aws-sdk-kms 1.17.0 → 1.19.0

@@ -11,7 +11,7 @@ module Aws::KMS
11
11
  # Contains information about an alias.
12
12
  #
13
13
  # @!attribute [rw] alias_name
14
- # String that contains the alias.
14
+ # String that contains the alias. This value begins with `alias/`.
15
15
  # @return [String]
16
16
  #
17
17
  # @!attribute [rw] alias_arn
@@ -107,26 +107,22 @@ module Aws::KMS
107
107
  # }
108
108
  #
109
109
  # @!attribute [rw] alias_name
110
- # String that contains the display name. The name must start with the
111
- # word "alias" followed by a forward slash (alias/). Aliases that
112
- # begin with "alias/AWS" are reserved.
110
+ # Specifies the alias name. This value must begin with `alias/`
111
+ # followed by a name, such as `alias/ExampleAlias`. The alias name
112
+ # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
113
+ # for AWS managed CMKs.
113
114
  # @return [String]
114
115
  #
115
116
  # @!attribute [rw] target_key_id
116
- # Identifies the CMK for which you are creating the alias. This value
117
- # cannot be an alias.
118
- #
119
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
120
- #
121
- # For example:
117
+ # Identifies the CMK to which the alias refers. Specify the key ID or
118
+ # the Amazon Resource Name (ARN) of the CMK. You cannot specify
119
+ # another alias. For help finding the key ID and ARN, see [Finding the
120
+ # Key ID and ARN][1] in the *AWS Key Management Service Developer
121
+ # Guide*.
122
122
  #
123
- # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
124
123
  #
125
- # * Key ARN:
126
- # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
127
124
  #
128
- # To get the key ID and key ARN for a CMK, use ListKeys or
129
- # DescribeKey.
125
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
130
126
  # @return [String]
131
127
  #
132
128
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAliasRequest AWS API Documentation
@@ -160,7 +156,7 @@ module Aws::KMS
160
156
  #
161
157
  #
162
158
  #
163
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
159
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
164
160
  # @return [String]
165
161
  #
166
162
  # @!attribute [rw] trust_anchor_certificate
@@ -170,7 +166,7 @@ module Aws::KMS
170
166
  #
171
167
  #
172
168
  #
173
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
169
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
174
170
  # @return [String]
175
171
  #
176
172
  # @!attribute [rw] key_store_password
@@ -183,7 +179,7 @@ module Aws::KMS
183
179
  #
184
180
  #
185
181
  #
186
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
182
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
187
183
  # @return [String]
188
184
  #
189
185
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
@@ -258,8 +254,8 @@ module Aws::KMS
258
254
  #
259
255
  #
260
256
  #
261
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
262
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
257
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
258
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
263
259
  # @return [String]
264
260
  #
265
261
  # @!attribute [rw] retiring_principal
@@ -275,8 +271,8 @@ module Aws::KMS
275
271
  #
276
272
  #
277
273
  #
278
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
279
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
274
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
275
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
280
276
  # @return [String]
281
277
  #
282
278
  # @!attribute [rw] operations
@@ -284,14 +280,15 @@ module Aws::KMS
284
280
  # @return [Array<String>]
285
281
  #
286
282
  # @!attribute [rw] constraints
287
- # A structure that you can use to allow certain operations in the
288
- # grant only when the desired encryption context is present. For more
289
- # information about encryption context, see [Encryption Context][1] in
290
- # the *AWS Key Management Service Developer Guide*.
283
+ # Allows a cryptographic operation only when the encryption context
284
+ # matches or includes the encryption context specified in this
285
+ # structure. For more information about encryption context, see
286
+ # [Encryption Context][1] in the <i> <i>AWS Key Management Service
287
+ # Developer Guide</i> </i>.
291
288
  #
292
289
  #
293
290
  #
294
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
291
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
295
292
  # @return [Types::GrantConstraints]
296
293
  #
297
294
  # @!attribute [rw] grant_tokens
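Review bot: The added `constraints` text replaces the Markdown emphasis with doubled raw HTML, `<i> <i>AWS Key Management Service Developer Guide</i> </i>`, which is noisy in the source and inconsistent with the `*AWS Key Management Service Developer Guide*` form that other comments on this page still use. I would keep `[Encryption Context][1] in the *AWS Key Management Service Developer Guide*.` here. The same doubled tag appears in the hunks at new lines 390-391, 485-486 and 1604-1605. The pattern is uniform enough that it probably comes from the API model or doc generator, so the fix may belong there rather than in this file.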
@@ -302,12 +299,13 @@ module Aws::KMS
302
299
  #
303
300
  #
304
301
  #
305
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
302
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
306
303
  # @return [Array<String>]
307
304
  #
308
305
  # @!attribute [rw] name
309
306
  # A friendly name for identifying the grant. Use this value to prevent
310
- # unintended creation of duplicate grants when retrying this request.
307
+ # the unintended creation of duplicate grants when retrying this
308
+ # request.
311
309
  #
312
310
  # When this value is absent, all `CreateGrant` requests result in a
313
311
  # new grant with a unique `GrantId` even if all the supplied
@@ -343,7 +341,7 @@ module Aws::KMS
343
341
  #
344
342
  #
345
343
  #
346
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
344
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
347
345
  # @return [String]
348
346
  #
349
347
  # @!attribute [rw] grant_id
@@ -389,7 +387,8 @@ module Aws::KMS
389
387
  # request to make a subsequent PutKeyPolicy request on the CMK. This
390
388
  # reduces the risk that the CMK becomes unmanageable. For more
391
389
  # information, refer to the scenario in the [Default Key Policy][1]
392
- # section of the *AWS Key Management Service Developer Guide*.
390
+ # section of the <i> <i>AWS Key Management Service Developer
391
+ # Guide</i> </i>.
393
392
  #
394
393
  # * Each statement in the key policy must contain one or more
395
394
  # principals. The principals in the key policy must exist and be
@@ -409,9 +408,9 @@ module Aws::KMS
409
408
  #
410
409
  #
411
410
  #
412
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
413
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
414
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
411
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
412
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
413
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
415
414
  # @return [String]
416
415
  #
417
416
  # @!attribute [rw] description
@@ -422,14 +421,14 @@ module Aws::KMS
422
421
  # @return [String]
423
422
  #
424
423
  # @!attribute [rw] key_usage
425
- # The intended use of the CMK.
426
- #
427
- # You can use CMKs only for symmetric encryption and decryption.
424
+ # The cryptographic operations for which you can use the CMK. The only
425
+ # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
426
+ # encrypt and decrypt data.
428
427
  # @return [String]
429
428
  #
430
429
  # @!attribute [rw] origin
431
- # The source of the CMK's key material. You cannot change the origin
432
- # after you create the CMK.
430
+ # The source of the key material for the CMK. You cannot change the
431
+ # origin after you create the CMK.
433
432
  #
434
433
  # The default is `AWS_KMS`, which means AWS KMS creates the key
435
434
  # material in its own key store.
@@ -441,14 +440,14 @@ module Aws::KMS
441
440
  # in the *AWS Key Management Service Developer Guide*.
442
441
  #
443
442
  # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
444
- # in a AWS KMS [custom key store][2] and creates its key material in
443
+ # in an AWS KMS [custom key store][2] and creates its key material in
445
444
  # the associated AWS CloudHSM cluster. You must also use the
446
445
  # `CustomKeyStoreId` parameter to identify the custom key store.
447
446
  #
448
447
  #
449
448
  #
450
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
451
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
449
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
450
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
452
451
  # @return [String]
453
452
  #
454
453
  # @!attribute [rw] custom_key_store_id
@@ -465,15 +464,14 @@ module Aws::KMS
465
464
  # The response includes the custom key store ID and the ID of the AWS
466
465
  # CloudHSM cluster.
467
466
  #
468
- # This operation is part of the [Custom Key Store feature][2] feature
467
+ # This operation is part of the [Custom Key Store feature][1] feature
469
468
  # in AWS KMS, which combines the convenience and extensive integration
470
469
  # of AWS KMS with the isolation and control of a single-tenant key
471
470
  # store.
472
471
  #
473
472
  #
474
473
  #
475
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
476
- # [2]: http://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
474
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
477
475
  # @return [String]
478
476
  #
479
477
  # @!attribute [rw] bypass_policy_lockout_safety_check
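Review bot: The changed line still reads `[Custom Key Store feature][1] feature`, repeating the word "feature" after the link text. Since this line is already being edited for the reference renumbering, it could drop the trailing word: `# This operation is part of the [Custom Key Store feature][1]`, with the following line continuing `# in AWS KMS, which combines ...` as before.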
@@ -484,8 +482,8 @@ module Aws::KMS
484
482
  # unmanageable. Do not set this value to true indiscriminately.
485
483
  #
486
484
  # For more information, refer to the scenario in the [Default Key
487
- # Policy][1] section in the *AWS Key Management Service Developer
488
- # Guide*.
485
+ # Policy][1] section in the <i> <i>AWS Key Management Service
486
+ # Developer Guide</i> </i>.
489
487
  #
490
488
  # Use this parameter only when you include a policy in the request and
491
489
  # you intend to prevent the principal that is making the request from
@@ -495,7 +493,7 @@ module Aws::KMS
495
493
  #
496
494
  #
497
495
  #
498
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
496
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
499
497
  # @return [Boolean]
500
498
  #
501
499
  # @!attribute [rw] tags
@@ -555,7 +553,7 @@ module Aws::KMS
555
553
  #
556
554
  #
557
555
  #
558
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
556
+ # [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr
559
557
  # @return [String]
560
558
  #
561
559
  # @!attribute [rw] connection_state
@@ -578,7 +576,7 @@ module Aws::KMS
578
576
  #
579
577
  #
580
578
  #
581
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
579
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
582
580
  # @return [String]
583
581
  #
584
582
  # @!attribute [rw] connection_error_code
@@ -592,6 +590,11 @@ module Aws::KMS
592
590
  # its AWS CloudHSM cluster, the cluster must contain at least one
593
591
  # active HSM.
594
592
  #
593
+ # * `INTERNAL_ERROR` - AWS KMS could not complete the request due to
594
+ # an internal error. Retry the request. For `ConnectCustomKeyStore`
595
+ # requests, disconnect the custom key store before trying to connect
596
+ # again.
597
+ #
595
598
  # * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
596
599
  # for the `kmsuser` crypto user in the AWS CloudHSM cluster.
597
600
  #
@@ -609,7 +612,7 @@ module Aws::KMS
609
612
  #
610
613
  #
611
614
  #
612
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
615
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
613
616
  # @return [String]
614
617
  #
615
618
  # @!attribute [rw] creation_date
@@ -651,7 +654,7 @@ module Aws::KMS
651
654
  #
652
655
  #
653
656
  #
654
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
657
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
655
658
  # @return [Hash<String,String>]
656
659
  #
657
660
  # @!attribute [rw] grant_tokens
@@ -662,7 +665,7 @@ module Aws::KMS
662
665
  #
663
666
  #
664
667
  #
665
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
668
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
666
669
  # @return [Array<String>]
667
670
  #
668
671
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
@@ -681,7 +684,7 @@ module Aws::KMS
681
684
  #
682
685
  # @!attribute [rw] plaintext
683
686
  # Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
684
- # the value is Base64-encdoded. Otherwise, it is not encoded.
687
+ # the value is Base64-encoded. Otherwise, it is not encoded.
685
688
  # @return [String]
686
689
  #
687
690
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
@@ -700,9 +703,8 @@ module Aws::KMS
700
703
  # }
701
704
  #
702
705
  # @!attribute [rw] alias_name
703
- # The alias to be deleted. The name must start with the word "alias"
704
- # followed by a forward slash (alias/). Aliases that begin with
705
- # "alias/aws" are reserved.
706
+ # The alias to be deleted. The alias name must begin with `alias/`
707
+ # followed by the alias name, such as `alias/ExampleAlias`.
706
708
  # @return [String]
707
709
  #
708
710
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAliasRequest AWS API Documentation
@@ -743,8 +745,8 @@ module Aws::KMS
743
745
  # }
744
746
  #
745
747
  # @!attribute [rw] key_id
746
- # The identifier of the CMK whose key material to delete. The CMK's
747
- # `Origin` must be `EXTERNAL`.
748
+ # Identifies the CMK from which you are deleting imported key
749
+ # material. The `Origin` of the CMK must be `EXTERNAL`.
748
750
  #
749
751
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
750
752
  #
@@ -830,8 +832,8 @@ module Aws::KMS
830
832
  # @!attribute [rw] truncated
831
833
  # A flag that indicates whether there are more items in the list. When
832
834
  # this value is true, the list in this response is truncated. To get
833
- # more items, pass the value of the `NextMarker` element in this
834
- # response to the `Marker` parameter in a subsequent request.
835
+ # more items, pass the value of the `NextMarker` element in
836
+ # thisresponse to the `Marker` parameter in a subsequent request.
835
837
  # @return [Boolean]
836
838
  #
837
839
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
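Review bot: The rewrapped `truncated` description loses a space: the added line at new line 836 begins with `thisresponse`, where the removed text had `this` and `response` as separate words. The hunk makes no other wording change, so restoring the old wrap is the simplest fix, with `in this` ending one line and `response to the` starting the next. If the file is generated, the typo should be corrected in the source model so it is not reintroduced.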
@@ -860,7 +862,7 @@ module Aws::KMS
860
862
  #
861
863
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
862
864
  # name, or alias ARN. When using an alias name, prefix it with
863
- # "alias/". To specify a CMK in a different AWS account, you must
865
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
864
866
  # use the key ARN or alias ARN.
865
867
  #
866
868
  # For example:
@@ -879,7 +881,7 @@ module Aws::KMS
879
881
  #
880
882
  #
881
883
  #
882
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
884
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
883
885
  # @return [String]
884
886
  #
885
887
  # @!attribute [rw] grant_tokens
@@ -890,7 +892,7 @@ module Aws::KMS
890
892
  #
891
893
  #
892
894
  #
893
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
895
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
894
896
  # @return [Array<String>]
895
897
  #
896
898
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
@@ -1073,7 +1075,7 @@ module Aws::KMS
1073
1075
  #
1074
1076
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1075
1077
  # name, or alias ARN. When using an alias name, prefix it with
1076
- # "alias/". To specify a CMK in a different AWS account, you must
1078
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1077
1079
  # use the key ARN or alias ARN.
1078
1080
  #
1079
1081
  # For example:
@@ -1103,7 +1105,7 @@ module Aws::KMS
1103
1105
  #
1104
1106
  #
1105
1107
  #
1106
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1108
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1107
1109
  # @return [Hash<String,String>]
1108
1110
  #
1109
1111
  # @!attribute [rw] grant_tokens
@@ -1114,7 +1116,7 @@ module Aws::KMS
1114
1116
  #
1115
1117
  #
1116
1118
  #
1117
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1119
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1118
1120
  # @return [Array<String>]
1119
1121
  #
1120
1122
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -1129,7 +1131,7 @@ module Aws::KMS
1129
1131
 
1130
1132
  # @!attribute [rw] ciphertext_blob
1131
1133
  # The encrypted plaintext. When you use the HTTP API or the AWS CLI,
1132
- # the value is Base64-encdoded. Otherwise, it is not encoded.
1134
+ # the value is Base64-encoded. Otherwise, it is not encoded.
1133
1135
  # @return [String]
1134
1136
  #
1135
1137
  # @!attribute [rw] key_id
@@ -1158,12 +1160,11 @@ module Aws::KMS
1158
1160
  # }
1159
1161
  #
1160
1162
  # @!attribute [rw] key_id
1161
- # The identifier of the CMK under which to generate and encrypt the
1162
- # data encryption key.
1163
+ # An identifier for the CMK that encrypts the data key.
1163
1164
  #
1164
1165
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1165
1166
  # name, or alias ARN. When using an alias name, prefix it with
1166
- # "alias/". To specify a CMK in a different AWS account, you must
1167
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1167
1168
  # use the key ARN or alias ARN.
1168
1169
  #
1169
1170
  # For example:
@@ -1190,20 +1191,19 @@ module Aws::KMS
1190
1191
  #
1191
1192
  #
1192
1193
  #
1193
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1194
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1194
1195
  # @return [Hash<String,String>]
1195
1196
  #
1196
1197
  # @!attribute [rw] number_of_bytes
1197
- # The length of the data encryption key in bytes. For example, use the
1198
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1199
- # common key lengths (128-bit and 256-bit symmetric keys), we
1200
- # recommend that you use the `KeySpec` field instead of this one.
1198
+ # The length of the data key in bytes. For example, use the value 64
1199
+ # to generate a 512-bit data key (64 bytes is 512 bits). For common
1200
+ # key lengths (128-bit and 256-bit symmetric keys), we recommend that
1201
+ # you use the `KeySpec` field instead of this one.
1201
1202
  # @return [Integer]
1202
1203
  #
1203
1204
  # @!attribute [rw] key_spec
1204
- # The length of the data encryption key. Use `AES_128` to generate a
1205
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1206
- # key.
1205
+ # The length of the data key. Use `AES_128` to generate a 128-bit
1206
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1207
1207
  # @return [String]
1208
1208
  #
1209
1209
  # @!attribute [rw] grant_tokens
@@ -1214,7 +1214,7 @@ module Aws::KMS
1214
1214
  #
1215
1215
  #
1216
1216
  #
1217
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1217
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1218
1218
  # @return [Array<String>]
1219
1219
  #
1220
1220
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
@@ -1229,20 +1229,19 @@ module Aws::KMS
1229
1229
  end
1230
1230
 
1231
1231
  # @!attribute [rw] ciphertext_blob
1232
- # The encrypted data encryption key. When you use the HTTP API or the
1233
- # AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.
1232
+ # The encrypted copy of the data key. When you use the HTTP API or the
1233
+ # AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
1234
1234
  # @return [String]
1235
1235
  #
1236
1236
  # @!attribute [rw] plaintext
1237
- # The data encryption key. When you use the HTTP API or the AWS CLI,
1238
- # the value is Base64-encdoded. Otherwise, it is not encoded. Use this
1239
- # data key for local encryption and decryption, then remove it from
1237
+ # The plaintext data key. When you use the HTTP API or the AWS CLI,
1238
+ # the value is Base64-encoded. Otherwise, it is not encoded. Use this
1239
+ # data key to encrypt your data outside of KMS. Then, remove it from
1240
1240
  # memory as soon as possible.
1241
1241
  # @return [String]
1242
1242
  #
1243
1243
  # @!attribute [rw] key_id
1244
- # The identifier of the CMK under which the data encryption key was
1245
- # generated and encrypted.
1244
+ # The identifier of the CMK that encrypted the data key.
1246
1245
  # @return [String]
1247
1246
  #
1248
1247
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -1268,12 +1267,12 @@ module Aws::KMS
1268
1267
  # }
1269
1268
  #
1270
1269
  # @!attribute [rw] key_id
1271
- # The identifier of the customer master key (CMK) under which to
1272
- # generate and encrypt the data encryption key.
1270
+ # The identifier of the customer master key (CMK) that encrypts the
1271
+ # data key.
1273
1272
  #
1274
1273
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1275
1274
  # name, or alias ARN. When using an alias name, prefix it with
1276
- # "alias/". To specify a CMK in a different AWS account, you must
1275
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1277
1276
  # use the key ARN or alias ARN.
1278
1277
  #
1279
1278
  # For example:
@@ -1300,20 +1299,19 @@ module Aws::KMS
1300
1299
  #
1301
1300
  #
1302
1301
  #
1303
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1302
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1304
1303
  # @return [Hash<String,String>]
1305
1304
  #
1306
1305
  # @!attribute [rw] key_spec
1307
- # The length of the data encryption key. Use `AES_128` to generate a
1308
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1309
- # key.
1306
+ # The length of the data key. Use `AES_128` to generate a 128-bit
1307
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1310
1308
  # @return [String]
1311
1309
  #
1312
1310
  # @!attribute [rw] number_of_bytes
1313
- # The length of the data encryption key in bytes. For example, use the
1314
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1315
- # common key lengths (128-bit and 256-bit symmetric keys), we
1316
- # recommend that you use the `KeySpec` field instead of this one.
1311
+ # The length of the data key in bytes. For example, use the value 64
1312
+ # to generate a 512-bit data key (64 bytes is 512 bits). For common
1313
+ # key lengths (128-bit and 256-bit symmetric keys), we recommend that
1314
+ # you use the `KeySpec` field instead of this one.
1317
1315
  # @return [Integer]
1318
1316
  #
1319
1317
  # @!attribute [rw] grant_tokens
@@ -1324,7 +1322,7 @@ module Aws::KMS
1324
1322
  #
1325
1323
  #
1326
1324
  #
1327
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1325
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1328
1326
  # @return [Array<String>]
1329
1327
  #
1330
1328
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
@@ -1339,13 +1337,12 @@ module Aws::KMS
1339
1337
  end
1340
1338
 
1341
1339
  # @!attribute [rw] ciphertext_blob
1342
- # The encrypted data encryption key. When you use the HTTP API or the
1343
- # AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.
1340
+ # The encrypted data key. When you use the HTTP API or the AWS CLI,
1341
+ # the value is Base64-encoded. Otherwise, it is not encoded.
1344
1342
  # @return [String]
1345
1343
  #
1346
1344
  # @!attribute [rw] key_id
1347
- # The identifier of the CMK under which the data encryption key was
1348
- # generated and encrypted.
1345
+ # The identifier of the CMK that encrypted the data key.
1349
1346
  # @return [String]
1350
1347
  #
1351
1348
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -1375,7 +1372,7 @@ module Aws::KMS
1375
1372
  #
1376
1373
  #
1377
1374
  #
1378
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1375
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1379
1376
  # @return [String]
1380
1377
  #
1381
1378
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -1388,7 +1385,7 @@ module Aws::KMS
1388
1385
 
1389
1386
  # @!attribute [rw] plaintext
1390
1387
  # The random byte string. When you use the HTTP API or the AWS CLI,
1391
- # the value is Base64-encdoded. Otherwise, it is not encoded.
1388
+ # the value is Base64-encoded. Otherwise, it is not encoded.
1392
1389
  # @return [String]
1393
1390
  #
1394
1391
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -1522,7 +1519,7 @@ module Aws::KMS
1522
1519
  #
1523
1520
  #
1524
1521
  #
1525
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
1522
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
1526
1523
  # @return [String]
1527
1524
  #
1528
1525
  # @!attribute [rw] wrapping_key_spec
@@ -1571,23 +1568,46 @@ module Aws::KMS
1571
1568
  include Aws::Structure
1572
1569
  end
1573
1570
 
1574
- # A structure that you can use to allow certain operations in the grant
1575
- # only when the desired encryption context is present. For more
1576
- # information about encryption context, see [Encryption Context][1] in
1577
- # the *AWS Key Management Service Developer Guide*.
1571
+ # Use this structure to allow cryptographic operations in the grant only
1572
+ # when the operation request includes the specified [encryption
1573
+ # context][1].
1574
+ #
1575
+ # AWS KMS applies the grant constraints only when the grant allows a
1576
+ # cryptographic operation that accepts an encryption context as input,
1577
+ # such as the following.
1578
+ #
1579
+ # * Encrypt
1580
+ #
1581
+ # * Decrypt
1582
+ #
1583
+ # * GenerateDataKey
1584
+ #
1585
+ # * GenerateDataKeyWithoutPlaintext
1586
+ #
1587
+ # * ReEncrypt
1578
1588
  #
1579
- # Grant constraints apply only to operations that accept encryption
1580
- # context as input. For example, the ` DescribeKey ` operation does not
1581
- # accept encryption context as input. A grant that allows the
1582
- # `DescribeKey` operation does so regardless of the grant constraints.
1583
- # In constrast, the ` Encrypt ` operation accepts encryption context as
1584
- # input. A grant that allows the `Encrypt` operation does so only when
1585
- # the encryption context of the `Encrypt` operation satisfies the grant
1586
- # constraints.
1589
+ # AWS KMS does not apply the grant constraints to other operations, such
1590
+ # as DescribeKey or ScheduleKeyDeletion.
1587
1591
  #
1592
+ # In a cryptographic operation, the encryption context in the decryption
1593
+ # operation must be an exact, case-sensitive match for the keys and
1594
+ # values in the encryption context of the encryption operation. Only the
1595
+ # order of the pairs can vary.
1588
1596
  #
1597
+ # However, in a grant constraint, the key in each key-value pair is not
1598
+ # case sensitive, but the value is case sensitive.
1589
1599
  #
1590
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1600
+ # To avoid confusion, do not use multiple encryption context pairs that
1601
+ # differ only by case. To require a fully case-sensitive encryption
1602
+ # context, use the `kms:EncryptionContext:` and
1603
+ # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
1604
+ # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
1605
+ # Management Service Developer Guide</i> </i>.
1606
+ #
1607
+ #
1608
+ #
1609
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1610
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
1591
1611
  #
1592
1612
  # @note When making an API call, you may pass GrantConstraints
1593
1613
  # data as a hash:
@@ -1602,20 +1622,18 @@ module Aws::KMS
1602
1622
  # }
1603
1623
  #
1604
1624
  # @!attribute [rw] encryption_context_subset
1605
- # A list of key-value pairs, all of which must be present in the
1606
- # encryption context of certain subsequent operations that the grant
1607
- # allows. When certain subsequent operations allowed by the grant
1608
- # include encryption context that matches this list or is a superset
1609
- # of this list, the grant allows the operation. Otherwise, the grant
1610
- # does not allow the operation.
1625
+ # A list of key-value pairs that must be included in the encryption
1626
+ # context of the cryptographic operation request. The grant allows the
1627
+ # cryptographic operation only when the encryption context in the
1628
+ # request includes the key-value pairs specified in this constraint,
1629
+ # although it can include additional key-value pairs.
1611
1630
  # @return [Hash<String,String>]
1612
1631
  #
1613
1632
  # @!attribute [rw] encryption_context_equals
1614
- # A list of key-value pairs that must be present in the encryption
1615
- # context of certain subsequent operations that the grant allows. When
1616
- # certain subsequent operations allowed by the grant include
1617
- # encryption context that matches this list, the grant allows the
1618
- # operation. Otherwise, the grant does not allow the operation.
1633
+ # A list of key-value pairs that must match the encryption context in
1634
+ # the cryptographic operation request. The grant allows the operation
1635
+ # only when the encryption context in the request is the same as the
1636
+ # encryption context specified in this constraint.
1619
1637
  # @return [Hash<String,String>]
1620
1638
  #
1621
1639
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
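Review bot: The new `encryption_context_equals` text says the grant allows the operation only when the request's encryption context "is the same as" the constraint. The struct-level comment added in the preceding hunk says that in a grant constraint the key of each pair is not case sensitive. A reader who sees only the attribute documentation will assume an exact, case-sensitive match, which is stricter than what that comment describes. I would add a sentence to both `encryption_context_subset` and `encryption_context_equals`, such as `# Keys in this constraint are matched without regard to case; values are case sensitive.` It should also point to the `kms:EncryptionContext:` policy condition for callers who need a fully case-sensitive requirement.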
@@ -1794,7 +1812,7 @@ module Aws::KMS
1794
1812
  #
1795
1813
  #
1796
1814
  #
1797
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
1815
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
1798
1816
  # @return [String]
1799
1817
  #
1800
1818
  # @!attribute [rw] creation_date
@@ -1811,9 +1829,9 @@ module Aws::KMS
1811
1829
  # @return [String]
1812
1830
  #
1813
1831
  # @!attribute [rw] key_usage
1814
- # The cryptographic operations for which you can use the CMK.
1815
- # Currently the only allowed value is `ENCRYPT_DECRYPT`, which means
1816
- # you can use the CMK for the Encrypt and Decrypt operations.
1832
+ # The cryptographic operations for which you can use the CMK. The only
1833
+ # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
1834
+ # encrypt and decrypt data.
1817
1835
  # @return [String]
1818
1836
  #
1819
1837
  # @!attribute [rw] key_state
@@ -1825,7 +1843,7 @@ module Aws::KMS
1825
1843
  #
1826
1844
  #
1827
1845
  #
1828
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1846
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1829
1847
  # @return [String]
1830
1848
  #
1831
1849
  # @!attribute [rw] deletion_date
@@ -1857,7 +1875,7 @@ module Aws::KMS
1857
1875
  #
1858
1876
  #
1859
1877
  #
1860
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1878
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1861
1879
  # @return [String]
1862
1880
  #
1863
1881
  # @!attribute [rw] cloud_hsm_cluster_id
@@ -1869,7 +1887,7 @@ module Aws::KMS
1869
1887
  #
1870
1888
  #
1871
1889
  #
1872
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1890
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1873
1891
  # @return [String]
1874
1892
  #
1875
1893
  # @!attribute [rw] expiration_model
@@ -1879,13 +1897,14 @@ module Aws::KMS
1879
1897
  # @return [String]
1880
1898
  #
1881
1899
  # @!attribute [rw] key_manager
1882
- # The CMK's manager. CMKs are either customer-managed or AWS-managed.
1883
- # For more information about the difference, see [Customer Master
1884
- # Keys][1] in the *AWS Key Management Service Developer Guide*.
1900
+ # The manager of the CMK. CMKs in your AWS account are either customer
1901
+ # managed or AWS managed. For more information about the difference,
1902
+ # see [Customer Master Keys][1] in the *AWS Key Management Service
1903
+ # Developer Guide*.
1885
1904
  #
1886
1905
  #
1887
1906
  #
1888
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1907
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1889
1908
  # @return [String]
1890
1909
  #
1891
1910
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
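Review bot: The `@see` link on the last line of this hunk still uses `http://docs.aws.amazon.com/goto/...`, although the hunk moves the `[1]:` reference link to `https://`. The same plain-HTTP `@see` lines remain as context in the GrantConstraints, List*Response, PutKeyPolicyRequest, ReEncryptRequest and UpdateCustomKeyStoreRequest hunks. Switching those to `https://docs.aws.amazon.com/goto/...` would make the links consistent and avoid sending readers over an unencrypted hop. If the file is generated, the change belongs in the generator template rather than here.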
@@ -1965,8 +1984,8 @@ module Aws::KMS
1965
1984
  # @!attribute [rw] truncated
1966
1985
  # A flag that indicates whether there are more items in the list. When
1967
1986
  # this value is true, the list in this response is truncated. To get
1968
- # more items, pass the value of the `NextMarker` element in this
1969
- # response to the `Marker` parameter in a subsequent request.
1987
+ # more items, pass the value of the `NextMarker` element in
1988
+ # thisresponse to the `Marker` parameter in a subsequent request.
1970
1989
  # @return [Boolean]
1971
1990
  #
1972
1991
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliasesResponse AWS API Documentation
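Review bot: The re-wrapped `truncated` description introduces the typo "thisresponse" on new line 1988, because the space between "this" and "response" was lost when the line break moved. Restore the previous wrap so the first line ends with `element in this` and the next begins with `response to the`. The same typo is added in the ListGrantsResponse, ListKeyPoliciesResponse, ListKeysResponse and ListResourceTagsResponse hunks below. If this file is generated from the service model, the fix belongs in the model text upstream.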
@@ -2041,8 +2060,8 @@ module Aws::KMS
2041
2060
  # @!attribute [rw] truncated
2042
2061
  # A flag that indicates whether there are more items in the list. When
2043
2062
  # this value is true, the list in this response is truncated. To get
2044
- # more items, pass the value of the `NextMarker` element in this
2045
- # response to the `Marker` parameter in a subsequent request.
2063
+ # more items, pass the value of the `NextMarker` element in
2064
+ # thisresponse to the `Marker` parameter in a subsequent request.
2046
2065
  # @return [Boolean]
2047
2066
  #
2048
2067
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsResponse AWS API Documentation
@@ -2088,7 +2107,7 @@ module Aws::KMS
2088
2107
  # and 1000, inclusive. If you do not include a value, it defaults to
2089
2108
  # 100.
2090
2109
  #
2091
- # Currently only 1 policy can be attached to a key.
2110
+ # Only one policy can be attached to a key.
2092
2111
  # @return [Integer]
2093
2112
  #
2094
2113
  # @!attribute [rw] marker
@@ -2107,8 +2126,7 @@ module Aws::KMS
2107
2126
  end
2108
2127
 
2109
2128
  # @!attribute [rw] policy_names
2110
- # A list of key policy names. Currently, there is only one key policy
2111
- # per CMK and it is always named `default`.
2129
+ # A list of key policy names. The only valid value is `default`.
2112
2130
  # @return [Array<String>]
2113
2131
  #
2114
2132
  # @!attribute [rw] next_marker
@@ -2119,8 +2137,8 @@ module Aws::KMS
2119
2137
  # @!attribute [rw] truncated
2120
2138
  # A flag that indicates whether there are more items in the list. When
2121
2139
  # this value is true, the list in this response is truncated. To get
2122
- # more items, pass the value of the `NextMarker` element in this
2123
- # response to the `Marker` parameter in a subsequent request.
2140
+ # more items, pass the value of the `NextMarker` element in
2141
+ # thisresponse to the `Marker` parameter in a subsequent request.
2124
2142
  # @return [Boolean]
2125
2143
  #
2126
2144
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPoliciesResponse AWS API Documentation
@@ -2176,8 +2194,8 @@ module Aws::KMS
2176
2194
  # @!attribute [rw] truncated
2177
2195
  # A flag that indicates whether there are more items in the list. When
2178
2196
  # this value is true, the list in this response is truncated. To get
2179
- # more items, pass the value of the `NextMarker` element in this
2180
- # response to the `Marker` parameter in a subsequent request.
2197
+ # more items, pass the value of the `NextMarker` element in
2198
+ # thisresponse to the `Marker` parameter in a subsequent request.
2181
2199
  # @return [Boolean]
2182
2200
  #
2183
2201
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeysResponse AWS API Documentation
@@ -2255,8 +2273,8 @@ module Aws::KMS
2255
2273
  # @!attribute [rw] truncated
2256
2274
  # A flag that indicates whether there are more items in the list. When
2257
2275
  # this value is true, the list in this response is truncated. To get
2258
- # more items, pass the value of the `NextMarker` element in this
2259
- # response to the `Marker` parameter in a subsequent request.
2276
+ # more items, pass the value of the `NextMarker` element in
2277
+ # thisresponse to the `Marker` parameter in a subsequent request.
2260
2278
  # @return [Boolean]
2261
2279
  #
2262
2280
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTagsResponse AWS API Documentation
@@ -2305,8 +2323,8 @@ module Aws::KMS
2305
2323
  #
2306
2324
  #
2307
2325
  #
2308
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
2309
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
2326
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
2327
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
2310
2328
  # @return [String]
2311
2329
  #
2312
2330
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
@@ -2375,8 +2393,8 @@ module Aws::KMS
2375
2393
  #
2376
2394
  #
2377
2395
  #
2378
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2379
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
2396
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2397
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
2380
2398
  # @return [String]
2381
2399
  #
2382
2400
  # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -2398,7 +2416,7 @@ module Aws::KMS
2398
2416
  #
2399
2417
  #
2400
2418
  #
2401
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2419
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2402
2420
  # @return [Boolean]
2403
2421
  #
2404
2422
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -2440,7 +2458,7 @@ module Aws::KMS
2440
2458
  #
2441
2459
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2442
2460
  # name, or alias ARN. When using an alias name, prefix it with
2443
- # "alias/". To specify a CMK in a different AWS account, you must
2461
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
2444
2462
  # use the key ARN or alias ARN.
2445
2463
  #
2446
2464
  # For example:
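Review bot: On new line 2461 the backticked literal includes the double quotes, so it renders as a code span containing `"alias/"`. Other alias attributes in this diff write the prefix as `alias/` with no quotes. A reader copying the code span could carry the quotes into the key identifier, so `alias/` alone is the safer form. The attribute description continues past the end of this hunk.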
@@ -2470,7 +2488,7 @@ module Aws::KMS
2470
2488
  #
2471
2489
  #
2472
2490
  #
2473
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2491
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2474
2492
  # @return [Array<String>]
2475
2493
  #
2476
2494
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
@@ -2486,7 +2504,7 @@ module Aws::KMS
2486
2504
 
2487
2505
  # @!attribute [rw] ciphertext_blob
2488
2506
  # The reencrypted data. When you use the HTTP API or the AWS CLI, the
2489
- # value is Base64-encdoded. Otherwise, it is not encoded.
2507
+ # value is Base64-encoded. Otherwise, it is not encoded.
2490
2508
  # @return [String]
2491
2509
  #
2492
2510
  # @!attribute [rw] source_key_id
@@ -2651,7 +2669,7 @@ module Aws::KMS
2651
2669
  #
2652
2670
  #
2653
2671
  #
2654
- # [1]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
2672
+ # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
2655
2673
  #
2656
2674
  # @note When making an API call, you may pass Tag
2657
2675
  # data as a hash:
@@ -2763,14 +2781,15 @@ module Aws::KMS
2763
2781
  # }
2764
2782
  #
2765
2783
  # @!attribute [rw] alias_name
2766
- # String that contains the name of the alias to be modified. The name
2767
- # must start with the word "alias" followed by a forward slash
2768
- # (alias/). Aliases that begin with "alias/aws" are reserved.
2784
+ # Specifies the name of the alias to change. This value must begin
2785
+ # with `alias/` followed by the alias name, such as
2786
+ # `alias/ExampleAlias`.
2769
2787
  # @return [String]
2770
2788
  #
2771
2789
  # @!attribute [rw] target_key_id
2772
- # Unique identifier of the customer master key to be mapped to the
2773
- # alias.
2790
+ # Unique identifier of the customer master key (CMK) to be mapped to
2791
+ # the alias. When the update operation completes, the alias will point
2792
+ # to this CMK.
2774
2793
  #
2775
2794
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2776
2795
  #
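Review bot: The new `alias_name` description for the alias update drops the old sentence saying that aliases beginning with "alias/aws" are reserved. The create-alias description in this same diff still states that restriction for the `alias/aws/` prefix. If the restriction still applies to updates, keep it for consistency, for example `# The alias name cannot begin with alias/aws/, which is reserved for AWS managed CMKs.` That way a reader does not assume a reserved alias can be repointed. The `target_key_id` description continues past the end of this hunk.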
@@ -2831,17 +2850,18 @@ module Aws::KMS
2831
2850
  # Associates the custom key store with a related AWS CloudHSM cluster.
2832
2851
  #
2833
2852
  # Enter the cluster ID of the cluster that you used to create the
2834
- # custom key store or a cluster that shares a backup history with the
2835
- # original cluster. You cannot use this parameter to associate a
2836
- # custom key store with a different cluster.
2837
- #
2838
- # Clusters that share a backup history have the same cluster
2839
- # certificate. To view the cluster certificate of a cluster, use the
2840
- # [DescribeClusters][1] operation.
2853
+ # custom key store or a cluster that shares a backup history and has
2854
+ # the same cluster certificate as the original cluster. You cannot use
2855
+ # this parameter to associate a custom key store with an unrelated
2856
+ # cluster. In addition, the replacement cluster must [fulfill the
2857
+ # requirements][1] for a cluster associated with a custom key store.
2858
+ # To view the cluster certificate of a cluster, use the
2859
+ # [DescribeClusters][2] operation.
2841
2860
  #
2842
2861
  #
2843
2862
  #
2844
- # [1]: http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
2863
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
2864
+ # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
2845
2865
  # @return [String]
2846
2866
  #
2847
2867
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation