aws-sdk-kms 1.25.0 → 1.30.0

@@ -6,6 +6,13 @@
6
6
  # WARNING ABOUT GENERATED CODE
7
7
 
8
8
  module Aws::KMS
9
+ # This class provides a resource oriented interface for KMS.
10
+ # To create a resource object:
11
+ # resource = Aws::KMS::Resource.new(region: 'us-west-2')
12
+ # You can supply a client object with custom configuration that will be used for all resource operations.
13
+ # If you do not pass +:client+, a default client will be constructed.
14
+ # client = Aws::KMS::Client.new(region: 'us-west-2')
15
+ # resource = Aws::KMS::Resource.new(client: client)
9
16
  class Resource
10
17
 
11
18
  # @param options ({})
@@ -324,6 +324,9 @@ module Aws::KMS
324
324
  # in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster
325
325
  # as this user to manage key material on your behalf.
326
326
  #
327
+ # The password must be a string of 7 to 32 characters. Its value is
328
+ # case sensitive.
329
+ #
327
330
  # This parameter tells AWS KMS the `kmsuser` account password; it does
328
331
  # not change the password in the AWS CloudHSM cluster.
329
332
  #
@@ -360,7 +363,7 @@ module Aws::KMS
360
363
  # key_id: "KeyIdType", # required
361
364
  # grantee_principal: "PrincipalIdType", # required
362
365
  # retiring_principal: "PrincipalIdType",
363
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
366
+ # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
364
367
  # constraints: {
365
368
  # encryption_context_subset: {
366
369
  # "EncryptionContextKey" => "EncryptionContextValue",
@@ -515,7 +518,8 @@ module Aws::KMS
515
518
  # {
516
519
  # policy: "PolicyType",
517
520
  # description: "DescriptionType",
518
- # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
521
+ # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
522
+ # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
519
523
  # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
520
524
  # custom_key_store_id: "CustomKeyStoreIdType",
521
525
  # bypass_policy_lockout_safety_check: false,
@@ -554,7 +558,7 @@ module Aws::KMS
554
558
  # policy to the CMK. For more information, see [Default Key Policy][3]
555
559
  # in the *AWS Key Management Service Developer Guide*.
556
560
  #
557
- # The key policy size limit is 32 kilobytes (32768 bytes).
561
+ # The key policy size quota is 32 kilobytes (32768 bytes).
558
562
  #
559
563
  #
560
564
  #
@@ -571,28 +575,101 @@ module Aws::KMS
571
575
  # @return [String]
572
576
  #
573
577
  # @!attribute [rw] key_usage
574
- # The cryptographic operations for which you can use the CMK. The only
575
- # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
576
- # encrypt and decrypt data.
578
+ # Determines the cryptographic operations for which you can use the
579
+ # CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
580
+ # required only for asymmetric CMKs. You can't change the `KeyUsage`
581
+ # value after the CMK is created.
582
+ #
583
+ # Select only one valid value.
584
+ #
585
+ # * For symmetric CMKs, omit the parameter or specify
586
+ # `ENCRYPT_DECRYPT`.
587
+ #
588
+ # * For asymmetric CMKs with RSA key material, specify
589
+ # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
590
+ #
591
+ # * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
592
+ # @return [String]
593
+ #
594
+ # @!attribute [rw] customer_master_key_spec
595
+ # Specifies the type of CMK to create. The default value,
596
+ # `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
597
+ # encryption and decryption. For help choosing a key spec for your
598
+ # CMK, see [How to Choose Your CMK Configuration][1] in the *AWS Key
599
+ # Management Service Developer Guide*.
600
+ #
601
+ # The `CustomerMasterKeySpec` determines whether the CMK contains a
602
+ # symmetric key or an asymmetric key pair. It also determines the
603
+ # encryption algorithms or signing algorithms that the CMK supports.
604
+ # You can't change the `CustomerMasterKeySpec` after the CMK is
605
+ # created. To further restrict the algorithms that can be used with
606
+ # the CMK, use a condition key in its key policy or IAM policy. For
607
+ # more information, see [kms:EncryptionAlgorithm][2] or [kms:Signing
608
+ # Algorithm][3] in the *AWS Key Management Service Developer Guide*.
609
+ #
610
+ # [AWS services that are integrated with AWS KMS][4] use symmetric
611
+ # CMKs to protect your data. These services do not support asymmetric
612
+ # CMKs. For help determining whether a CMK is symmetric or asymmetric,
613
+ # see [Identifying Symmetric and Asymmetric CMKs][5] in the *AWS Key
614
+ # Management Service Developer Guide*.
615
+ #
616
+ # AWS KMS supports the following key specs for CMKs:
617
+ #
618
+ # * Symmetric key (default)
619
+ #
620
+ # * `SYMMETRIC_DEFAULT` (AES-256-GCM)
621
+ #
622
+ # ^
623
+ #
624
+ # * Asymmetric RSA key pairs
625
+ #
626
+ # * `RSA_2048`
627
+ #
628
+ # * `RSA_3072`
629
+ #
630
+ # * `RSA_4096`
631
+ #
632
+ # * Asymmetric NIST-recommended elliptic curve key pairs
633
+ #
634
+ # * `ECC_NIST_P256` (secp256r1)
635
+ #
636
+ # * `ECC_NIST_P384` (secp384r1)
637
+ #
638
+ # * `ECC_NIST_P521` (secp521r1)
639
+ #
640
+ # * Other asymmetric elliptic curve key pairs
641
+ #
642
+ # * `ECC_SECG_P256K1` (secp256k1), commonly used for
643
+ # cryptocurrencies.
644
+ #
645
+ # ^
646
+ #
647
+ #
648
+ #
649
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
650
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
651
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
652
+ # [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
653
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
577
654
  # @return [String]
578
655
  #
579
656
  # @!attribute [rw] origin
580
657
  # The source of the key material for the CMK. You cannot change the
581
- # origin after you create the CMK.
582
- #
583
- # The default is `AWS_KMS`, which means AWS KMS creates the key
584
- # material in its own key store.
658
+ # origin after you create the CMK. The default is `AWS_KMS`, which
659
+ # means AWS KMS creates the key material.
585
660
  #
586
661
  # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
587
662
  # without key material so that you can import key material from your
588
663
  # existing key management infrastructure. For more information about
589
664
  # importing key material into AWS KMS, see [Importing Key Material][1]
590
- # in the *AWS Key Management Service Developer Guide*.
665
+ # in the *AWS Key Management Service Developer Guide*. This value is
666
+ # valid only for symmetric CMKs.
591
667
  #
592
668
  # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
593
669
  # in an AWS KMS [custom key store][2] and creates its key material in
594
670
  # the associated AWS CloudHSM cluster. You must also use the
595
- # `CustomKeyStoreId` parameter to identify the custom key store.
671
+ # `CustomKeyStoreId` parameter to identify the custom key store. This
672
+ # value is valid only for symmetric CMKs.
596
673
  #
597
674
  #
598
675
  #
@@ -608,6 +685,9 @@ module Aws::KMS
608
685
  # associated with the custom key store must have at least two active
609
686
  # HSMs, each in a different Availability Zone in the Region.
610
687
  #
688
+ # This parameter is valid only for symmetric CMKs. You cannot create
689
+ # an asymmetric CMK in a custom key store.
690
+ #
611
691
  # To find the ID of a custom key store, use the
612
692
  # DescribeCustomKeyStores operation.
613
693
  #
@@ -648,12 +728,20 @@ module Aws::KMS
648
728
  #
649
729
  # @!attribute [rw] tags
650
730
  # One or more tags. Each tag consists of a tag key and a tag value.
651
- # Tag keys and tag values are both required, but tag values can be
652
- # empty (null) strings.
731
+ # Both the tag key and the tag value are required, but the tag value
732
+ # can be an empty (null) string.
733
+ #
734
+ # When you add tags to an AWS resource, AWS generates a cost
735
+ # allocation report with usage and costs aggregated by tags. For
736
+ # information about adding, changing, deleting and listing tags for
737
+ # CMKs, see [Tagging Keys][1].
738
+ #
739
+ # Use this parameter to tag the CMK when it is created. To add tags to
740
+ # an existing CMK, use the TagResource operation.
653
741
  #
654
- # Use this parameter to tag the CMK when it is created. Alternately,
655
- # you can omit this parameter and instead tag the CMK after it is
656
- # created using TagResource.
742
+ #
743
+ #
744
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
657
745
  # @return [Array<Types::Tag>]
658
746
  #
659
747
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
