aws-sdk-kms 1.24.0 → 1.29.0

data/lib/aws-sdk-kms/client_api.rb

@@ -47,6 +47,8 @@ module Aws::KMS
     CustomKeyStoreNotFoundException = Shapes::StructureShape.new(name: 'CustomKeyStoreNotFoundException')
     CustomKeyStoresList = Shapes::ListShape.new(name: 'CustomKeyStoresList')
     CustomKeyStoresListEntry = Shapes::StructureShape.new(name: 'CustomKeyStoresListEntry')
+    CustomerMasterKeySpec = Shapes::StringShape.new(name: 'CustomerMasterKeySpec')
+    DataKeyPairSpec = Shapes::StringShape.new(name: 'DataKeyPairSpec')
     DataKeySpec = Shapes::StringShape.new(name: 'DataKeySpec')
     DateType = Shapes::TimestampShape.new(name: 'DateType')
     DecryptRequest = Shapes::StructureShape.new(name: 'DecryptRequest')
@@ -70,12 +72,18 @@ module Aws::KMS
     EnableKeyRotationRequest = Shapes::StructureShape.new(name: 'EnableKeyRotationRequest')
     EncryptRequest = Shapes::StructureShape.new(name: 'EncryptRequest')
     EncryptResponse = Shapes::StructureShape.new(name: 'EncryptResponse')
+    EncryptionAlgorithmSpec = Shapes::StringShape.new(name: 'EncryptionAlgorithmSpec')
+    EncryptionAlgorithmSpecList = Shapes::ListShape.new(name: 'EncryptionAlgorithmSpecList')
     EncryptionContextKey = Shapes::StringShape.new(name: 'EncryptionContextKey')
     EncryptionContextType = Shapes::MapShape.new(name: 'EncryptionContextType')
     EncryptionContextValue = Shapes::StringShape.new(name: 'EncryptionContextValue')
     ErrorMessageType = Shapes::StringShape.new(name: 'ErrorMessageType')
     ExpirationModelType = Shapes::StringShape.new(name: 'ExpirationModelType')
     ExpiredImportTokenException = Shapes::StructureShape.new(name: 'ExpiredImportTokenException')
+    GenerateDataKeyPairRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyPairRequest')
+    GenerateDataKeyPairResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyPairResponse')
+    GenerateDataKeyPairWithoutPlaintextRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyPairWithoutPlaintextRequest')
+    GenerateDataKeyPairWithoutPlaintextResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyPairWithoutPlaintextResponse')
     GenerateDataKeyRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyRequest')
     GenerateDataKeyResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyResponse')
     GenerateDataKeyWithoutPlaintextRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyWithoutPlaintextRequest')
@@ -88,6 +96,8 @@ module Aws::KMS
     GetKeyRotationStatusResponse = Shapes::StructureShape.new(name: 'GetKeyRotationStatusResponse')
     GetParametersForImportRequest = Shapes::StructureShape.new(name: 'GetParametersForImportRequest')
     GetParametersForImportResponse = Shapes::StructureShape.new(name: 'GetParametersForImportResponse')
+    GetPublicKeyRequest = Shapes::StructureShape.new(name: 'GetPublicKeyRequest')
+    GetPublicKeyResponse = Shapes::StructureShape.new(name: 'GetPublicKeyResponse')
     GrantConstraints = Shapes::StructureShape.new(name: 'GrantConstraints')
     GrantIdType = Shapes::StringShape.new(name: 'GrantIdType')
     GrantList = Shapes::ListShape.new(name: 'GrantList')
@@ -99,6 +109,7 @@ module Aws::KMS
     GrantTokenType = Shapes::StringShape.new(name: 'GrantTokenType')
     ImportKeyMaterialRequest = Shapes::StructureShape.new(name: 'ImportKeyMaterialRequest')
     ImportKeyMaterialResponse = Shapes::StructureShape.new(name: 'ImportKeyMaterialResponse')
+    IncorrectKeyException = Shapes::StructureShape.new(name: 'IncorrectKeyException')
     IncorrectKeyMaterialException = Shapes::StructureShape.new(name: 'IncorrectKeyMaterialException')
     IncorrectTrustAnchorException = Shapes::StructureShape.new(name: 'IncorrectTrustAnchorException')
     InvalidAliasNameException = Shapes::StructureShape.new(name: 'InvalidAliasNameException')
@@ -110,6 +121,7 @@ module Aws::KMS
     InvalidKeyUsageException = Shapes::StructureShape.new(name: 'InvalidKeyUsageException')
     InvalidMarkerException = Shapes::StructureShape.new(name: 'InvalidMarkerException')
     KMSInternalException = Shapes::StructureShape.new(name: 'KMSInternalException')
+    KMSInvalidSignatureException = Shapes::StructureShape.new(name: 'KMSInvalidSignatureException')
     KMSInvalidStateException = Shapes::StructureShape.new(name: 'KMSInvalidStateException')
     KeyIdType = Shapes::StringShape.new(name: 'KeyIdType')
     KeyList = Shapes::ListShape.new(name: 'KeyList')
@@ -135,6 +147,7 @@ module Aws::KMS
     ListRetirableGrantsRequest = Shapes::StructureShape.new(name: 'ListRetirableGrantsRequest')
     MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
     MarkerType = Shapes::StringShape.new(name: 'MarkerType')
+    MessageType = Shapes::StringShape.new(name: 'MessageType')
     NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
     NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
     OriginType = Shapes::StringShape.new(name: 'OriginType')
@@ -144,6 +157,7 @@ module Aws::KMS
     PolicyNameType = Shapes::StringShape.new(name: 'PolicyNameType')
     PolicyType = Shapes::StringShape.new(name: 'PolicyType')
     PrincipalIdType = Shapes::StringShape.new(name: 'PrincipalIdType')
+    PublicKeyType = Shapes::BlobShape.new(name: 'PublicKeyType')
     PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
     ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
     ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
@@ -151,6 +165,10 @@ module Aws::KMS
     RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
     ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
     ScheduleKeyDeletionResponse = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionResponse')
+    SignRequest = Shapes::StructureShape.new(name: 'SignRequest')
+    SignResponse = Shapes::StructureShape.new(name: 'SignResponse')
+    SigningAlgorithmSpec = Shapes::StringShape.new(name: 'SigningAlgorithmSpec')
+    SigningAlgorithmSpecList = Shapes::ListShape.new(name: 'SigningAlgorithmSpecList')
     Tag = Shapes::StructureShape.new(name: 'Tag')
     TagException = Shapes::StructureShape.new(name: 'TagException')
     TagKeyList = Shapes::ListShape.new(name: 'TagKeyList')
@@ -165,6 +183,8 @@ module Aws::KMS
     UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
     UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
     UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
+    VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
+    VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
     WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
 
     AliasList.member = Shapes::ShapeRef.new(shape: AliasListEntry)
@@ -232,6 +252,7 @@ module Aws::KMS
     CreateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
     CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
     CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
+    CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
     CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
     CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
     CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
@@ -267,10 +288,13 @@ module Aws::KMS
     DecryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
     DecryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
     DecryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    DecryptRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    DecryptRequest.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
     DecryptRequest.struct_class = Types::DecryptRequest
 
     DecryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
     DecryptResponse.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "Plaintext"))
+    DecryptResponse.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
     DecryptResponse.struct_class = Types::DecryptResponse
 
