3], use the `CustomKeyStoreId`
     # parameter to specify the custom key store. You must also use the
     # `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
     # cluster that is associated with the custom key store must have at
-    # least two active HSMs, each in a different Availability Zone in the
+    # least two active HSMs in different Availability Zones in the AWS
     # Region.
     #
     # You cannot use this operation to create a CMK in a different AWS
@@ -812,9 +765,9 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [String] :policy
     #   The key policy to attach to the CMK.
@@ -826,7 +779,8 @@ module Aws::KMS
     #     request to make a subsequent PutKeyPolicy request on the CMK. This
     #     reduces the risk that the CMK becomes unmanageable. For more
     #     information, refer to the scenario in the [Default Key Policy][1]
-    #     section of the *AWS Key Management Service Developer Guide*.
+    #     section of the <i> <i>AWS Key Management Service Developer Guide</i>
+    #     </i>.
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
@@ -845,9 +799,9 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #
     # @option params [String] :description
     #   A description of the CMK.
@@ -856,13 +810,13 @@ module Aws::KMS
     #   for a task.
     #
     # @option params [String] :key_usage
-    #   The intended use of the CMK.
-    #
-    #   You can use CMKs only for symmetric encryption and decryption.
+    #   The cryptographic operations for which you can use the CMK. The only
+    #   valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
+    #   encrypt and decrypt data.
     #
     # @option params [String] :origin
-    #   The source of the CMK's key material. You cannot change the origin
-    #   after you create the CMK.
+    #   The source of the key material for the CMK. You cannot change the
+    #   origin after you create the CMK.
     #
     #   The default is `AWS_KMS`, which means AWS KMS creates the key material
     #   in its own key store.
@@ -874,14 +828,14 @@ module Aws::KMS
     #   Key Management Service Developer Guide*.
     #
     #   When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
-    #   a AWS KMS [custom key store][2] and creates its key material in the
+    #   an AWS KMS [custom key store][2] and creates its key material in the
     #   associated AWS CloudHSM cluster. You must also use the
     #   `CustomKeyStoreId` parameter to identify the custom key store.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [String] :custom_key_store_id
     #   Creates the CMK in the specified [custom key store][1] and the key
@@ -897,14 +851,13 @@ module Aws::KMS
     #   The response includes the custom key store ID and the ID of the AWS
     #   CloudHSM cluster.
     #
-    #   This operation is part of the [Custom Key Store feature][2] feature in
+    #   This operation is part of the [Custom Key Store feature][1] feature in
     #   AWS KMS, which combines the convenience and extensive integration of
     #   AWS KMS with the isolation and control of a single-tenant key store.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    #   [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -914,8 +867,8 @@ module Aws::KMS
     #   unmanageable. Do not set this value to true indiscriminately.
     #
     #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *AWS Key Management Service Developer
-    #   Guide*.
+    #   Policy][1] section in the <i> <i>AWS Key Management Service Developer
+    #   Guide</i> </i>.
     #
     #   Use this parameter only when you include a policy in the request and
     #   you intend to prevent the principal that is making the request from
@@ -925,7 +878,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #
     # @option params [Array<Types::Tag>] :tags
     #   One or more tags. Each tag consists of a tag key and a tag value. Tag
@@ -1023,15 +976,14 @@ module Aws::KMS
     #
     # * Encrypt
     #
-    # Note that if a caller has been granted access permissions to all keys
-    # (through, for example, IAM user policies that grant `Decrypt`
-    # permission on all resources), then ciphertext encrypted by using keys
-    # in other accounts where the key grants access to the caller can be
-    # decrypted. To remedy this, we recommend that you do not grant
-    # `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
-    # only in key policies. If you must grant `Decrypt` access in an IAM
-    # user policy, you should scope the resource to specific keys or to
-    # specific trusted accounts.
+    # Whenever possible, use key policies to give users permission to call
+    # the Decrypt operation on the CMK, instead of IAM policies. Otherwise,
+    # you might create an IAM user policy that gives the user Decrypt
+    # permission on all CMKs. This user could decrypt ciphertext that was
+    # encrypted by CMKs in other accounts if the key policy for the
+    # cross-account CMK permits it. If you must use an IAM policy for
+    # `Decrypt` permissions, limit the user to particular CMKs or particular
+    # trusted accounts.