@@ -662,6 +750,7 @@ module Aws::KMS
662
750
  :policy,
663
751
  :description,
664
752
  :key_usage,
753
+ :customer_master_key_spec,
665
754
  :origin,
666
755
  :custom_key_store_id,
667
756
  :bypass_policy_lockout_safety_check,
@@ -791,9 +880,10 @@ module Aws::KMS
791
880
  # AWS CloudHSM cluster is active and contains at least one active HSM.
792
881
  #
793
882
  # A value of `FAILED` indicates that an attempt to connect was
794
- # unsuccessful. For help resolving a connection failure, see
795
- # [Troubleshooting a Custom Key Store][1] in the *AWS Key Management
796
- # Service Developer Guide*.
883
+ # unsuccessful. The `ConnectionErrorCode` field in the response
884
+ # indicates the cause of the failure. For help resolving a connection
885
+ # failure, see [Troubleshooting a Custom Key Store][1] in the *AWS Key
886
+ # Management Service Developer Guide*.
797
887
  #
798
888
  #
799
889
  #
@@ -801,7 +891,12 @@ module Aws::KMS
801
891
  # @return [String]
802
892
  #
803
893
  # @!attribute [rw] connection_error_code
804
- # Describes the connection error. Valid values are:
894
+ # Describes the connection error. This field appears in the response
895
+ # only when the `ConnectionState` is `FAILED`. For help resolving
896
+ # these errors, see [How to Fix a Connection Failure][1] in *AWS Key
897
+ # Management Service Developer Guide*.
898
+ #
899
+ # Valid values are:
805
900
  #
806
901
  # * `CLUSTER_NOT_FOUND` - AWS KMS cannot find the AWS CloudHSM cluster
807
902
  # with the specified cluster ID.
@@ -817,23 +912,49 @@ module Aws::KMS
817
912
  # again.
818
913
  #
819
914
  # * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
820
- # for the `kmsuser` crypto user in the AWS CloudHSM cluster.
915
+ # for the `kmsuser` crypto user in the AWS CloudHSM cluster. Before
916
+ # you can connect your custom key store to its AWS CloudHSM cluster,
917
+ # you must change the `kmsuser` account password and update the key
918
+ # store password value for the custom key store.
821
919
  #
822
920
  # * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
823
921
  # connecting to the custom key store.
824
922
  #
923
+ # * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
924
+ # configuration was deleted. If AWS KMS cannot find all of the
925
+ # subnets that were configured for the cluster when the custom key
926
+ # store was created, attempts to connect fail. To fix this error,
927
+ # create a cluster from a backup and associate it with your custom
928
+ # key store. This process includes selecting a VPC and subnets. For
929
+ # details, see [How to Fix a Connection Failure][1] in the *AWS Key
930
+ # Management Service Developer Guide*.
931
+ #
825
932
  # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
826
933
  # associated AWS CloudHSM cluster due to too many failed password
827
934
  # attempts. Before you can connect your custom key store to its AWS
828
935
  # CloudHSM cluster, you must change the `kmsuser` account password
829
- # and update the password value for the custom key store.
936
+ # and update the key store password value for the custom key store.
830
937
  #
831
- # For help with connection failures, see [Troubleshooting Custom Key
832
- # Stores][1] in the *AWS Key Management Service Developer Guide*.
938
+ # * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
939
+ # associated AWS CloudHSM cluster. This prevents AWS KMS from
940
+ # rotating the `kmsuser` account password and logging into the
941
+ # cluster. Before you can connect your custom key store to its AWS
942
+ # CloudHSM cluster, you must log the `kmsuser` CU out of the
943
+ # cluster. If you changed the `kmsuser` password to log into the
944
+ # cluster, you must also and update the key store password value for
945
+ # the custom key store. For help, see [How to Log Out and
946
+ # Reconnect][2] in the *AWS Key Management Service Developer Guide*.
833
947
  #
948
+ # * `USER_NOT_FOUND` - AWS KMS cannot find a `kmsuser` CU account in
949
+ # the associated AWS CloudHSM cluster. Before you can connect your
950
+ # custom key store to its AWS CloudHSM cluster, you must create a
951
+ # `kmsuser` CU account in the cluster, and then update the key store
952
+ # password value for the custom key store.
834
953
  #
835
954
  #
836
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
955
+ #
956
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
957
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
837
958
  # @return [String]
838
959
  #
839
960
  # @!attribute [rw] creation_date
@@ -862,6 +983,8 @@ module Aws::KMS
862
983
  # "EncryptionContextKey" => "EncryptionContextValue",
863
984
  # },
864
985
  # grant_tokens: ["GrantTokenType"],
986
+ # key_id: "KeyIdType",
987
+ # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
865
988
  # }
866
989
  #
867
990
  # @!attribute [rw] ciphertext_blob
@@ -869,9 +992,20 @@ module Aws::KMS
869
992
  # @return [String]
870
993
  #
871
994
  # @!attribute [rw] encryption_context
872
- # The encryption context. If this was specified in the Encrypt
873
- # function, it must be specified here or the decryption operation will
874
- # fail. For more information, see [Encryption Context][1].
995
+ # Specifies the encryption context to use when decrypting the data. An
996
+ # encryption context is valid only for cryptographic operations with a
997
+ # symmetric CMK. The standard asymmetric encryption algorithms that
998
+ # AWS KMS uses do not support an encryption context.
999
+ #
1000
+ # An *encryption context* is a collection of non-secret key-value
1001
+ # pairs that represents additional authenticated data. When you use an
1002
+ # encryption context to encrypt data, you must specify the same (an
1003
+ # exact case-sensitive match) encryption context to decrypt the data.
1004
+ # An encryption context is optional when encrypting with a symmetric
1005
+ # CMK, but it is highly recommended.
1006
+ #
1007
+ # For more information, see [Encryption Context][1] in the *AWS Key
1008
+ # Management Service Developer Guide*.
875
1009
  #
876
1010
  #
877
1011
  #
@@ -889,30 +1023,83 @@ module Aws::KMS
889
1023
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
890
1024
  # @return [Array<String>]
891
1025
  #
1026
+ # @!attribute [rw] key_id
1027
+ # Specifies the customer master key (CMK) that AWS KMS will use to
1028
+ # decrypt the ciphertext. Enter a key ID of the CMK that was used to
1029
+ # encrypt the ciphertext.
1030
+ #
1031
+ # If you specify a `KeyId` value, the `Decrypt` operation succeeds
1032
+ # only if the specified CMK was used to encrypt the ciphertext.
1033
+ #
1034
+ # This parameter is required only when the ciphertext was encrypted
1035
+ # under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
1036
+ # it adds to the ciphertext blob to determine which CMK was used to
1037
+ # encrypt the ciphertext. However, you can use this parameter to
1038
+ # ensure that a particular CMK (of any kind) is used to decrypt the
1039
+ # ciphertext.
1040
+ #
1041
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1042
+ # name, or alias ARN. When using an alias name, prefix it with
1043
+ # `"alias/"`.
1044
+ #
1045
+ # For example:
1046
+ #
1047
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1048
+ #
1049
+ # * Key ARN:
1050
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1051
+ #
1052
+ # * Alias name: `alias/ExampleAlias`
1053
+ #
1054
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1055
+ #
1056
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1057
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1058
+ # @return [String]
1059
+ #
1060
+ # @!attribute [rw] encryption_algorithm
1061
+ # Specifies the encryption algorithm that will be used to decrypt the
1062
+ # ciphertext. Specify the same algorithm that was used to encrypt the
1063
+ # data. If you specify a different algorithm, the `Decrypt` operation
1064
+ # fails.
1065
+ #
1066
+ # This parameter is required only when the ciphertext was encrypted
1067
+ # under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
1068
+ # represents the only supported algorithm that is valid for symmetric
1069
+ # CMKs.
1070
+ # @return [String]
1071
+ #
892
1072
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
893
1073
  #
894
1074
  class DecryptRequest < Struct.new(
895
1075
  :ciphertext_blob,
896
1076
  :encryption_context,
897
- :grant_tokens)
1077
+ :grant_tokens,
1078
+ :key_id,
1079
+ :encryption_algorithm)
898
1080
  include Aws::Structure
899
1081
  end
900
1082
 
901
1083
  # @!attribute [rw] key_id
902
- # ARN of the key used to perform the decryption. This value is
903
- # returned if no errors are encountered during the operation.
1084
+ # The ARN of the customer master key that was used to perform the
1085
+ # decryption.
904
1086
  # @return [String]
905
1087
  #
906
1088
  # @!attribute [rw] plaintext
907
1089
  # Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
908
- # the value is Base64-encoded. Otherwise, it is not encoded.
1090
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1091
+ # @return [String]
1092
+ #
1093
+ # @!attribute [rw] encryption_algorithm
1094
+ # The encryption algorithm that was used to decrypt the ciphertext.
909
1095
  # @return [String]
910
1096
  #
911
1097
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
912
1098
  #
913
1099
  class DecryptResponse < Struct.new(
914
1100
  :key_id,
915
- :plaintext)
1101
+ :plaintext,
1102
+ :encryption_algorithm)
916
1103
  include Aws::Structure
917
1104
  end
918
1105
 
@@ -1186,7 +1373,9 @@ module Aws::KMS
1186
1373
  # }
1187
1374
  #
1188
1375
  # @!attribute [rw] key_id
1189
- # A unique identifier for the customer master key (CMK).
1376
+ # Identifies a symmetric customer master key (CMK). You cannot enable
1377
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
1378
+ # material][2], or CMKs in a [custom key store][3].
1190
1379
  #
1191
1380
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1192
1381
  #
@@ -1199,6 +1388,12 @@ module Aws::KMS
1199
1388
  #
1200
1389
  # To get the key ID and key ARN for a CMK, use ListKeys or
1201
1390
  # DescribeKey.
1391
+ #
1392
+ #
1393
+ #
1394
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
1395
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1396
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1202
1397
  # @return [String]
1203
1398
  #
1204
1399
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -1282,7 +1477,9 @@ module Aws::KMS
1282
1477
  # }
1283
1478
  #
1284
1479
  # @!attribute [rw] key_id
1285
- # A unique identifier for the customer master key (CMK).
1480
+ # Identifies a symmetric customer master key (CMK). You cannot enable
1481
+ # automatic rotation of asymmetric CMKs, CMKs with imported key
1482
+ # material, or CMKs in a [custom key store][1].
1286
1483
  #
1287
1484
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1288
1485
  #
@@ -1295,6 +1492,10 @@ module Aws::KMS
1295
1492
  #
1296
1493
  # To get the key ID and key ARN for a CMK, use ListKeys or
1297
1494
  # DescribeKey.
1495
+ #
1496
+ #
1497
+ #
1498
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1298
1499
  # @return [String]
1299
1500
  #
1300
1501
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1314,6 +1515,7 @@ module Aws::KMS
1314
1515
  # "EncryptionContextKey" => "EncryptionContextValue",
1315
1516
  # },
1316
1517
  # grant_tokens: ["GrantTokenType"],
1518
+ # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1317
1519
  # }
1318
1520
  #
1319
1521
  # @!attribute [rw] key_id
@@ -1344,10 +1546,20 @@ module Aws::KMS
1344
1546
  # @return [String]
1345
1547
  #
1346
1548
  # @!attribute [rw] encryption_context
1347
- # Name-value pair that specifies the encryption context to be used for
1348
- # authenticated encryption. If used here, the same value must be
1349
- # supplied to the `Decrypt` API or decryption will fail. For more
1350
- # information, see [Encryption Context][1].
1549
+ # Specifies the encryption context that will be used to encrypt the
1550
+ # data. An encryption context is valid only for cryptographic
1551
+ # operations with a symmetric CMK. The standard asymmetric encryption
1552
+ # algorithms that AWS KMS uses do not support an encryption context.
1553
+ #
1554
+ # An *encryption context* is a collection of non-secret key-value
1555
+ # pairs that represents additional authenticated data. When you use an
1556
+ # encryption context to encrypt data, you must specify the same (an
1557
+ # exact case-sensitive match) encryption context to decrypt the data.
1558
+ # An encryption context is optional when encrypting with a symmetric
1559
+ # CMK, but it is highly recommended.
1560
+ #
1561
+ # For more information, see [Encryption Context][1] in the *AWS Key
1562
+ # Management Service Developer Guide*.
1351
1563
  #
1352
1564
  #
1353
1565
  #
@@ -1365,37 +1577,54 @@ module Aws::KMS
1365
1577
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1366
1578
  # @return [Array<String>]
1367
1579
  #
1580
+ # @!attribute [rw] encryption_algorithm
1581
+ # Specifies the encryption algorithm that AWS KMS will use to encrypt
1582
+ # the plaintext message. The algorithm must be compatible with the CMK
1583
+ # that you specify.
1584
+ #
1585
+ # This parameter is required only for asymmetric CMKs. The default
1586
+ # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
1587
+ # CMKs. If you are using an asymmetric CMK, we recommend
1588
+ # RSAES\_OAEP\_SHA\_256.
1589
+ # @return [String]
1590
+ #
1368
1591
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
1369
1592
  #
1370
1593
  class EncryptRequest < Struct.new(
1371
1594
  :key_id,
1372
1595
  :plaintext,
1373
1596
  :encryption_context,
1374
- :grant_tokens)
1597
+ :grant_tokens,
1598
+ :encryption_algorithm)
1375
1599
  include Aws::Structure
1376
1600
  end
1377
1601
 
1378
1602
  # @!attribute [rw] ciphertext_blob
1379
1603
  # The encrypted plaintext. When you use the HTTP API or the AWS CLI,
1380
- # the value is Base64-encoded. Otherwise, it is not encoded.
1604
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1381
1605
  # @return [String]
1382
1606
  #
1383
1607
  # @!attribute [rw] key_id
1384
1608
  # The ID of the key used during encryption.
1385
1609
  # @return [String]
1386
1610
  #
1611
+ # @!attribute [rw] encryption_algorithm
1612
+ # The encryption algorithm that was used to encrypt the plaintext.
1613
+ # @return [String]
1614
+ #
1387
1615
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptResponse AWS API Documentation
1388
1616
  #
1389
1617
  class EncryptResponse < Struct.new(
1390
1618
  :ciphertext_blob,
1391
- :key_id)
1619
+ :key_id,
1620
+ :encryption_algorithm)
1392
1621
  include Aws::Structure
1393
1622
  end
1394
1623
 
1395
- # The request was rejected because the provided import token is expired.
1396
- # Use GetParametersForImport to get a new import token and public key,
1397
- # use the new public key to encrypt the key material, and then try the
1398
- # request again.
1624
+ # The request was rejected because the specified import token is
1625
+ # expired. Use GetParametersForImport to get a new import token and
1626
+ # public key, use the new public key to encrypt the key material, and
1627
+ # then try the request again.
1399
1628
  #
1400
1629
  # @!attribute [rw] message
1401
1630
  # @return [String]
@@ -1407,6 +1636,259 @@ module Aws::KMS
1407
1636
  include Aws::Structure
1408
1637
  end
1409
1638
 