     DeleteAliasRequest.add_member(:alias_name, Shapes::ShapeRef.new(shape: AliasNameType, required: true, location_name: "AliasName"))
@@ -329,18 +353,47 @@ module Aws::KMS
     EncryptRequest.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Plaintext"))
     EncryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
     EncryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    EncryptRequest.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
     EncryptRequest.struct_class = Types::EncryptRequest
 
     EncryptResponse.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextBlob"))
     EncryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    EncryptResponse.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
     EncryptResponse.struct_class = Types::EncryptResponse
 
+    EncryptionAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec)
+
     EncryptionContextType.key = Shapes::ShapeRef.new(shape: EncryptionContextKey)
     EncryptionContextType.value = Shapes::ShapeRef.new(shape: EncryptionContextValue)
 
     ExpiredImportTokenException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     ExpiredImportTokenException.struct_class = Types::ExpiredImportTokenException
 
+    GenerateDataKeyPairRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
+    GenerateDataKeyPairRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    GenerateDataKeyPairRequest.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, required: true, location_name: "KeyPairSpec"))
+    GenerateDataKeyPairRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    GenerateDataKeyPairRequest.struct_class = Types::GenerateDataKeyPairRequest
+
+    GenerateDataKeyPairResponse.add_member(:private_key_ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "PrivateKeyCiphertextBlob"))
+    GenerateDataKeyPairResponse.add_member(:private_key_plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "PrivateKeyPlaintext"))
+    GenerateDataKeyPairResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
+    GenerateDataKeyPairResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    GenerateDataKeyPairResponse.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, location_name: "KeyPairSpec"))
+    GenerateDataKeyPairResponse.struct_class = Types::GenerateDataKeyPairResponse
+
+    GenerateDataKeyPairWithoutPlaintextRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
+    GenerateDataKeyPairWithoutPlaintextRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    GenerateDataKeyPairWithoutPlaintextRequest.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, required: true, location_name: "KeyPairSpec"))
+    GenerateDataKeyPairWithoutPlaintextRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    GenerateDataKeyPairWithoutPlaintextRequest.struct_class = Types::GenerateDataKeyPairWithoutPlaintextRequest
+
+    GenerateDataKeyPairWithoutPlaintextResponse.add_member(:private_key_ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "PrivateKeyCiphertextBlob"))
+    GenerateDataKeyPairWithoutPlaintextResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
+    GenerateDataKeyPairWithoutPlaintextResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    GenerateDataKeyPairWithoutPlaintextResponse.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, location_name: "KeyPairSpec"))
+    GenerateDataKeyPairWithoutPlaintextResponse.struct_class = Types::GenerateDataKeyPairWithoutPlaintextResponse
+
     GenerateDataKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
     GenerateDataKeyRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
     GenerateDataKeyRequest.add_member(:number_of_bytes, Shapes::ShapeRef.new(shape: NumberOfBytesType, location_name: "NumberOfBytes"))
@@ -395,6 +448,18 @@ module Aws::KMS
     GetParametersForImportResponse.add_member(:parameters_valid_to, Shapes::ShapeRef.new(shape: DateType, location_name: "ParametersValidTo"))
     GetParametersForImportResponse.struct_class = Types::GetParametersForImportResponse
 
+    GetPublicKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    GetPublicKeyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    GetPublicKeyRequest.struct_class = Types::GetPublicKeyRequest
+
+    GetPublicKeyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    GetPublicKeyResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
+    GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
+    GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
+    GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
+    GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
+    GetPublicKeyResponse.struct_class = Types::GetPublicKeyResponse
+
     GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
     GrantConstraints.add_member(:encryption_context_equals, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextEquals"))
     GrantConstraints.struct_class = Types::GrantConstraints
@@ -425,6 +490,9 @@ module Aws::KMS
 
     ImportKeyMaterialResponse.struct_class = Types::ImportKeyMaterialResponse
 
+    IncorrectKeyException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
+    IncorrectKeyException.struct_class = Types::IncorrectKeyException
+
     IncorrectKeyMaterialException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     IncorrectKeyMaterialException.struct_class = Types::IncorrectKeyMaterialException
 
@@ -458,6 +526,9 @@ module Aws::KMS
     KMSInternalException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     KMSInternalException.struct_class = Types::KMSInternalException
 
+    KMSInvalidSignatureException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
+    KMSInvalidSignatureException.struct_class = Types::KMSInvalidSignatureException
+
     KMSInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     KMSInvalidStateException.struct_class = Types::KMSInvalidStateException
 
@@ -482,6 +553,9 @@ module Aws::KMS
     KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
     KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
     KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
+    KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
+    KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
+    KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
     KeyMetadata.struct_class = Types::KeyMetadata
 
     KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -560,14 +634,19 @@ module Aws::KMS
 
     ReEncryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
     ReEncryptRequest.add_member(:source_encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "SourceEncryptionContext"))
+    ReEncryptRequest.add_member(:source_key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "SourceKeyId"))
     ReEncryptRequest.add_member(:destination_key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "DestinationKeyId"))
     ReEncryptRequest.add_member(:destination_encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "DestinationEncryptionContext"))
+    ReEncryptRequest.add_member(:source_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "SourceEncryptionAlgorithm"))
+    ReEncryptRequest.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
     ReEncryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
     ReEncryptRequest.struct_class = Types::ReEncryptRequest
 
     ReEncryptResponse.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextBlob"))
     ReEncryptResponse.add_member(:source_key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "SourceKeyId"))
     ReEncryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    ReEncryptResponse.add_member(:source_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "SourceEncryptionAlgorithm"))
+    ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
     ReEncryptResponse.struct_class = Types::ReEncryptResponse
 
     RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
@@ -587,6 +666,20 @@ module Aws::KMS
     ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
     ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
 
+    SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    SignRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
+    SignRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
+    SignRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    SignRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, required: true, location_name: "SigningAlgorithm"))
+    SignRequest.struct_class = Types::SignRequest
+
+    SignResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    SignResponse.add_member(:signature, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "Signature"))
+    SignResponse.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, location_name: "SigningAlgorithm"))
+    SignResponse.struct_class = Types::SignResponse
+
+    SigningAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: SigningAlgorithmSpec)
+
     Tag.add_member(:tag_key, Shapes::ShapeRef.new(shape: TagKeyType, required: true, location_name: "TagKey"))
     Tag.add_member(:tag_value, Shapes::ShapeRef.new(shape: TagValueType, required: true, location_name: "TagValue"))
     Tag.struct_class = Types::Tag
@@ -625,6 +718,19 @@ module Aws::KMS
     UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
     UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
 
+    VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
+    VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
+    VerifyRequest.add_member(:signature, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "Signature"))
+    VerifyRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, required: true, location_name: "SigningAlgorithm"))
+    VerifyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
+    VerifyRequest.struct_class = Types::VerifyRequest
+
+    VerifyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
+    VerifyResponse.add_member(:signature_valid, Shapes::ShapeRef.new(shape: BooleanType, location_name: "SignatureValid"))
+    VerifyResponse.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, location_name: "SigningAlgorithm"))
+    VerifyResponse.struct_class = Types::VerifyResponse
+
 
     # @api private
     API = Seahorse::Model::Api.new.tap do |api|
@@ -744,6 +850,8 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: DisabledException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidCiphertextException)
         o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: IncorrectKeyException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
@@ -910,6 +1018,38 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
+      api.add_operation(:generate_data_key_pair, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GenerateDataKeyPair"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GenerateDataKeyPairRequest)
+        o.output = Shapes::ShapeRef.new(shape: GenerateDataKeyPairResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+      end)
+
+      api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GenerateDataKeyPairWithoutPlaintext"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GenerateDataKeyPairWithoutPlaintextRequest)
+        o.output = Shapes::ShapeRef.new(shape: GenerateDataKeyPairWithoutPlaintextResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+      end)
+
       api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GenerateDataKeyWithoutPlaintext"
         o.http_method = "POST"
@@ -979,6 +1119,24 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
+      api.add_operation(:get_public_key, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetPublicKey"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetPublicKeyRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetPublicKeyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+      end)
+
       api.add_operation(:import_key_material, Seahorse::Model::Operation.new.tap do |o|
         o.name = "ImportKeyMaterial"
         o.http_method = "POST"
@@ -1127,6 +1285,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: DisabledException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidCiphertextException)
         o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: IncorrectKeyException)
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
@@ -1176,6 +1335,22 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
+      api.add_operation(:sign, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "Sign"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: SignRequest)
+        o.output = Shapes::ShapeRef.new(shape: SignResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+      end)
+
       api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
         o.name = "TagResource"
         o.http_method = "POST"
@@ -1222,6 +1397,7 @@ module Aws::KMS
         o.input = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreRequest)
         o.output = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreResponse)
         o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNameInUseException)
         o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotRelatedException)
         o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
@@ -1242,6 +1418,23 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
+
+      api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "Verify"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: VerifyRequest)
+        o.output = Shapes::ShapeRef.new(shape: VerifyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidSignatureException)
+      end)
     end
 
   end

data/lib/aws-sdk-kms/errors.rb

@@ -218,6 +218,22 @@ module Aws::KMS
 
     end
 
+    class IncorrectKeyException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::KMS::Types::IncorrectKeyException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+    end
+
     class IncorrectKeyMaterialException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context
@@ -394,6 +410,22 @@ module Aws::KMS
 
     end
 
+    class KMSInvalidSignatureException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::KMS::Types::KMSInvalidSignatureException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+    end
+
     class KMSInvalidStateException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-kms/types.rb