     #
     # The result of this operation varies with the key state of the CMK. For
     # details, see [How Key State Affects Use of a Customer Master Key][1]
@@ -1039,7 +991,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String, IO] :ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
@@ -1051,7 +1003,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1061,7 +1013,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1121,9 +1073,8 @@ module Aws::KMS
     # master key (CMK), call UpdateAlias.
     #
     # @option params [required, String] :alias_name
-    #   The alias to be deleted. The name must start with the word "alias"
-    #   followed by a forward slash (alias/). Aliases that begin with
-    #   "alias/aws" are reserved.
+    #   The alias to be deleted. The alias name must begin with `alias/`
+    #   followed by the alias name, such as `alias/ExampleAlias`.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1179,16 +1130,15 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][4] feature in
+    # This operation is part of the [Custom Key Store feature][1] feature in
     # AWS KMS, which combines the convenience and extensive integration of
     # AWS KMS with the isolation and control of a single-tenant key store.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
-    # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to delete. To find the
@@ -1230,12 +1180,12 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the CMK whose key material to delete. The CMK's
-    #   `Origin` must be `EXTERNAL`.
+    #   Identifies the CMK from which you are deleting imported key material.
+    #   The `Origin` of the CMK must be `EXTERNAL`.
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -1277,7 +1227,7 @@ module Aws::KMS
     # Gets information about [custom key stores][1] in the account and
     # region.
     #
-    # This operation is part of the [Custom Key Store feature][2] feature in
+    # This operation is part of the [Custom Key Store feature][1] feature in
     # AWS KMS, which combines the convenience and extensive integration of
     # AWS KMS with the isolation and control of a single-tenant key store.
     #
@@ -1301,14 +1251,13 @@ module Aws::KMS
     # number of HSMs required for the operation, if any.
     #
     # For help repairing your custom key store, see the [Troubleshooting
-    # Custom Key Stores][3] topic in the *AWS Key Management Service
+    # Custom Key Stores][2] topic in the *AWS Key Management Service
     # Developer Guide*.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore-html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     #
     # @option params [String] :custom_key_store_id
     #   Gets only information about the specified custom key store. Enter the
@@ -1361,7 +1310,7 @@ module Aws::KMS
     #   resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
     #   resp.custom_key_stores[0].trust_anchor_certificate #=> String
     #   resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
-    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
+    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
     #   resp.custom_key_stores[0].creation_date #=> Time
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
@@ -1378,16 +1327,17 @@ module Aws::KMS
     # Provides detailed information about the specified customer master key
     # (CMK).
     #
-    # If you use `DescribeKey` on a predefined AWS alias, that is, an AWS
-    # alias with no key ID, AWS KMS associates the alias with an [AWS
-    # managed CMK][1] and returns its `KeyId` and `Arn` in the response.
+    # You can use `DescribeKey` on a predefined AWS alias, that is, an AWS
+    # alias with no key ID. When you do, AWS KMS associates the alias with
+    # an [AWS managed CMK][1] and returns its `KeyId` and `Arn` in the
+    # response.
     #
     # To perform this operation on a CMK in a different AWS account, specify
     # the key ARN or alias ARN in the value of the KeyId parameter.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
     #
     # @option params [required, String] :key_id
     #   Describes the specified customer master key (CMK).
@@ -1398,7 +1348,7 @@ module Aws::KMS
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
-    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -1417,7 +1367,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1427,7 +1377,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @return [Types::DescribeKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1497,8 +1447,8 @@ module Aws::KMS
     # this operation on a CMK in a different AWS account.
     #
     # For more information about how key state affects the use of a CMK, see
-    # [How Key State Affects the Use of a Customer Master Key][1] in the
-    # *AWS Key Management Service Developer Guide*.
+    # [How Key State Affects the Use of a Customer Master Key][1] in the <i>
+    # <i>AWS Key Management Service Developer Guide</i> </i>.
     #
     # The result of this operation varies with the key state of the CMK. For
     # details, see [How Key State Affects Use of a Customer Master Key][1]
@@ -1506,7 +1456,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -1558,8 +1508,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -1623,14 +1573,13 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][2] feature in
+    # This operation is part of the [Custom Key Store feature][1] feature in
     # AWS KMS, which combines the convenience and extensive integration of
     # AWS KMS with the isolation and control of a single-tenant key store.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to disconnect. To find
@@ -1664,7 +1613,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -1719,9 +1668,9 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -1770,40 +1719,38 @@ module Aws::KMS
     #   such as an RSA key, a database password, or other sensitive
     #   information.
     #
-    # * To move encrypted data from one AWS region to another, you can use
-    #   this operation to encrypt in the new region the plaintext data key
-    #   that was used to encrypt the data in the original region. This
-    #   provides you with an encrypted copy of the data key that can be
-    #   decrypted in the new region and used there to decrypt the encrypted
-    #   data.
+    # * You can use the `Encrypt` operation to move encrypted data from one
+    #   AWS region to another. In the first region, generate a data key and
+    #   use the plaintext key to encrypt the data. Then, in the new region,
+    #   call the `Encrypt` method on same plaintext data key. Now, you can
+    #   safely move the encrypted data and encrypted data key to the new
+    #   region, and decrypt in the new region when necessary.
     #
-    # To perform this operation on a CMK in a different AWS account, specify
-    # the key ARN or alias ARN in the value of the KeyId parameter.
-    #
-    # Unless you are moving encrypted data from one region to another, you
-    # don't use this operation to encrypt a generated data key within a
-    # region. To get data keys that are already encrypted, call the
-    # GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. Data
-    # keys don't need to be encrypted again by calling `Encrypt`.
+    # You don't need use this operation to encrypt a data key within a
+    # region. The GenerateDataKey and GenerateDataKeyWithoutPlaintext
+    # operations return an encrypted data key.
     #
-    # To encrypt data locally in your application, use the GenerateDataKey
-    # operation to return a plaintext data encryption key and a copy of the
-    # key encrypted under the CMK of your choosing.
+    # Also, you don't need to use this operation to encrypt data in your
+    # application. You can use the plaintext and encrypted data keys that
+    # the `GenerateDataKey` operation returns.
     #
     # The result of this operation varies with the key state of the CMK. For
     # details, see [How Key State Affects Use of a Customer Master Key][1]
     # in the *AWS Key Management Service Developer Guide*.
     #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN or alias ARN in the value of the KeyId parameter.
+    #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
-    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -1831,7 +1778,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1841,7 +1788,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1855,12 +1802,12 @@ module Aws::KMS
     #
     #   resp = client.encrypt({
     #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the CMK to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the CMK, or the name or ARN of an alias that refers to the CMK.
-    #     plaintext: "data", # The data to encrypt.
+    #     plaintext: "<binary data>", # The data to encrypt.
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     ciphertext_blob: "encrypted data", # The encrypted data (ciphertext).
+    #     ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to encrypt the data.
     #   }
     #
@@ -1889,54 +1836,60 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Returns a data encryption key that you can use in your application to
-    # encrypt data locally.
-    #
-    # You must specify the customer master key (CMK) under which to generate
-    # the data key. You must also specify the length of the data key using
-    # either the `KeySpec` or `NumberOfBytes` field. You must specify one
-    # field or the other, but not both. For common key lengths (128-bit and
-    # 256-bit symmetric keys), we recommend that you use `KeySpec`. To
+    # Generates a unique data key. This operation returns a plaintext copy
+    # of the data key and a copy that is encrypted under a customer master
+    # key (CMK) that you specify. You can use the plaintext key to encrypt
+    # your data outside of KMS and store the encrypted data key with the
+    # encrypted data.
+    #
+    # `GenerateDataKey` returns a unique data key for each request. The
+    # bytes in the key are not related to the caller or CMK that is used to
+    # encrypt the data key.
+    #
+    # To generate a data key, you need to specify the customer master key
+    # (CMK) that will be used to encrypt the data key. You must also specify
+    # the length of the data key using either the `KeySpec` or
+    # `NumberOfBytes` field (but not both). For common key lengths (128-bit
+    # and 256-bit symmetric keys), we recommend that you use `KeySpec`. To
     # perform this operation on a CMK in a different AWS account, specify
     # the key ARN or alias ARN in the value of the KeyId parameter.
     #
-    # This operation returns a plaintext copy of the data key in the
-    # `Plaintext` field of the response, and an encrypted copy of the data
-    # key in the `CiphertextBlob` field. The data key is encrypted under the
-    # CMK specified in the `KeyId` field of the request.