1639
+ # @note When making an API call, you may pass GenerateDataKeyPairRequest
1640
+ # data as a hash:
1641
+ #
1642
+ # {
1643
+ # encryption_context: {
1644
+ # "EncryptionContextKey" => "EncryptionContextValue",
1645
+ # },
1646
+ # key_id: "KeyIdType", # required
1647
+ # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
1648
+ # grant_tokens: ["GrantTokenType"],
1649
+ # }
1650
+ #
1651
+ # @!attribute [rw] encryption_context
1652
+ # Specifies the encryption context that will be used when encrypting
1653
+ # the private key in the data key pair.
1654
+ #
1655
+ # An *encryption context* is a collection of non-secret key-value
1656
+ # pairs that represents additional authenticated data. When you use an
1657
+ # encryption context to encrypt data, you must specify the same (an
1658
+ # exact case-sensitive match) encryption context to decrypt the data.
1659
+ # An encryption context is optional when encrypting with a symmetric
1660
+ # CMK, but it is highly recommended.
1661
+ #
1662
+ # For more information, see [Encryption Context][1] in the *AWS Key
1663
+ # Management Service Developer Guide*.
1664
+ #
1665
+ #
1666
+ #
1667
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1668
+ # @return [Hash<String,String>]
1669
+ #
1670
+ # @!attribute [rw] key_id
1671
+ # Specifies the symmetric CMK that encrypts the private key in the
1672
+ # data key pair. You cannot specify an asymmetric CMKs.
1673
+ #
1674
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1675
+ # name, or alias ARN. When using an alias name, prefix it with
1676
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
1677
+ # use the key ARN or alias ARN.
1678
+ #
1679
+ # For example:
1680
+ #
1681
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1682
+ #
1683
+ # * Key ARN:
1684
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1685
+ #
1686
+ # * Alias name: `alias/ExampleAlias`
1687
+ #
1688
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1689
+ #
1690
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1691
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1692
+ # @return [String]
1693
+ #
1694
+ # @!attribute [rw] key_pair_spec
1695
+ # Determines the type of data key pair that is generated.
1696
+ #
1697
+ # The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
1698
+ # encrypt and decrypt or to sign and verify (but not both), and the
1699
+ # rule that permits you to use ECC CMKs only to sign and verify, are
1700
+ # not effective outside of AWS KMS.
1701
+ # @return [String]
1702
+ #
1703
+ # @!attribute [rw] grant_tokens
1704
+ # A list of grant tokens.
1705
+ #
1706
+ # For more information, see [Grant Tokens][1] in the *AWS Key
1707
+ # Management Service Developer Guide*.
1708
+ #
1709
+ #
1710
+ #
1711
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1712
+ # @return [Array<String>]
1713
+ #
1714
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
1715
+ #
1716
+ class GenerateDataKeyPairRequest < Struct.new(
1717
+ :encryption_context,
1718
+ :key_id,
1719
+ :key_pair_spec,
1720
+ :grant_tokens)
1721
+ include Aws::Structure
1722
+ end
1723
+
1724
+ # @!attribute [rw] private_key_ciphertext_blob
1725
+ # The encrypted copy of the private key. When you use the HTTP API or
1726
+ # the AWS CLI, the value is Base64-encoded. Otherwise, it is not
1727
+ # Base64-encoded.
1728
+ # @return [String]
1729
+ #
1730
+ # @!attribute [rw] private_key_plaintext
1731
+ # The plaintext copy of the private key. When you use the HTTP API or
1732
+ # the AWS CLI, the value is Base64-encoded. Otherwise, it is not
1733
+ # Base64-encoded.
1734
+ # @return [String]
1735
+ #
1736
+ # @!attribute [rw] public_key
1737
+ # The public key (in plaintext).
1738
+ # @return [String]
1739
+ #
1740
+ # @!attribute [rw] key_id
1741
+ # The identifier of the CMK that encrypted the private key.
1742
+ # @return [String]
1743
+ #
1744
+ # @!attribute [rw] key_pair_spec
1745
+ # The type of data key pair that was generated.
1746
+ # @return [String]
1747
+ #
1748
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
1749
+ #
1750
+ class GenerateDataKeyPairResponse < Struct.new(
1751
+ :private_key_ciphertext_blob,
1752
+ :private_key_plaintext,
1753
+ :public_key,
1754
+ :key_id,
1755
+ :key_pair_spec)
1756
+ include Aws::Structure
1757
+ end
1758
+
1759
+ # @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
1760
+ # data as a hash:
1761
+ #
1762
+ # {
1763
+ # encryption_context: {
1764
+ # "EncryptionContextKey" => "EncryptionContextValue",
1765
+ # },
1766
+ # key_id: "KeyIdType", # required
1767
+ # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
1768
+ # grant_tokens: ["GrantTokenType"],
1769
+ # }
1770
+ #
1771
+ # @!attribute [rw] encryption_context
1772
+ # Specifies the encryption context that will be used when encrypting
1773
+ # the private key in the data key pair.
1774
+ #
1775
+ # An *encryption context* is a collection of non-secret key-value
1776
+ # pairs that represents additional authenticated data. When you use an
1777
+ # encryption context to encrypt data, you must specify the same (an
1778
+ # exact case-sensitive match) encryption context to decrypt the data.
1779
+ # An encryption context is optional when encrypting with a symmetric
1780
+ # CMK, but it is highly recommended.
1781
+ #
1782
+ # For more information, see [Encryption Context][1] in the *AWS Key
1783
+ # Management Service Developer Guide*.
1784
+ #
1785
+ #
1786
+ #
1787
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1788
+ # @return [Hash<String,String>]
1789
+ #
1790
+ # @!attribute [rw] key_id
1791
+ # Specifies the CMK that encrypts the private key in the data key
1792
+ # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1793
+ # CMK. To get the type of your CMK, use the DescribeKey operation.
1794
+ #
1795
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1796
+ # name, or alias ARN. When using an alias name, prefix it with
1797
+ # `"alias/"`.
1798
+ #
1799
+ # For example:
1800
+ #
1801
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1802
+ #
1803
+ # * Key ARN:
1804
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1805
+ #
1806
+ # * Alias name: `alias/ExampleAlias`
1807
+ #
1808
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1809
+ #
1810
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1811
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1812
+ # @return [String]
1813
+ #
1814
+ # @!attribute [rw] key_pair_spec
1815
+ # Determines the type of data key pair that is generated.
1816
+ #
1817
+ # The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
1818
+ # encrypt and decrypt or to sign and verify (but not both), and the
1819
+ # rule that permits you to use ECC CMKs only to sign and verify, are
1820
+ # not effective outside of AWS KMS.
1821
+ # @return [String]
1822
+ #
1823
+ # @!attribute [rw] grant_tokens
1824
+ # A list of grant tokens.
1825
+ #
1826
+ # For more information, see [Grant Tokens][1] in the *AWS Key
1827
+ # Management Service Developer Guide*.
1828
+ #
1829
+ #
1830
+ #
1831
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1832
+ # @return [Array<String>]
1833
+ #
1834
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
1835
+ #
1836
+ class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
1837
+ :encryption_context,
1838
+ :key_id,
1839
+ :key_pair_spec,
1840
+ :grant_tokens)
1841
+ include Aws::Structure
1842
+ end
1843
+
1844
+ # @!attribute [rw] private_key_ciphertext_blob
1845
+ # The encrypted copy of the private key. When you use the HTTP API or
1846
+ # the AWS CLI, the value is Base64-encoded. Otherwise, it is not
1847
+ # Base64-encoded.
1848
+ # @return [String]
1849
+ #
1850
+ # @!attribute [rw] public_key
1851
+ # The public key (in plaintext).
1852
+ # @return [String]
1853
+ #
1854
+ # @!attribute [rw] key_id
1855
+ # Specifies the CMK that encrypted the private key in the data key
1856
+ # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1857
+ # CMK. To get the type of your CMK, use the DescribeKey operation.
1858
+ #
1859
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1860
+ # name, or alias ARN. When using an alias name, prefix it with
1861
+ # `"alias/"`.
1862
+ #
1863
+ # For example:
1864
+ #
1865
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1866
+ #
1867
+ # * Key ARN:
1868
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1869
+ #
1870
+ # * Alias name: `alias/ExampleAlias`
1871
+ #
1872
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1873
+ #
1874
+ # To get the key ID and key ARN for a CMK, use ListKeys or
1875
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1876
+ # @return [String]
1877
+ #
1878
+ # @!attribute [rw] key_pair_spec
1879
+ # The type of data key pair that was generated.
1880
+ # @return [String]
1881
+ #
1882
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
1883
+ #
1884
+ class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
1885
+ :private_key_ciphertext_blob,
1886
+ :public_key,
1887
+ :key_id,
1888
+ :key_pair_spec)
1889
+ include Aws::Structure
1890
+ end
1891
+
1410
1892
  # @note When making an API call, you may pass GenerateDataKeyRequest
1411
1893
  # data as a hash:
1412
1894
  #
@@ -1421,7 +1903,7 @@ module Aws::KMS
1421
1903
  # }
1422
1904
  #
1423
1905
  # @!attribute [rw] key_id
1424
- # An identifier for the CMK that encrypts the data key.
1906
+ # Identifies the symmetric CMK that encrypts the data key.
1425
1907
  #
1426
1908
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1427
1909
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1444,8 +1926,15 @@ module Aws::KMS
1444
1926
  # @return [String]
1445
1927
  #
1446
1928
  # @!attribute [rw] encryption_context
1447
- # A set of key-value pairs that represents additional authenticated
1448
- # data.
1929
+ # Specifies the encryption context that will be used when encrypting
1930
+ # the data key.
1931
+ #
1932
+ # An *encryption context* is a collection of non-secret key-value
1933
+ # pairs that represents additional authenticated data. When you use an
1934
+ # encryption context to encrypt data, you must specify the same (an
1935
+ # exact case-sensitive match) encryption context to decrypt the data.
1936
+ # An encryption context is optional when encrypting with a symmetric
1937
+ # CMK, but it is highly recommended.
1449
1938
  #
1450
1939
  # For more information, see [Encryption Context][1] in the *AWS Key
1451
1940
  # Management Service Developer Guide*.
@@ -1456,15 +1945,22 @@ module Aws::KMS
1456
1945
  # @return [Hash<String,String>]
1457
1946
  #
1458
1947
  # @!attribute [rw] number_of_bytes
1459
- # The length of the data key in bytes. For example, use the value 64
1460
- # to generate a 512-bit data key (64 bytes is 512 bits). For common
1461
- # key lengths (128-bit and 256-bit symmetric keys), we recommend that
1462
- # you use the `KeySpec` field instead of this one.
1948
+ # Specifies the length of the data key in bytes. For example, use the
1949
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1950
+ # 128-bit (16-byte) and 256-bit (32-byte) data keys, use the `KeySpec`
1951
+ # parameter.
1952
+ #
1953
+ # You must specify either the `KeySpec` or the `NumberOfBytes`
1954
+ # parameter (but not both) in every `GenerateDataKey` request.
1463
1955
  # @return [Integer]
1464
1956
  #
1465
1957
  # @!attribute [rw] key_spec
1466
- # The length of the data key. Use `AES_128` to generate a 128-bit
1467
- # symmetric key, or `AES_256` to generate a 256-bit symmetric key.
1958
+ # Specifies the length of the data key. Use `AES_128` to generate a
1959
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1960
+ # key.
1961
+ #
1962
+ # You must specify either the `KeySpec` or the `NumberOfBytes`
1963
+ # parameter (but not both) in every `GenerateDataKey` request.
1468
1964
  # @return [String]
1469
1965
  #
1470
1966
  # @!attribute [rw] grant_tokens
@@ -1491,14 +1987,15 @@ module Aws::KMS
1491
1987
 
1492
1988
  # @!attribute [rw] ciphertext_blob
1493
1989
  # The encrypted copy of the data key. When you use the HTTP API or the
1494
- # AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
1990
+ # AWS CLI, the value is Base64-encoded. Otherwise, it is not
1991
+ # Base64-encoded.
1495
1992
  # @return [String]
1496
1993
  #
1497
1994
  # @!attribute [rw] plaintext
1498
1995
  # The plaintext data key. When you use the HTTP API or the AWS CLI,
1499
- # the value is Base64-encoded. Otherwise, it is not encoded. Use this
1500
- # data key to encrypt your data outside of KMS. Then, remove it from
1501
- # memory as soon as possible.
1996
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1997
+ # Use this data key to encrypt your data outside of KMS. Then, remove
1998
+ # it from memory as soon as possible.
1502
1999
  # @return [String]
1503
2000
  #
1504
2001
  # @!attribute [rw] key_id
@@ -1528,8 +2025,8 @@ module Aws::KMS
1528
2025
  # }
1529
2026
  #
1530
2027
  # @!attribute [rw] key_id
1531
- # The identifier of the customer master key (CMK) that encrypts the
1532
- # data key.
2028
+ # The identifier of the symmetric customer master key (CMK) that
2029
+ # encrypts the data key.
1533
2030
  #
1534
2031
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1535
2032
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1552,8 +2049,15 @@ module Aws::KMS
1552
2049
  # @return [String]
1553
2050
  #
1554
2051
  # @!attribute [rw] encryption_context
1555
- # A set of key-value pairs that represents additional authenticated
1556
- # data.
2052
+ # Specifies the encryption context that will be used when encrypting
2053
+ # the data key.
2054
+ #
2055
+ # An *encryption context* is a collection of non-secret key-value
2056
+ # pairs that represents additional authenticated data. When you use an
2057
+ # encryption context to encrypt data, you must specify the same (an
2058
+ # exact case-sensitive match) encryption context to decrypt the data.
2059
+ # An encryption context is optional when encrypting with a symmetric
2060
+ # CMK, but it is highly recommended.
1557
2061
  #
1558
2062
  # For more information, see [Encryption Context][1] in the *AWS Key
1559
2063
  # Management Service Developer Guide*.
@@ -1599,7 +2103,7 @@ module Aws::KMS
1599
2103
 
1600
2104
  # @!attribute [rw] ciphertext_blob
1601
2105
  # The encrypted data key. When you use the HTTP API or the AWS CLI,
1602
- # the value is Base64-encoded. Otherwise, it is not encoded.
2106
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1603
2107
  # @return [String]
1604
2108
  #
1605
2109
  # @!attribute [rw] key_id
@@ -1646,7 +2150,7 @@ module Aws::KMS
1646
2150
 
1647
2151
  # @!attribute [rw] plaintext
1648
2152
  # The random byte string. When you use the HTTP API or the AWS CLI,
1649
- # the value is Base64-encoded. Otherwise, it is not encoded.
2153
+ # the value is Base64-encoded. Otherwise, it is not Base64-encoded.
1650
2154
  # @return [String]
1651
2155
  #
1652
2156
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -1756,8 +2260,8 @@ module Aws::KMS
1756
2260
  # }
1757
2261
  #
1758
2262
  # @!attribute [rw] key_id
1759
- # The identifier of the CMK into which you will import key material.
1760
- # The CMK's `Origin` must be `EXTERNAL`.
2263
+ # The identifier of the symmetric CMK into which you will import key
2264
+ # material. The `Origin` of the CMK must be `EXTERNAL`.
1761
2265
  #
1762
2266
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1763
2267
  #
@@ -1803,29 +2307,142 @@ module Aws::KMS
1803
2307
  # `GetParametersForImport` request.
1804
2308
  # @return [String]
1805
2309
  #
1806
- # @!attribute [rw] import_token
1807
- # The import token to send in a subsequent ImportKeyMaterial request.
2310
+ # @!attribute [rw] import_token
2311
+ # The import token to send in a subsequent ImportKeyMaterial request.
2312
+ # @return [String]
2313
+ #
2314
+ # @!attribute [rw] public_key
2315
+ # The public key to use to encrypt the key material before importing
2316
+ # it with ImportKeyMaterial.
2317
+ # @return [String]
2318
+ #
2319
+ # @!attribute [rw] parameters_valid_to
2320
+ # The time at which the import token and public key are no longer
2321
+ # valid. After this time, you cannot use them to make an
2322
+ # ImportKeyMaterial request and you must send another
2323
+ # `GetParametersForImport` request to get new ones.
2324
+ # @return [Time]
2325
+ #
2326
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
2327
+ #
2328
+ class GetParametersForImportResponse < Struct.new(
2329
+ :key_id,
2330
+ :import_token,
2331
+ :public_key,
2332
+ :parameters_valid_to)
2333
+ include Aws::Structure
2334
+ end
2335
+
2336
+ # @note When making an API call, you may pass GetPublicKeyRequest
2337
+ # data as a hash:
2338
+ #
2339
+ # {
2340
+ # key_id: "KeyIdType", # required
2341
+ # grant_tokens: ["GrantTokenType"],
2342
+ # }
2343
+ #
2344
+ # @!attribute [rw] key_id
2345
+ # Identifies the asymmetric CMK that includes the public key.
2346
+ #
2347
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2348
+ # name, or alias ARN. When using an alias name, prefix it with
2349
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
2350
+ # use the key ARN or alias ARN.
2351
+ #
2352
+ # For example:
2353
+ #
2354
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
2355
+ #
2356
+ # * Key ARN:
2357
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
2358
+ #
2359
+ # * Alias name: `alias/ExampleAlias`
2360
+ #
2361
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
2362
+ #
2363
+ # To get the key ID and key ARN for a CMK, use ListKeys or
2364
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
2365
+ # @return [String]
2366
+ #
2367
+ # @!attribute [rw] grant_tokens
2368
+ # A list of grant tokens.
2369
+ #
2370
+ # For more information, see [Grant Tokens][1] in the *AWS Key
2371
+ # Management Service Developer Guide*.
2372
+ #
2373
+ #
2374
+ #
2375
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
2376
+ # @return [Array<String>]
2377
+ #
2378
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
2379
+ #
2380
+ class GetPublicKeyRequest < Struct.new(
2381
+ :key_id,
2382
+ :grant_tokens)
2383
+ include Aws::Structure
2384
+ end
2385
+
2386
+ # @!attribute [rw] key_id
2387
+ # The identifier of the asymmetric CMK from which the public key was
2388
+ # downloaded.
2389
+ # @return [String]
2390
+ #
2391
+ # @!attribute [rw] public_key
2392
+ # The exported public key.
2393
+ #
2394
+ # The value is a DER-encoded X.509 public key, also known as
2395
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
2396
+ # use the HTTP API or the AWS CLI, the value is Base64-encoded.
2397
+ # Otherwise, it is not Base64-encoded.
2398
+ #
2399
+ #
2400
+ #
2401
+ #
2402
+ #
2403
+ # [1]: https://tools.ietf.org/html/rfc5280
2404
+ # @return [String]
2405
+ #
2406
+ # @!attribute [rw] customer_master_key_spec
2407
+ # The type of the of the public key that was downloaded.
1808
2408
  # @return [String]
1809
2409
  #
1810
- # @!attribute [rw] public_key
1811
- # The public key to use to encrypt the key material before importing
1812
- # it with ImportKeyMaterial.
2410
+ # @!attribute [rw] key_usage
2411
+ # The permitted use of the public key. Valid values are
2412
+ # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
2413
+ #
2414
+ # This information is critical. If a public key with `SIGN_VERIFY` key
2415
+ # usage encrypts data outside of AWS KMS, the ciphertext cannot be
2416
+ # decrypted.
1813
2417
  # @return [String]
1814
2418
  #
1815
- # @!attribute [rw] parameters_valid_to
1816
- # The time at which the import token and public key are no longer
1817
- # valid. After this time, you cannot use them to make an
1818
- # ImportKeyMaterial request and you must send another
1819
- # `GetParametersForImport` request to get new ones.
1820
- # @return [Time]
2419
+ # @!attribute [rw] encryption_algorithms
2420
+ # The encryption algorithms that AWS KMS supports for this key.
1821
2421
  #
1822
- # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
2422
+ # This information is critical. If a public key encrypts data outside
2423
+ # of AWS KMS by using an unsupported encryption algorithm, the
2424
+ # ciphertext cannot be decrypted.
1823
2425
  #
1824
- class GetParametersForImportResponse < Struct.new(
2426
+ # This field appears in the response only when the `KeyUsage` of the
2427
+ # public key is `ENCRYPT_DECRYPT`.
2428
+ # @return [Array<String>]
2429
+ #
2430
+ # @!attribute [rw] signing_algorithms
2431
+ # The signing algorithms that AWS KMS supports for this key.
2432
+ #
2433
+ # This field appears in the response only when the `KeyUsage` of the
2434
+ # public key is `SIGN_VERIFY`.
2435
+ # @return [Array<String>]
2436
+ #
2437
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
2438
+ #
2439
+ class GetPublicKeyResponse < Struct.new(
1825
2440
  :key_id,
1826
- :import_token,
1827
2441
  :public_key,
1828
- :parameters_valid_to)
2442
+ :customer_master_key_spec,
2443
+ :key_usage,
2444
+ :encryption_algorithms,
2445
+ :signing_algorithms)
1829
2446
  include Aws::Structure
1830
2447
  end
1831
2448
 