@@ -324,6 +324,9 @@ module Aws::KMS
     #   in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster
     #   as this user to manage key material on your behalf.
     #
+    #   The password must be a string of 7 to 32 characters. Its value is
+    #   case sensitive.
+    #
     #   This parameter tells AWS KMS the `kmsuser` account password; it does
     #   not change the password in the AWS CloudHSM cluster.
     #
@@ -360,7 +363,7 @@ module Aws::KMS
     #         key_id: "KeyIdType", # required
     #         grantee_principal: "PrincipalIdType", # required
     #         retiring_principal: "PrincipalIdType",
-    #         operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
+    #         operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
     #         constraints: {
     #           encryption_context_subset: {
     #             "EncryptionContextKey" => "EncryptionContextValue",
@@ -515,7 +518,8 @@ module Aws::KMS
     #       {
     #         policy: "PolicyType",
     #         description: "DescriptionType",
-    #         key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
+    #         key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
+    #         customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
     #         origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
     #         custom_key_store_id: "CustomKeyStoreIdType",
     #         bypass_policy_lockout_safety_check: false,
@@ -554,7 +558,7 @@ module Aws::KMS
     #   policy to the CMK. For more information, see [Default Key Policy][3]
     #   in the *AWS Key Management Service Developer Guide*.
     #
-    #   The key policy size limit is 32 kilobytes (32768 bytes).
+    #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
     #
     #
@@ -571,28 +575,101 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The cryptographic operations for which you can use the CMK. The only
-    #   valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
-    #   encrypt and decrypt data.
+    #   Determines the cryptographic operations for which you can use the
+    #   CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
+    #   required only for asymmetric CMKs. You can't change the `KeyUsage`
+    #   value after the CMK is created.
+    #
+    #   Select only one valid value.
+    #
+    #   * For symmetric CMKs, omit the parameter or specify
+    #     `ENCRYPT_DECRYPT`.
+    #
+    #   * For asymmetric CMKs with RSA key material, specify
+    #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #
+    #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
+    #   @return [String]
+    #
+    # @!attribute [rw] customer_master_key_spec
+    #   Specifies the type of CMK to create. The default value,
+    #   `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
+    #   encryption and decryption. For help choosing a key spec for your
+    #   CMK, see [How to Choose Your CMK Configuration][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #   The `CustomerMasterKeySpec` determines whether the CMK contains a
+    #   symmetric key or an asymmetric key pair. It also determines the
+    #   encryption algorithms or signing algorithms that the CMK supports.
+    #   You can't change the `CustomerMasterKeySpec` after the CMK is
+    #   created. To further restrict the algorithms that can be used with
+    #   the CMK, use a condition key in its key policy or IAM policy. For
+    #   more information, see [kms:EncryptionAlgorithm][2] or [kms:Signing
+    #   Algorithm][3] in the *AWS Key Management Service Developer Guide*.
+    #
+    #   [AWS services that are integrated with AWS KMS][4] use symmetric
+    #   CMKs to protect your data. These services do not support asymmetric
+    #   CMKs. For help determining whether a CMK is symmetric or asymmetric,
+    #   see [Identifying Symmetric and Asymmetric CMKs][5] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #   AWS KMS supports the following key specs for CMKs:
+    #
+    #   * Symmetric key (default)
+    #
+    #     * `SYMMETRIC_DEFAULT` (AES-256-GCM)
+    #
+    #     ^
+    #
+    #   * Asymmetric RSA key pairs
+    #
+    #     * `RSA_2048`
+    #
+    #     * `RSA_3072`
+    #
+    #     * `RSA_4096`
+    #
+    #   * Asymmetric NIST-recommended elliptic curve key pairs
+    #
+    #     * `ECC_NIST_P256` (secp256r1)
+    #
+    #     * `ECC_NIST_P384` (secp384r1)
+    #
+    #     * `ECC_NIST_P521` (secp521r1)
+    #
+    #   * Other asymmetric elliptic curve key pairs
+    #
+    #     * `ECC_SECG_P256K1` (secp256k1), commonly used for
+    #       cryptocurrencies.
+    #
+    #     ^
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
+    #   [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
     #   @return [String]
     #
     # @!attribute [rw] origin
     #   The source of the key material for the CMK. You cannot change the
-    #   origin after you create the CMK.
-    #
-    #   The default is `AWS_KMS`, which means AWS KMS creates the key
-    #   material in its own key store.
+    #   origin after you create the CMK. The default is `AWS_KMS`, which
+    #   means AWS KMS creates the key material.
     #
     #   When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
     #   without key material so that you can import key material from your
     #   existing key management infrastructure. For more information about
     #   importing key material into AWS KMS, see [Importing Key Material][1]
-    #   in the *AWS Key Management Service Developer Guide*.
+    #   in the *AWS Key Management Service Developer Guide*. This value is
+    #   valid only for symmetric CMKs.
     #
     #   When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
     #   in an AWS KMS [custom key store][2] and creates its key material in
     #   the associated AWS CloudHSM cluster. You must also use the
-    #   `CustomKeyStoreId` parameter to identify the custom key store.
+    #   `CustomKeyStoreId` parameter to identify the custom key store. This
+    #   value is valid only for symmetric CMKs.
     #
     #
     #
@@ -608,6 +685,9 @@ module Aws::KMS
     #   associated with the custom key store must have at least two active
     #   HSMs, each in a different Availability Zone in the Region.
     #
+    #   This parameter is valid only for symmetric CMKs. You cannot create
+    #   an asymmetric CMK in a custom key store.
+    #
     #   To find the ID of a custom key store, use the
     #   DescribeCustomKeyStores operation.
     #
@@ -648,12 +728,20 @@ module Aws::KMS
     #
     # @!attribute [rw] tags
     #   One or more tags. Each tag consists of a tag key and a tag value.
-    #   Tag keys and tag values are both required, but tag values can be
-    #   empty (null) strings.
+    #   Both the tag key and the tag value are required, but the tag value
+    #   can be an empty (null) string.
+    #
+    #   When you add tags to an AWS resource, AWS generates a cost
+    #   allocation report with usage and costs aggregated by tags. For
+    #   information about adding, changing, deleting and listing tags for
+    #   CMKs, see [Tagging Keys][1].
+    #
+    #   Use this parameter to tag the CMK when it is created. To add tags to
+    #   an existing CMK, use the TagResource operation.
     #
-    #   Use this parameter to tag the CMK when it is created. Alternately,
-    #   you can omit this parameter and instead tag the CMK after it is
-    #   created using TagResource.
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
@@ -662,6 +750,7 @@ module Aws::KMS
       :policy,
       :description,
       :key_usage,
+      :customer_master_key_spec,
       :origin,
       :custom_key_store_id,
       :bypass_policy_lockout_safety_check,
@@ -791,9 +880,10 @@ module Aws::KMS
     #   AWS CloudHSM cluster is active and contains at least one active HSM.
     #
     #   A value of `FAILED` indicates that an attempt to connect was
-    #   unsuccessful. For help resolving a connection failure, see
-    #   [Troubleshooting a Custom Key Store][1] in the *AWS Key Management
-    #   Service Developer Guide*.
+    #   unsuccessful. The `ConnectionErrorCode` field in the response
+    #   indicates the cause of the failure. For help resolving a connection
+    #   failure, see [Troubleshooting a Custom Key Store][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
     #
     #
@@ -801,7 +891,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] connection_error_code
-    #   Describes the connection error. Valid values are:
+    #   Describes the connection error. This field appears in the response
+    #   only when the `ConnectionState` is `FAILED`. For help resolving
+    #   these errors, see [How to Fix a Connection Failure][1] in *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #   Valid values are:
     #
     #   * `CLUSTER_NOT_FOUND` - AWS KMS cannot find the AWS CloudHSM cluster
     #     with the specified cluster ID.
@@ -817,23 +912,49 @@ module Aws::KMS
     #     again.
     #
     #   * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
-    #     for the `kmsuser` crypto user in the AWS CloudHSM cluster.
+    #     for the `kmsuser` crypto user in the AWS CloudHSM cluster. Before
+    #     you can connect your custom key store to its AWS CloudHSM cluster,
+    #     you must change the `kmsuser` account password and update the key
+    #     store password value for the custom key store.
     #
     #   * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
     #     connecting to the custom key store.
     #
+    #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
+    #     configuration was deleted. If AWS KMS cannot find all of the
+    #     subnets that were configured for the cluster when the custom key
+    #     store was created, attempts to connect fail. To fix this error,
+    #     create a cluster from a backup and associate it with your custom
+    #     key store. This process includes selecting a VPC and subnets. For
+    #     details, see [How to Fix a Connection Failure][1] in the *AWS Key
+    #     Management Service Developer Guide*.
+    #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
     #     associated AWS CloudHSM cluster due to too many failed password
     #     attempts. Before you can connect your custom key store to its AWS
     #     CloudHSM cluster, you must change the `kmsuser` account password
-    #     and update the password value for the custom key store.
+    #     and update the key store password value for the custom key store.
     #
-    #   For help with connection failures, see [Troubleshooting Custom Key
-    #   Stores][1] in the *AWS Key Management Service Developer Guide*.
+    #   * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
+    #     associated AWS CloudHSM cluster. This prevents AWS KMS from
+    #     rotating the `kmsuser` account password and logging into the
+    #     cluster. Before you can connect your custom key store to its AWS
+    #     CloudHSM cluster, you must log the `kmsuser` CU out of the
+    #     cluster. If you changed the `kmsuser` password to log into the
+    #     cluster, you must also and update the key store password value for
+    #     the custom key store. For help, see [How to Log Out and
+    #     Reconnect][2] in the *AWS Key Management Service Developer Guide*.
     #
+    #   * `USER_NOT_FOUND` - AWS KMS cannot find a `kmsuser` CU account in
+    #     the associated AWS CloudHSM cluster. Before you can connect your
+    #     custom key store to its AWS CloudHSM cluster, you must create a
+    #     `kmsuser` CU account in the cluster, and then update the key store
+    #     password value for the custom key store.
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
     #   @return [String]
     #
     # @!attribute [rw] creation_date
@@ -862,6 +983,8 @@ module Aws::KMS
     #           "EncryptionContextKey" => "EncryptionContextValue",
     #         },
     #         grant_tokens: ["GrantTokenType"],
+    #         key_id: "KeyIdType",
+    #         encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
     #       }
     #
     # @!attribute [rw] ciphertext_blob
@@ -869,9 +992,20 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_context
-    #   The encryption context. If this was specified in the Encrypt
-    #   function, it must be specified here or the decryption operation will
-    #   fail. For more information, see [Encryption Context][1].
+    #   Specifies the encryption context to use when decrypting the data. An
+    #   encryption context is valid only for cryptographic operations with a
+    #   symmetric CMK. The standard asymmetric encryption algorithms that
+    #   AWS KMS uses do not support an encryption context.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
+    #
+    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
     #
     #
@@ -889,30 +1023,83 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] key_id
+    #   Specifies the customer master key (CMK) that AWS KMS will use to
+    #   decrypt the ciphertext. Enter a key ID of the CMK that was used to
+    #   encrypt the ciphertext.
+    #
+    #   If you specify a `KeyId` value, the `Decrypt` operation succeeds
+    #   only if the specified CMK was used to encrypt the ciphertext.
+    #
+    #   This parameter is required only when the ciphertext was encrypted
+    #   under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
+    #   it adds to the ciphertext blob to determine which CMK was used to
+    #   encrypt the ciphertext. However, you can use this parameter to
+    #   ensure that a particular CMK (of any kind) is used to decrypt the
+    #   ciphertext.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] encryption_algorithm
+    #   Specifies the encryption algorithm that will be used to decrypt the
+    #   ciphertext. Specify the same algorithm that was used to encrypt the
+    #   data. If you specify a different algorithm, the `Decrypt` operation
+    #   fails.
+    #
+    #   This parameter is required only when the ciphertext was encrypted
+    #   under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
+    #   represents the only supported algorithm that is valid for symmetric
+    #   CMKs.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
     #
     class DecryptRequest < Struct.new(
       :ciphertext_blob,
       :encryption_context,
-      :grant_tokens)
+      :grant_tokens,
+      :key_id,
+      :encryption_algorithm)
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   ARN of the key used to perform the decryption. This value is
-    #   returned if no errors are encountered during the operation.
+    #   The ARN of the customer master key that was used to perform the
+    #   decryption.
     #   @return [String]
     #
     # @!attribute [rw] plaintext
     #   Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not encoded.
+    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   @return [String]
+    #
+    # @!attribute [rw] encryption_algorithm
+    #   The encryption algorithm that was used to decrypt the ciphertext.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
     #
     class DecryptResponse < Struct.new(
       :key_id,
-      :plaintext)
+      :plaintext,
+      :encryption_algorithm)
       include Aws::Structure
     end
 
