aws-sdk-kms 1.22.0 → 1.27.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 50f608adc3ce38ca6ab78d51990d44b4cb45d92c
4
- data.tar.gz: 78cc86d40557725592ac8127f027591ef0da79c3
3
+ metadata.gz: 6a983aaa03a80ed7188f61a1bab13d7bcddf5701
4
+ data.tar.gz: 155fd553e0ddd8cb820d3f1b4e8f051177446d1f
5
5
  SHA512:
6
- metadata.gz: 4709e5fb7f4410641b062f60c0e88640d2eb83b363f065622cf8ee6ab15221fd40ef91a4dfb1d9f33f28a2a7a488cb1fda035f8d8bf7f880cbf4730581299b06
7
- data.tar.gz: 35c99b623ac411d25627d3cc7652ac4c8fe40ef29e4794307bc3fdb9629df70c853966fe8eba4f311f2c4286e090e46b68f5a4fe42da72f6935b49348c7abb7d
6
+ metadata.gz: 39eb4bc0cfd2bb7b6cd062d5b1b54052edf5868d720bae9f20359a75b8c84721b676e20444e4454b446b576ea5009ff5d5b3259094d82a0d8eb758abd27af195
7
+ data.tar.gz: 0fd429e969b0ba7461822783be9b7ea9e77239e021ff189bdeb729327ff2179b887009eacdd77d237f32ae622851fd483cb539fe69717f9d670799e779731741
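Review bot: both the SHA1 and SHA512 entries for metadata.gz and data.tar.gz change here, which is expected for a repackaged gem, but checksums.yaml travels inside the gem and cannot attest to its own integrity; before pinning 1.27.0 in a lockfile, compare the new SHA512 of data.tar.gz (`0fd429e9...`) and metadata.gz (`39eb4bc0...`) against the checksum rubygems.org publishes for this version rather than trusting the value in the package.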
@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
42
42
  # @service
43
43
  module Aws::KMS
44
44
 
45
- GEM_VERSION = '1.22.0'
45
+ GEM_VERSION = '1.27.0'
46
46
 
47
47
  end
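Review bot: the bump from `GEM_VERSION = '1.22.0'` to `'1.27.0'` skips five releases, yet no CHANGELOG.md hunk appears in this diff; include or link the changelog entries for 1.23.0 through 1.27.0 so the asymmetric-key additions in the hunks below (new `KeyUsage` values, `CustomerMasterKeySpec`, new grant operations, `Decrypt` parameters) can be tied to the release that introduced each.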
@@ -265,17 +265,17 @@ module Aws::KMS
265
265
  # @!group API Operations
266
266
 
267
267
  # Cancels the deletion of a customer master key (CMK). When this
268
- # operation is successful, the CMK is set to the `Disabled` state. To
269
- # enable a CMK, use EnableKey. You cannot perform this operation on a
270
- # CMK in a different AWS account.
268
+ # operation succeeds, the key state of the CMK is `Disabled`. To enable
269
+ # the CMK, use EnableKey. You cannot perform this operation on a CMK in
270
+ # a different AWS account.
271
271
  #
272
272
  # For more information about scheduling and canceling deletion of a CMK,
273
273
  # see [Deleting Customer Master Keys][1] in the *AWS Key Management
274
274
  # Service Developer Guide*.
275
275
  #
276
- # The result of this operation varies with the key state of the CMK. For
277
- # details, see [How Key State Affects Use of a Customer Master Key][2]
278
- # in the *AWS Key Management Service Developer Guide*.
276
+ # The CMK that you use for this operation must be in a compatible key
277
+ # state. For details, see [How Key State Affects Use of a Customer
278
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
279
279
  #
280
280
  #
281
281
  #
@@ -405,39 +405,78 @@ module Aws::KMS
405
405
  end
406
406
 
407
407
  # Creates a display name for a customer managed customer master key
408
- # (CMK). You can use an alias to identify a CMK in selected operations,
409
- # such as Encrypt and GenerateDataKey.
410
- #
411
- # Each CMK can have multiple aliases, but each alias points to only one
412
- # CMK. The alias name must be unique in the AWS account and region. To
413
- # simplify code that runs in multiple regions, use the same alias name,
414
- # but point it to a different CMK in each region.
408
+ # (CMK). You can use an alias to identify a CMK in cryptographic
409
+ # operations, such as Encrypt and GenerateDataKey. You can change the
410
+ # CMK associated with the alias at any time.
411
+ #
412
+ # Aliases are easier to remember than key IDs. They can also help to
413
+ # simplify your applications. For example, if you use an alias in your
414
+ # code, you can change the CMK your code uses by associating a given
415
+ # alias with a different CMK.
416
+ #
417
+ # To run the same code in multiple AWS regions, use an alias in your
418
+ # code, such as `alias/ApplicationKey`. Then, in each AWS Region, create
419
+ # an `alias/ApplicationKey` alias that is associated with a CMK in that
420
+ # Region. When you run your code, it uses the `alias/ApplicationKey` CMK
421
+ # for that AWS Region without any Region-specific code.
422
+ #
423
+ # This operation does not return a response. To get the alias that you
424
+ # created, use the ListAliases operation.
425
+ #
426
+ # To use aliases successfully, be aware of the following information.
427
+ #
428
+ # * Each alias points to only one CMK at a time, although a single CMK
429
+ # can have multiple aliases. The alias and its associated CMK must be
430
+ # in the same AWS account and Region.
431
+ #
432
+ # * You can associate an alias with any customer managed CMK in the same
433
+ # AWS account and Region. However, you do not have permission to
434
+ # associate an alias with an [AWS managed CMK][1] or an [AWS owned
435
+ # CMK][2].
436
+ #
437
+ # * To change the CMK associated with an alias, use the UpdateAlias
438
+ # operation. The current CMK and the new CMK must be the same type
439
+ # (both symmetric or both asymmetric) and they must have the same key
440
+ # usage (`ENCRYPT_DECRYPT` or `SIGN_VERIFY`). This restriction
441
+ # prevents cryptographic errors in code that uses aliases.
442
+ #
443
+ # * The alias name must begin with `alias/` followed by a name, such as
444
+ # `alias/ExampleAlias`. It can contain only alphanumeric characters,
445
+ # forward slashes (/), underscores (\_), and dashes (-). The alias
446
+ # name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
447
+ # reserved for [AWS managed CMKs][1].
448
+ #
449
+ # * The alias name must be unique within an AWS Region. However, you can
450
+ # use the same alias name in multiple Regions of the same AWS account.
451
+ # Each instance of the alias is associated with a CMK in its Region.
452
+ #
453
+ # * After you create an alias, you cannot change its alias name.
454
+ # However, you can use the DeleteAlias operation to delete the alias
455
+ # and then create a new alias with the desired name.
456
+ #
457
+ # * You can use an alias name or alias ARN to identify a CMK in AWS KMS
458
+ # cryptographic operations and in the DescribeKey operation. However,
459
+ # you cannot use alias names or alias ARNs in API operations that
460
+ # manage CMKs, such as DisableKey or GetKeyPolicy. For information
461
+ # about the valid CMK identifiers for each AWS KMS API operation, see
462
+ # the descriptions of the `KeyId` parameter in the API operation
463
+ # documentation.
415
464
  #
416
465
  # Because an alias is not a property of a CMK, you can delete and change
417
466
  # the aliases of a CMK without affecting the CMK. Also, aliases do not
418
467
  # appear in the response from the DescribeKey operation. To get the
419
- # aliases of all CMKs, use the ListAliases operation.
420
- #
421
- # The alias name must begin with `alias/` followed by a name, such as
422
- # `alias/ExampleAlias`. It can contain only alphanumeric characters,
423
- # forward slashes (/), underscores (\_), and dashes (-). The alias name
424
- # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
425
- # for [AWS managed CMKs][1].
426
- #
427
- # The alias and the CMK it is mapped to must be in the same AWS account
428
- # and the same region. You cannot perform this operation on an alias in
429
- # a different AWS account.
468
+ # aliases and alias ARNs of CMKs in each AWS account and Region, use the
469
+ # ListAliases operation.
430
470
  #
431
- # To map an existing alias to a different CMK, call UpdateAlias.
432
- #
433
- # The result of this operation varies with the key state of the CMK. For
434
- # details, see [How Key State Affects Use of a Customer Master Key][2]
435
- # in the *AWS Key Management Service Developer Guide*.
471
+ # The CMK that you use for this operation must be in a compatible key
472
+ # state. For details, see [How Key State Affects Use of a Customer
473
+ # Master Key][3] in the *AWS Key Management Service Developer Guide*.
436
474
  #
437
475
  #
438
476
  #
439
477
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
440
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
478
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
479
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
441
480
  #
442
481
  # @option params [required, String] :alias_name
443
482
  # Specifies the alias name. This value must begin with `alias/` followed
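Review bot: the footnote for the key-state guide is renumbered from `[2]` to `[3]` (the new `[2]` is the AWS owned CMK link) while only the lines in this hunk are updated; confirm that the remaining `@option` text for this method, including the `:target_key_id` description outside the hunk, contains no reference to `[2]` that still means "How Key State Affects Use of a Customer Master Key", otherwise it now points at the wrong page. Separately, the name-format rule in the bullet at `# * The alias name must begin with `alias/` followed by a name` duplicates the text that the `:alias_name` option begins with right after this hunk; one of the two could refer to the other.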
@@ -581,23 +620,58 @@ module Aws::KMS
581
620
  # key policies.
582
621
  #
583
622
  # To create a grant that allows a cryptographic operation only when the
584
- # encryption context in the operation request matches or includes a
585
- # specified encryption context, use the `Constraints` parameter. For
586
- # details, see GrantConstraints.
623
+ # request includes a particular [encryption context][1], use the
624
+ # `Constraints` parameter. For details, see GrantConstraints.
625
+ #
626
+ # You can create grants on symmetric and asymmetric CMKs. However, if
627
+ # the grant allows an operation that the CMK does not support,
628
+ # `CreateGrant` fails with a `ValidationException`.
629
+ #
630
+ # * Grants for symmetric CMKs cannot allow operations that are not
631
+ # supported for symmetric CMKs, including Sign, Verify, and
632
+ # GetPublicKey. (There are limited exceptions to this rule for legacy
633
+ # operations, but you should not create a grant for an operation that
634
+ # AWS KMS does not support.)
635
+ #
636
+ # * Grants for asymmetric CMKs cannot allow operations that are not
637
+ # supported for asymmetric CMKs, including operations that [generate
638
+ # data keys][2] or [data key pairs][3], or operations related to
639
+ # [automatic key rotation][4], [imported key material][5], or CMKs in
640
+ # [custom key stores][6].
641
+ #
642
+ # * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
643
+ # cannot allow the Sign or Verify operations. Grants for asymmetric
644
+ # CMKs with a `KeyUsage` of `SIGN_VERIFY` cannot allow the Encrypt or
645
+ # Decrypt operations.
646
+ #
647
+ # * Grants for asymmetric CMKs cannot include an encryption context
648
+ # grant constraint. An encryption context is not supported on
649
+ # asymmetric CMKs.
650
+ #
651
+ # For information about symmetric and asymmetric CMKs, see [Using
652
+ # Symmetric and Asymmetric CMKs][7] in the *AWS Key Management Service
653
+ # Developer Guide*.
587
654
  #
588
655
  # To perform this operation on a CMK in a different AWS account, specify
589
656
  # the key ARN in the value of the `KeyId` parameter. For more
590
- # information about grants, see [Grants][1] in the <i> <i>AWS Key
657
+ # information about grants, see [Grants][8] in the <i> <i>AWS Key
591
658
  # Management Service Developer Guide</i> </i>.
592
659
  #
593
- # The result of this operation varies with the key state of the CMK. For
594
- # details, see [How Key State Affects Use of a Customer Master Key][2]
595
- # in the *AWS Key Management Service Developer Guide*.
660
+ # The CMK that you use for this operation must be in a compatible key
661
+ # state. For details, see [How Key State Affects Use of a Customer
662
+ # Master Key][9] in the *AWS Key Management Service Developer Guide*.
596
663
  #
597
664
  #
598
665
  #
599
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
600
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
666
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
667
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
668
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
669
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
670
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
671
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
672
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
673
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
674
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
601
675
  #
602
676
  # @option params [required, String] :key_id
603
677
  # The unique identifier for the customer master key (CMK) that the grant
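Review bot: the parenthetical "(There are limited exceptions to this rule for legacy operations, but you should not create a grant for an operation that AWS KMS does not support.)" leaves the reader unable to tell which operations on a symmetric CMK are the exception; either name the legacy operations or drop the parenthetical, since the surrounding bullets are otherwise precise about which `operations` values `CreateGrant` rejects with `ValidationException`. Also, the doubled `<i> <i>AWS Key Management Service Developer Guide</i> </i>` markup survives from the old text on the `[8]` line and renders as nested italics in YARD.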
@@ -720,7 +794,7 @@ module Aws::KMS
720
794
  # key_id: "KeyIdType", # required
721
795
  # grantee_principal: "PrincipalIdType", # required
722
796
  # retiring_principal: "PrincipalIdType",
723
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
797
+ # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
724
798
  # constraints: {
725
799
  # encryption_context_subset: {
726
800
  # "EncryptionContextKey" => "EncryptionContextValue",
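Review bot: the `operations:` comment now accepts `Sign`, `Verify`, `GetPublicKey`, `GenerateDataKeyPair` and `GenerateDataKeyPairWithoutPlaintext`, but the example still shows a `constraints:` block with `encryption_context_subset` directly beneath it, and the method doc above states that grants for asymmetric CMKs cannot include an encryption context grant constraint; a one-line comment on `constraints:` saying it applies only to grants on symmetric CMKs would keep a reader from copying `operations: ["Sign"]` together with a constraint and getting a `ValidationException`.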
@@ -747,31 +821,89 @@ module Aws::KMS
747
821
  req.send_request(options)
748
822
  end
749
823
 
750
- # Creates a customer managed [customer master key][1] (CMK) in your AWS
751
- # account.
824
+ # Creates a unique customer managed [customer master key][1] (CMK) in
825
+ # your AWS account and Region. You cannot use this operation to create a
826
+ # CMK in a different AWS account.
752
827
  #
753
- # You can use a CMK to encrypt small amounts of data (up to 4096 bytes)
754
- # directly. But CMKs are more commonly used to encrypt the [data
755
- # keys][2] that are used to encrypt data.
828
+ # You can use the `CreateKey` operation to create symmetric or
829
+ # asymmetric CMKs.
830
+ #
831
+ # * **Symmetric CMKs** contain a 256-bit symmetric key that never leaves
832
+ # AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can
833
+ # use a symmetric CMK to encrypt and decrypt small amounts of data,
834
+ # but they are typically used to generate [data keys][2] or data key
835
+ # pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
836
+ #
837
+ # * **Asymmetric CMKs** can contain an RSA key pair or an Elliptic Curve
838
+ # (ECC) key pair. The private key in an asymmetric CMK never leaves
839
+ # AWS KMS unencrypted. However, you can use the GetPublicKey operation
840
+ # to download the public key so it can be used outside of AWS KMS.
841
+ # CMKs with RSA key pairs can be used to encrypt or decrypt data or
842
+ # sign and verify messages (but not both). CMKs with ECC key pairs can
843
+ # be used only to sign and verify messages.
844
+ #
845
+ # For information about symmetric and asymmetric CMKs, see [Using
846
+ # Symmetric and Asymmetric CMKs][3] in the *AWS Key Management Service
847
+ # Developer Guide*.
756
848
  #
757
- # To create a CMK for imported key material, use the `Origin` parameter
758
- # with a value of `EXTERNAL`.
849
+ # To create different types of CMKs, use the following guidance:
759
850
  #
760
- # To create a CMK in a [custom key store][3], use the `CustomKeyStoreId`
761
- # parameter to specify the custom key store. You must also use the
762
- # `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
763
- # cluster that is associated with the custom key store must have at
764
- # least two active HSMs in different Availability Zones in the AWS
765
- # Region.
851
+ # Asymmetric CMKs
766
852
  #
767
- # You cannot use this operation to create a CMK in a different AWS
768
- # account.
853
+ # : To create an asymmetric CMK, use the `CustomerMasterKeySpec`
854
+ # parameter to specify the type of key material in the CMK. Then, use
855
+ # the `KeyUsage` parameter to determine whether the CMK will be used
856
+ # to encrypt and decrypt or sign and verify. You can't change these
857
+ # properties after the CMK is created.
858
+ #
859
+ #
860
+ #
861
+ # Symmetric CMKs
862
+ #
863
+ # : When creating a symmetric CMK, you don't need to specify the
864
+ # `CustomerMasterKeySpec` or `KeyUsage` parameters. The default value
865
+ # for `CustomerMasterKeySpec`, `SYMMETRIC_DEFAULT`, and the default
866
+ # value for `KeyUsage`, `ENCRYPT_DECRYPT`, are the only valid values
867
+ # for symmetric CMKs.
868
+ #
869
+ #
870
+ #
871
+ # Imported Key Material
872
+ #
873
+ # : To import your own key material, begin by creating a symmetric CMK
874
+ # with no key material. To do this, use the `Origin` parameter of
875
+ # `CreateKey` with a value of `EXTERNAL`. Next, use
876
+ # GetParametersForImport operation to get a public key and import
877
+ # token, and use the public key to encrypt your key material. Then,
878
+ # use ImportKeyMaterial with your import token to import the key
879
+ # material. For step-by-step instructions, see [Importing Key
880
+ # Material][4] in the <i> <i>AWS Key Management Service Developer
881
+ # Guide</i> </i>. You cannot import the key material into an
882
+ # asymmetric CMK.
883
+ #
884
+ #
885
+ #
886
+ # Custom Key Stores
887
+ #
888
+ # : To create a symmetric CMK in a [custom key store][5], use the
889
+ # `CustomKeyStoreId` parameter to specify the custom key store. You
890
+ # must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
891
+ # The AWS CloudHSM cluster that is associated with the custom key
892
+ # store must have at least two active HSMs in different Availability
893
+ # Zones in the AWS Region.
894
+ #
895
+ # You cannot create an asymmetric CMK in a custom key store. For
896
+ # information about custom key stores in AWS KMS see [Using Custom Key
897
+ # Stores][5] in the <i> <i>AWS Key Management Service Developer
898
+ # Guide</i> </i>.
769
899
  #
770
900
  #
771
901
  #
772
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
902
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys
773
903
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
774
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
904
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
905
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
906
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
775
907
  #
776
908
  # @option params [String] :policy
777
909
  # The key policy to attach to the CMK.
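Review bot: in the "Imported Key Material" entry, "Next, use GetParametersForImport operation to get a public key" is missing "the" ("use the GetParametersForImport operation"). The `[1]` link anchor also changes from `concepts.html#master_keys` to `concepts.html#master-keys`; verify the new anchor resolves, since the `[2]` link on the next line keeps the hyphenated `#data-keys` form and this looks like an anchor correction rather than a content change.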
@@ -814,27 +946,87 @@ module Aws::KMS
814
946
  # for a task.
815
947
  #
816
948
  # @option params [String] :key_usage
817
- # The cryptographic operations for which you can use the CMK. The only
818
- # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
819
- # encrypt and decrypt data.
949
+ # Determines the cryptographic operations for which you can use the CMK.
950
+ # The default value is `ENCRYPT_DECRYPT`. This parameter is required
951
+ # only for asymmetric CMKs. You can't change the `KeyUsage` value after
952
+ # the CMK is created.
953
+ #
954
+ # Select only one valid value.
955
+ #
956
+ # * For symmetric CMKs, omit the parameter or specify `ENCRYPT_DECRYPT`.
957
+ #
958
+ # * For asymmetric CMKs with RSA key material, specify `ENCRYPT_DECRYPT`
959
+ # or `SIGN_VERIFY`.
960
+ #
961
+ # * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
962
+ #
963
+ # @option params [String] :customer_master_key_spec
964
+ # Specifies the type of CMK to create. The `CustomerMasterKeySpec`
965
+ # determines whether the CMK contains a symmetric key or an asymmetric
966
+ # key pair. It also determines the encryption algorithms or signing
967
+ # algorithms that the CMK supports. You can't change the
968
+ # `CustomerMasterKeySpec` after the CMK is created. To further restrict
969
+ # the algorithms that can be used with the CMK, use its key policy or
970
+ # IAM policy.
971
+ #
972
+ # For help with choosing a key spec for your CMK, see [Selecting a
973
+ # Customer Master Key Spec][1] in the *AWS Key Management Service
974
+ # Developer Guide*.
975
+ #
976
+ # The default value, `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit
977
+ # symmetric key.
978
+ #
979
+ # AWS KMS supports the following key specs for CMKs:
980
+ #
981
+ # * Symmetric key (default)
982
+ #
983
+ # * `SYMMETRIC_DEFAULT` (AES-256-GCM)
984
+ #
985
+ # ^
986
+ #
987
+ # * Asymmetric RSA key pairs
988
+ #
989
+ # * `RSA_2048`
990
+ #
991
+ # * `RSA_3072`
992
+ #
993
+ # * `RSA_4096`
994
+ #
995
+ # * Asymmetric NIST-recommended elliptic curve key pairs
996
+ #
997
+ # * `ECC_NIST_P256` (secp256r1)
998
+ #
999
+ # * `ECC_NIST_P384` (secp384r1)
1000
+ #
1001
+ # * `ECC_NIST_P521` (secp521r1)
1002
+ #
1003
+ # * Other asymmetric elliptic curve key pairs
1004
+ #
1005
+ # * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
1006
+ #
1007
+ # ^
1008
+ #
1009
+ #
1010
+ #
1011
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec
820
1012
  #
821
1013
  # @option params [String] :origin
822
1014
  # The source of the key material for the CMK. You cannot change the
823
- # origin after you create the CMK.
824
- #
825
- # The default is `AWS_KMS`, which means AWS KMS creates the key material
826
- # in its own key store.
1015
+ # origin after you create the CMK. The default is `AWS_KMS`, which means
1016
+ # AWS KMS creates the key material.
827
1017
  #
828
1018
  # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
829
1019
  # key material so that you can import key material from your existing
830
1020
  # key management infrastructure. For more information about importing
831
1021
  # key material into AWS KMS, see [Importing Key Material][1] in the *AWS
832
- # Key Management Service Developer Guide*.
1022
+ # Key Management Service Developer Guide*. This value is valid only for
1023
+ # symmetric CMKs.
833
1024
  #
834
1025
  # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
835
1026
  # an AWS KMS [custom key store][2] and creates its key material in the
836
1027
  # associated AWS CloudHSM cluster. You must also use the
837
- # `CustomKeyStoreId` parameter to identify the custom key store.
1028
+ # `CustomKeyStoreId` parameter to identify the custom key store. This
1029
+ # value is valid only for symmetric CMKs.
838
1030
  #
839
1031
  #
840
1032
  #
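Review bot: the `:customer_master_key_spec` text says "To further restrict the algorithms that can be used with the CMK, use its key policy or IAM policy" but does not say how, even though the spec determines the full algorithm set (for example `SYMMETRIC_DEFAULT` is listed as AES-256-GCM and the RSA specs carry both OAEP and PKCS1 signing variants per the KeyMetadata hunk below); name the policy condition key or link the relevant section of the developer guide so the restriction is actionable. The `:key_usage` text is consistent with this ("For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`" matches "CMKs with ECC key pairs can be used only to sign and verify messages" in the method doc).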
@@ -849,6 +1041,9 @@ module Aws::KMS
849
1041
  # with the custom key store must have at least two active HSMs, each in
850
1042
  # a different Availability Zone in the Region.
851
1043
  #
1044
+ # This parameter is valid only for symmetric CMKs. You cannot create an
1045
+ # asymmetric CMK in a custom key store.
1046
+ #
852
1047
  # To find the ID of a custom key store, use the DescribeCustomKeyStores
853
1048
  # operation.
854
1049
  #
@@ -885,13 +1080,21 @@ module Aws::KMS
885
1080
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
886
1081
  #
887
1082
  # @option params [Array<Types::Tag>] :tags
888
- # One or more tags. Each tag consists of a tag key and a tag value. Tag
889
- # keys and tag values are both required, but tag values can be empty
890
- # (null) strings.
1083
+ # One or more tags. Each tag consists of a tag key and a tag value. Both
1084
+ # the tag key and the tag value are required, but the tag value can be
1085
+ # an empty (null) string.
1086
+ #
1087
+ # When you add tags to an AWS resource, AWS generates a cost allocation
1088
+ # report with usage and costs aggregated by tags. For information about
1089
+ # adding, changing, deleting and listing tags for CMKs, see [Tagging
1090
+ # Keys][1].
891
1091
  #
892
- # Use this parameter to tag the CMK when it is created. Alternately, you
893
- # can omit this parameter and instead tag the CMK after it is created
894
- # using TagResource.
1092
+ # Use this parameter to tag the CMK when it is created. To add tags to
1093
+ # an existing CMK, use the TagResource operation.
1094
+ #
1095
+ #
1096
+ #
1097
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
895
1098
  #
896
1099
  # @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
897
1100
  #
@@ -932,7 +1135,8 @@ module Aws::KMS
932
1135
  # resp = client.create_key({
933
1136
  # policy: "PolicyType",
934
1137
  # description: "DescriptionType",
935
- # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
1138
+ # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
1139
+ # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
936
1140
  # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
937
1141
  # custom_key_store_id: "CustomKeyStoreIdType",
938
1142
  # bypass_policy_lockout_safety_check: false,
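Review bot: the generated request example now combines `key_usage: "SIGN_VERIFY"` and `customer_master_key_spec: "RSA_2048"` with `origin: "AWS_KMS"` and `custom_key_store_id: "CustomKeyStoreIdType"`, but the `:custom_key_store_id` and `:origin` docs in this same diff state that a custom key store and the `AWS_CLOUDHSM`/`EXTERNAL` origins are valid only for symmetric CMKs; since this block is meant to be copied, a comment noting that `custom_key_store_id` must be omitted for an asymmetric CMK would prevent a request that the service rejects.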
@@ -952,7 +1156,7 @@ module Aws::KMS
952
1156
  # resp.key_metadata.creation_date #=> Time
953
1157
  # resp.key_metadata.enabled #=> Boolean
954
1158
  # resp.key_metadata.description #=> String
955
- # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
1159
+ # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
956
1160
  # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
957
1161
  # resp.key_metadata.deletion_date #=> Time
958
1162
  # resp.key_metadata.valid_to #=> Time
@@ -961,6 +1165,11 @@ module Aws::KMS
961
1165
  # resp.key_metadata.cloud_hsm_cluster_id #=> String
962
1166
  # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
963
1167
  # resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
1168
+ # resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
1169
+ # resp.key_metadata.encryption_algorithms #=> Array
1170
+ # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
1171
+ # resp.key_metadata.signing_algorithms #=> Array
1172
+ # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
964
1173
  #
965
1174
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
966
1175
  #
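Review bot: `encryption_algorithms[0]` lists `RSAES_OAEP_SHA_1` beside `RSAES_OAEP_SHA_256`, and `signing_algorithms[0]` lists the `RSASSA_PKCS1_V1_5_*` family beside `RSASSA_PSS_*`, with no indication in the return-value comment of which the service treats as the default or preferred choice; a short pointer to the key-spec section linked as `[1]` under `:customer_master_key_spec` (`symmetric-asymmetric.html#cmk-key-spec`) would help callers who read `KeyMetadata` to pick an algorithm for `Encrypt` or `Sign`.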
@@ -971,39 +1180,79 @@ module Aws::KMS
971
1180
  req.send_request(options)
972
1181
  end
973
1182
 
974
- # Decrypts ciphertext. Ciphertext is plaintext that has been previously
975
- # encrypted by using any of the following operations:
1183
+ # Decrypts ciphertext that was encrypted by a AWS KMS customer master
1184
+ # key (CMK) using any of the following operations:
1185
+ #
1186
+ # * Encrypt
976
1187
  #
977
1188
  # * GenerateDataKey
978
1189
  #
1190
+ # * GenerateDataKeyPair
1191
+ #
979
1192
  # * GenerateDataKeyWithoutPlaintext
980
1193
  #
981
- # * Encrypt
1194
+ # * GenerateDataKeyPairWithoutPlaintext
1195
+ #
1196
+ # You can use this operation to decrypt ciphertext that was encrypted
1197
+ # under a symmetric or asymmetric CMK. When the CMK is asymmetric, you
1198
+ # must specify the CMK and the encryption algorithm that was used to
1199
+ # encrypt the ciphertext. For information about symmetric and asymmetric
1200
+ # CMKs, see [Using Symmetric and Asymmetric CMKs][1] in the *AWS Key
1201
+ # Management Service Developer Guide*.
1202
+ #
1203
+ # The Decrypt operation also decrypts ciphertext that was encrypted
1204
+ # outside of AWS KMS by the public key in an AWS KMS asymmetric CMK.
1205
+ # However, it cannot decrypt ciphertext produced by other libraries,
1206
+ # such as the [AWS Encryption SDK][2] or [Amazon S3 client-side
1207
+ # encryption][3]. These libraries return a ciphertext format that is
1208
+ # incompatible with AWS KMS.
1209
+ #
1210
+ # If the ciphertext was encrypted under a symmetric CMK, you do not need
1211
+ # to specify the CMK or the encryption algorithm. AWS KMS can get this
1212
+ # information from metadata that it adds to the symmetric ciphertext
1213
+ # blob. However, if you prefer, you can specify the `KeyId` to ensure
1214
+ # that a particular CMK is used to decrypt the ciphertext. If you
1215
+ # specify a different CMK than the one used to encrypt the ciphertext,
1216
+ # the `Decrypt` operation fails.
982
1217
  #
983
1218
  # Whenever possible, use key policies to give users permission to call
984
- # the Decrypt operation on the CMK, instead of IAM policies. Otherwise,
985
- # you might create an IAM user policy that gives the user Decrypt
986
- # permission on all CMKs. This user could decrypt ciphertext that was
987
- # encrypted by CMKs in other accounts if the key policy for the
988
- # cross-account CMK permits it. If you must use an IAM policy for
989
- # `Decrypt` permissions, limit the user to particular CMKs or particular
990
- # trusted accounts.
991
- #
992
- # The result of this operation varies with the key state of the CMK. For
993
- # details, see [How Key State Affects Use of a Customer Master Key][1]
994
- # in the *AWS Key Management Service Developer Guide*.
1219
+ # the Decrypt operation on a particular CMK, instead of using IAM
1220
+ # policies. Otherwise, you might create an IAM user policy that gives
1221
+ # the user Decrypt permission on all CMKs. This user could decrypt
1222
+ # ciphertext that was encrypted by CMKs in other accounts if the key
1223
+ # policy for the cross-account CMK permits it. If you must use an IAM
1224
+ # policy for `Decrypt` permissions, limit the user to particular CMKs or
1225
+ # particular trusted accounts.
995
1226
  #
1227
+ # The CMK that you use for this operation must be in a compatible key
1228
+ # state. For details, see [How Key State Affects Use of a Customer
1229
+ # Master Key][4] in the *AWS Key Management Service Developer Guide*.
996
1230
  #
997
1231
  #
998
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1232
+ #
1233
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
1234
+ # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
1235
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
1236
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
999
1237
  #
1000
1238
  # @option params [required, String, IO] :ciphertext_blob
1001
1239
  # Ciphertext to be decrypted. The blob includes metadata.
1002
1240
  #
1003
1241
  # @option params [Hash<String,String>] :encryption_context
1004
- # The encryption context. If this was specified in the Encrypt function,
1005
- # it must be specified here or the decryption operation will fail. For
1006
- # more information, see [Encryption Context][1].
1242
+ # Specifies the encryption context to use when decrypting the data. An
1243
+ # encryption context is valid only for cryptographic operations with a
1244
+ # symmetric CMK. The standard asymmetric encryption algorithms that AWS
1245
+ # KMS uses do not support an encryption context.
1246
+ #
1247
+ # An *encryption context* is a collection of non-secret key-value pairs
1248
+ # that represents additional authenticated data. When you use an
1249
+ # encryption context to encrypt data, you must specify the same (an
1250
+ # exact case-sensitive match) encryption context to decrypt the data. An
1251
+ # encryption context is optional when encrypting with a symmetric CMK,
1252
+ # but it is highly recommended.
1253
+ #
1254
+ # For more information, see [Encryption Context][1] in the *AWS Key
1255
+ # Management Service Developer Guide*.
1007
1256
  #
1008
1257
  #
1009
1258
  #
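Review bot: the new paragraph "If the ciphertext was encrypted under a symmetric CMK, you do not need to specify the CMK or the encryption algorithm" is immediately followed by the warning that an IAM policy granting `Decrypt` on all CMKs lets a user decrypt ciphertext from other accounts whose key policies permit it; since the `:key_id` option added below says passing it makes `Decrypt` succeed "only if the specified CMK was used to encrypt the ciphertext", the doc should recommend always passing `key_id`, not merely "if you prefer", as that is the caller-side check that stops a blob from being decrypted under an unexpected key. Grammar nit on the first line of the hunk: "encrypted by a AWS KMS customer master key" should read "an AWS KMS".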
@@ -1019,10 +1268,54 @@ module Aws::KMS
1019
1268
  #
1020
1269
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1021
1270
  #
1271
+ # @option params [String] :key_id
1272
+ # Specifies the customer master key (CMK) that AWS KMS will use to
1273
+ # decrypt the ciphertext. Enter a key ID of the CMK that was used to
1274
+ # encrypt the ciphertext.
1275
+ #
1276
+ # If you specify a `KeyId` value, the `Decrypt` operation succeeds only
1277
+ # if the specified CMK was used to encrypt the ciphertext.
1278
+ #
1279
+ # This parameter is required only when the ciphertext was encrypted
1280
+ # under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that it
1281
+ # adds to the ciphertext blob to determine which CMK was used to encrypt
1282
+ # the ciphertext. However, you can use this parameter to ensure that a
1283
+ # particular CMK (of any kind) is used to decrypt the ciphertext.
1284
+ #
1285
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1286
+ # name, or alias ARN. When using an alias name, prefix it with
1287
+ # `"alias/"`.
1288
+ #
1289
+ # For example:
1290
+ #
1291
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1292
+ #
1293
+ # * Key ARN:
1294
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1295
+ #
1296
+ # * Alias name: `alias/ExampleAlias`
1297
+ #
1298
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1299
+ #
1300
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
1301
+ # To get the alias name and alias ARN, use ListAliases.
1302
+ #
1303
+ # @option params [String] :encryption_algorithm
1304
+ # Specifies the encryption algorithm that will be used to decrypt the
1305
+ # ciphertext. Specify the same algorithm that was used to encrypt the
1306
+ # data. If you specify a different algorithm, the `Decrypt` operation
1307
+ # fails.
1308
+ #
1309
+ # This parameter is required only when the ciphertext was encrypted
1310
+ # under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
1311
+ # represents the only supported algorithm that is valid for symmetric
1312
+ # CMKs.
1313
+ #
1022
1314
  # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1023
1315
  #
1024
1316
  # * {Types::DecryptResponse#key_id #key_id} => String
1025
1317
  # * {Types::DecryptResponse#plaintext #plaintext} => String
1318
+ # * {Types::DecryptResponse#encryption_algorithm #encryption_algorithm} => String
1026
1319
  #
1027
1320
  #
1028
1321
  # @example Example: To decrypt data
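Review bot: the `:key_id` paragraph ("This parameter is required only when the ciphertext was encrypted under an asymmetric CMK ... However, you can use this parameter to ensure that a particular CMK (of any kind) is used") presents KeyId as optional for symmetric CMKs, yet when it is omitted the CMK is selected from metadata inside the caller-supplied ciphertext blob, so a service that decrypts blobs it did not produce, with a broad `kms:Decrypt` grant, may end up using any CMK it can access. Suggest phrasing this as a recommendation rather than an option, e.g. "When you know which CMK should have produced the ciphertext, specify it so that Decrypt fails instead of using a different key." The `:encryption_algorithm` text says the operation "fails" on a mismatch; naming the exception, as the Encrypt description does, would help callers handle it.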
@@ -1047,12 +1340,15 @@ module Aws::KMS
1047
1340
  # "EncryptionContextKey" => "EncryptionContextValue",
1048
1341
  # },
1049
1342
  # grant_tokens: ["GrantTokenType"],
1343
+ # key_id: "KeyIdType",
1344
+ # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1050
1345
  # })
1051
1346
  #
1052
1347
  # @example Response structure
1053
1348
  #
1054
1349
  # resp.key_id #=> String
1055
1350
  # resp.plaintext #=> String
1351
+ # resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
1056
1352
  #
1057
1353
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
1058
1354
  #
@@ -1178,9 +1474,9 @@ module Aws::KMS
1178
1474
  # After you delete key material, you can use ImportKeyMaterial to
1179
1475
  # reimport the same key material into the CMK.
1180
1476
  #
1181
- # The result of this operation varies with the key state of the CMK. For
1182
- # details, see [How Key State Affects Use of a Customer Master Key][2]
1183
- # in the *AWS Key Management Service Developer Guide*.
1477
+ # The CMK that you use for this operation must be in a compatible key
1478
+ # state. For details, see [How Key State Affects Use of a Customer
1479
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
1184
1480
  #
1185
1481
  #
1186
1482
  #
@@ -1328,20 +1624,50 @@ module Aws::KMS
1328
1624
  req.send_request(options)
1329
1625
  end
1330
1626
 
1331
- # Provides detailed information about the specified customer master key
1332
- # (CMK).
1627
+ # Provides detailed information about a customer master key (CMK). You
1628
+ # can run `DescribeKey` on a [customer managed CMK][1] or an [AWS
1629
+ # managed CMK][2].
1630
+ #
1631
+ # This detailed information includes the key ARN, creation date (and
1632
+ # deletion date, if applicable), the key state, and the origin and
1633
+ # expiration date (if any) of the key material. For CMKs in custom key
1634
+ # stores, it includes information about the custom key store, such as
1635
+ # the key store ID and the AWS CloudHSM cluster ID. It includes fields,
1636
+ # like `KeySpec`, that help you distinguish symmetric from asymmetric
1637
+ # CMKs. It also provides information that is particularly important to
1638
+ # asymmetric CMKs, such as the key usage (encryption or signing) and the
1639
+ # encryption algorithms or signing algorithms that the CMK supports.
1640
+ #
1641
+ # `DescribeKey` does not return the following information:
1642
+ #
1643
+ # * Aliases associated with the CMK. To get this information, use
1644
+ # ListAliases.
1645
+ #
1646
+ # * Whether automatic key rotation is enabled on the CMK. To get this
1647
+ # information, use GetKeyRotationStatus. Also, some key states prevent
1648
+ # a CMK from being automatically rotated. For details, see [How
1649
+ # Automatic Key Rotation Works][3] in *AWS Key Management Service
1650
+ # Developer Guide*.
1651
+ #
1652
+ # * Tags on the CMK. To get this information, use ListResourceTags.
1333
1653
  #
1334
- # You can use `DescribeKey` on a predefined AWS alias, that is, an AWS
1335
- # alias with no key ID. When you do, AWS KMS associates the alias with
1336
- # an [AWS managed CMK][1] and returns its `KeyId` and `Arn` in the
1337
- # response.
1654
+ # * Key policies and grants on the CMK. To get this information, use
1655
+ # GetKeyPolicy and ListGrants.
1656
+ #
1657
+ # If you call the `DescribeKey` operation on a *predefined AWS alias*,
1658
+ # that is, an AWS alias with no key ID, AWS KMS creates an [AWS managed
1659
+ # CMK][4]. Then, it associates the alias with the new CMK, and returns
1660
+ # the `KeyId` and `Arn` of the new CMK in the response.
1338
1661
  #
1339
1662
  # To perform this operation on a CMK in a different AWS account, specify
1340
1663
  # the key ARN or alias ARN in the value of the KeyId parameter.
1341
1664
  #
1342
1665
  #
1343
1666
  #
1344
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1667
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
1668
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
1669
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
1670
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1345
1671
  #
1346
1672
  # @option params [required, String] :key_id
1347
1673
  # Describes the specified customer master key (CMK).
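Review bot: the paragraph "If you call the `DescribeKey` operation on a *predefined AWS alias* ... AWS KMS creates an [AWS managed CMK][4]" replaces wording that said KMS merely "associates" the alias with a managed CMK; the new text documents a resource-creating side effect of what reads as a read-only operation, and that deserves a more prominent callout (for example a leading sentence that DescribeKey on an unbacked AWS alias creates a key, so callers with only describe-level intent should expect a new CMK to exist afterwards). Minor style point in the same hunk: "in *AWS Key Management Service Developer Guide*" in the rotation bullet is missing "the", unlike every other reference to the guide.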
@@ -1427,7 +1753,7 @@ module Aws::KMS
1427
1753
  # resp.key_metadata.creation_date #=> Time
1428
1754
  # resp.key_metadata.enabled #=> Boolean
1429
1755
  # resp.key_metadata.description #=> String
1430
- # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
1756
+ # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
1431
1757
  # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
1432
1758
  # resp.key_metadata.deletion_date #=> Time
1433
1759
  # resp.key_metadata.valid_to #=> Time
@@ -1436,6 +1762,11 @@ module Aws::KMS
1436
1762
  # resp.key_metadata.cloud_hsm_cluster_id #=> String
1437
1763
  # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
1438
1764
  # resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
1765
+ # resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
1766
+ # resp.key_metadata.encryption_algorithms #=> Array
1767
+ # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
1768
+ # resp.key_metadata.signing_algorithms #=> Array
1769
+ # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
1439
1770
  #
1440
1771
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
1441
1772
  #
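Review bot: the three new `key_metadata` fields (`customer_master_key_spec`, `encryption_algorithms`, `signing_algorithms`) are listed without any text on when each array is populated. If the intended relationship is that `encryption_algorithms` is filled for `key_usage` `ENCRYPT_DECRYPT` and `signing_algorithms` for `SIGN_VERIFY`, with the other empty, say so in the `@return` or response-structure doc; code that picks an algorithm from the wrong array will otherwise fail at request time rather than at a point the reader can reason about. Since the key_usage enum two hunks up now gains `SIGN_VERIFY`, callers that branch on that value also need a pointer here.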
@@ -1454,9 +1785,9 @@ module Aws::KMS
1454
1785
  # [How Key State Affects the Use of a Customer Master Key][1] in the <i>
1455
1786
  # <i>AWS Key Management Service Developer Guide</i> </i>.
1456
1787
  #
1457
- # The result of this operation varies with the key state of the CMK. For
1458
- # details, see [How Key State Affects Use of a Customer Master Key][1]
1459
- # in the *AWS Key Management Service Developer Guide*.
1788
+ # The CMK that you use for this operation must be in a compatible key
1789
+ # state. For details, see [How Key State Affects Use of a Customer
1790
+ # Master Key][1] in the *AWS Key Management Service Developer Guide*.
1460
1791
  #
1461
1792
  #
1462
1793
  #
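Review bot: the replaced paragraph ("The CMK that you use for this operation must be in a compatible key state ... [1]") restates what the unchanged context lines immediately above already say ("[How Key State Affects the Use of a Customer Master Key][1] in the <i> <i>AWS Key Management Service Developer Guide</i> </i>"), so this method now links the same key-state page twice in consecutive paragraphs; keep one. The doubled `<i> <i>...</i> </i>` tags in those context lines are a leftover from the doc conversion and should be `*...*` like the surrounding text; since this hunk is already touching the paragraph, fix them in the same change.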
@@ -1503,20 +1834,26 @@ module Aws::KMS
1503
1834
  end
1504
1835
 
1505
1836
  # Disables [automatic rotation of the key material][1] for the specified
1506
- # customer master key (CMK). You cannot perform this operation on a CMK
1507
- # in a different AWS account.
1837
+ # symmetric customer master key (CMK).
1508
1838
  #
1509
- # The result of this operation varies with the key state of the CMK. For
1510
- # details, see [How Key State Affects Use of a Customer Master Key][2]
1511
- # in the *AWS Key Management Service Developer Guide*.
1839
+ # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
1840
+ # imported key material, or CMKs in a [custom key store][2]. You cannot
1841
+ # perform this operation on a CMK in a different AWS account.
1842
+ #
1843
+ # The CMK that you use for this operation must be in a compatible key
1844
+ # state. For details, see [How Key State Affects Use of a Customer
1845
+ # Master Key][3] in the *AWS Key Management Service Developer Guide*.
1512
1846
  #
1513
1847
  #
1514
1848
  #
1515
1849
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
1516
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1850
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1851
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1517
1852
  #
1518
1853
  # @option params [required, String] :key_id
1519
- # A unique identifier for the customer master key (CMK).
1854
+ # Identifies a symmetric customer master key (CMK). You cannot enable
1855
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
1856
+ # material][2], or CMKs in a [custom key store][3].
1520
1857
  #
1521
1858
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1522
1859
  #
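Review bot: the DisableKeyRotation description now says "You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a [custom key store][2]", and the `:key_id` option repeats "You cannot enable automatic rotation of [asymmetric CMKs][1] ..."; this sentence was carried over from EnableKeyRotation and reads as a copy-paste in a disable operation. Suggest wording it for this method, e.g. "Automatic rotation is not supported for asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store, so there is nothing to disable for them" (and, if the API rejects such a key here, name the error).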
@@ -1529,6 +1866,12 @@ module Aws::KMS
1529
1866
  #
1530
1867
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
1531
1868
  #
1869
+ #
1870
+ #
1871
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
1872
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1873
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1874
+ #
1532
1875
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1533
1876
  #
1534
1877
  #
@@ -1611,9 +1954,9 @@ module Aws::KMS
1611
1954
  # allows you to use the CMK for cryptographic operations. You cannot
1612
1955
  # perform this operation on a CMK in a different AWS account.
1613
1956
  #
1614
- # The result of this operation varies with the key state of the CMK. For
1615
- # details, see [How Key State Affects Use of a Customer Master Key][1]
1616
- # in the *AWS Key Management Service Developer Guide*.
1957
+ # The CMK that you use for this operation must be in a compatible key
1958
+ # state. For details, see [How Key State Affects Use of a Customer
1959
+ # Master Key][1] in the *AWS Key Management Service Developer Guide*.
1617
1960
  #
1618
1961
  #
1619
1962
  #
@@ -1660,15 +2003,15 @@ module Aws::KMS
1660
2003
  end
1661
2004
 
1662
2005
  # Enables [automatic rotation of the key material][1] for the specified
1663
- # customer master key (CMK). You cannot perform this operation on a CMK
1664
- # in a different AWS account.
2006
+ # symmetric customer master key (CMK). You cannot perform this operation
2007
+ # on a CMK in a different AWS account.
1665
2008
  #
1666
- # You cannot enable automatic rotation of CMKs with imported key
1667
- # material or CMKs in a [custom key store][2].
2009
+ # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
2010
+ # imported key material, or CMKs in a [custom key store][2].
1668
2011
  #
1669
- # The result of this operation varies with the key state of the CMK. For
1670
- # details, see [How Key State Affects Use of a Customer Master Key][3]
1671
- # in the *AWS Key Management Service Developer Guide*.
2012
+ # The CMK that you use for this operation must be in a compatible key
2013
+ # state. For details, see [How Key State Affects Use of a Customer
2014
+ # Master Key][3] in the *AWS Key Management Service Developer Guide*.
1672
2015
  #
1673
2016
  #
1674
2017
  #
@@ -1677,7 +2020,9 @@ module Aws::KMS
1677
2020
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1678
2021
  #
1679
2022
  # @option params [required, String] :key_id
1680
- # A unique identifier for the customer master key (CMK).
2023
+ # Identifies a symmetric customer master key (CMK). You cannot enable
2024
+ # automatic rotation of asymmetric CMKs, CMKs with imported key
2025
+ # material, or CMKs in a [custom key store][1].
1681
2026
  #
1682
2027
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1683
2028
  #
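Review bot: the `:key_id` option for EnableKeyRotation links only the custom key store ("[custom key store][1]"), while the equivalent `:key_id` text for DisableKeyRotation earlier in this patch links all three exclusions (asymmetric CMKs, imported key material, custom key store). Align the two so readers reach the asymmetric and import pages from either method.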
@@ -1690,6 +2035,10 @@ module Aws::KMS
1690
2035
  #
1691
2036
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
1692
2037
  #
2038
+ #
2039
+ #
2040
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2041
+ #
1693
2042
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1694
2043
  #
1695
2044
  #
@@ -1719,9 +2068,8 @@ module Aws::KMS
1719
2068
  # Encrypts plaintext into ciphertext by using a customer master key
1720
2069
  # (CMK). The `Encrypt` operation has two primary use cases:
1721
2070
  #
1722
- # * You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data
1723
- # such as an RSA key, a database password, or other sensitive
1724
- # information.
2071
+ # * You can encrypt small amounts of arbitrary data, such as a personal
2072
+ # identifier or database password, or other sensitive information.
1725
2073
  #
1726
2074
  # * You can use the `Encrypt` operation to move encrypted data from one
1727
2075
  # AWS region to another. In the first region, generate a data key and
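Review bot: replacing "You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data" with "You can encrypt small amounts of arbitrary data" removes the only size figure from the summary bullet; the per-algorithm limits now live much further down the same description, so readers skimming the use cases lose the number. Suggest keeping a pointer in the bullet, e.g. "(up to 4096 bytes with a symmetric CMK; see the size limits below)".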
@@ -1730,24 +2078,76 @@ module Aws::KMS
1730
2078
  # safely move the encrypted data and encrypted data key to the new
1731
2079
  # region, and decrypt in the new region when necessary.
1732
2080
  #
1733
- # You don't need use this operation to encrypt a data key within a
1734
- # region. The GenerateDataKey and GenerateDataKeyWithoutPlaintext
1735
- # operations return an encrypted data key.
2081
+ # You don't need to use the `Encrypt` operation to encrypt a data key.
2082
+ # The GenerateDataKey and GenerateDataKeyPair operations return a
2083
+ # plaintext data key and an encrypted copy of that data key.
1736
2084
  #
1737
- # Also, you don't need to use this operation to encrypt data in your
1738
- # application. You can use the plaintext and encrypted data keys that
1739
- # the `GenerateDataKey` operation returns.
2085
+ # When you encrypt data, you must specify a symmetric or asymmetric CMK
2086
+ # to use in the encryption operation. The CMK must have a `KeyUsage`
2087
+ # value of `ENCRYPT_DECRYPT.` To find the `KeyUsage` of a CMK, use the
2088
+ # DescribeKey operation.
1740
2089
  #
1741
- # The result of this operation varies with the key state of the CMK. For
1742
- # details, see [How Key State Affects Use of a Customer Master Key][1]
1743
- # in the *AWS Key Management Service Developer Guide*.
2090
+ # If you use a symmetric CMK, you can use an encryption context to add
2091
+ # additional security to your encryption operation. If you specify an
2092
+ # `EncryptionContext` when encrypting data, you must specify the same
2093
+ # encryption context (a case-sensitive exact match) when decrypting the
2094
+ # data. Otherwise, the request to decrypt fails with an
2095
+ # `InvalidCiphertextException`. For more information, see [Encryption
2096
+ # Context][1] in the *AWS Key Management Service Developer Guide*.
2097
+ #
2098
+ # If you specify an asymmetric CMK, you must also specify the encryption
2099
+ # algorithm. The algorithm must be compatible with the CMK type.
2100
+ #
2101
+ # When you use an asymmetric CMK to encrypt or reencrypt data, be sure
2102
+ # to record the CMK and encryption algorithm that you choose. You will
2103
+ # be required to provide the same CMK and encryption algorithm when you
2104
+ # decrypt the data. If the CMK and algorithm do not match the values
2105
+ # used to encrypt the data, the decrypt operation fails.
2106
+ #
2107
+ # You are not required to supply the CMK ID and encryption algorithm
2108
+ # when you decrypt with symmetric CMKs because AWS KMS stores this
2109
+ # information in the ciphertext blob. AWS KMS cannot store metadata in
2110
+ # ciphertext generated with asymmetric keys. The standard format for
2111
+ # asymmetric key ciphertext does not include configurable fields.
2112
+ #
2113
+ # The maximum size of the data that you can encrypt varies with the type
2114
+ # of CMK and the encryption algorithm that you choose.
2115
+ #
2116
+ # * Symmetric CMKs
2117
+ #
2118
+ # * `SYMMETRIC_DEFAULT`\: 4096 bytes
2119
+ #
2120
+ # ^
2121
+ #
2122
+ # * `RSA_2048`
2123
+ #
2124
+ # * `RSAES_OAEP_SHA_1`\: 214 bytes
2125
+ #
2126
+ # * `RSAES_OAEP_SHA_256`\: 190 bytes
2127
+ #
2128
+ # * `RSA_3072`
2129
+ #
2130
+ # * `RSAES_OAEP_SHA_1`\: 342 bytes
2131
+ #
2132
+ # * `RSAES_OAEP_SHA_256`\: 318 bytes
2133
+ #
2134
+ # * `RSA_4096`
2135
+ #
2136
+ # * `RSAES_OAEP_SHA_1`\: 470 bytes
2137
+ #
2138
+ # * `RSAES_OAEP_SHA_256`\: 446 bytes
2139
+ #
2140
+ # The CMK that you use for this operation must be in a compatible key
2141
+ # state. For details, see [How Key State Affects Use of a Customer
2142
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
1744
2143
  #
1745
2144
  # To perform this operation on a CMK in a different AWS account, specify
1746
2145
  # the key ARN or alias ARN in the value of the KeyId parameter.
1747
2146
  #
1748
2147
  #
1749
2148
  #
1750
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2149
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2150
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1751
2151
  #
1752
2152
  # @option params [required, String] :key_id
1753
2153
  # A unique identifier for the customer master key (CMK).
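Review bot: two formatting defects in the added Encrypt text: "value of `ENCRYPT_DECRYPT.`" has the sentence-ending period inside the backticks, and the lone "^" after the `SYMMETRIC_DEFAULT`: 4096 bytes bullet is a list-terminator artifact from the doc converter that will render literally in YARD. As a check on the numbers in the size table: each RSA limit equals the modulus size in bytes minus 2*hLen minus 2 as required by RSAES-OAEP (256 - 42 = 214 and 256 - 66 = 190 for RSA_2048, 384 - 42 = 342 and 384 - 66 = 318 for RSA_3072, 512 - 42 = 470 and 512 - 66 = 446 for RSA_4096), so the table is internally consistent. The paragraph "be sure to record the CMK and encryption algorithm that you choose" is the important operational point for asymmetric CMKs, since the hunk also says KMS cannot store metadata in asymmetric ciphertext; consider moving it ahead of the size table so it is not buried.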
@@ -1775,10 +2175,20 @@ module Aws::KMS
1775
2175
  # Data to be encrypted.
1776
2176
  #
1777
2177
  # @option params [Hash<String,String>] :encryption_context
1778
- # Name-value pair that specifies the encryption context to be used for
1779
- # authenticated encryption. If used here, the same value must be
1780
- # supplied to the `Decrypt` API or decryption will fail. For more
1781
- # information, see [Encryption Context][1].
2178
+ # Specifies the encryption context that will be used to encrypt the
2179
+ # data. An encryption context is valid only for cryptographic operations
2180
+ # with a symmetric CMK. The standard asymmetric encryption algorithms
2181
+ # that AWS KMS uses do not support an encryption context.
2182
+ #
2183
+ # An *encryption context* is a collection of non-secret key-value pairs
2184
+ # that represents additional authenticated data. When you use an
2185
+ # encryption context to encrypt data, you must specify the same (an
2186
+ # exact case-sensitive match) encryption context to decrypt the data. An
2187
+ # encryption context is optional when encrypting with a symmetric CMK,
2188
+ # but it is highly recommended.
2189
+ #
2190
+ # For more information, see [Encryption Context][1] in the *AWS Key
2191
+ # Management Service Developer Guide*.
1782
2192
  #
1783
2193
  #
1784
2194
  #
@@ -1794,10 +2204,21 @@ module Aws::KMS
1794
2204
  #
1795
2205
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1796
2206
  #
2207
+ # @option params [String] :encryption_algorithm
2208
+ # Specifies the encryption algorithm that AWS KMS will use to encrypt
2209
+ # the plaintext message. The algorithm must be compatible with the CMK
2210
+ # that you specify.
2211
+ #
2212
+ # This parameter is required only for asymmetric CMKs. The default
2213
+ # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric CMKs.
2214
+ # If you are using an asymmetric CMK, we recommend
2215
+ # RSAES\_OAEP\_SHA\_256.
2216
+ #
1797
2217
  # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1798
2218
  #
1799
2219
  # * {Types::EncryptResponse#ciphertext_blob #ciphertext_blob} => String
1800
2220
  # * {Types::EncryptResponse#key_id #key_id} => String
2221
+ # * {Types::EncryptResponse#encryption_algorithm #encryption_algorithm} => String
1801
2222
  #
1802
2223
  #
1803
2224
  # @example Example: To encrypt data
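Review bot: in the new `:encryption_algorithm` option the recommended value is written as "RSAES\_OAEP\_SHA\_256" with backslash-escaped underscores, whereas the same identifier is in backticks everywhere else in this patch (`RSAES_OAEP_SHA_256` in the response-structure line below and in the Encrypt size table); use backticks here too so YARD renders it as code. The recommendation itself is welcome; a short reason for preferring it over `RSAES_OAEP_SHA_1` would help readers choose deliberately rather than by default.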
@@ -1824,12 +2245,14 @@ module Aws::KMS
1824
2245
  # "EncryptionContextKey" => "EncryptionContextValue",
1825
2246
  # },
1826
2247
  # grant_tokens: ["GrantTokenType"],
2248
+ # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1827
2249
  # })
1828
2250
  #
1829
2251
  # @example Response structure
1830
2252
  #
1831
2253
  # resp.ciphertext_blob #=> String
1832
2254
  # resp.key_id #=> String
2255
+ # resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
1833
2256
  #
1834
2257
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt AWS API Documentation
1835
2258
  #
@@ -1840,27 +2263,45 @@ module Aws::KMS
1840
2263
  req.send_request(options)
1841
2264
  end
1842
2265
 
1843
- # Generates a unique data key. This operation returns a plaintext copy
1844
- # of the data key and a copy that is encrypted under a customer master
1845
- # key (CMK) that you specify. You can use the plaintext key to encrypt
1846
- # your data outside of KMS and store the encrypted data key with the
1847
- # encrypted data.
2266
+ # Generates a unique symmetric data key. This operation returns a
2267
+ # plaintext copy of the data key and a copy that is encrypted under a
2268
+ # customer master key (CMK) that you specify. You can use the plaintext
2269
+ # key to encrypt your data outside of AWS KMS and store the encrypted
2270
+ # data key with the encrypted data.
1848
2271
  #
1849
2272
  # `GenerateDataKey` returns a unique data key for each request. The
1850
2273
  # bytes in the key are not related to the caller or CMK that is used to
1851
2274
  # encrypt the data key.
1852
2275
  #
1853
- # To generate a data key, you need to specify the customer master key
1854
- # (CMK) that will be used to encrypt the data key. You must also specify
1855
- # the length of the data key using either the `KeySpec` or
1856
- # `NumberOfBytes` field (but not both). For common key lengths (128-bit
1857
- # and 256-bit symmetric keys), we recommend that you use `KeySpec`. To
1858
- # perform this operation on a CMK in a different AWS account, specify
1859
- # the key ARN or alias ARN in the value of the KeyId parameter.
2276
+ # To generate a data key, specify the symmetric CMK that will be used to
2277
+ # encrypt the data key. You cannot use an asymmetric CMK to generate
2278
+ # data keys.
2279
+ #
2280
+ # You must also specify the length of the data key. Use either the
2281
+ # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
2282
+ # and 256-bit data keys, use the `KeySpec` parameter.
2283
+ #
2284
+ # If the operation succeeds, the plaintext copy of the data key is in
2285
+ # the `Plaintext` field of the response, and the encrypted copy of the
2286
+ # data key in the `CiphertextBlob` field.
2287
+ #
2288
+ # To get only an encrypted copy of the data key, use
2289
+ # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
2290
+ # pair, use the GenerateDataKeyPair or
2291
+ # GenerateDataKeyPairWithoutPlaintext operation. To get a
2292
+ # cryptographically secure random byte string, use GenerateRandom.
2293
+ #
2294
+ # You can use the optional encryption context to add additional security
2295
+ # to the encryption operation. If you specify an `EncryptionContext`,
2296
+ # you must specify the same encryption context (a case-sensitive exact
2297
+ # match) when decrypting the encrypted data key. Otherwise, the request
2298
+ # to decrypt fails with an InvalidCiphertextException. For more
2299
+ # information, see [Encryption Context][1] in the *AWS Key Management
2300
+ # Service Developer Guide*.
1860
2301
  #
1861
- # You will find the plaintext copy of the data key in the `Plaintext`
1862
- # field of the response, and the encrypted copy of the data key in the
1863
- # `CiphertextBlob` field.
2302
+ # The CMK that you use for this operation must be in a compatible key
2303
+ # state. For details, see [How Key State Affects Use of a Customer
2304
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
1864
2305
  #
1865
2306
  # We recommend that you use the following pattern to encrypt data
1866
2307
  # locally in your application:
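Review bot: the removed paragraph included "To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter", and that sentence does not reappear in the added lines of this hunk; confirm it survives elsewhere in the GenerateDataKey description, otherwise cross-account use is now undocumented for this method. Minor style point: "InvalidCiphertextException" in the new encryption-context paragraph lacks the backticks used for the same name in the Encrypt description.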
@@ -1882,30 +2323,13 @@ module Aws::KMS
1882
2323
  # 2. Use the plaintext data key to decrypt data locally, then erase the
1883
2324
  # plaintext data key from memory.
1884
2325
  #
1885
- # To get only an encrypted copy of the data key, use
1886
- # GenerateDataKeyWithoutPlaintext. To get a cryptographically secure
1887
- # random byte string, use GenerateRandom.
1888
- #
1889
- # You can use the optional encryption context to add additional security
1890
- # to your encryption operation. When you specify an `EncryptionContext`
1891
- # in the `GenerateDataKey` operation, you must specify the same
1892
- # encryption context (a case-sensitive exact match) in your request to
1893
- # Decrypt the data key. Otherwise, the request to decrypt fails with an
1894
- # `InvalidCiphertextException`. For more information, see [Encryption
1895
- # Context][1] in the <i> <i>AWS Key Management Service Developer
1896
- # Guide</i> </i>.
1897
- #
1898
- # The result of this operation varies with the key state of the CMK. For
1899
- # details, see [How Key State Affects Use of a Customer Master Key][2]
1900
- # in the *AWS Key Management Service Developer Guide*.
1901
- #
1902
2326
  #
1903
2327
  #
1904
2328
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1905
2329
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1906
2330
  #
1907
2331
  # @option params [required, String] :key_id
1908
- # An identifier for the CMK that encrypts the data key.
2332
+ # Identifies the symmetric CMK that encrypts the data key.
1909
2333
  #
1910
2334
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1911
2335
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1927,8 +2351,15 @@ module Aws::KMS
1927
2351
  # To get the alias name and alias ARN, use ListAliases.
1928
2352
  #
1929
2353
  # @option params [Hash<String,String>] :encryption_context
1930
- # A set of key-value pairs that represents additional authenticated
1931
- # data.
2354
+ # Specifies the encryption context that will be used when encrypting the
2355
+ # data key.
2356
+ #
2357
+ # An *encryption context* is a collection of non-secret key-value pairs
2358
+ # that represents additional authenticated data. When you use an
2359
+ # encryption context to encrypt data, you must specify the same (an
2360
+ # exact case-sensitive match) encryption context to decrypt the data. An
2361
+ # encryption context is optional when encrypting with a symmetric CMK,
2362
+ # but it is highly recommended.
1932
2363
  #
1933
2364
  # For more information, see [Encryption Context][1] in the *AWS Key
1934
2365
  # Management Service Developer Guide*.
@@ -1938,14 +2369,21 @@ module Aws::KMS
1938
2369
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1939
2370
  #
1940
2371
  # @option params [Integer] :number_of_bytes
1941
- # The length of the data key in bytes. For example, use the value 64 to
1942
- # generate a 512-bit data key (64 bytes is 512 bits). For common key
1943
- # lengths (128-bit and 256-bit symmetric keys), we recommend that you
1944
- # use the `KeySpec` field instead of this one.
2372
+ # Specifies the length of the data key in bytes. For example, use the
2373
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
2374
+ # 128-bit (16-byte) and 256-bit (32-byte) data keys, use the `KeySpec`
2375
+ # parameter.
2376
+ #
2377
+ # You must specify either the `KeySpec` or the `NumberOfBytes` parameter
2378
+ # (but not both) in every `GenerateDataKey` request.
1945
2379
  #
1946
2380
  # @option params [String] :key_spec
1947
- # The length of the data key. Use `AES_128` to generate a 128-bit
1948
- # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
2381
+ # Specifies the length of the data key. Use `AES_128` to generate a
2382
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
2383
+ # key.
2384
+ #
2385
+ # You must specify either the `KeySpec` or the `NumberOfBytes` parameter
2386
+ # (but not both) in every `GenerateDataKey` request.
1949
2387
  #
1950
2388
  # @option params [Array<String>] :grant_tokens
1951
2389
  # A list of grant tokens.
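Review bot: the reworded `:number_of_bytes` option still gives no valid range for the value; the example (64 bytes for a 512-bit key) and the "use `KeySpec` for 16 and 32 bytes" guidance tell the reader nothing about the minimum or maximum accepted, so document the permitted range or link to it. The mutual-exclusion sentence ("You must specify either the `KeySpec` or the `NumberOfBytes` parameter (but not both)") is duplicated verbatim under both options; that is acceptable, but naming the error returned when both or neither are supplied would make it actionable.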
@@ -2008,40 +2446,74 @@ module Aws::KMS
2008
2446
  req.send_request(options)
2009
2447
  end
2010
2448
 
2011
- # Generates a unique data key. This operation returns a data key that is
2012
- # encrypted under a customer master key (CMK) that you specify.
2013
- # `GenerateDataKeyWithoutPlaintext` is identical to GenerateDataKey
2014
- # except that returns only the encrypted copy of the data key.
2449
+ # Generates a unique asymmetric data key pair. The `GenerateDataKeyPair`
2450
+ # operation returns a plaintext public key, a plaintext private key, and
2451
+ # a copy of the private key that is encrypted under the symmetric CMK
2452
+ # you specify. You can use the data key pair to perform asymmetric
2453
+ # cryptography outside of AWS KMS.
2454
+ #
2455
+ # `GenerateDataKeyPair` returns a unique data key pair for each request.
2456
+ # The bytes in the keys are not related to the caller or the CMK that is
2457
+ # used to encrypt the private key.
2458
+ #
2459
+ # You can use the public key that `GenerateDataKeyPair` returns to
2460
+ # encrypt data or verify a signature outside of AWS KMS. Then, store the
2461
+ # encrypted private key with the data. When you are ready to decrypt
2462
+ # data or sign a message, you can use the Decrypt operation to decrypt
2463
+ # the encrypted private key.
2464
+ #
2465
+ # To generate a data key pair, you must specify a symmetric customer
2466
+ # master key (CMK) to encrypt the private key in a data key pair. You
2467
+ # cannot use an asymmetric CMK. To get the type of your CMK, use the
2468
+ # DescribeKey operation.
2469
+ #
2470
+ # If you are using the data key pair to encrypt data, or for any
2471
+ # operation where you don't immediately need a private key, consider
2472
+ # using the GenerateDataKeyPairWithoutPlaintext operation.
2473
+ # `GenerateDataKeyPairWithoutPlaintext` returns a plaintext public key
2474
+ # and an encrypted private key, but omits the plaintext private key that
2475
+ # you need only to decrypt ciphertext or sign a message. Later, when you
2476
+ # need to decrypt the data or sign a message, use the Decrypt operation
2477
+ # to decrypt the encrypted private key in the data key pair.
2015
2478
  #
2016
- # Like `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext` returns a
2017
- # unique data key for each request. The bytes in the key are not related
2018
- # to the caller or CMK that is used to encrypt the data key.
2479
+ # You can use the optional encryption context to add additional security
2480
+ # to the encryption operation. If you specify an `EncryptionContext`,
2481
+ # you must specify the same encryption context (a case-sensitive exact
2482
+ # match) when decrypting the encrypted data key. Otherwise, the request
2483
+ # to decrypt fails with an InvalidCiphertextException. For more
2484
+ # information, see [Encryption Context][1] in the *AWS Key Management
2485
+ # Service Developer Guide*.
2019
2486
  #
2020
- # This operation is useful for systems that need to encrypt data at some
2021
- # point, but not immediately. When you need to encrypt the data, you
2022
- # call the Decrypt operation on the encrypted copy of the key.
2487
+ # The CMK that you use for this operation must be in a compatible key
2488
+ # state. For details, see [How Key State Affects Use of a Customer
2489
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2023
2490
  #
2024
- # It's also useful in distributed systems with different levels of
2025
- # trust. For example, you might store encrypted data in containers. One
2026
- # component of your system creates new containers and stores an
2027
- # encrypted data key with each container. Then, a different component
2028
- # puts the data into the containers. That component first decrypts the
2029
- # data key, uses the plaintext data key to encrypt data, puts the
2030
- # encrypted data into the container, and then destroys the plaintext
2031
- # data key. In this system, the component that creates the containers
2032
- # never sees the plaintext data key.
2033
2491
  #
2034
- # The result of this operation varies with the key state of the CMK. For
2035
- # details, see [How Key State Affects Use of a Customer Master Key][1]
2036
- # in the *AWS Key Management Service Developer Guide*.
2037
2492
  #
2493
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2494
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2495
+ #
2496
+ # @option params [Hash<String,String>] :encryption_context
2497
+ # Specifies the encryption context that will be used when encrypting the
2498
+ # private key in the data key pair.
2499
+ #
2500
+ # An *encryption context* is a collection of non-secret key-value pairs
2501
+ # that represents additional authenticated data. When you use an
2502
+ # encryption context to encrypt data, you must specify the same (an
2503
+ # exact case-sensitive match) encryption context to decrypt the data. An
2504
+ # encryption context is optional when encrypting with a symmetric CMK,
2505
+ # but it is highly recommended.
2506
+ #
2507
+ # For more information, see [Encryption Context][1] in the *AWS Key
2508
+ # Management Service Developer Guide*.
2038
2509
  #
2039
2510
  #
2040
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2511
+ #
2512
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2041
2513
  #
2042
2514
  # @option params [required, String] :key_id
2043
- # The identifier of the customer master key (CMK) that encrypts the data
2044
- # key.
2515
+ # Specifies the symmetric CMK that encrypts the private key in the data
2516
+ # key pair. You cannot specify an asymmetric CMKs.
2045
2517
  #
2046
2518
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2047
2519
  # name, or alias ARN. When using an alias name, prefix it with
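Review bot: Grammar in the new `:key_id` text, "You cannot specify an asymmetric CMKs.", should read "You cannot specify an asymmetric CMK." Also, the encryption-context paragraph in the operation description says the same context is required "when decrypting the encrypted data key", while this operation encrypts a private key; "when decrypting the encrypted private key" would match the `:encryption_context` option text added just below it ("encrypting the private key in the data key pair").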
@@ -2062,26 +2534,13 @@ module Aws::KMS
2062
2534
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
2063
2535
  # To get the alias name and alias ARN, use ListAliases.
2064
2536
  #
2065
- # @option params [Hash<String,String>] :encryption_context
2066
- # A set of key-value pairs that represents additional authenticated
2067
- # data.
2068
- #
2069
- # For more information, see [Encryption Context][1] in the *AWS Key
2070
- # Management Service Developer Guide*.
2071
- #
2072
- #
2073
- #
2074
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2075
- #
2076
- # @option params [String] :key_spec
2077
- # The length of the data key. Use `AES_128` to generate a 128-bit
2078
- # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
2537
+ # @option params [required, String] :key_pair_spec
2538
+ # Determines the type of data key pair that is generated.
2079
2539
  #
2080
- # @option params [Integer] :number_of_bytes
2081
- # The length of the data key in bytes. For example, use the value 64 to
2082
- # generate a 512-bit data key (64 bytes is 512 bits). For common key
2083
- # lengths (128-bit and 256-bit symmetric keys), we recommend that you
2084
- # use the `KeySpec` field instead of this one.
2540
+ # The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
2541
+ # encrypt and decrypt or to sign and verify (but not both), and the rule
2542
+ # that permits you to use ECC CMKs only to sign and verify, are not
2543
+ # effective outside of AWS KMS.
2085
2544
  #
2086
2545
  # @option params [Array<String>] :grant_tokens
2087
2546
  # A list of grant tokens.
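Review bot: The new `:key_pair_spec` description ("Determines the type of data key pair that is generated.") does not list the accepted values, unlike the removed `:key_spec` text which named `AES_128` and `AES_256`. Since the paragraph under it explains that the RSA and ECC usage rules are not enforced outside AWS KMS, listing the RSA and ECC values here would tell the reader which rule applies to the pair they request.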
@@ -2093,36 +2552,317 @@ module Aws::KMS
2093
2552
  #
2094
2553
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2095
2554
  #
2096
- # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2097
- #
2098
- # * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
2099
- # * {Types::GenerateDataKeyWithoutPlaintextResponse#key_id #key_id} => String
2100
- #
2101
- #
2102
- # @example Example: To generate an encrypted data key
2103
- #
2104
- # # The following example generates an encrypted copy of a 256-bit symmetric data encryption key (data key). The data key is
2105
- # # encrypted with the specified customer master key (CMK).
2106
- #
2107
- # resp = client.generate_data_key_without_plaintext({
2108
- # key_id: "alias/ExampleAlias", # The identifier of the CMK to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the CMK, or the name or ARN of an alias that refers to the CMK.
2109
- # key_spec: "AES_256", # Specifies the type of data key to return.
2110
- # })
2555
+ # @return [Types::GenerateDataKeyPairResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2111
2556
  #
2112
- # resp.to_h outputs the following:
2113
- # {
2114
- # ciphertext_blob: "<binary data>", # The encrypted data key.
2115
- # key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to encrypt the data key.
2116
- # }
2557
+ # * {Types::GenerateDataKeyPairResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
2558
+ # * {Types::GenerateDataKeyPairResponse#private_key_plaintext #private_key_plaintext} => String
2559
+ # * {Types::GenerateDataKeyPairResponse#public_key #public_key} => String
2560
+ # * {Types::GenerateDataKeyPairResponse#key_id #key_id} => String
2561
+ # * {Types::GenerateDataKeyPairResponse#key_pair_spec #key_pair_spec} => String
2117
2562
  #
2118
2563
  # @example Request syntax with placeholder values
2119
2564
  #
2120
- # resp = client.generate_data_key_without_plaintext({
2121
- # key_id: "KeyIdType", # required
2565
+ # resp = client.generate_data_key_pair({
2122
2566
  # encryption_context: {
2123
2567
  # "EncryptionContextKey" => "EncryptionContextValue",
2124
2568
  # },
2125
- # key_spec: "AES_256", # accepts AES_256, AES_128
2569
+ # key_id: "KeyIdType", # required
2570
+ # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
2571
+ # grant_tokens: ["GrantTokenType"],
2572
+ # })
2573
+ #
2574
+ # @example Response structure
2575
+ #
2576
+ # resp.private_key_ciphertext_blob #=> String
2577
+ # resp.private_key_plaintext #=> String
2578
+ # resp.public_key #=> String
2579
+ # resp.key_id #=> String
2580
+ # resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
2581
+ #
2582
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
2583
+ #
2584
+ # @overload generate_data_key_pair(params = {})
2585
+ # @param [Hash] params ({})
2586
+ def generate_data_key_pair(params = {}, options = {})
2587
+ req = build_request(:generate_data_key_pair, params)
2588
+ req.send_request(options)
2589
+ end
2590
+
2591
+ # Generates a unique asymmetric data key pair. The
2592
+ # `GenerateDataKeyPairWithoutPlaintext` operation returns a plaintext
2593
+ # public key and a copy of the private key that is encrypted under the
2594
+ # symmetric CMK you specify. Unlike GenerateDataKeyPair, this operation
2595
+ # does not return a plaintext private key.
2596
+ #
2597
+ # To generate a data key pair, you must specify a symmetric customer
2598
+ # master key (CMK) to encrypt the private key in the data key pair. You
2599
+ # cannot use an asymmetric CMK. To get the type of your CMK, use the
2600
+ # `KeySpec` field in the DescribeKey response.
2601
+ #
2602
+ # You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
2603
+ # returns to encrypt data or verify a signature outside of AWS KMS.
2604
+ # Then, store the encrypted private key with the data. When you are
2605
+ # ready to decrypt data or sign a message, you can use the Decrypt
2606
+ # operation to decrypt the encrypted private key.
2607
+ #
2608
+ # `GenerateDataKeyPairWithoutPlaintext` returns a unique data key pair
2609
+ # for each request. The bytes in the key are not related to the caller
2610
+ # or CMK that is used to encrypt the private key.
2611
+ #
2612
+ # You can use the optional encryption context to add additional security
2613
+ # to the encryption operation. If you specify an `EncryptionContext`,
2614
+ # you must specify the same encryption context (a case-sensitive exact
2615
+ # match) when decrypting the encrypted data key. Otherwise, the request
2616
+ # to decrypt fails with an InvalidCiphertextException. For more
2617
+ # information, see [Encryption Context][1] in the *AWS Key Management
2618
+ # Service Developer Guide*.
2619
+ #
2620
+ # The CMK that you use for this operation must be in a compatible key
2621
+ # state. For details, see [How Key State Affects Use of a Customer
2622
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2623
+ #
2624
+ #
2625
+ #
2626
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2627
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2628
+ #
2629
+ # @option params [Hash<String,String>] :encryption_context
2630
+ # Specifies the encryption context that will be used when encrypting the
2631
+ # private key in the data key pair.
2632
+ #
2633
+ # An *encryption context* is a collection of non-secret key-value pairs
2634
+ # that represents additional authenticated data. When you use an
2635
+ # encryption context to encrypt data, you must specify the same (an
2636
+ # exact case-sensitive match) encryption context to decrypt the data. An
2637
+ # encryption context is optional when encrypting with a symmetric CMK,
2638
+ # but it is highly recommended.
2639
+ #
2640
+ # For more information, see [Encryption Context][1] in the *AWS Key
2641
+ # Management Service Developer Guide*.
2642
+ #
2643
+ #
2644
+ #
2645
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2646
+ #
2647
+ # @option params [required, String] :key_id
2648
+ # Specifies the CMK that encrypts the private key in the data key pair.
2649
+ # You must specify a symmetric CMK. You cannot use an asymmetric CMK.
2650
+ #
2651
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2652
+ # name, or alias ARN. When using an alias name, prefix it with
2653
+ # `"alias/"`.
2654
+ #
2655
+ # For example:
2656
+ #
2657
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
2658
+ #
2659
+ # * Key ARN:
2660
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
2661
+ #
2662
+ # * Alias name: `alias/ExampleAlias`
2663
+ #
2664
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
2665
+ #
2666
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
2667
+ # To get the alias name and alias ARN, use ListAliases.
2668
+ #
2669
+ # @option params [required, String] :key_pair_spec
2670
+ # Determines the type of data key pair that is generated.
2671
+ #
2672
+ # The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
2673
+ # encrypt and decrypt or to sign and verify (but not both), and the rule
2674
+ # that permits you to use ECC CMKs only to sign and verify, are not
2675
+ # effective outside of AWS KMS.
2676
+ #
2677
+ # @option params [Array<String>] :grant_tokens
2678
+ # A list of grant tokens.
2679
+ #
2680
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
2681
+ # Service Developer Guide*.
2682
+ #
2683
+ #
2684
+ #
2685
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2686
+ #
2687
+ # @return [Types::GenerateDataKeyPairWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2688
+ #
2689
+ # * {Types::GenerateDataKeyPairWithoutPlaintextResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
2690
+ # * {Types::GenerateDataKeyPairWithoutPlaintextResponse#public_key #public_key} => String
2691
+ # * {Types::GenerateDataKeyPairWithoutPlaintextResponse#key_id #key_id} => String
2692
+ # * {Types::GenerateDataKeyPairWithoutPlaintextResponse#key_pair_spec #key_pair_spec} => String
2693
+ #
2694
+ # @example Request syntax with placeholder values
2695
+ #
2696
+ # resp = client.generate_data_key_pair_without_plaintext({
2697
+ # encryption_context: {
2698
+ # "EncryptionContextKey" => "EncryptionContextValue",
2699
+ # },
2700
+ # key_id: "KeyIdType", # required
2701
+ # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
2702
+ # grant_tokens: ["GrantTokenType"],
2703
+ # })
2704
+ #
2705
+ # @example Response structure
2706
+ #
2707
+ # resp.private_key_ciphertext_blob #=> String
2708
+ # resp.public_key #=> String
2709
+ # resp.key_id #=> String
2710
+ # resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
2711
+ #
2712
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext AWS API Documentation
2713
+ #
2714
+ # @overload generate_data_key_pair_without_plaintext(params = {})
2715
+ # @param [Hash] params ({})
2716
+ def generate_data_key_pair_without_plaintext(params = {}, options = {})
2717
+ req = build_request(:generate_data_key_pair_without_plaintext, params)
2718
+ req.send_request(options)
2719
+ end
2720
+
2721
+ # Generates a unique symmetric data key. This operation returns a data
2722
+ # key that is encrypted under a customer master key (CMK) that you
2723
+ # specify. To request an asymmetric data key pair, use the
2724
+ # GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.
2725
+ #
2726
+ # `GenerateDataKeyWithoutPlaintext` is identical to the GenerateDataKey
2727
+ # operation except that returns only the encrypted copy of the data key.
2728
+ # This operation is useful for systems that need to encrypt data at some
2729
+ # point, but not immediately. When you need to encrypt the data, you
2730
+ # call the Decrypt operation on the encrypted copy of the key.
2731
+ #
2732
+ # It's also useful in distributed systems with different levels of
2733
+ # trust. For example, you might store encrypted data in containers. One
2734
+ # component of your system creates new containers and stores an
2735
+ # encrypted data key with each container. Then, a different component
2736
+ # puts the data into the containers. That component first decrypts the
2737
+ # data key, uses the plaintext data key to encrypt data, puts the
2738
+ # encrypted data into the container, and then destroys the plaintext
2739
+ # data key. In this system, the component that creates the containers
2740
+ # never sees the plaintext data key.
2741
+ #
2742
+ # `GenerateDataKeyWithoutPlaintext` returns a unique data key for each
2743
+ # request. The bytes in the keys are not related to the caller or CMK
2744
+ # that is used to encrypt the private key.
2745
+ #
2746
+ # To generate a data key, you must specify the symmetric customer master
2747
+ # key (CMK) that is used to encrypt the data key. You cannot use an
2748
+ # asymmetric CMK to generate a data key. To get the type of your CMK,
2749
+ # use the `KeySpec` field in the DescribeKey response. You must also
2750
+ # specify the length of the data key using either the `KeySpec` or
2751
+ # `NumberOfBytes` field (but not both). For common key lengths (128-bit
2752
+ # and 256-bit symmetric keys), use the `KeySpec` parameter.
2753
+ #
2754
+ # If the operation succeeds, you will find the plaintext copy of the
2755
+ # data key in the `Plaintext` field of the response, and the encrypted
2756
+ # copy of the data key in the `CiphertextBlob` field.
2757
+ #
2758
+ # You can use the optional encryption context to add additional security
2759
+ # to the encryption operation. If you specify an `EncryptionContext`,
2760
+ # you must specify the same encryption context (a case-sensitive exact
2761
+ # match) when decrypting the encrypted data key. Otherwise, the request
2762
+ # to decrypt fails with an InvalidCiphertextException. For more
2763
+ # information, see [Encryption Context][1] in the *AWS Key Management
2764
+ # Service Developer Guide*.
2765
+ #
2766
+ # The CMK that you use for this operation must be in a compatible key
2767
+ # state. For details, see [How Key State Affects Use of a Customer
2768
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2769
+ #
2770
+ #
2771
+ #
2772
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2773
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2774
+ #
2775
+ # @option params [required, String] :key_id
2776
+ # The identifier of the symmetric customer master key (CMK) that
2777
+ # encrypts the data key.
2778
+ #
2779
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2780
+ # name, or alias ARN. When using an alias name, prefix it with
2781
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
2782
+ # the key ARN or alias ARN.
2783
+ #
2784
+ # For example:
2785
+ #
2786
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
2787
+ #
2788
+ # * Key ARN:
2789
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
2790
+ #
2791
+ # * Alias name: `alias/ExampleAlias`
2792
+ #
2793
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
2794
+ #
2795
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
2796
+ # To get the alias name and alias ARN, use ListAliases.
2797
+ #
2798
+ # @option params [Hash<String,String>] :encryption_context
2799
+ # Specifies the encryption context that will be used when encrypting the
2800
+ # data key.
2801
+ #
2802
+ # An *encryption context* is a collection of non-secret key-value pairs
2803
+ # that represents additional authenticated data. When you use an
2804
+ # encryption context to encrypt data, you must specify the same (an
2805
+ # exact case-sensitive match) encryption context to decrypt the data. An
2806
+ # encryption context is optional when encrypting with a symmetric CMK,
2807
+ # but it is highly recommended.
2808
+ #
2809
+ # For more information, see [Encryption Context][1] in the *AWS Key
2810
+ # Management Service Developer Guide*.
2811
+ #
2812
+ #
2813
+ #
2814
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2815
+ #
2816
+ # @option params [String] :key_spec
2817
+ # The length of the data key. Use `AES_128` to generate a 128-bit
2818
+ # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
2819
+ #
2820
+ # @option params [Integer] :number_of_bytes
2821
+ # The length of the data key in bytes. For example, use the value 64 to
2822
+ # generate a 512-bit data key (64 bytes is 512 bits). For common key
2823
+ # lengths (128-bit and 256-bit symmetric keys), we recommend that you
2824
+ # use the `KeySpec` field instead of this one.
2825
+ #
2826
+ # @option params [Array<String>] :grant_tokens
2827
+ # A list of grant tokens.
2828
+ #
2829
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
2830
+ # Service Developer Guide*.
2831
+ #
2832
+ #
2833
+ #
2834
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2835
+ #
2836
+ # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2837
+ #
2838
+ # * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
2839
+ # * {Types::GenerateDataKeyWithoutPlaintextResponse#key_id #key_id} => String
2840
+ #
2841
+ #
2842
+ # @example Example: To generate an encrypted data key
2843
+ #
2844
+ # # The following example generates an encrypted copy of a 256-bit symmetric data encryption key (data key). The data key is
2845
+ # # encrypted with the specified customer master key (CMK).
2846
+ #
2847
+ # resp = client.generate_data_key_without_plaintext({
2848
+ # key_id: "alias/ExampleAlias", # The identifier of the CMK to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the CMK, or the name or ARN of an alias that refers to the CMK.
2849
+ # key_spec: "AES_256", # Specifies the type of data key to return.
2850
+ # })
2851
+ #
2852
+ # resp.to_h outputs the following:
2853
+ # {
2854
+ # ciphertext_blob: "<binary data>", # The encrypted data key.
2855
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to encrypt the data key.
2856
+ # }
2857
+ #
2858
+ # @example Request syntax with placeholder values
2859
+ #
2860
+ # resp = client.generate_data_key_without_plaintext({
2861
+ # key_id: "KeyIdType", # required
2862
+ # encryption_context: {
2863
+ # "EncryptionContextKey" => "EncryptionContextValue",
2864
+ # },
2865
+ # key_spec: "AES_256", # accepts AES_256, AES_128
2126
2866
  # number_of_bytes: 1,
2127
2867
  # grant_tokens: ["GrantTokenType"],
2128
2868
  # })
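Review bot: The re-added `GenerateDataKeyWithoutPlaintext` description says "you will find the plaintext copy of the data key in the `Plaintext` field of the response", which contradicts both the sentence above it ("returns only the encrypted copy of the data key") and the @return block, which lists only `ciphertext_blob` and `key_id`; that paragraph should be dropped or reduced to "the encrypted copy of the data key is in the `CiphertextBlob` field". Two smaller copy-paste leftovers in the same description: "The bytes in the keys are not related to the caller or CMK that is used to encrypt the private key" should say "the data key" (this operation produces a symmetric data key, not a key pair), and "except that returns only" is missing "it".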
@@ -2270,9 +3010,13 @@ module Aws::KMS
2270
3010
  # key material][1] is enabled for the specified customer master key
2271
3011
  # (CMK).
2272
3012
  #
2273
- # The result of this operation varies with the key state of the CMK. For
2274
- # details, see [How Key State Affects Use of a Customer Master Key][2]
2275
- # in the *AWS Key Management Service Developer Guide*.
3013
+ # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
3014
+ # imported key material, or CMKs in a [custom key store][2]. The key
3015
+ # rotation status for these CMKs is always `false`.
3016
+ #
3017
+ # The CMK that you use for this operation must be in a compatible key
3018
+ # state. For details, see [How Key State Affects Use of a Customer
3019
+ # Master Key][3] in the *AWS Key Management Service Developer Guide*.
2276
3020
  #
2277
3021
  # * Disabled: The key rotation status does not change when you disable a
2278
3022
  # CMK. However, while the CMK is disabled, AWS KMS does not rotate the
@@ -2289,7 +3033,8 @@ module Aws::KMS
2289
3033
  #
2290
3034
  #
2291
3035
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2292
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3036
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3037
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2293
3038
  #
2294
3039
  # @option params [required, String] :key_id
2295
3040
  # A unique identifier for the customer master key (CMK).
@@ -2343,29 +3088,32 @@ module Aws::KMS
2343
3088
  req.send_request(options)
2344
3089
  end
2345
3090
 
2346
- # Returns the items you need in order to import key material into AWS
2347
- # KMS from your existing key management infrastructure. For more
2348
- # information about importing key material into AWS KMS, see [Importing
2349
- # Key Material][1] in the *AWS Key Management Service Developer Guide*.
2350
- #
2351
- # You must specify the key ID of the customer master key (CMK) into
2352
- # which you will import key material. This CMK's `Origin` must be
2353
- # `EXTERNAL`. You must also specify the wrapping algorithm and type of
2354
- # wrapping key (public key) that you will use to encrypt the key
2355
- # material. You cannot perform this operation on a CMK in a different
2356
- # AWS account.
3091
+ # Returns the items you need to import key material into a symmetric,
3092
+ # customer managed customer master key (CMK). For more information about
3093
+ # importing key material into AWS KMS, see [Importing Key Material][1]
3094
+ # in the *AWS Key Management Service Developer Guide*.
2357
3095
  #
2358
3096
  # This operation returns a public key and an import token. Use the
2359
- # public key to encrypt the key material. Store the import token to send
2360
- # with a subsequent ImportKeyMaterial request. The public key and import
2361
- # token from the same response must be used together. These items are
2362
- # valid for 24 hours. When they expire, they cannot be used for a
2363
- # subsequent ImportKeyMaterial request. To get new ones, send another
3097
+ # public key to encrypt the symmetric key material. Store the import
3098
+ # token to send with a subsequent ImportKeyMaterial request.
3099
+ #
3100
+ # You must specify the key ID of the symmetric CMK into which you will
3101
+ # import key material. This CMK's `Origin` must be `EXTERNAL`. You must
3102
+ # also specify the wrapping algorithm and type of wrapping key (public
3103
+ # key) that you will use to encrypt the key material. You cannot perform
3104
+ # this operation on an asymmetric CMK or on any CMK in a different AWS
3105
+ # account.
3106
+ #
3107
+ # To import key material, you must use the public key and import token
3108
+ # from the same response. These items are valid for 24 hours. The
3109
+ # expiration date and time appear in the `GetParametersForImport`
3110
+ # response. You cannot use an expired token in an ImportKeyMaterial
3111
+ # request. If your key and token expire, send another
2364
3112
  # `GetParametersForImport` request.
2365
3113
  #
2366
- # The result of this operation varies with the key state of the CMK. For
2367
- # details, see [How Key State Affects Use of a Customer Master Key][2]
2368
- # in the *AWS Key Management Service Developer Guide*.
3114
+ # The CMK that you use for this operation must be in a compatible key
3115
+ # state. For details, see [How Key State Affects Use of a Customer
3116
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2369
3117
  #
2370
3118
  #
2371
3119
  #
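Review bot: "a symmetric, customer managed customer master key (CMK)" in the new first sentence is hard to parse; "a symmetric, customer managed CMK" (the abbreviation is already defined in this file) reads better. In the validity paragraph, "If your key and token expire" is ambiguous about which key is meant; "If the public key and import token expire" matches the preceding sentence, which says the public key and import token from the same response must be used together.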
@@ -2373,8 +3121,8 @@ module Aws::KMS
2373
3121
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2374
3122
  #
2375
3123
  # @option params [required, String] :key_id
2376
- # The identifier of the CMK into which you will import key material. The
2377
- # CMK's `Origin` must be `EXTERNAL`.
3124
+ # The identifier of the symmetric CMK into which you will import key
3125
+ # material. The `Origin` of the CMK must be `EXTERNAL`.
2378
3126
  #
2379
3127
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2380
3128
  #
@@ -2451,12 +3199,136 @@ module Aws::KMS
2451
3199
  req.send_request(options)
2452
3200
  end
2453
3201
 
2454
- # Imports key material into an existing AWS KMS customer master key
2455
- # (CMK) that was created without key material. You cannot perform this
2456
- # operation on a CMK in a different AWS account. For more information
2457
- # about creating CMKs with no key material and then importing key
2458
- # material, see [Importing Key Material][1] in the *AWS Key Management
2459
- # Service Developer Guide*.
3202
+ # Returns the public key of an asymmetric CMK. Unlike the private key of
3203
+ # a asymmetric CMK, which never leaves AWS KMS unencrypted, callers with
3204
+ # `kms:GetPublicKey` permission can download the public key of an
3205
+ # asymmetric CMK. You can share the public key to allow others to
3206
+ # encrypt messages and verify signatures outside of AWS KMS. For
3207
+ # information about symmetric and asymmetric CMKs, see [Using Symmetric
3208
+ # and Asymmetric CMKs][1] in the *AWS Key Management Service Developer
3209
+ # Guide*.
3210
+ #
3211
+ # You do not need to download the public key. Instead, you can use the
3212
+ # public key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify
3213
+ # operations with the identifier of an asymmetric CMK. When you use the
3214
+ # public key within AWS KMS, you benefit from the authentication,
3215
+ # authorization, and logging that are part of every AWS KMS operation.
3216
+ # You also reduce of risk of encrypting data that cannot be decrypted.
3217
+ # These features are not effective outside of AWS KMS. For details, see
3218
+ # [Special Considerations for Downloading Public Keys][2].
3219
+ #
3220
+ # To help you use the public key safely outside of AWS KMS,
3221
+ # `GetPublicKey` returns important information about the public key in
3222
+ # the response, including:
3223
+ #
3224
+ # * [CustomerMasterKeySpec][3]\: The type of key material in the public
3225
+ # key, such as `RSA_4096` or `ECC_NIST_P521`.
3226
+ #
3227
+ # * [KeyUsage][4]\: Whether the key is used for encryption or signing.
3228
+ #
3229
+ # * [EncryptionAlgorithms][5] or [SigningAlgorithms][6]\: A list of the
3230
+ # encryption algorithms or the signing algorithms for the key.
3231
+ #
3232
+ # Although AWS KMS cannot enforce these restrictions on external
3233
+ # operations, it is crucial that you use this information to prevent the
3234
+ # public key from being used improperly. For example, you can prevent a
3235
+ # public signing key from being used encrypt data, or prevent a public
3236
+ # key from being used with an encryption algorithm that is not supported
3237
+ # by AWS KMS. You can also avoid errors, such as using the wrong signing
3238
+ # algorithm in a verification operation.
3239
+ #
3240
+ # The CMK that you use for this operation must be in a compatible key
3241
+ # state. For details, see [How Key State Affects Use of a Customer
3242
+ # Master Key][7] in the *AWS Key Management Service Developer Guide*.
3243
+ #
3244
+ #
3245
+ #
3246
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
3247
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations
3248
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec
3249
+ # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
3250
+ # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
3251
+ # [6]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
3252
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3253
+ #
3254
+ # @option params [required, String] :key_id
3255
+ # Identifies the asymmetric CMK that includes the public key.
3256
+ #
3257
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3258
+ # name, or alias ARN. When using an alias name, prefix it with
3259
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
3260
+ # the key ARN or alias ARN.
3261
+ #
3262
+ # For example:
3263
+ #
3264
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3265
+ #
3266
+ # * Key ARN:
3267
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3268
+ #
3269
+ # * Alias name: `alias/ExampleAlias`
3270
+ #
3271
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3272
+ #
3273
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
3274
+ # To get the alias name and alias ARN, use ListAliases.
3275
+ #
3276
+ # @option params [Array<String>] :grant_tokens
3277
+ # A list of grant tokens.
3278
+ #
3279
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
3280
+ # Service Developer Guide*.
3281
+ #
3282
+ #
3283
+ #
3284
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
3285
+ #
3286
+ # @return [Types::GetPublicKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3287
+ #
3288
+ # * {Types::GetPublicKeyResponse#key_id #key_id} => String
3289
+ # * {Types::GetPublicKeyResponse#public_key #public_key} => String
3290
+ # * {Types::GetPublicKeyResponse#customer_master_key_spec #customer_master_key_spec} => String
3291
+ # * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
3292
+ # * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array&lt;String&gt;
3293
+ # * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array&lt;String&gt;
3294
+ #
3295
+ # @example Request syntax with placeholder values
3296
+ #
3297
+ # resp = client.get_public_key({
3298
+ # key_id: "KeyIdType", # required
3299
+ # grant_tokens: ["GrantTokenType"],
3300
+ # })
3301
+ #
3302
+ # @example Response structure
3303
+ #
3304
+ # resp.key_id #=> String
3305
+ # resp.public_key #=> String
3306
+ # resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
3307
+ # resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
3308
+ # resp.encryption_algorithms #=> Array
3309
+ # resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
3310
+ # resp.signing_algorithms #=> Array
3311
+ # resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
3312
+ #
3313
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
3314
+ #
3315
+ # @overload get_public_key(params = {})
3316
+ # @param [Hash] params ({})
3317
+ def get_public_key(params = {}, options = {})
3318
+ req = build_request(:get_public_key, params)
3319
+ req.send_request(options)
3320
+ end
3321
+
3322
+ # Imports key material into an existing symmetric AWS KMS customer
3323
+ # master key (CMK) that was created without key material. After you
3324
+ # successfully import key material into a CMK, you can [reimport the
3325
+ # same key material][1] into that CMK, but you cannot import different
3326
+ # key material.
3327
+ #
3328
+ # You cannot perform this operation on an asymmetric CMK or on any CMK
3329
+ # in a different AWS account. For more information about creating CMKs
3330
+ # with no key material and then importing key material, see [Importing
3331
+ # Key Material][2] in the *AWS Key Management Service Developer Guide*.
2460
3332
  #
2461
3333
  # Before using this operation, call GetParametersForImport. Its response
2462
3334
  # includes a public key and an import token. Use the public key to
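Review bot: Three grammar slips in the new GetPublicKey description, all in the paragraphs that carry the security point (AWS KMS cannot enforce `KeyUsage` or algorithm restrictions on a downloaded public key, so the caller has to): `a asymmetric CMK` should be `an asymmetric CMK`; `You also reduce of risk of encrypting data that cannot be decrypted` should be `You also reduce the risk of encrypting data that cannot be decrypted`; and `prevent a public signing key from being used encrypt data` is missing `to` (`from being used to encrypt data`).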
@@ -2475,35 +3347,43 @@ module Aws::KMS
2475
3347
  # * The encrypted key material. To get the public key to encrypt the key
2476
3348
  # material, call GetParametersForImport.
2477
3349
  #
2478
- # * The import token that GetParametersForImport returned. This token
2479
- # and the public key used to encrypt the key material must have come
2480
- # from the same response.
3350
+ # * The import token that GetParametersForImport returned. You must use
3351
+ # a public key and token from the same `GetParametersForImport`
3352
+ # response.
2481
3353
  #
2482
3354
  # * Whether the key material expires and if so, when. If you set an
2483
- # expiration date, you can change it only by reimporting the same key
2484
- # material and specifying a new expiration date. If the key material
2485
- # expires, AWS KMS deletes the key material and the CMK becomes
2486
- # unusable. To use the CMK again, you must reimport the same key
2487
- # material.
3355
+ # expiration date, AWS KMS deletes the key material from the CMK on
3356
+ # the specified date, and the CMK becomes unusable. To use the CMK
3357
+ # again, you must reimport the same key material. The only way to
3358
+ # change an expiration date is by reimporting the same key material
3359
+ # and specifying a new expiration date.
2488
3360
  #
2489
3361
  # When this operation is successful, the key state of the CMK changes
2490
- # from `PendingImport` to `Enabled`, and you can use the CMK. After you
2491
- # successfully import key material into a CMK, you can reimport the same
2492
- # key material into that CMK, but you cannot import different key
2493
- # material.
3362
+ # from `PendingImport` to `Enabled`, and you can use the CMK.
2494
3363
  #
2495
- # The result of this operation varies with the key state of the CMK. For
2496
- # details, see [How Key State Affects Use of a Customer Master Key][2]
2497
- # in the *AWS Key Management Service Developer Guide*.
3364
+ # If this operation fails, use the exception to help determine the
3365
+ # problem. If the error is related to the key material, the import
3366
+ # token, or wrapping key, use GetParametersForImport to get a new public
3367
+ # key and import token for the CMK and repeat the import procedure. For
3368
+ # help, see [How To Import Key Material][3] in the *AWS Key Management
3369
+ # Service Developer Guide*.
2498
3370
  #
3371
+ # The CMK that you use for this operation must be in a compatible key
3372
+ # state. For details, see [How Key State Affects Use of a Customer
3373
+ # Master Key][4] in the *AWS Key Management Service Developer Guide*.
2499
3374
  #
2500
3375
  #
2501
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2502
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3376
+ #
3377
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
3378
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
3379
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
3380
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2503
3381
  #
2504
3382
  # @option params [required, String] :key_id
2505
- # The identifier of the CMK to import the key material into. The CMK's
2506
- # `Origin` must be `EXTERNAL`.
3383
+ # The identifier of the symmetric CMK that receives the imported key
3384
+ # material. The CMK's `Origin` must be `EXTERNAL`. This must be the
3385
+ # same CMK specified in the `KeyID` parameter of the corresponding
3386
+ # GetParametersForImport request.
2507
3387
  #
2508
3388
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2509
3389
  #
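Review bot: Parameter name casing in the rewritten `:key_id` description: `the same CMK specified in the `KeyID` parameter of the corresponding GetParametersForImport request` should spell it `KeyId`, which is how the same parameter is written everywhere else in this file (for example `If you specify a `KeyId` value` in the ReEncrypt docs later in this patch).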
@@ -2522,10 +3402,10 @@ module Aws::KMS
2522
3402
  # contained the public key that you used to encrypt the key material.
2523
3403
  #
2524
3404
  # @option params [required, String, IO] :encrypted_key_material
2525
- # The encrypted key material to import. It must be encrypted with the
2526
- # public key that you received in the response to a previous
2527
- # GetParametersForImport request, using the wrapping algorithm that you
2528
- # specified in that request.
3405
+ # The encrypted key material to import. The key material must be
3406
+ # encrypted with the public wrapping key that GetParametersForImport
3407
+ # returned, using the wrapping algorithm that you specified in the same
3408
+ # `GetParametersForImport` request.
2529
3409
  #
2530
3410
  # @option params [Time,DateTime,Date,Integer,String] :valid_to
2531
3411
  # The time at which the imported key material expires. When the key
@@ -2831,7 +3711,7 @@ module Aws::KMS
2831
3711
  # resp.grants[0].retiring_principal #=> String
2832
3712
  # resp.grants[0].issuing_account #=> String
2833
3713
  # resp.grants[0].operations #=> Array
2834
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
3714
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
2835
3715
  # resp.grants[0].constraints.encryption_context_subset #=> Hash
2836
3716
  # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
2837
3717
  # resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -2932,7 +3812,7 @@ module Aws::KMS
2932
3812
  end
2933
3813
 
2934
3814
  # Gets a list of all customer master keys (CMKs) in the caller's AWS
2935
- # account and region.
3815
+ # account and Region.
2936
3816
  #
2937
3817
  # @option params [Integer] :limit
2938
3818
  # Use this parameter to specify the maximum number of items to return.
@@ -3202,7 +4082,7 @@ module Aws::KMS
3202
4082
  # resp.grants[0].retiring_principal #=> String
3203
4083
  # resp.grants[0].issuing_account #=> String
3204
4084
  # resp.grants[0].operations #=> Array
3205
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
4085
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
3206
4086
  # resp.grants[0].constraints.encryption_context_subset #=> Hash
3207
4087
  # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
3208
4088
  # resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -3326,40 +4206,142 @@ module Aws::KMS
3326
4206
  req.send_request(options)
3327
4207
  end
3328
4208
 
3329
- # Encrypts data on the server side with a new customer master key (CMK)
3330
- # without exposing the plaintext of the data on the client side. The
3331
- # data is first decrypted and then reencrypted. You can also use this
3332
- # operation to change the encryption context of a ciphertext.
3333
- #
3334
- # You can reencrypt data using CMKs in different AWS accounts.
3335
- #
3336
- # Unlike other operations, `ReEncrypt` is authorized twice, once as
3337
- # `ReEncryptFrom` on the source CMK and once as `ReEncryptTo` on the
3338
- # destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
3339
- # permission in your [key policies][1] to permit reencryption from or to
3340
- # the CMK. This permission is automatically included in the key policy
3341
- # when you create a CMK through the console. But you must include it
3342
- # manually when you create a CMK programmatically or when you set a key
3343
- # policy with the PutKeyPolicy operation.
3344
- #
3345
- # The result of this operation varies with the key state of the CMK. For
3346
- # details, see [How Key State Affects Use of a Customer Master Key][2]
3347
- # in the *AWS Key Management Service Developer Guide*.
4209
+ # Decrypts ciphertext and then reencrypts it entirely within AWS KMS.
4210
+ # You can use this operation to change the customer master key (CMK)
4211
+ # under which data is encrypted, such as when you [manually rotate][1] a
4212
+ # CMK or change the CMK that protects a ciphertext. You can also use it
4213
+ # to reencrypt ciphertext under the same CMK, such as to change the
4214
+ # encryption context of a ciphertext.
4215
+ #
4216
+ # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
4217
+ # using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
4218
+ # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
4219
+ # using the public key of an asymmetric CMK outside of AWS KMS. However,
4220
+ # it cannot decrypt ciphertext produced by other libraries, such as the
4221
+ # [AWS Encryption SDK][2] or [Amazon S3 client-side encryption][3].
4222
+ # These libraries return a ciphertext format that is incompatible with
4223
+ # AWS KMS.
4224
+ #
4225
+ # When you use the `ReEncrypt` operation, you need to provide
4226
+ # information for the decrypt operation and the subsequent encrypt
4227
+ # operation.
3348
4228
  #
4229
+ # * If your ciphertext was encrypted under an asymmetric CMK, you must
4230
+ # identify the *source CMK*, that is, the CMK that encrypted the
4231
+ # ciphertext. You must also supply the encryption algorithm that was
4232
+ # used. This information is required to decrypt the data.
4233
+ #
4234
+ # * It is optional, but you can specify a source CMK even when the
4235
+ # ciphertext was encrypted under a symmetric CMK. This ensures that
4236
+ # the ciphertext is decrypted only by using a particular CMK. If the
4237
+ # CMK that you specify cannot decrypt the ciphertext, the `ReEncrypt`
4238
+ # operation fails.
4239
+ #
4240
+ # * To reencrypt the data, you must specify the *destination CMK*, that
4241
+ # is, the CMK that re-encrypts the data after it is decrypted. You can
4242
+ # select a symmetric or asymmetric CMK. If the destination CMK is an
4243
+ # asymmetric CMK, you must also provide the encryption algorithm. The
4244
+ # algorithm that you choose must be compatible with the CMK.
4245
+ #
4246
+ # When you use an asymmetric CMK to encrypt or reencrypt data, be sure
4247
+ # to record the CMK and encryption algorithm that you choose. You will
4248
+ # be required to provide the same CMK and encryption algorithm when
4249
+ # you decrypt the data. If the CMK and algorithm do not match the
4250
+ # values used to encrypt the data, the decrypt operation fails.
4251
+ #
4252
+ # You are not required to supply the CMK ID and encryption algorithm
4253
+ # when you decrypt with symmetric CMKs because AWS KMS stores this
4254
+ # information in the ciphertext blob. AWS KMS cannot store metadata in
4255
+ # ciphertext generated with asymmetric keys. The standard format for
4256
+ # asymmetric key ciphertext does not include configurable fields.
4257
+ #
4258
+ # Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
4259
+ # permissions:
4260
+ #
4261
+ # * `kms:EncryptFrom` permission on the source CMK
4262
+ #
4263
+ # * `kms:EncryptTo` permission on the destination CMK
4264
+ #
4265
+ # To permit reencryption from
4266
+ #
4267
+ # or to a CMK, include the `"kms:ReEncrypt*"` permission in your [key
4268
+ # policy][4]. This permission is automatically included in the key
4269
+ # policy when you use the console to create a CMK. But you must include
4270
+ # it manually when you create a CMK programmatically or when you use the
4271
+ # PutKeyPolicy operation set a key policy.
4272
+ #
4273
+ # The CMK that you use for this operation must be in a compatible key
4274
+ # state. For details, see [How Key State Affects Use of a Customer
4275
+ # Master Key][5] in the *AWS Key Management Service Developer Guide*.
3349
4276
  #
3350
4277
  #
3351
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
3352
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4278
+ #
4279
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
4280
+ # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
4281
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
4282
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4283
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3353
4284
  #
3354
4285
  # @option params [required, String, IO] :ciphertext_blob
3355
4286
  # Ciphertext of the data to reencrypt.
3356
4287
  #
3357
4288
  # @option params [Hash<String,String>] :source_encryption_context
3358
- # Encryption context used to encrypt and decrypt the data specified in
3359
- # the `CiphertextBlob` parameter.
4289
+ # Specifies the encryption context to use to decrypt the ciphertext.
4290
+ # Enter the same encryption context that was used to encrypt the
4291
+ # ciphertext.
4292
+ #
4293
+ # An *encryption context* is a collection of non-secret key-value pairs
4294
+ # that represents additional authenticated data. When you use an
4295
+ # encryption context to encrypt data, you must specify the same (an
4296
+ # exact case-sensitive match) encryption context to decrypt the data. An
4297
+ # encryption context is optional when encrypting with a symmetric CMK,
4298
+ # but it is highly recommended.
4299
+ #
4300
+ # For more information, see [Encryption Context][1] in the *AWS Key
4301
+ # Management Service Developer Guide*.
4302
+ #
4303
+ #
4304
+ #
4305
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
4306
+ #
4307
+ # @option params [String] :source_key_id
4308
+ # A unique identifier for the CMK that is used to decrypt the ciphertext
4309
+ # before it reencrypts it using the destination CMK.
4310
+ #
4311
+ # This parameter is required only when the ciphertext was encrypted
4312
+ # under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that it
4313
+ # adds to the ciphertext blob to determine which CMK was used to encrypt
4314
+ # the ciphertext. However, you can use this parameter to ensure that a
4315
+ # particular CMK (of any kind) is used to decrypt the ciphertext before
4316
+ # it is reencrypted.
4317
+ #
4318
+ # If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
4319
+ # operation succeeds only if the specified CMK was used to encrypt the
4320
+ # ciphertext.
4321
+ #
4322
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4323
+ # name, or alias ARN. When using an alias name, prefix it with
4324
+ # `"alias/"`.
4325
+ #
4326
+ # For example:
4327
+ #
4328
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4329
+ #
4330
+ # * Key ARN:
4331
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4332
+ #
4333
+ # * Alias name: `alias/ExampleAlias`
4334
+ #
4335
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
4336
+ #
4337
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
4338
+ # To get the alias name and alias ARN, use ListAliases.
3360
4339
  #
3361
4340
  # @option params [required, String] :destination_key_id
3362
4341
  # A unique identifier for the CMK that is used to reencrypt the data.
4342
+ # Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
4343
+ # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
4344
+ # DescribeKey operation.
3363
4345
  #
3364
4346
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3365
4347
  # name, or alias ARN. When using an alias name, prefix it with
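Review bot: The permission names in the new two-item list are wrong: `kms:EncryptFrom` and `kms:EncryptTo` should be `kms:ReEncryptFrom` and `kms:ReEncryptTo`. The removed text named them `ReEncryptFrom`/`ReEncryptTo`, the grant operation enums updated in this same patch list `ReEncryptFrom` and `ReEncryptTo`, and the very next paragraph tells users to grant `"kms:ReEncrypt*"`, which would not match `kms:Encrypt*` names; someone writing a least-privilege key policy from this text would grant the wrong actions. That paragraph is also split mid-sentence (`To permit reencryption from` / an empty comment line / `or to a CMK, include ...`) and should be joined, and its last sentence is missing `to` (`when you use the PutKeyPolicy operation to set a key policy`).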
@@ -3381,7 +4363,46 @@ module Aws::KMS
3381
4363
  # To get the alias name and alias ARN, use ListAliases.
3382
4364
  #
3383
4365
  # @option params [Hash<String,String>] :destination_encryption_context
3384
- # Encryption context to use when the data is reencrypted.
4366
+ # Specifies that encryption context to use when the reencrypting the
4367
+ # data.
4368
+ #
4369
+ # A destination encryption context is valid only when the destination
4370
+ # CMK is a symmetric CMK. The standard ciphertext format for asymmetric
4371
+ # CMKs does not include fields for metadata.
4372
+ #
4373
+ # An *encryption context* is a collection of non-secret key-value pairs
4374
+ # that represents additional authenticated data. When you use an
4375
+ # encryption context to encrypt data, you must specify the same (an
4376
+ # exact case-sensitive match) encryption context to decrypt the data. An
4377
+ # encryption context is optional when encrypting with a symmetric CMK,
4378
+ # but it is highly recommended.
4379
+ #
4380
+ # For more information, see [Encryption Context][1] in the *AWS Key
4381
+ # Management Service Developer Guide*.
4382
+ #
4383
+ #
4384
+ #
4385
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
4386
+ #
4387
+ # @option params [String] :source_encryption_algorithm
4388
+ # Specifies the encryption algorithm that AWS KMS will use to decrypt
4389
+ # the ciphertext before it is reencrypted. The default value,
4390
+ # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric CMKs.
4391
+ #
4392
+ # Specify the same algorithm that was used to encrypt the ciphertext. If
4393
+ # you specify a different algorithm, the decrypt attempt fails.
4394
+ #
4395
+ # This parameter is required only when the ciphertext was encrypted
4396
+ # under an asymmetric CMK.
4397
+ #
4398
+ # @option params [String] :destination_encryption_algorithm
4399
+ # Specifies the encryption algorithm that AWS KMS will use to reecrypt
4400
+ # the data after it has decrypted it. The default value,
4401
+ # `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
4402
+ # symmetric CMKs.
4403
+ #
4404
+ # This parameter is required only when the destination CMK is an
4405
+ # asymmetric CMK.
3385
4406
  #
3386
4407
  # @option params [Array<String>] :grant_tokens
3387
4408
  # A list of grant tokens.
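Review bot: Wording in the new `:destination_encryption_context` description: `Specifies that encryption context to use when the reencrypting the data.` should read `Specifies the encryption context to use when reencrypting the data.`; and in `:destination_encryption_algorithm`, `reecrypt` should be `reencrypt`.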
@@ -3398,6 +4419,8 @@ module Aws::KMS
3398
4419
  # * {Types::ReEncryptResponse#ciphertext_blob #ciphertext_blob} => String
3399
4420
  # * {Types::ReEncryptResponse#source_key_id #source_key_id} => String
3400
4421
  # * {Types::ReEncryptResponse#key_id #key_id} => String
4422
+ # * {Types::ReEncryptResponse#source_encryption_algorithm #source_encryption_algorithm} => String
4423
+ # * {Types::ReEncryptResponse#destination_encryption_algorithm #destination_encryption_algorithm} => String
3401
4424
  #
3402
4425
  #
3403
4426
  # @example Example: To reencrypt data
@@ -3423,10 +4446,13 @@ module Aws::KMS
3423
4446
  # source_encryption_context: {
3424
4447
  # "EncryptionContextKey" => "EncryptionContextValue",
3425
4448
  # },
4449
+ # source_key_id: "KeyIdType",
3426
4450
  # destination_key_id: "KeyIdType", # required
3427
4451
  # destination_encryption_context: {
3428
4452
  # "EncryptionContextKey" => "EncryptionContextValue",
3429
4453
  # },
4454
+ # source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
4455
+ # destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
3430
4456
  # grant_tokens: ["GrantTokenType"],
3431
4457
  # })
3432
4458
  #
@@ -3435,6 +4461,8 @@ module Aws::KMS
3435
4461
  # resp.ciphertext_blob #=> String
3436
4462
  # resp.source_key_id #=> String
3437
4463
  # resp.key_id #=> String
4464
+ # resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
4465
+ # resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
3438
4466
  #
3439
4467
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt AWS API Documentation
3440
4468
  #
@@ -3591,9 +4619,9 @@ module Aws::KMS
3591
4619
  # [Deleting Customer Master Keys][3] in the *AWS Key Management Service
3592
4620
  # Developer Guide*.
3593
4621
  #
3594
- # The result of this operation varies with the key state of the CMK. For
3595
- # details, see [How Key State Affects Use of a Customer Master Key][4]
3596
- # in the *AWS Key Management Service Developer Guide*.
4622
+ # The CMK that you use for this operation must be in a compatible key
4623
+ # state. For details, see [How Key State Affects Use of a Customer
4624
+ # Master Key][4] in the *AWS Key Management Service Developer Guide*.
3597
4625
  #
3598
4626
  #
3599
4627
  #
@@ -3665,6 +4693,138 @@ module Aws::KMS
3665
4693
  req.send_request(options)
3666
4694
  end
3667
4695
 
4696
+ # Creates a [digital signature][1] for a message or message digest by
4697
+ # using the private key in an asymmetric CMK. To verify the signature,
4698
+ # use the Verify operation, or use the public key in the same asymmetric
4699
+ # CMK outside of AWS KMS. For information about symmetric and asymmetric
4700
+ # CMKs, see [Using Symmetric and Asymmetric CMKs][2] in the *AWS Key
4701
+ # Management Service Developer Guide*.
4702
+ #
4703
+ # Digital signatures are generated and verified by using asymmetric key
4704
+ # pair, such as an RSA or ECC pair that is represented by an asymmetric
4705
+ # customer master key (CMK). The key owner (or an authorized user) uses
4706
+ # their private key to sign a message. Anyone with the public key can
4707
+ # verify that the message was signed with that particular private key
4708
+ # and that the message hasn't changed since it was signed.
4709
+ #
4710
+ # To use the `Sign` operation, provide the following information:
4711
+ #
4712
+ # * Use the `KeyId` parameter to identify an asymmetric CMK with a
4713
+ # `KeyUsage` value of `SIGN_VERIFY`. To get the `KeyUsage` value of a
4714
+ # CMK, use the DescribeKey operation. The caller must have `kms:Sign`
4715
+ # permission on the CMK.
4716
+ #
4717
+ # * Use the `Message` parameter to specify the message or message digest
4718
+ # to sign. You can submit messages of up to 4096 bytes. To sign a
4719
+ # larger message, generate a hash digest of the message, and then
4720
+ # provide the hash digest in the `Message` parameter. To indicate
4721
+ # whether the message is a full message or a digest, use the
4722
+ # `MessageType` parameter.
4723
+ #
4724
+ # * Choose a signing algorithm that is compatible with the CMK.
4725
+ #
4726
+ # When signing a message, be sure to record the CMK and the signing
4727
+ # algorithm. This information is required to verify the signature.
4728
+ #
4729
+ # To verify the signature that this operation generates, use the Verify
4730
+ # operation. Or use the GetPublicKey operation to download the public
4731
+ # key and then use the public key to verify the signature outside of AWS
4732
+ # KMS.
4733
+ #
4734
+ # The CMK that you use for this operation must be in a compatible key
4735
+ # state. For details, see [How Key State Affects Use of a Customer
4736
+ # Master Key][3] in the *AWS Key Management Service Developer Guide*.
4737
+ #
4738
+ #
4739
+ #
4740
+ # [1]: https://en.wikipedia.org/wiki/Digital_signature
4741
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
4742
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4743
+ #
4744
+ # @option params [required, String] :key_id
4745
+ # Identifies an asymmetric CMK. AWS KMS uses the private key in the
4746
+ # asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
4747
+ # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
4748
+ # DescribeKey operation.
4749
+ #
4750
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4751
+ # name, or alias ARN. When using an alias name, prefix it with
4752
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
4753
+ # the key ARN or alias ARN.
4754
+ #
4755
+ # For example:
4756
+ #
4757
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4758
+ #
4759
+ # * Key ARN:
4760
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4761
+ #
4762
+ # * Alias name: `alias/ExampleAlias`
4763
+ #
4764
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
4765
+ #
4766
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
4767
+ # To get the alias name and alias ARN, use ListAliases.
4768
+ #
4769
+ # @option params [required, String, IO] :message
4770
+ # Specifies the message or message digest to sign. Messages can be
4771
+ # 0-4096 bytes. To sign a larger message, provide the message digest.
4772
+ #
4773
+ # If you provide a message, AWS KMS generates a hash digest of the
4774
+ # message and then signs it.
4775
+ #
4776
+ # @option params [String] :message_type
4777
+ # Tells AWS KMS whether the value of the `Message` parameter is a
4778
+ # message or message digest. To indicate a message, enter `RAW`. To
4779
+ # indicate a message digest, enter `DIGEST`.
4780
+ #
4781
+ # @option params [Array<String>] :grant_tokens
4782
+ # A list of grant tokens.
4783
+ #
4784
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
4785
+ # Service Developer Guide*.
4786
+ #
4787
+ #
4788
+ #
4789
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
4790
+ #
4791
+ # @option params [required, String] :signing_algorithm
4792
+ # Specifies the signing algorithm to use when signing the message.
4793
+ #
4794
+ # Choose an algorithm that is compatible with the type and size of the
4795
+ # specified asymmetric CMK.
4796
+ #
4797
+ # @return [Types::SignResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
4798
+ #
4799
+ # * {Types::SignResponse#key_id #key_id} => String
4800
+ # * {Types::SignResponse#signature #signature} => String
4801
+ # * {Types::SignResponse#signing_algorithm #signing_algorithm} => String
4802
+ #
4803
+ # @example Request syntax with placeholder values
4804
+ #
4805
+ # resp = client.sign({
4806
+ # key_id: "KeyIdType", # required
4807
+ # message: "data", # required
4808
+ # message_type: "RAW", # accepts RAW, DIGEST
4809
+ # grant_tokens: ["GrantTokenType"],
4810
+ # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
4811
+ # })
4812
+ #
4813
+ # @example Response structure
4814
+ #
4815
+ # resp.key_id #=> String
4816
+ # resp.signature #=> String
4817
+ # resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
4818
+ #
4819
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
4820
+ #
4821
+ # @overload sign(params = {})
4822
+ # @param [Hash] params ({})
4823
+ def sign(params = {}, options = {})
4824
+ req = build_request(:sign, params)
4825
+ req.send_request(options)
4826
+ end
4827
+
3668
4828
  # Adds or edits tags for a customer master key (CMK). You cannot perform
3669
4829
  # this operation on a CMK in a different AWS account.
3670
4830
  #
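Review bot: the `:message_type` and `:signing_algorithm` docs in this hunk never say that a caller-supplied `DIGEST` has to be computed with the hash named in the chosen algorithm (SHA-256 for `RSASSA_PSS_SHA_256` or `ECDSA_SHA_256`, SHA-384 for the `_SHA_384` variants, and so on), so a caller who pre-hashes a large message with the wrong function gets a signature that `Verify` will reject. The sentence `Choose an algorithm that is compatible with the type and size of the specified asymmetric CMK` is also too vague to act on; suggest stating that the `RSASSA_*` algorithms require an RSA CMK and the `ECDSA_*` algorithms an elliptic-curve CMK, and, since `:message_type` is optional, stating what KMS assumes when it is omitted.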
@@ -3679,9 +4839,9 @@ module Aws::KMS
3679
4839
  # see [User-Defined Tag Restrictions][1] in the *AWS Billing and Cost
3680
4840
  # Management User Guide*.
3681
4841
  #
3682
- # The result of this operation varies with the key state of the CMK. For
3683
- # details, see [How Key State Affects Use of a Customer Master Key][2]
3684
- # in the *AWS Key Management Service Developer Guide*.
4842
+ # The CMK that you use for this operation must be in a compatible key
4843
+ # state. For details, see [How Key State Affects Use of a Customer
4844
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3685
4845
  #
3686
4846
  #
3687
4847
  #
@@ -3750,9 +4910,9 @@ module Aws::KMS
3750
4910
  # To remove a tag, specify the tag key. To change the tag value of an
3751
4911
  # existing tag key, use TagResource.
3752
4912
  #
3753
- # The result of this operation varies with the key state of the CMK. For
3754
- # details, see [How Key State Affects Use of a Customer Master Key][1]
3755
- # in the *AWS Key Management Service Developer Guide*.
4913
+ # The CMK that you use for this operation must be in a compatible key
4914
+ # state. For details, see [How Key State Affects Use of a Customer
4915
+ # Master Key][1] in the *AWS Key Management Service Developer Guide*.
3756
4916
  #
3757
4917
  #
3758
4918
  #
@@ -3806,14 +4966,22 @@ module Aws::KMS
3806
4966
  req.send_request(options)
3807
4967
  end
3808
4968
 
3809
- # Associates an existing alias with a different customer master key
3810
- # (CMK). Each CMK can have multiple aliases, but the aliases must be
3811
- # unique within the account and region. You cannot perform this
4969
+ # Associates an existing AWS KMS alias with a different customer master
4970
+ # key (CMK). Each alias is associated with only one CMK at a time,
4971
+ # although a CMK can have multiple aliases. The alias and the CMK must
4972
+ # be in the same AWS account and region. You cannot perform this
3812
4973
  # operation on an alias in a different AWS account.
3813
4974
  #
3814
- # This operation works only on existing aliases. To change the alias of
3815
- # a CMK to a new value, use CreateAlias to create a new alias and
3816
- # DeleteAlias to delete the old alias.
4975
+ # The current and new CMK must be the same type (both symmetric or both
4976
+ # asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
4977
+ # or `SIGN_VERIFY`). This restriction prevents errors in code that uses
4978
+ # aliases. If you must assign an alias to a different type of CMK, use
4979
+ # DeleteAlias to delete the old alias and CreateAlias to create a new
4980
+ # alias.
4981
+ #
4982
+ # You cannot use `UpdateAlias` to change an alias name. To change an
4983
+ # alias name, use DeleteAlias to delete the old alias and CreateAlias to
4984
+ # create a new alias.
3817
4985
  #
3818
4986
  # Because an alias is not a property of a CMK, you can create, update,
3819
4987
  # and delete the aliases of a CMK without affecting the CMK. Also,
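Review bot: the rewritten description states the same constraint three times: `The alias and the CMK must be in the same AWS account and region` and `You cannot perform this operation on an alias in a different AWS account` overlap, and the `DeleteAlias` then `CreateAlias` workaround is spelled out twice, once for moving to a different key type and once for renaming. Suggest merging into one paragraph: same account and Region, same key type and key usage, then a single sentence that renaming an alias or retargeting it to a different kind of CMK requires `DeleteAlias` followed by `CreateAlias`.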
@@ -3821,29 +4989,28 @@ module Aws::KMS
3821
4989
  # To get the aliases of all CMKs in the account, use the ListAliases
3822
4990
  # operation.
3823
4991
  #
3824
- # The alias name must begin with `alias/` followed by a name, such as
3825
- # `alias/ExampleAlias`. It can contain only alphanumeric characters,
3826
- # forward slashes (/), underscores (\_), and dashes (-). The alias name
3827
- # cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
3828
- # for [AWS managed CMKs][1].
4992
+ # The CMK that you use for this operation must be in a compatible key
4993
+ # state. For details, see [How Key State Affects Use of a Customer
4994
+ # Master Key][1] in the *AWS Key Management Service Developer Guide*.
3829
4995
  #
3830
- # The result of this operation varies with the key state of the CMK. For
3831
- # details, see [How Key State Affects Use of a Customer Master Key][2]
3832
- # in the *AWS Key Management Service Developer Guide*.
3833
4996
  #
3834
4997
  #
3835
- #
3836
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
3837
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4998
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3838
4999
  #
3839
5000
  # @option params [required, String] :alias_name
3840
- # Specifies the name of the alias to change. This value must begin with
3841
- # `alias/` followed by the alias name, such as `alias/ExampleAlias`.
5001
+ # Identifies the alias that is changing its CMK. This value must begin
5002
+ # with `alias/` followed by the alias name, such as
5003
+ # `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
5004
+ # name.
3842
5005
  #
3843
5006
  # @option params [required, String] :target_key_id
3844
- # Unique identifier of the customer master key (CMK) to be mapped to the
3845
- # alias. When the update operation completes, the alias will point to
3846
- # this CMK.
5007
+ # Identifies the CMK to associate with the alias. When the update
5008
+ # operation completes, the alias will point to this CMK.
5009
+ #
5010
+ # The CMK must be in the same AWS account and Region as the alias. Also,
5011
+ # the new target CMK must be the same type as the current target CMK
5012
+ # (both symmetric or both asymmetric) and they must have the same key
5013
+ # usage.
3847
5014
  #
3848
5015
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3849
5016
  #
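Review bot: dropping the paragraph that began `The alias name must begin with `alias/` followed by a name` also drops the only statement that `alias/aws/` is reserved for AWS managed CMKs, together with the `aws-managed-cmk` reference. The new `:alias_name` text says only that the value must start with `alias/`, so nothing in the updated docs tells a caller that an alias under `alias/aws/` cannot be retargeted with this operation. Suggest keeping one sentence, e.g. `You cannot update an alias that begins with alias/aws/; that prefix is reserved for AWS managed CMKs`, and restoring the reference, renumbered after the key-state link.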
@@ -3994,9 +5161,9 @@ module Aws::KMS
3994
5161
  #
3995
5162
  # You cannot perform this operation on a CMK in a different AWS account.
3996
5163
  #
3997
- # The result of this operation varies with the key state of the CMK. For
3998
- # details, see [How Key State Affects Use of a Customer Master Key][1]
3999
- # in the *AWS Key Management Service Developer Guide*.
5164
+ # The CMK that you use for this operation must be in a compatible key
5165
+ # state. For details, see [How Key State Affects Use of a Customer
5166
+ # Master Key][1] in the *AWS Key Management Service Developer Guide*.
4000
5167
  #
4001
5168
  #
4002
5169
  #
@@ -4047,6 +5214,133 @@ module Aws::KMS
4047
5214
  req.send_request(options)
4048
5215
  end
4049
5216
 
5217
+ # Verifies a digital signature that was generated by the Sign operation.
5218
+ #
5219
+ #
5220
+ #
5221
+ # Verification confirms that an authorized user signed the message with
5222
+ # the specified CMK and signing algorithm, and the message hasn't
5223
+ # changed since it was signed. If the signature is verified, the value
5224
+ # of the `SignatureValid` field in the response is `True`. If the
5225
+ # signature verification fails, the `Verify` operation fails with an
5226
+ # `KMSInvalidSignatureException` exception.
5227
+ #
5228
+ # A digital signature is generated by using the private key in an
5229
+ # asymmetric CMK. The signature is verified by using the public key in
5230
+ # the same asymmetric CMK. For information about symmetric and
5231
+ # asymmetric CMKs, see [Using Symmetric and Asymmetric CMKs][1] in the
5232
+ # *AWS Key Management Service Developer Guide*.
5233
+ #
5234
+ # To verify a digital signature, you can use the `Verify` operation.
5235
+ # Specify the same asymmetric CMK, message, and signing algorithm that
5236
+ # were used to produce the signature.
5237
+ #
5238
+ # You can also verify the digital signature by using the public key of
5239
+ # the CMK outside of AWS KMS. Use the GetPublicKey operation to download
5240
+ # the public key in the asymmetric CMK and then use the public key to
5241
+ # verify the signature outside of AWS KMS. The advantage of using the
5242
+ # `Verify` operation is that it is performed within AWS KMS. As a
5243
+ # result, it's easy to call, the operation is performed within the FIPS
5244
+ # boundary, it is logged in AWS CloudTrail, and you can use key policy
5245
+ # and IAM policy to determine who is authorized to use the CMK to verify
5246
+ # signatures.
5247
+ #
5248
+ # The CMK that you use for this operation must be in a compatible key
5249
+ # state. For details, see [How Key State Affects Use of a Customer
5250
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
5251
+ #
5252
+ #
5253
+ #
5254
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
5255
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5256
+ #
5257
+ # @option params [required, String] :key_id
5258
+ # Identifies the asymmetric CMK that will be used to verify the
5259
+ # signature. This must be the same CMK that was used to generate the
5260
+ # signature. If you specify a different CMK, the signature verification
5261
+ # fails.
5262
+ #
5263
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5264
+ # name, or alias ARN. When using an alias name, prefix it with
5265
+ # `"alias/"`. To specify a CMK in a different AWS account, you must use
5266
+ # the key ARN or alias ARN.
5267
+ #
5268
+ # For example:
5269
+ #
5270
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
5271
+ #
5272
+ # * Key ARN:
5273
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
5274
+ #
5275
+ # * Alias name: `alias/ExampleAlias`
5276
+ #
5277
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
5278
+ #
5279
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
5280
+ # To get the alias name and alias ARN, use ListAliases.
5281
+ #
5282
+ # @option params [required, String, IO] :message
5283
+ # Specifies the message that was signed, or a hash digest of that
5284
+ # message. Messages can be 0-4096 bytes. To verify a larger message,
5285
+ # provide a hash digest of the message.
5286
+ #
5287
+ # If the digest of the message specified here is different from the
5288
+ # message digest that was signed, the signature verification fails.
5289
+ #
5290
+ # @option params [String] :message_type
5291
+ # Tells AWS KMS whether the value of the `Message` parameter is a
5292
+ # message or message digest. To indicate a message, enter `RAW`. To
5293
+ # indicate a message digest, enter `DIGEST`.
5294
+ #
5295
+ # @option params [required, String, IO] :signature
5296
+ # The signature that the `Sign` operation generated.
5297
+ #
5298
+ # @option params [required, String] :signing_algorithm
5299
+ # The signing algorithm that was used to sign the message. If you submit
5300
+ # a different algorithm, the signature verification fails.
5301
+ #
5302
+ # @option params [Array<String>] :grant_tokens
5303
+ # A list of grant tokens.
5304
+ #
5305
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
5306
+ # Service Developer Guide*.
5307
+ #
5308
+ #
5309
+ #
5310
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
5311
+ #
5312
+ # @return [Types::VerifyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5313
+ #
5314
+ # * {Types::VerifyResponse#key_id #key_id} => String
5315
+ # * {Types::VerifyResponse#signature_valid #signature_valid} => Boolean
5316
+ # * {Types::VerifyResponse#signing_algorithm #signing_algorithm} => String
5317
+ #
5318
+ # @example Request syntax with placeholder values
5319
+ #
5320
+ # resp = client.verify({
5321
+ # key_id: "KeyIdType", # required
5322
+ # message: "data", # required
5323
+ # message_type: "RAW", # accepts RAW, DIGEST
5324
+ # signature: "data", # required
5325
+ # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
5326
+ # grant_tokens: ["GrantTokenType"],
5327
+ # })
5328
+ #
5329
+ # @example Response structure
5330
+ #
5331
+ # resp.key_id #=> String
5332
+ # resp.signature_valid #=> Boolean
5333
+ # resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
5334
+ #
5335
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
5336
+ #
5337
+ # @overload verify(params = {})
5338
+ # @param [Hash] params ({})
5339
+ def verify(params = {}, options = {})
5340
+ req = build_request(:verify, params)
5341
+ req.send_request(options)
5342
+ end
5343
+
4050
5344
  # @!endgroup
4051
5345
 
4052
5346
  # @param params ({})
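Review bot: the `@return` section lists `{Types::VerifyResponse#signature_valid} => Boolean` without noting that, as the description above says, a failed verification does not come back as `false` but raises `KMSInvalidSignatureException`. A caller who writes `if resp.signature_valid` gets a branch that is never taken; suggest saying on the `#signature_valid` line that the field is `true` on every successful response and that callers must rescue the exception, and repeating that in the `@example Response structure` comment. It would also help to state in the `:message` doc that, when `message_type` is `DIGEST`, the digest must be produced with the hash named in `:signing_algorithm`, since `If the digest of the message specified here is different ... the signature verification fails` covers a wrong input but not a wrong hash function.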
@@ -4060,7 +5354,7 @@ module Aws::KMS
4060
5354
  params: params,
4061
5355
  config: config)
4062
5356
  context[:gem_name] = 'aws-sdk-kms'
4063
- context[:gem_version] = '1.22.0'
5357
+ context[:gem_version] = '1.27.0'
4064
5358
  Seahorse::Client::Request.new(handlers, context)
4065
5359
  end
4066
5360