@@ -1974,8 +2591,10 @@ module Aws::KMS
1974
2591
  # }
1975
2592
  #
1976
2593
  # @!attribute [rw] key_id
1977
- # The identifier of the CMK to import the key material into. The
1978
- # CMK's `Origin` must be `EXTERNAL`.
2594
+ # The identifier of the symmetric CMK that receives the imported key
2595
+ # material. The CMK's `Origin` must be `EXTERNAL`. This must be the
2596
+ # same CMK specified in the `KeyID` parameter of the corresponding
2597
+ # GetParametersForImport request.
1979
2598
  #
1980
2599
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1981
2600
  #
@@ -1998,10 +2617,10 @@ module Aws::KMS
1998
2617
  # @return [String]
1999
2618
  #
2000
2619
  # @!attribute [rw] encrypted_key_material
2001
- # The encrypted key material to import. It must be encrypted with the
2002
- # public key that you received in the response to a previous
2003
- # GetParametersForImport request, using the wrapping algorithm that
2004
- # you specified in that request.
2620
+ # The encrypted key material to import. The key material must be
2621
+ # encrypted with the public wrapping key that GetParametersForImport
2622
+ # returned, using the wrapping algorithm that you specified in the
2623
+ # same `GetParametersForImport` request.
2005
2624
  # @return [String]
2006
2625
  #
2007
2626
  # @!attribute [rw] valid_to
@@ -2035,9 +2654,24 @@ module Aws::KMS
2035
2654
  #
2036
2655
  class ImportKeyMaterialResponse < Aws::EmptyStructure; end
2037
2656
 
2038
- # The request was rejected because the provided key material is invalid
2039
- # or is not the same key material that was previously imported into this
2040
- # customer master key (CMK).
2657
+ # The request was rejected because the specified CMK cannot decrypt the
2658
+ # data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
2659
+ # ReEncrypt request must identify the same CMK that was used to encrypt
2660
+ # the ciphertext.
2661
+ #
2662
+ # @!attribute [rw] message
2663
+ # @return [String]
2664
+ #
2665
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/IncorrectKeyException AWS API Documentation
2666
+ #
2667
+ class IncorrectKeyException < Struct.new(
2668
+ :message)
2669
+ include Aws::Structure
2670
+ end
2671
+
2672
+ # The request was rejected because the key material in the request is,
2673
+ # expired, invalid, or is not the same key material that was previously
2674
+ # imported into this customer master key (CMK).
2041
2675
  #
2042
2676
  # @!attribute [rw] message
2043
2677
  # @return [String]
@@ -2096,10 +2730,13 @@ module Aws::KMS
2096
2730
  include Aws::Structure
2097
2731
  end
2098
2732
 
2099
- # The request was rejected because the specified ciphertext, or
2100
- # additional authenticated data incorporated into the ciphertext, such
2101
- # as the encryption context, is corrupted, missing, or otherwise
2102
- # invalid.
2733
+ # From the Decrypt or ReEncrypt operation, the request was rejected
2734
+ # because the specified ciphertext, or additional authenticated data
2735
+ # incorporated into the ciphertext, such as the encryption context, is
2736
+ # corrupted, missing, or otherwise invalid.
2737
+ #
2738
+ # From the ImportKeyMaterial operation, the request was rejected because
2739
+ # AWS KMS could not decrypt the encrypted (wrapped) key material.
2103
2740
  #
2104
2741
  # @!attribute [rw] message
2105
2742
  # @return [String]
@@ -2149,8 +2786,22 @@ module Aws::KMS
2149
2786
  include Aws::Structure
2150
2787
  end
2151
2788
 
2152
- # The request was rejected because the specified `KeySpec` value is not
2153
- # valid.
2789
+ # The request was rejected for one of the following reasons:
2790
+ #
2791
+ # * The `KeyUsage` value of the CMK is incompatible with the API
2792
+ # operation.
2793
+ #
2794
+ # * The encryption algorithm or signing algorithm specified for the
2795
+ # operation is incompatible with the type of key material in the CMK
2796
+ # `(CustomerMasterKeySpec`).
2797
+ #
2798
+ # For encrypting, decrypting, re-encrypting, and generating data keys,
2799
+ # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
2800
+ # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK,
2801
+ # use the DescribeKey operation.
2802
+ #
2803
+ # To find the encryption or signing algorithms supported for a
2804
+ # particular CMK, use the DescribeKey operation.
2154
2805
  #
2155
2806
  # @!attribute [rw] message
2156
2807
  # @return [String]
@@ -2188,12 +2839,27 @@ module Aws::KMS
2188
2839
  include Aws::Structure
2189
2840
  end
2190
2841
 
2842
+ # The request was rejected because the signature verification failed.
2843
+ # Signature verification fails when it cannot confirm that signature was
2844
+ # produced by signing the specified message with the specified CMK and
2845
+ # signing algorithm.
2846
+ #
2847
+ # @!attribute [rw] message
2848
+ # @return [String]
2849
+ #
2850
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidSignatureException AWS API Documentation
2851
+ #
2852
+ class KMSInvalidSignatureException < Struct.new(
2853
+ :message)
2854
+ include Aws::Structure
2855
+ end
2856
+
2191
2857
  # The request was rejected because the state of the specified resource
2192
2858
  # is not valid for this request.
2193
2859
  #
2194
2860
  # For more information about how key state affects the use of a CMK, see
2195
- # [How Key State Affects Use of a Customer Master Key][1] in the *AWS
2196
- # Key Management Service Developer Guide*.
2861
+ # [How Key State Affects Use of a Customer Master Key][1] in the <i>
2862
+ # <i>AWS Key Management Service Developer Guide</i> </i>.
2197
2863
  #
2198
2864
  #
2199
2865
  #
@@ -2264,9 +2930,7 @@ module Aws::KMS
2264
2930
  # @return [String]
2265
2931
  #
2266
2932
  # @!attribute [rw] key_usage
2267
- # The cryptographic operations for which you can use the CMK. The only
2268
- # valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
2269
- # encrypt and decrypt data.
2933
+ # The cryptographic operations for which you can use the CMK.
2270
2934
  # @return [String]
2271
2935
  #
2272
2936
  # @!attribute [rw] key_state
@@ -2342,6 +3006,26 @@ module Aws::KMS
2342
3006
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
2343
3007
  # @return [String]
2344
3008
  #
3009
+ # @!attribute [rw] customer_master_key_spec
3010
+ # Describes the type of key material in the CMK.
3011
+ # @return [String]
3012
+ #
3013
+ # @!attribute [rw] encryption_algorithms
3014
+ # A list of encryption algorithms that the CMK supports. You cannot
3015
+ # use the CMK with other encryption algorithms within AWS KMS.
3016
+ #
3017
+ # This field appears only when the `KeyUsage` of the CMK is
3018
+ # `ENCRYPT_DECRYPT`.
3019
+ # @return [Array<String>]
3020
+ #
3021
+ # @!attribute [rw] signing_algorithms
3022
+ # A list of signing algorithms that the CMK supports. You cannot use
3023
+ # the CMK with other signing algorithms within AWS KMS.
3024
+ #
3025
+ # This field appears only when the `KeyUsage` of the CMK is
3026
+ # `SIGN_VERIFY`.
3027
+ # @return [Array<String>]
3028
+ #
2345
3029
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
2346
3030
  #
2347
3031
  class KeyMetadata < Struct.new(
@@ -2359,12 +3043,15 @@ module Aws::KMS
2359
3043
  :custom_key_store_id,
2360
3044
  :cloud_hsm_cluster_id,
2361
3045
  :expiration_model,
2362
- :key_manager)
3046
+ :key_manager,
3047
+ :customer_master_key_spec,
3048
+ :encryption_algorithms,
3049
+ :signing_algorithms)
2363
3050
  include Aws::Structure
2364
3051
  end
2365
3052
 
2366
3053
  # The request was rejected because the specified CMK was not available.
2367
- # The request can be retried.
3054
+ # You can retry the request.
2368
3055
  #
2369
3056
  # @!attribute [rw] message
2370
3057
  # @return [String]
@@ -2376,8 +3063,8 @@ module Aws::KMS
2376
3063
  include Aws::Structure
2377
3064
  end
2378
3065
 