@@ -1186,7 +1373,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies a symmetric customer master key (CMK). You cannot enable
+    #   automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
+    #   material][2], or CMKs in a [custom key store][3].
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -1199,6 +1388,12 @@ module Aws::KMS
     #
     #   To get the key ID and key ARN for a CMK, use ListKeys or
     #   DescribeKey.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -1282,7 +1477,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies a symmetric customer master key (CMK). You cannot enable
+    #   automatic rotation of asymmetric CMKs, CMKs with imported key
+    #   material, or CMKs in a [custom key store][1].
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -1295,6 +1492,10 @@ module Aws::KMS
     #
     #   To get the key ID and key ARN for a CMK, use ListKeys or
     #   DescribeKey.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1314,6 +1515,7 @@ module Aws::KMS
     #           "EncryptionContextKey" => "EncryptionContextValue",
     #         },
     #         grant_tokens: ["GrantTokenType"],
+    #         encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
     #       }
     #
     # @!attribute [rw] key_id
@@ -1344,10 +1546,20 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_context
-    #   Name-value pair that specifies the encryption context to be used for
-    #   authenticated encryption. If used here, the same value must be
-    #   supplied to the `Decrypt` API or decryption will fail. For more
-    #   information, see [Encryption Context][1].
+    #   Specifies the encryption context that will be used to encrypt the
+    #   data. An encryption context is valid only for cryptographic
+    #   operations with a symmetric CMK. The standard asymmetric encryption
+    #   algorithms that AWS KMS uses do not support an encryption context.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
+    #
+    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
     #
     #
@@ -1365,37 +1577,54 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] encryption_algorithm
+    #   Specifies the encryption algorithm that AWS KMS will use to encrypt
+    #   the plaintext message. The algorithm must be compatible with the CMK
+    #   that you specify.
+    #
+    #   This parameter is required only for asymmetric CMKs. The default
+    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
+    #   CMKs. If you are using an asymmetric CMK, we recommend
+    #   RSAES\_OAEP\_SHA\_256.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
     #
     class EncryptRequest < Struct.new(
       :key_id,
       :plaintext,
       :encryption_context,
-      :grant_tokens)
+      :grant_tokens,
+      :encryption_algorithm)
       include Aws::Structure
     end
 
     # @!attribute [rw] ciphertext_blob
     #   The encrypted plaintext. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not encoded.
+    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] key_id
     #   The ID of the key used during encryption.
     #   @return [String]
     #
+    # @!attribute [rw] encryption_algorithm
+    #   The encryption algorithm that was used to encrypt the plaintext.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptResponse AWS API Documentation
     #
     class EncryptResponse < Struct.new(
       :ciphertext_blob,
-      :key_id)
+      :key_id,
+      :encryption_algorithm)
       include Aws::Structure
     end
 
-    # The request was rejected because the provided import token is expired.
-    # Use GetParametersForImport to get a new import token and public key,
-    # use the new public key to encrypt the key material, and then try the
-    # request again.
+    # The request was rejected because the specified import token is
+    # expired. Use GetParametersForImport to get a new import token and
+    # public key, use the new public key to encrypt the key material, and
+    # then try the request again.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1407,6 +1636,259 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass GenerateDataKeyPairRequest
+    #   data as a hash:
+    #
+    #       {
+    #         encryption_context: {
+    #           "EncryptionContextKey" => "EncryptionContextValue",
+    #         },
+    #         key_id: "KeyIdType", # required
+    #         key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
+    #         grant_tokens: ["GrantTokenType"],
+    #       }
+    #
+    # @!attribute [rw] encryption_context
+    #   Specifies the encryption context that will be used when encrypting
+    #   the private key in the data key pair.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
+    #
+    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] key_id
+    #   Specifies the symmetric CMK that encrypts the private key in the
+    #   data key pair. You cannot specify an asymmetric CMKs.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must
+    #   use the key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_pair_spec
+    #   Determines the type of data key pair that is generated.
+    #
+    #   The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
+    #   encrypt and decrypt or to sign and verify (but not both), and the
+    #   rule that permits you to use ECC CMKs only to sign and verify, are
+    #   not effective outside of AWS KMS.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
+    #
+    class GenerateDataKeyPairRequest < Struct.new(
+      :encryption_context,
+      :key_id,
+      :key_pair_spec,
+      :grant_tokens)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] private_key_ciphertext_blob
+    #   The encrypted copy of the private key. When you use the HTTP API or
+    #   the AWS CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
+    #   @return [String]
+    #
+    # @!attribute [rw] private_key_plaintext
+    #   The plaintext copy of the private key. When you use the HTTP API or
+    #   the AWS CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
+    #   @return [String]
+    #
+    # @!attribute [rw] public_key
+    #   The public key (in plaintext).
+    #   @return [String]
+    #
+    # @!attribute [rw] key_id
+    #   The identifier of the CMK that encrypted the private key.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_pair_spec
+    #   The type of data key pair that was generated.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
+    #
+    class GenerateDataKeyPairResponse < Struct.new(
+      :private_key_ciphertext_blob,
+      :private_key_plaintext,
+      :public_key,
+      :key_id,
+      :key_pair_spec)
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
+    #   data as a hash:
+    #
+    #       {
+    #         encryption_context: {
+    #           "EncryptionContextKey" => "EncryptionContextValue",
+    #         },
+    #         key_id: "KeyIdType", # required
+    #         key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
+    #         grant_tokens: ["GrantTokenType"],
+    #       }
+    #
+    # @!attribute [rw] encryption_context
+    #   Specifies the encryption context that will be used when encrypting
+    #   the private key in the data key pair.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
+    #
+    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] key_id
+    #   Specifies the CMK that encrypts the private key in the data key
+    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
+    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_pair_spec
+    #   Determines the type of data key pair that is generated.
+    #
+    #   The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
+    #   encrypt and decrypt or to sign and verify (but not both), and the
+    #   rule that permits you to use ECC CMKs only to sign and verify, are
+    #   not effective outside of AWS KMS.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
+    #
+    class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
+      :encryption_context,
+      :key_id,
+      :key_pair_spec,
+      :grant_tokens)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] private_key_ciphertext_blob
+    #   The encrypted copy of the private key. When you use the HTTP API or
+    #   the AWS CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
+    #   @return [String]
+    #
+    # @!attribute [rw] public_key
+    #   The public key (in plaintext).
+    #   @return [String]
+    #
+    # @!attribute [rw] key_id
+    #   Specifies the CMK that encrypted the private key in the data key
+    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
+    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_pair_spec
+    #   The type of data key pair that was generated.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
+    #
+    class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
+      :private_key_ciphertext_blob,
+      :public_key,
+      :key_id,
+      :key_pair_spec)
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GenerateDataKeyRequest
     #   data as a hash:
     #
@@ -1421,7 +1903,7 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   An identifier for the CMK that encrypts the data key.
+    #   Identifies the symmetric CMK that encrypts the data key.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1444,8 +1926,15 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_context
-    #   A set of key-value pairs that represents additional authenticated
-    #   data.
+    #   Specifies the encryption context that will be used when encrypting
+    #   the data key.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
     #
     #   For more information, see [Encryption Context][1] in the *AWS Key
     #   Management Service Developer Guide*.
@@ -1456,15 +1945,22 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] number_of_bytes
-    #   The length of the data key in bytes. For example, use the value 64
-    #   to generate a 512-bit data key (64 bytes is 512 bits). For common
-    #   key lengths (128-bit and 256-bit symmetric keys), we recommend that
-    #   you use the `KeySpec` field instead of this one.
+    #   Specifies the length of the data key in bytes. For example, use the
+    #   value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
+    #   128-bit (16-byte) and 256-bit (32-byte) data keys, use the `KeySpec`
+    #   parameter.
+    #
+    #   You must specify either the `KeySpec` or the `NumberOfBytes`
+    #   parameter (but not both) in every `GenerateDataKey` request.
     #   @return [Integer]
     #
     # @!attribute [rw] key_spec
-    #   The length of the data key. Use `AES_128` to generate a 128-bit
-    #   symmetric key, or `AES_256` to generate a 256-bit symmetric key.
+    #   Specifies the length of the data key. Use `AES_128` to generate a
+    #   128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
+    #   key.
+    #
+    #   You must specify either the `KeySpec` or the `NumberOfBytes`
+    #   parameter (but not both) in every `GenerateDataKey` request.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -1491,14 +1987,15 @@ module Aws::KMS
 