+    # You will find the plaintext copy of the data key in the `Plaintext`
+    # field of the response, and the encrypted copy of the data key in the
+    # `CiphertextBlob` field.
     #
     # We recommend that you use the following pattern to encrypt data
     # locally in your application:
     #
-    # 1.  Use this operation (`GenerateDataKey`) to get a data encryption
-    #     key.
+    # 1.  Use the `GenerateDataKey` operation to get a data encryption key.
     #
-    # 2.  Use the plaintext data encryption key (returned in the `Plaintext`
-    #     field of the response) to encrypt data locally, then erase the
-    #     plaintext data key from memory.
+    # 2.  Use the plaintext data key (returned in the `Plaintext` field of
+    #     the response) to encrypt data locally, then erase the plaintext
+    #     data key from memory.
     #
     # 3.  Store the encrypted data key (returned in the `CiphertextBlob`
     #     field of the response) alongside the locally encrypted data.
     #
     # To decrypt data locally:
     #
-    # 1.  Use the Decrypt operation to decrypt the encrypted data key into a
-    #     plaintext copy of the data key.
+    # 1.  Use the Decrypt operation to decrypt the encrypted data key. The
+    #     operation returns a plaintext copy of the data key.
     #
     # 2.  Use the plaintext data key to decrypt data locally, then erase the
     #     plaintext data key from memory.
     #
-    # To return only an encrypted copy of the data key, use
-    # GenerateDataKeyWithoutPlaintext. To return a random byte string that
-    # is cryptographically secure, use GenerateRandom.
+    # To get only an encrypted copy of the data key, use
+    # GenerateDataKeyWithoutPlaintext. To get a cryptographically secure
+    # random byte string, use GenerateRandom.
     #
-    # If you use the optional `EncryptionContext` field, you must store at
-    # least enough information to be able to reconstruct the full encryption
-    # context when you later send the ciphertext to the Decrypt operation.
-    # It is a good practice to choose an encryption context that you can
-    # reconstruct on the fly to better secure the ciphertext. For more
-    # information, see [Encryption Context][1] in the *AWS Key Management
-    # Service Developer Guide*.
+    # You can use the optional encryption context to add additional security
+    # to your encryption operation. When you specify an `EncryptionContext`
+    # in the `GenerateDataKey` operation, you must specify the same
+    # encryption context (a case-sensitive exact match) in your request to
+    # Decrypt the data key. Otherwise, the request to decrypt fails with an
+    # `InvalidCiphertextException`. For more information, see [Encryption
+    # Context][1] in the <i> <i>AWS Key Management Service Developer
+    # Guide</i> </i>.
     #
     # The result of this operation varies with the key state of the CMK. For
     # details, see [How Key State Affects Use of a Customer Master Key][2]
@@ -1944,16 +1897,15 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the CMK under which to generate and encrypt the data
-    #   encryption key.
+    #   An identifier for the CMK that encrypts the data key.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
-    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -1979,18 +1931,17 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Integer] :number_of_bytes
-    #   The length of the data encryption key in bytes. For example, use the
-    #   value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
-    #   common key lengths (128-bit and 256-bit symmetric keys), we recommend
-    #   that you use the `KeySpec` field instead of this one.
+    #   The length of the data key in bytes. For example, use the value 64 to
+    #   generate a 512-bit data key (64 bytes is 512 bits). For common key
+    #   lengths (128-bit and 256-bit symmetric keys), we recommend that you
+    #   use the `KeySpec` field instead of this one.
     #
     # @option params [String] :key_spec
-    #   The length of the data encryption key. Use `AES_128` to generate a
-    #   128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
-    #   key.
+    #   The length of the data key. Use `AES_128` to generate a 128-bit
+    #   symmetric key, or `AES_256` to generate a 256-bit symmetric key.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -2000,7 +1951,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2053,26 +2004,28 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Returns a data encryption key encrypted under a customer master key
-    # (CMK). This operation is identical to GenerateDataKey but returns only
-    # the encrypted copy of the data key.
-    #
-    # To perform this operation on a CMK in a different AWS account, specify
-    # the key ARN or alias ARN in the value of the KeyId parameter.
-    #
-    # This operation is useful in a system that has multiple components with
-    # different degrees of trust. For example, consider a system that stores
-    # encrypted data in containers. Each container stores the encrypted data
-    # and an encrypted copy of the data key. One component of the system,
-    # called the *control plane*, creates new containers. When it creates a
-    # new container, it uses this operation
-    # (`GenerateDataKeyWithoutPlaintext`) to get an encrypted data key and
-    # then stores it in the container. Later, a different component of the
-    # system, called the *data plane*, puts encrypted data into the
-    # containers. To do this, it passes the encrypted data key to the
-    # Decrypt operation, then uses the returned plaintext data key to
-    # encrypt data, and finally stores the encrypted data in the container.
-    # In this system, the control plane never sees the plaintext data key.
+    # Generates a unique data key. This operation returns a data key that is
+    # encrypted under a customer master key (CMK) that you specify.
+    # `GenerateDataKeyWithoutPlaintext` is identical to GenerateDataKey
+    # except that returns only the encrypted copy of the data key.
+    #
+    # Like `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext` returns a
+    # unique data key for each request. The bytes in the key are not related
+    # to the caller or CMK that is used to encrypt the data key.
+    #
+    # This operation is useful for systems that need to encrypt data at some
+    # point, but not immediately. When you need to encrypt the data, you
+    # call the Decrypt operation on the encrypted copy of the key.
+    #
+    # It's also useful in distributed systems with different levels of
+    # trust. For example, you might store encrypted data in containers. One
+    # component of your system creates new containers and stores an
+    # encrypted data key with each container. Then, a different component
+    # puts the data into the containers. That component first decrypts the
+    # data key, uses the plaintext data key to encrypt data, puts the
+    # encrypted data into the container, and then destroys the plaintext
+    # data key. In this system, the component that creates the containers
+    # never sees the plaintext data key.
     #
     # The result of this operation varies with the key state of the CMK. For
     # details, see [How Key State Affects Use of a Customer Master Key][1]
@@ -2080,15 +2033,15 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the customer master key (CMK) under which to
-    #   generate and encrypt the data encryption key.
+    #   The identifier of the customer master key (CMK) that encrypts the data
+    #   key.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
-    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -2114,18 +2067,17 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [String] :key_spec
-    #   The length of the data encryption key. Use `AES_128` to generate a
-    #   128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
-    #   key.
+    #   The length of the data key. Use `AES_128` to generate a 128-bit
+    #   symmetric key, or `AES_256` to generate a 256-bit symmetric key.
     #
     # @option params [Integer] :number_of_bytes
-    #   The length of the data encryption key in bytes. For example, use the
-    #   value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
-    #   common key lengths (128-bit and 256-bit symmetric keys), we recommend
-    #   that you use the `KeySpec` field instead of this one.
+    #   The length of the data key in bytes. For example, use the value 64 to
+    #   generate a 512-bit data key (64 bytes is 512 bits). For common key
+    #   lengths (128-bit and 256-bit symmetric keys), we recommend that you
+    #   use the `KeySpec` field instead of this one.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -2135,7 +2087,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2197,7 +2149,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
     #
     # @option params [Integer] :number_of_bytes
@@ -2210,7 +2162,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2332,8 +2284,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -2413,8 +2365,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   The identifier of the CMK into which you will import key material. The
@@ -2439,7 +2391,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
     #
     # @option params [required, String] :wrapping_key_spec
     #   The type of wrapping key (public key) to return in the response. Only
@@ -2542,8 +2494,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   The identifier of the CMK to import the key material into. The CMK's
@@ -2617,23 +2569,29 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Gets a list of all aliases in the caller's AWS account and region.
-    # You cannot list aliases in other accounts. For more information about
+    # Gets a list of aliases in the caller's AWS account and region. You
+    # cannot list aliases in other accounts. For more information about
     # aliases, see CreateAlias.
     #
-    # By default, the `ListAliases` command returns all aliases in the
-    # account and region. To get only the aliases that point to a particular
+    # By default, the ListAliases command returns all aliases in the account
+    # and region. To get only the aliases that point to a particular
     # customer master key (CMK), use the `KeyId` parameter.
     #
-    # The `ListAliases` response might include several aliases have no
-    # `TargetKeyId` field. These are predefined aliases that AWS has created
-    # but has not yet associated with a CMK. Aliases that AWS creates in
-    # your account, including predefined aliases, do not count against your
-    # [AWS KMS aliases limit][1].