2379
- # The request was rejected because a limit was exceeded. For more
2380
- # information, see [Limits][1] in the *AWS Key Management Service
3066
+ # The request was rejected because a quota was exceeded. For more
3067
+ # information, see [Quotas][1] in the *AWS Key Management Service
2381
3068
  # Developer Guide*.
2382
3069
  #
2383
3070
  #
@@ -2881,12 +3568,15 @@ module Aws::KMS
2881
3568
  # visible][2] in the *AWS Identity and Access Management User
2882
3569
  # Guide*.
2883
3570
  #
2884
- # The key policy size limit is 32 kilobytes (32768 bytes).
3571
+ # The key policy cannot exceed 32 kilobytes (32768 bytes). For more
3572
+ # information, see [Resource Quotas][3] in the *AWS Key Management
3573
+ # Service Developer Guide*.
2885
3574
  #
2886
3575
  #
2887
3576
  #
2888
3577
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
2889
3578
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
3579
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
2890
3580
  # @return [String]
2891
3581
  #
2892
3582
  # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -2929,10 +3619,13 @@ module Aws::KMS
2929
3619
  # source_encryption_context: {
2930
3620
  # "EncryptionContextKey" => "EncryptionContextValue",
2931
3621
  # },
3622
+ # source_key_id: "KeyIdType",
2932
3623
  # destination_key_id: "KeyIdType", # required
2933
3624
  # destination_encryption_context: {
2934
3625
  # "EncryptionContextKey" => "EncryptionContextValue",
2935
3626
  # },
3627
+ # source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
3628
+ # destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
2936
3629
  # grant_tokens: ["GrantTokenType"],
2937
3630
  # }
2938
3631
  #
@@ -2941,12 +3634,64 @@ module Aws::KMS
2941
3634
  # @return [String]
2942
3635
  #
2943
3636
  # @!attribute [rw] source_encryption_context
2944
- # Encryption context used to encrypt and decrypt the data specified in
2945
- # the `CiphertextBlob` parameter.
3637
+ # Specifies the encryption context to use to decrypt the ciphertext.
3638
+ # Enter the same encryption context that was used to encrypt the
3639
+ # ciphertext.
3640
+ #
3641
+ # An *encryption context* is a collection of non-secret key-value
3642
+ # pairs that represents additional authenticated data. When you use an
3643
+ # encryption context to encrypt data, you must specify the same (an
3644
+ # exact case-sensitive match) encryption context to decrypt the data.
3645
+ # An encryption context is optional when encrypting with a symmetric
3646
+ # CMK, but it is highly recommended.
3647
+ #
3648
+ # For more information, see [Encryption Context][1] in the *AWS Key
3649
+ # Management Service Developer Guide*.
3650
+ #
3651
+ #
3652
+ #
3653
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2946
3654
  # @return [Hash<String,String>]
2947
3655
  #
3656
+ # @!attribute [rw] source_key_id
3657
+ # A unique identifier for the CMK that is used to decrypt the
3658
+ # ciphertext before it reencrypts it using the destination CMK.
3659
+ #
3660
+ # This parameter is required only when the ciphertext was encrypted
3661
+ # under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
3662
+ # it adds to the ciphertext blob to determine which CMK was used to
3663
+ # encrypt the ciphertext. However, you can use this parameter to
3664
+ # ensure that a particular CMK (of any kind) is used to decrypt the
3665
+ # ciphertext before it is reencrypted.
3666
+ #
3667
+ # If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
3668
+ # operation succeeds only if the specified CMK was used to encrypt the
3669
+ # ciphertext.
3670
+ #
3671
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3672
+ # name, or alias ARN. When using an alias name, prefix it with
3673
+ # `"alias/"`.
3674
+ #
3675
+ # For example:
3676
+ #
3677
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3678
+ #
3679
+ # * Key ARN:
3680
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3681
+ #
3682
+ # * Alias name: `alias/ExampleAlias`
3683
+ #
3684
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3685
+ #
3686
+ # To get the key ID and key ARN for a CMK, use ListKeys or
3687
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
3688
+ # @return [String]
3689
+ #
2948
3690
  # @!attribute [rw] destination_key_id
2949
3691
  # A unique identifier for the CMK that is used to reencrypt the data.
3692
+ # Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
3693
+ # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
3694
+ # DescribeKey operation.
2950
3695
  #
2951
3696
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2952
3697
  # name, or alias ARN. When using an alias name, prefix it with
@@ -2969,9 +3714,51 @@ module Aws::KMS
2969
3714
  # @return [String]
2970
3715
  #
2971
3716
  # @!attribute [rw] destination_encryption_context
2972
- # Encryption context to use when the data is reencrypted.
3717
+ # Specifies that encryption context to use when the reencrypting the
3718
+ # data.
3719
+ #
3720
+ # A destination encryption context is valid only when the destination
3721
+ # CMK is a symmetric CMK. The standard ciphertext format for
3722
+ # asymmetric CMKs does not include fields for metadata.
3723
+ #
3724
+ # An *encryption context* is a collection of non-secret key-value
3725
+ # pairs that represents additional authenticated data. When you use an
3726
+ # encryption context to encrypt data, you must specify the same (an
3727
+ # exact case-sensitive match) encryption context to decrypt the data.
3728
+ # An encryption context is optional when encrypting with a symmetric
3729
+ # CMK, but it is highly recommended.
3730
+ #
3731
+ # For more information, see [Encryption Context][1] in the *AWS Key
3732
+ # Management Service Developer Guide*.
3733
+ #
3734
+ #
3735
+ #
3736
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2973
3737
  # @return [Hash<String,String>]
2974
3738
  #
3739
+ # @!attribute [rw] source_encryption_algorithm
3740
+ # Specifies the encryption algorithm that AWS KMS will use to decrypt
3741
+ # the ciphertext before it is reencrypted. The default value,
3742
+ # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
3743
+ # CMKs.
3744
+ #
3745
+ # Specify the same algorithm that was used to encrypt the ciphertext.
3746
+ # If you specify a different algorithm, the decrypt attempt fails.
3747
+ #
3748
+ # This parameter is required only when the ciphertext was encrypted
3749
+ # under an asymmetric CMK.
3750
+ # @return [String]
3751
+ #
3752
+ # @!attribute [rw] destination_encryption_algorithm
3753
+ # Specifies the encryption algorithm that AWS KMS will use to reecrypt
3754
+ # the data after it has decrypted it. The default value,
3755
+ # `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
3756
+ # symmetric CMKs.
3757
+ #
3758
+ # This parameter is required only when the destination CMK is an
3759
+ # asymmetric CMK.
3760
+ # @return [String]
3761
+ #
2975
3762
  # @!attribute [rw] grant_tokens
2976
3763
  # A list of grant tokens.
2977
3764
  #
@@ -2988,15 +3775,18 @@ module Aws::KMS
2988
3775
  class ReEncryptRequest < Struct.new(
2989
3776
  :ciphertext_blob,
2990
3777
  :source_encryption_context,
3778
+ :source_key_id,
2991
3779
  :destination_key_id,
2992
3780
  :destination_encryption_context,
3781
+ :source_encryption_algorithm,
3782
+ :destination_encryption_algorithm,
2993
3783
  :grant_tokens)
2994
3784
  include Aws::Structure
2995
3785
  end
2996
3786
 
2997
3787
  # @!attribute [rw] ciphertext_blob
2998
3788
  # The reencrypted data. When you use the HTTP API or the AWS CLI, the
2999
- # value is Base64-encoded. Otherwise, it is not encoded.
3789
+ # value is Base64-encoded. Otherwise, it is not Base64-encoded.
3000
3790
  # @return [String]
3001
3791
  #
3002
3792
  # @!attribute [rw] source_key_id
@@ -3007,12 +3797,23 @@ module Aws::KMS
3007
3797
  # Unique identifier of the CMK used to reencrypt the data.
3008
3798
  # @return [String]
3009
3799
  #
3800
+ # @!attribute [rw] source_encryption_algorithm
3801
+ # The encryption algorithm that was used to decrypt the ciphertext
3802
+ # before it was reencrypted.
3803
+ # @return [String]
3804
+ #
3805
+ # @!attribute [rw] destination_encryption_algorithm
3806
+ # The encryption algorithm that was used to reencrypt the data.
3807
+ # @return [String]
3808
+ #
3010
3809
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
3011
3810
  #
3012
3811
  class ReEncryptResponse < Struct.new(
3013
3812
  :ciphertext_blob,
3014
3813
  :source_key_id,
3015
- :key_id)
3814
+ :key_id,
3815
+ :source_encryption_algorithm,
3816
+ :destination_encryption_algorithm)
3016
3817
  include Aws::Structure
3017
3818
  end
3018
3819
 
@@ -3151,6 +3952,125 @@ module Aws::KMS
3151
3952
  include Aws::Structure
3152
3953
  end
3153
3954
 