     # @!attribute [rw] ciphertext_blob
     #   The encrypted copy of the data key. When you use the HTTP API or the
-    #   AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
+    #   AWS CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] plaintext
     #   The plaintext data key. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not encoded. Use this
-    #   data key to encrypt your data outside of KMS. Then, remove it from
-    #   memory as soon as possible.
+    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   Use this data key to encrypt your data outside of KMS. Then, remove
+    #   it from memory as soon as possible.
     #   @return [String]
     #
     # @!attribute [rw] key_id
@@ -1528,8 +2025,8 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The identifier of the customer master key (CMK) that encrypts the
-    #   data key.
+    #   The identifier of the symmetric customer master key (CMK) that
+    #   encrypts the data key.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1552,8 +2049,15 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_context
-    #   A set of key-value pairs that represents additional authenticated
-    #   data.
+    #   Specifies the encryption context that will be used when encrypting
+    #   the data key.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
     #
     #   For more information, see [Encryption Context][1] in the *AWS Key
     #   Management Service Developer Guide*.
@@ -1599,7 +2103,7 @@ module Aws::KMS
 
     # @!attribute [rw] ciphertext_blob
     #   The encrypted data key. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not encoded.
+    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] key_id
@@ -1646,7 +2150,7 @@ module Aws::KMS
 
     # @!attribute [rw] plaintext
     #   The random byte string. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not encoded.
+    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -1756,8 +2260,8 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK into which you will import key material.
-    #   The CMK's `Origin` must be `EXTERNAL`.
+    #   The identifier of the symmetric CMK into which you will import key
+    #   material. The `Origin` of the CMK must be `EXTERNAL`.
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -1803,29 +2307,142 @@ module Aws::KMS
     #   `GetParametersForImport` request.
     #   @return [String]
     #
-    # @!attribute [rw] import_token
-    #   The import token to send in a subsequent ImportKeyMaterial request.
+    # @!attribute [rw] import_token
+    #   The import token to send in a subsequent ImportKeyMaterial request.
+    #   @return [String]
+    #
+    # @!attribute [rw] public_key
+    #   The public key to use to encrypt the key material before importing
+    #   it with ImportKeyMaterial.
+    #   @return [String]
+    #
+    # @!attribute [rw] parameters_valid_to
+    #   The time at which the import token and public key are no longer
+    #   valid. After this time, you cannot use them to make an
+    #   ImportKeyMaterial request and you must send another
+    #   `GetParametersForImport` request to get new ones.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
+    #
+    class GetParametersForImportResponse < Struct.new(
+      :key_id,
+      :import_token,
+      :public_key,
+      :parameters_valid_to)
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetPublicKeyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         grant_tokens: ["GrantTokenType"],
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies the asymmetric CMK that includes the public key.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must
+    #   use the key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
+    #
+    class GetPublicKeyRequest < Struct.new(
+      :key_id,
+      :grant_tokens)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   The identifier of the asymmetric CMK from which the public key was
+    #   downloaded.
+    #   @return [String]
+    #
+    # @!attribute [rw] public_key
+    #   The exported public key.
+    #
+    #   The value is a DER-encoded X.509 public key, also known as
+    #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
+    #   use the HTTP API or the AWS CLI, the value is Base64-encoded.
+    #   Otherwise, it is not Base64-encoded.
+    #
+    #
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280
+    #   @return [String]
+    #
+    # @!attribute [rw] customer_master_key_spec
+    #   The type of the of the public key that was downloaded.
     #   @return [String]
     #
-    # @!attribute [rw] public_key
-    #   The public key to use to encrypt the key material before importing
-    #   it with ImportKeyMaterial.
+    # @!attribute [rw] key_usage
+    #   The permitted use of the public key. Valid values are
+    #   `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #
+    #   This information is critical. If a public key with `SIGN_VERIFY` key
+    #   usage encrypts data outside of AWS KMS, the ciphertext cannot be
+    #   decrypted.
     #   @return [String]
     #
-    # @!attribute [rw] parameters_valid_to
-    #   The time at which the import token and public key are no longer
-    #   valid. After this time, you cannot use them to make an
-    #   ImportKeyMaterial request and you must send another
-    #   `GetParametersForImport` request to get new ones.
-    #   @return [Time]
+    # @!attribute [rw] encryption_algorithms
+    #   The encryption algorithms that AWS KMS supports for this key.
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
+    #   This information is critical. If a public key encrypts data outside
+    #   of AWS KMS by using an unsupported encryption algorithm, the
+    #   ciphertext cannot be decrypted.
     #
-    class GetParametersForImportResponse < Struct.new(
+    #   This field appears in the response only when the `KeyUsage` of the
+    #   public key is `ENCRYPT_DECRYPT`.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] signing_algorithms
+    #   The signing algorithms that AWS KMS supports for this key.
+    #
+    #   This field appears in the response only when the `KeyUsage` of the
+    #   public key is `SIGN_VERIFY`.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
+    #
+    class GetPublicKeyResponse < Struct.new(
       :key_id,
-      :import_token,
       :public_key,
-      :parameters_valid_to)
+      :customer_master_key_spec,
+      :key_usage,
+      :encryption_algorithms,
+      :signing_algorithms)
       include Aws::Structure
     end
 
@@ -1974,8 +2591,10 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK to import the key material into. The
-    #   CMK's `Origin` must be `EXTERNAL`.
+    #   The identifier of the symmetric CMK that receives the imported key
+    #   material. The CMK's `Origin` must be `EXTERNAL`. This must be the
+    #   same CMK specified in the `KeyID` parameter of the corresponding
+    #   GetParametersForImport request.
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -1998,10 +2617,10 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encrypted_key_material
-    #   The encrypted key material to import. It must be encrypted with the
-    #   public key that you received in the response to a previous
-    #   GetParametersForImport request, using the wrapping algorithm that
-    #   you specified in that request.
+    #   The encrypted key material to import. The key material must be
+    #   encrypted with the public wrapping key that GetParametersForImport
+    #   returned, using the wrapping algorithm that you specified in the
+    #   same `GetParametersForImport` request.
     #   @return [String]
     #
     # @!attribute [rw] valid_to
@@ -2035,9 +2654,24 @@ module Aws::KMS
     #
     class ImportKeyMaterialResponse < Aws::EmptyStructure; end
 