+    # The `ListAliases` response can include aliases that you created and
+    # associated with your customer managed CMKs, and aliases that AWS
+    # created and associated with AWS managed CMKs in your account. You can
+    # recognize AWS aliases because their names have the format
+    # `aws/<service-name>`, such as `aws/dynamodb`.
     #
+    # The response might also include aliases that have no `TargetKeyId`
+    # field. These are predefined aliases that AWS has created but has not
+    # yet associated with a CMK. Aliases that AWS creates in your account,
+    # including predefined aliases, do not count against your [AWS KMS
+    # aliases limit][1].
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
     #
     # @option params [String] :key_id
     #   Lists only aliases that refer to the specified CMK. The value of this
@@ -2915,7 +2873,7 @@ module Aws::KMS
     #   and 1000, inclusive. If you do not include a value, it defaults to
     #   100.
     #
-    #   Currently only 1 policy can be attached to a key.
+    #   Only one policy can be attached to a key.
     #
     # @option params [String] :marker
     #   Use this parameter in a subsequent request after you receive a
@@ -3184,8 +3142,8 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
     #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -3265,7 +3223,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -3309,8 +3267,8 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -3331,7 +3289,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -3376,7 +3334,7 @@ module Aws::KMS
     # destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
     # permission in your [key policies][1] to permit reencryption from or to
     # the CMK. This permission is automatically included in the key policy
-    # when you create a CMK through the console, but you must include it
+    # when you create a CMK through the console. But you must include it
     # manually when you create a CMK programmatically or when you set a key
     # policy with the PutKeyPolicy operation.
     #
@@ -3386,8 +3344,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String, IO] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
@@ -3401,7 +3359,7 @@ module Aws::KMS
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
-    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must use
     #   the key ARN or alias ARN.
     #
     #   For example:
@@ -3429,7 +3387,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #
     # @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -3635,10 +3593,10 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
-    # [4]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   The unique identifier of the customer master key (CMK) to delete.
@@ -3723,8 +3681,8 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
-    # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the CMK you are tagging.
@@ -3794,7 +3752,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the CMK from which you are removing tags.
@@ -3859,30 +3817,29 @@ module Aws::KMS
     # To get the aliases of all CMKs in the account, use the ListAliases
     # operation.
     #
-    # An alias name can contain only alphanumeric characters, forward
-    # slashes (/), underscores (\_), and dashes (-). An alias must start
-    # with the word `alias` followed by a forward slash (`alias/`). The
-    # alias name can contain only alphanumeric characters, forward slashes
-    # (/), underscores (\_), and dashes (-). Alias names cannot begin with
-    # `aws`; that alias name prefix is reserved by Amazon Web Services
-    # (AWS).
+    # The alias name must begin with `alias/` followed by a name, such as
+    # `alias/ExampleAlias`. It can contain only alphanumeric characters,
+    # forward slashes (/), underscores (\_), and dashes (-). The alias name
+    # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
+    # for [AWS managed CMKs][1].
     #
     # The result of this operation varies with the key state of the CMK. For
-    # details, see [How Key State Affects Use of a Customer Master Key][1]
+    # details, see [How Key State Affects Use of a Customer Master Key][2]
     # in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :alias_name
-    #   String that contains the name of the alias to be modified. The name
-    #   must start with the word "alias" followed by a forward slash
-    #   (alias/). Aliases that begin with "alias/aws" are reserved.
+    #   Specifies the name of the alias to change. This value must begin with
+    #   `alias/` followed by the alias name, such as `alias/ExampleAlias`.
     #
     # @option params [required, String] :target_key_id
-    #   Unique identifier of the customer master key to be mapped to the
-    #   alias.
+    #   Unique identifier of the customer master key (CMK) to be mapped to the
+    #   alias. When the update operation completes, the alias will point to
+    #   this CMK.
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -3937,42 +3894,28 @@ module Aws::KMS
     # ConnectCustomKeyStore. To find the connection state of a custom key
     # store, use the DescribeCustomKeyStores operation.
     #
-    # Use the `NewCustomKeyStoreName` parameter to change the friendly name
-    # of the custom key store to the value that you specify.
+    # Use the parameters of `UpdateCustomKeyStore` to edit your keystore
+    # settings.