3955
+ # @note When making an API call, you may pass SignRequest
3956
+ # data as a hash:
3957
+ #
3958
+ # {
3959
+ # key_id: "KeyIdType", # required
3960
+ # message: "data", # required
3961
+ # message_type: "RAW", # accepts RAW, DIGEST
3962
+ # grant_tokens: ["GrantTokenType"],
3963
+ # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
3964
+ # }
3965
+ #
3966
+ # @!attribute [rw] key_id
3967
+ # Identifies an asymmetric CMK. AWS KMS uses the private key in the
3968
+ # asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
3969
+ # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
3970
+ # DescribeKey operation.
3971
+ #
3972
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3973
+ # name, or alias ARN. When using an alias name, prefix it with
3974
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
3975
+ # use the key ARN or alias ARN.
3976
+ #
3977
+ # For example:
3978
+ #
3979
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3980
+ #
3981
+ # * Key ARN:
3982
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3983
+ #
3984
+ # * Alias name: `alias/ExampleAlias`
3985
+ #
3986
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3987
+ #
3988
+ # To get the key ID and key ARN for a CMK, use ListKeys or
3989
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
3990
+ # @return [String]
3991
+ #
3992
+ # @!attribute [rw] message
3993
+ # Specifies the message or message digest to sign. Messages can be
3994
+ # 0-4096 bytes. To sign a larger message, provide the message digest.
3995
+ #
3996
+ # If you provide a message, AWS KMS generates a hash digest of the
3997
+ # message and then signs it.
3998
+ # @return [String]
3999
+ #
4000
+ # @!attribute [rw] message_type
4001
+ # Tells AWS KMS whether the value of the `Message` parameter is a
4002
+ # message or message digest. The default value, RAW, indicates a
4003
+ # message. To indicate a message digest, enter `DIGEST`.
4004
+ # @return [String]
4005
+ #
4006
+ # @!attribute [rw] grant_tokens
4007
+ # A list of grant tokens.
4008
+ #
4009
+ # For more information, see [Grant Tokens][1] in the *AWS Key
4010
+ # Management Service Developer Guide*.
4011
+ #
4012
+ #
4013
+ #
4014
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
4015
+ # @return [Array<String>]
4016
+ #
4017
+ # @!attribute [rw] signing_algorithm
4018
+ # Specifies the signing algorithm to use when signing the message.
4019
+ #
4020
+ # Choose an algorithm that is compatible with the type and size of the
4021
+ # specified asymmetric CMK.
4022
+ # @return [String]
4023
+ #
4024
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
4025
+ #
4026
+ class SignRequest < Struct.new(
4027
+ :key_id,
4028
+ :message,
4029
+ :message_type,
4030
+ :grant_tokens,
4031
+ :signing_algorithm)
4032
+ include Aws::Structure
4033
+ end
4034
+
4035
+ # @!attribute [rw] key_id
4036
+ # The Amazon Resource Name (ARN) of the asymmetric CMK that was used
4037
+ # to sign the message.
4038
+ # @return [String]
4039
+ #
4040
+ # @!attribute [rw] signature
4041
+ # The cryptographic signature that was generated for the message.
4042
+ #
4043
+ # * When used with the supported RSA signing algorithms, the encoding
4044
+ # of this value is defined by [PKCS #1 in RFC 8017][1].
4045
+ #
4046
+ # * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
4047
+ # `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
4048
+ # object as defined by ANS X9.62–2005 and [RFC 3279 Section
4049
+ # 2.2.3][2]. This is the most commonly used signature format and is
4050
+ # appropriate for most uses.
4051
+ #
4052
+ # When you use the HTTP API or the AWS CLI, the value is
4053
+ # Base64-encoded. Otherwise, it is not Base64-encoded.
4054
+ #
4055
+ #
4056
+ #
4057
+ # [1]: https://tools.ietf.org/html/rfc8017
4058
+ # [2]: https://tools.ietf.org/html/rfc3279#section-2.2.3
4059
+ # @return [String]
4060
+ #
4061
+ # @!attribute [rw] signing_algorithm
4062
+ # The signing algorithm that was used to sign the message.
4063
+ # @return [String]
4064
+ #
4065
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignResponse AWS API Documentation
4066
+ #
4067
+ class SignResponse < Struct.new(
4068
+ :key_id,
4069
+ :signature,
4070
+ :signing_algorithm)
4071
+ include Aws::Structure
4072
+ end
4073
+
3154
4074
  # A key-value pair. A tag consists of a tag key and a tag value. Tag
3155
4075
  # keys and tag values are both required, but tag values can be empty
3156
4076
  # (null) strings.
@@ -3298,15 +4218,20 @@ module Aws::KMS
3298
4218
  # }
3299
4219
  #
3300
4220
  # @!attribute [rw] alias_name
3301
- # Specifies the name of the alias to change. This value must begin
4221
+ # Identifies the alias that is changing its CMK. This value must begin
3302
4222
  # with `alias/` followed by the alias name, such as
3303
- # `alias/ExampleAlias`.
4223
+ # `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
4224
+ # name.
3304
4225
  # @return [String]
3305
4226
  #
3306
4227
  # @!attribute [rw] target_key_id
3307
- # Unique identifier of the customer master key (CMK) to be mapped to
3308
- # the alias. When the update operation completes, the alias will point
3309
- # to this CMK.
4228
+ # Identifies the CMK to associate with the alias. When the update
4229
+ # operation completes, the alias will point to this CMK.
4230
+ #
4231
+ # The CMK must be in the same AWS account and Region as the alias.
4232
+ # Also, the new target CMK must be the same type as the current target
4233
+ # CMK (both symmetric or both asymmetric) and they must have the same
4234
+ # key usage.
3310
4235
  #
3311
4236
  # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3312
4237
  #
@@ -3431,5 +4356,122 @@ module Aws::KMS
3431
4356
  include Aws::Structure
3432
4357
  end
3433
4358
 
4359
+ # @note When making an API call, you may pass VerifyRequest
4360
+ # data as a hash:
4361
+ #
4362
+ # {
4363
+ # key_id: "KeyIdType", # required
4364
+ # message: "data", # required
4365
+ # message_type: "RAW", # accepts RAW, DIGEST
4366
+ # signature: "data", # required
4367
+ # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
4368
+ # grant_tokens: ["GrantTokenType"],
4369
+ # }
4370
+ #
4371
+ # @!attribute [rw] key_id
4372
+ # Identifies the asymmetric CMK that will be used to verify the
4373
+ # signature. This must be the same CMK that was used to generate the
4374
+ # signature. If you specify a different CMK, the signature
4375
+ # verification fails.
4376
+ #
4377
+ # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4378
+ # name, or alias ARN. When using an alias name, prefix it with
4379
+ # `"alias/"`. To specify a CMK in a different AWS account, you must
4380
+ # use the key ARN or alias ARN.
4381
+ #
4382
+ # For example:
4383
+ #
4384
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4385
+ #
4386
+ # * Key ARN:
4387
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4388
+ #
4389
+ # * Alias name: `alias/ExampleAlias`
4390
+ #
4391
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
4392
+ #
4393
+ # To get the key ID and key ARN for a CMK, use ListKeys or
4394
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
4395
+ # @return [String]
4396
+ #
4397
+ # @!attribute [rw] message
4398
+ # Specifies the message that was signed. You can submit a raw message
4399
+ # of up to 4096 bytes, or a hash digest of the message. If you submit
4400
+ # a digest, use the `MessageType` parameter with a value of `DIGEST`.
4401
+ #
4402
+ # If the message specified here is different from the message that was
4403
+ # signed, the signature verification fails. A message and its hash
4404
+ # digest are considered to be the same message.
4405
+ # @return [String]
4406
+ #
4407
+ # @!attribute [rw] message_type
4408
+ # Tells AWS KMS whether the value of the `Message` parameter is a
4409
+ # message or message digest. The default value, RAW, indicates a
4410
+ # message. To indicate a message digest, enter `DIGEST`.
4411
+ #
4412
+ # Use the `DIGEST` value only when the value of the `Message`
4413
+ # parameter is a message digest. If you use the `DIGEST` value with a
4414
+ # raw message, the security of the verification operation can be
4415
+ # compromised.
4416
+ # @return [String]
4417
+ #
4418
+ # @!attribute [rw] signature
4419
+ # The signature that the `Sign` operation generated.
4420
+ # @return [String]
4421
+ #
4422
+ # @!attribute [rw] signing_algorithm
4423
+ # The signing algorithm that was used to sign the message. If you
4424
+ # submit a different algorithm, the signature verification fails.
4425
+ # @return [String]
4426
+ #
4427
+ # @!attribute [rw] grant_tokens
4428
+ # A list of grant tokens.
4429
+ #
4430
+ # For more information, see [Grant Tokens][1] in the *AWS Key
4431
+ # Management Service Developer Guide*.
4432
+ #
4433
+ #
4434
+ #
4435
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
4436
+ # @return [Array<String>]
4437
+ #
4438
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
4439
+ #
4440
+ class VerifyRequest < Struct.new(
4441
+ :key_id,
4442
+ :message,
4443
+ :message_type,
4444
+ :signature,
4445
+ :signing_algorithm,
4446
+ :grant_tokens)
4447
+ include Aws::Structure
4448
+ end
4449
+
4450
+ # @!attribute [rw] key_id
4451
+ # The unique identifier for the asymmetric CMK that was used to verify
4452
+ # the signature.
4453
+ # @return [String]
4454
+ #
4455
+ # @!attribute [rw] signature_valid
4456
+ # A Boolean value that indicates whether the signature was verified. A
4457
+ # value of `True` indicates that the `Signature` was produced by
4458
+ # signing the `Message` with the specified `KeyID` and
4459
+ # `SigningAlgorithm.` If the signature is not verified, the `Verify`
4460
+ # operation fails with a `KMSInvalidSignatureException` exception.
4461
+ # @return [Boolean]
4462
+ #
4463
+ # @!attribute [rw] signing_algorithm
4464
+ # The signing algorithm that was used to verify the signature.
4465
+ # @return [String]
4466
+ #
4467
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyResponse AWS API Documentation
4468
+ #
4469
+ class VerifyResponse < Struct.new(
4470
+ :key_id,
4471
+ :signature_valid,
4472
+ :signing_algorithm)
4473
+ include Aws::Structure
4474
+ end
4475
+
3434
4476
  end
3435
4477
  end