-    # The request was rejected because the provided key material is invalid
-    # or is not the same key material that was previously imported into this
-    # customer master key (CMK).
+    # The request was rejected because the specified CMK cannot decrypt the
+    # data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
+    # ReEncrypt request must identify the same CMK that was used to encrypt
+    # the ciphertext.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/IncorrectKeyException AWS API Documentation
+    #
+    class IncorrectKeyException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # The request was rejected because the key material in the request is,
+    # expired, invalid, or is not the same key material that was previously
+    # imported into this customer master key (CMK).
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2096,10 +2730,13 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the specified ciphertext, or
-    # additional authenticated data incorporated into the ciphertext, such
-    # as the encryption context, is corrupted, missing, or otherwise
-    # invalid.
+    # From the Decrypt or ReEncrypt operation, the request was rejected
+    # because the specified ciphertext, or additional authenticated data
+    # incorporated into the ciphertext, such as the encryption context, is
+    # corrupted, missing, or otherwise invalid.
+    #
+    # From the ImportKeyMaterial operation, the request was rejected because
+    # AWS KMS could not decrypt the encrypted (wrapped) key material.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2149,8 +2786,22 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the specified `KeySpec` value is not
-    # valid.
+    # The request was rejected for one of the following reasons:
+    #
+    # * The `KeyUsage` value of the CMK is incompatible with the API
+    #   operation.
+    #
+    # * The encryption algorithm or signing algorithm specified for the
+    #   operation is incompatible with the type of key material in the CMK
+    #   `(CustomerMasterKeySpec`).
+    #
+    # For encrypting, decrypting, re-encrypting, and generating data keys,
+    # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
+    # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK,
+    # use the DescribeKey operation.
+    #
+    # To find the encryption or signing algorithms supported for a
+    # particular CMK, use the DescribeKey operation.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2188,12 +2839,27 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # The request was rejected because the signature verification failed.
+    # Signature verification fails when it cannot confirm that signature was
+    # produced by signing the specified message with the specified CMK and
+    # signing algorithm.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidSignatureException AWS API Documentation
+    #
+    class KMSInvalidSignatureException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # The request was rejected because the state of the specified resource
     # is not valid for this request.
     #
     # For more information about how key state affects the use of a CMK, see
-    # [How Key State Affects Use of a Customer Master Key][1] in the *AWS
-    # Key Management Service Developer Guide*.
+    # [How Key State Affects Use of a Customer Master Key][1] in the <i>
+    # <i>AWS Key Management Service Developer Guide</i> </i>.
     #
     #
     #
@@ -2264,9 +2930,7 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The cryptographic operations for which you can use the CMK. The only
-    #   valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
-    #   encrypt and decrypt data.
+    #   The cryptographic operations for which you can use the CMK.
     #   @return [String]
     #
     # @!attribute [rw] key_state
@@ -2342,6 +3006,26 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
     #   @return [String]
     #
+    # @!attribute [rw] customer_master_key_spec
+    #   Describes the type of key material in the CMK.
+    #   @return [String]
+    #
+    # @!attribute [rw] encryption_algorithms
+    #   A list of encryption algorithms that the CMK supports. You cannot
+    #   use the CMK with other encryption algorithms within AWS KMS.
+    #
+    #   This field appears only when the `KeyUsage` of the CMK is
+    #   `ENCRYPT_DECRYPT`.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] signing_algorithms
+    #   A list of signing algorithms that the CMK supports. You cannot use
+    #   the CMK with other signing algorithms within AWS KMS.
+    #
+    #   This field appears only when the `KeyUsage` of the CMK is
+    #   `SIGN_VERIFY`.
+    #   @return [Array<String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
     #
     class KeyMetadata < Struct.new(
@@ -2359,12 +3043,15 @@ module Aws::KMS
       :custom_key_store_id,
       :cloud_hsm_cluster_id,
       :expiration_model,
-      :key_manager)
+      :key_manager,
+      :customer_master_key_spec,
+      :encryption_algorithms,
+      :signing_algorithms)
       include Aws::Structure
     end
 
     # The request was rejected because the specified CMK was not available.
-    # The request can be retried.
+    # You can retry the request.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2376,8 +3063,8 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because a limit was exceeded. For more
-    # information, see [Limits][1] in the *AWS Key Management Service
+    # The request was rejected because a quota was exceeded. For more
+    # information, see [Quotas][1] in the *AWS Key Management Service
     # Developer Guide*.
     #
     #
@@ -2881,12 +3568,15 @@ module Aws::KMS
     #     visible][2] in the *AWS Identity and Access Management User
     #     Guide*.
     #
-    #   The key policy size limit is 32 kilobytes (32768 bytes).
+    #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
+    #   information, see [Resource Quotas][3] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -2929,10 +3619,13 @@ module Aws::KMS
     #         source_encryption_context: {
     #           "EncryptionContextKey" => "EncryptionContextValue",
     #         },
+    #         source_key_id: "KeyIdType",
     #         destination_key_id: "KeyIdType", # required
     #         destination_encryption_context: {
     #           "EncryptionContextKey" => "EncryptionContextValue",
     #         },
+    #         source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #         destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
     #         grant_tokens: ["GrantTokenType"],
     #       }
     #
@@ -2941,12 +3634,64 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] source_encryption_context
-    #   Encryption context used to encrypt and decrypt the data specified in
-    #   the `CiphertextBlob` parameter.
+    #   Specifies the encryption context to use to decrypt the ciphertext.
+    #   Enter the same encryption context that was used to encrypt the
+    #   ciphertext.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
+    #
+    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
+    # @!attribute [rw] source_key_id
+    #   A unique identifier for the CMK that is used to decrypt the
+    #   ciphertext before it reencrypts it using the destination CMK.
+    #
+    #   This parameter is required only when the ciphertext was encrypted
+    #   under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
+    #   it adds to the ciphertext blob to determine which CMK was used to
+    #   encrypt the ciphertext. However, you can use this parameter to
+    #   ensure that a particular CMK (of any kind) is used to decrypt the
+    #   ciphertext before it is reencrypted.
+    #
+    #   If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
+    #   operation succeeds only if the specified CMK was used to encrypt the
+    #   ciphertext.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
     # @!attribute [rw] destination_key_id
     #   A unique identifier for the CMK that is used to reencrypt the data.
+    #   Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
+    #   `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
+    #   DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -2969,9 +3714,51 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] destination_encryption_context
-    #   Encryption context to use when the data is reencrypted.
+    #   Specifies that encryption context to use when the reencrypting the
+    #   data.
+    #
+    #   A destination encryption context is valid only when the destination
+    #   CMK is a symmetric CMK. The standard ciphertext format for
+    #   asymmetric CMKs does not include fields for metadata.
+    #
+    #   An *encryption context* is a collection of non-secret key-value
+    #   pairs that represents additional authenticated data. When you use an
+    #   encryption context to encrypt data, you must specify the same (an
+    #   exact case-sensitive match) encryption context to decrypt the data.
+    #   An encryption context is optional when encrypting with a symmetric
+    #   CMK, but it is highly recommended.
+    #
+    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
+    # @!attribute [rw] source_encryption_algorithm
+    #   Specifies the encryption algorithm that AWS KMS will use to decrypt
+    #   the ciphertext before it is reencrypted. The default value,
+    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
+    #   CMKs.
+    #
+    #   Specify the same algorithm that was used to encrypt the ciphertext.
+    #   If you specify a different algorithm, the decrypt attempt fails.
+    #
+    #   This parameter is required only when the ciphertext was encrypted
+    #   under an asymmetric CMK.
+    #   @return [String]
+    #
+    # @!attribute [rw] destination_encryption_algorithm
+    #   Specifies the encryption algorithm that AWS KMS will use to reecrypt
+    #   the data after it has decrypted it. The default value,
+    #   `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
+    #   symmetric CMKs.
+    #
+    #   This parameter is required only when the destination CMK is an
+    #   asymmetric CMK.
+    #   @return [String]
+    #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
@@ -2988,15 +3775,18 @@ module Aws::KMS
     class ReEncryptRequest < Struct.new(
       :ciphertext_blob,
       :source_encryption_context,
+      :source_key_id,
       :destination_key_id,
       :destination_encryption_context,
+      :source_encryption_algorithm,
+      :destination_encryption_algorithm,
       :grant_tokens)
       include Aws::Structure
     end
 