     #
-    # Use the `KeyStorePassword` parameter tell AWS KMS the current password
-    # of the [ `kmsuser` crypto user (CU)][1] in the associated AWS CloudHSM
-    # cluster. You can use this parameter to fix connection failures that
-    # occur when AWS KMS cannot log into the associated cluster because the
-    # `kmsuser` password has changed. This value does not change the
-    # password in the AWS CloudHSM cluster.
+    # * Use the **NewCustomKeyStoreName** parameter to change the friendly
+    #   name of the custom key store to the value that you specify.
     #
-    # Use the `CloudHsmClusterId` parameter to associate the custom key
-    # store with a related AWS CloudHSM cluster, that is, a cluster that
-    # shares a backup history with the original cluster. You can use this
-    # parameter to repair a custom key store if its AWS CloudHSM cluster
-    # becomes corrupted or is deleted, or when you need to create or restore
-    # a cluster from a backup.
     #
-    # The cluster ID must identify a AWS CloudHSM cluster with the following
-    # requirements.
     #
-    # * The cluster must be active and be in the same AWS account and Region
-    #   as the custom key store.
+    # * Use the **KeyStorePassword** parameter tell AWS KMS the current
+    #   password of the [ `kmsuser` crypto user (CU)][1] in the associated
+    #   AWS CloudHSM cluster. You can use this parameter to [fix connection
+    #   failures][2] that occur when AWS KMS cannot log into the associated
+    #   cluster because the `kmsuser` password has changed. This value does
+    #   not change the password in the AWS CloudHSM cluster.
     #
-    # * The cluster must have the same cluster certificate as the original
-    #   cluster. You cannot use this parameter to associate the custom key
-    #   store with an unrelated cluster. To view the cluster certificate,
-    #   use the AWS CloudHSM [DescribeClusters][2] operation. Clusters that
-    #   share a backup history have the same cluster certificate.
     #
-    # * The cluster must be configured with subnets in at least two
-    #   different Availability Zones in the Region. Because AWS CloudHSM is
-    #   not supported in all Availability Zones, we recommend that the
-    #   cluster have subnets in all Availability Zones in the Region.
     #
-    # * The cluster must contain at least two active HSMs, each in a
-    #   different Availability Zone.
+    # * Use the **CloudHsmClusterId** parameter to associate the custom key
+    #   store with a different, but related, AWS CloudHSM cluster. You can
+    #   use this parameter to repair a custom key store if its AWS CloudHSM
+    #   cluster becomes corrupted or is deleted, or when you need to create
+    #   or restore a cluster from a backup.
     #
     # If the operation succeeds, it returns a JSON object with no
     # properties.
@@ -3983,9 +3926,9 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
-    # [2]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
-    # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Identifies the custom key store that you want to update. Enter the ID
@@ -4009,17 +3952,18 @@ module Aws::KMS
     #   Associates the custom key store with a related AWS CloudHSM cluster.
     #
     #   Enter the cluster ID of the cluster that you used to create the custom
-    #   key store or a cluster that shares a backup history with the original
-    #   cluster. You cannot use this parameter to associate a custom key store
-    #   with a different cluster.
-    #
-    #   Clusters that share a backup history have the same cluster
-    #   certificate. To view the cluster certificate of a cluster, use the
-    #   [DescribeClusters][1] operation.
+    #   key store or a cluster that shares a backup history and has the same
+    #   cluster certificate as the original cluster. You cannot use this
+    #   parameter to associate a custom key store with an unrelated cluster.
+    #   In addition, the replacement cluster must [fulfill the
+    #   requirements][1] for a cluster associated with a custom key store. To
+    #   view the cluster certificate of a cluster, use the
+    #   [DescribeClusters][2] operation.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
+    #   [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -4042,7 +3986,7 @@ module Aws::KMS
     end
 
     # Updates the description of a customer master key (CMK). To see the
-    # decription of a CMK, use DescribeKey.
+    # description of a CMK, use DescribeKey.
     #
     # You cannot perform this operation on a CMK in a different AWS account.
     #
@@ -4052,7 +3996,7 @@ module Aws::KMS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -4112,7 +4056,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.17.0'
+      context[:gem_version] = '1.19.0'
       Seahorse::Client::Request.new(handlers, context)
     end