     # @!attribute [rw] ciphertext_blob
     #   The reencrypted data. When you use the HTTP API or the AWS CLI, the
-    #   value is Base64-encoded. Otherwise, it is not encoded.
+    #   value is Base64-encoded. Otherwise, it is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] source_key_id
@@ -3007,12 +3797,23 @@ module Aws::KMS
     #   Unique identifier of the CMK used to reencrypt the data.
     #   @return [String]
     #
+    # @!attribute [rw] source_encryption_algorithm
+    #   The encryption algorithm that was used to decrypt the ciphertext
+    #   before it was reencrypted.
+    #   @return [String]
+    #
+    # @!attribute [rw] destination_encryption_algorithm
+    #   The encryption algorithm that was used to reencrypt the data.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
     #
     class ReEncryptResponse < Struct.new(
       :ciphertext_blob,
       :source_key_id,
-      :key_id)
+      :key_id,
+      :source_encryption_algorithm,
+      :destination_encryption_algorithm)
       include Aws::Structure
     end
 
@@ -3151,6 +3952,125 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass SignRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         message: "data", # required
+    #         message_type: "RAW", # accepts RAW, DIGEST
+    #         grant_tokens: ["GrantTokenType"],
+    #         signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies an asymmetric CMK. AWS KMS uses the private key in the
+    #   asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
+    #   must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
+    #   DescribeKey operation.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must
+    #   use the key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Specifies the message or message digest to sign. Messages can be
+    #   0-4096 bytes. To sign a larger message, provide the message digest.
+    #
+    #   If you provide a message, AWS KMS generates a hash digest of the
+    #   message and then signs it.
+    #   @return [String]
+    #
+    # @!attribute [rw] message_type
+    #   Tells AWS KMS whether the value of the `Message` parameter is a
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] signing_algorithm
+    #   Specifies the signing algorithm to use when signing the message.
+    #
+    #   Choose an algorithm that is compatible with the type and size of the
+    #   specified asymmetric CMK.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
+    #
+    class SignRequest < Struct.new(
+      :key_id,
+      :message,
+      :message_type,
+      :grant_tokens,
+      :signing_algorithm)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   The Amazon Resource Name (ARN) of the asymmetric CMK that was used
+    #   to sign the message.
+    #   @return [String]
+    #
+    # @!attribute [rw] signature
+    #   The cryptographic signature that was generated for the message.
+    #
+    #   * When used with the supported RSA signing algorithms, the encoding
+    #     of this value is defined by [PKCS #1 in RFC 8017][1].
+    #
+    #   * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
+    #     `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
+    #     object as defined by ANS X9.62–2005 and [RFC 3279 Section
+    #     2.2.3][2]. This is the most commonly used signature format and is
+    #     appropriate for most uses.
+    #
+    #   When you use the HTTP API or the AWS CLI, the value is
+    #   Base64-encoded. Otherwise, it is not Base64-encoded.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc8017
+    #   [2]: https://tools.ietf.org/html/rfc3279#section-2.2.3
+    #   @return [String]
+    #
+    # @!attribute [rw] signing_algorithm
+    #   The signing algorithm that was used to sign the message.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignResponse AWS API Documentation
+    #
+    class SignResponse < Struct.new(
+      :key_id,
+      :signature,
+      :signing_algorithm)
+      include Aws::Structure
+    end
+
     # A key-value pair. A tag consists of a tag key and a tag value. Tag
     # keys and tag values are both required, but tag values can be empty
     # (null) strings.
@@ -3298,15 +4218,20 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] alias_name
-    #   Specifies the name of the alias to change. This value must begin
+    #   Identifies the alias that is changing its CMK. This value must begin
     #   with `alias/` followed by the alias name, such as
-    #   `alias/ExampleAlias`.
+    #   `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
+    #   name.
     #   @return [String]
     #
     # @!attribute [rw] target_key_id
-    #   Unique identifier of the customer master key (CMK) to be mapped to
-    #   the alias. When the update operation completes, the alias will point
-    #   to this CMK.
+    #   Identifies the CMK to associate with the alias. When the update
+    #   operation completes, the alias will point to this CMK.
+    #
+    #   The CMK must be in the same AWS account and Region as the alias.
+    #   Also, the new target CMK must be the same type as the current target
+    #   CMK (both symmetric or both asymmetric) and they must have the same
+    #   key usage.
     #
     #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
@@ -3431,5 +4356,122 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass VerifyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         message: "data", # required
+    #         message_type: "RAW", # accepts RAW, DIGEST
+    #         signature: "data", # required
+    #         signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
+    #         grant_tokens: ["GrantTokenType"],
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies the asymmetric CMK that will be used to verify the
+    #   signature. This must be the same CMK that was used to generate the
+    #   signature. If you specify a different CMK, the signature
+    #   verification fails.
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   `"alias/"`. To specify a CMK in a different AWS account, you must
+    #   use the key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Specifies the message that was signed. You can submit a raw message
+    #   of up to 4096 bytes, or a hash digest of the message. If you submit
+    #   a digest, use the `MessageType` parameter with a value of `DIGEST`.
+    #
+    #   If the message specified here is different from the message that was
+    #   signed, the signature verification fails. A message and its hash
+    #   digest are considered to be the same message.
+    #   @return [String]
+    #
+    # @!attribute [rw] message_type
+    #   Tells AWS KMS whether the value of the `Message` parameter is a
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message`
+    #   parameter is a message digest. If you use the `DIGEST` value with a
+    #   raw message, the security of the verification operation can be
+    #   compromised.
+    #   @return [String]
+    #
+    # @!attribute [rw] signature
+    #   The signature that the `Sign` operation generated.
+    #   @return [String]
+    #
+    # @!attribute [rw] signing_algorithm
+    #   The signing algorithm that was used to sign the message. If you
+    #   submit a different algorithm, the signature verification fails.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
+    #
+    class VerifyRequest < Struct.new(
+      :key_id,
+      :message,
+      :message_type,
+      :signature,
+      :signing_algorithm,
+      :grant_tokens)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   The unique identifier for the asymmetric CMK that was used to verify
+    #   the signature.
+    #   @return [String]
+    #
+    # @!attribute [rw] signature_valid
+    #   A Boolean value that indicates whether the signature was verified. A
+    #   value of `True` indicates that the `Signature` was produced by
+    #   signing the `Message` with the specified `KeyID` and
+    #   `SigningAlgorithm.` If the signature is not verified, the `Verify`
+    #   operation fails with a `KMSInvalidSignatureException` exception.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] signing_algorithm
+    #   The signing algorithm that was used to verify the signature.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyResponse AWS API Documentation
+    #
+    class VerifyResponse < Struct.new(
+      :key_id,
+      :signature_valid,
+      :signing_algorithm)
+      include Aws::Structure
+    end
+
   end
 end