aws-sdk-kms 1.28.0 → 1.33.0

data/lib/aws-sdk-kms/client_api.rb

@@ -1032,6 +1032,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
 
       api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1048,6 +1049,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
 
       api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1387,6 +1389,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 

data/lib/aws-sdk-kms/errors.rb

@@ -6,6 +6,61 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::KMS
+
+  # When KMS returns an error response, the Ruby SDK constructs and raises an error.
+  # These errors all extend Aws::KMS::Errors::ServiceError < {Aws::Errors::ServiceError}
+  #
+  # You can rescue all KMS errors using ServiceError:
+  #
+  #     begin
+  #       # do stuff
+  #     rescue Aws::KMS::Errors::ServiceError
+  #       # rescues all KMS API errors
+  #     end
+  #
+  #
+  # ## Request Context
+  # ServiceError objects have a {Aws::Errors::ServiceError#context #context} method that returns
+  # information about the request that generated the error.
+  # See {Seahorse::Client::RequestContext} for more information.
+  #
+  # ## Error Classes
+  # * {AlreadyExistsException}
+  # * {CloudHsmClusterInUseException}
+  # * {CloudHsmClusterInvalidConfigurationException}
+  # * {CloudHsmClusterNotActiveException}
+  # * {CloudHsmClusterNotFoundException}
+  # * {CloudHsmClusterNotRelatedException}
+  # * {CustomKeyStoreHasCMKsException}
+  # * {CustomKeyStoreInvalidStateException}
+  # * {CustomKeyStoreNameInUseException}
+  # * {CustomKeyStoreNotFoundException}
+  # * {DependencyTimeoutException}
+  # * {DisabledException}
+  # * {ExpiredImportTokenException}
+  # * {IncorrectKeyException}
+  # * {IncorrectKeyMaterialException}
+  # * {IncorrectTrustAnchorException}
+  # * {InvalidAliasNameException}
+  # * {InvalidArnException}
+  # * {InvalidCiphertextException}
+  # * {InvalidGrantIdException}
+  # * {InvalidGrantTokenException}
+  # * {InvalidImportTokenException}
+  # * {InvalidKeyUsageException}
+  # * {InvalidMarkerException}
+  # * {KMSInternalException}
+  # * {KMSInvalidSignatureException}
+  # * {KMSInvalidStateException}
+  # * {KeyUnavailableException}
+  # * {LimitExceededException}
+  # * {MalformedPolicyDocumentException}
+  # * {NotFoundException}
+  # * {TagException}
+  # * {UnsupportedOperationException}
+  #
+  # Additionally, error classes are dynamically generated for service errors based on the error code
+  # if they are not defined above.
   module Errors
 
     extend Aws::Errors::DynamicErrors
@@ -23,7 +78,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterInUseException < ServiceError
@@ -39,7 +93,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterInvalidConfigurationException < ServiceError
@@ -55,7 +108,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterNotActiveException < ServiceError
@@ -71,7 +123,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterNotFoundException < ServiceError
@@ -87,7 +138,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterNotRelatedException < ServiceError
@@ -103,7 +153,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreHasCMKsException < ServiceError
@@ -119,7 +168,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreInvalidStateException < ServiceError
@@ -135,7 +183,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreNameInUseException < ServiceError
@@ -151,7 +198,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreNotFoundException < ServiceError
@@ -167,7 +213,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class DependencyTimeoutException < ServiceError
@@ -183,7 +228,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class DisabledException < ServiceError
@@ -199,7 +243,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class ExpiredImportTokenException < ServiceError
@@ -215,7 +258,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class IncorrectKeyException < ServiceError
@@ -231,7 +273,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class IncorrectKeyMaterialException < ServiceError
@@ -247,7 +288,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class IncorrectTrustAnchorException < ServiceError
@@ -263,7 +303,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidAliasNameException < ServiceError
@@ -279,7 +318,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidArnException < ServiceError
@@ -295,7 +333,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidCiphertextException < ServiceError
@@ -311,7 +348,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidGrantIdException < ServiceError
@@ -327,7 +363,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidGrantTokenException < ServiceError
@@ -343,7 +378,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidImportTokenException < ServiceError
@@ -359,7 +393,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidKeyUsageException < ServiceError
@@ -375,7 +408,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidMarkerException < ServiceError
@@ -391,7 +423,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KMSInternalException < ServiceError
@@ -407,7 +438,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KMSInvalidSignatureException < ServiceError
@@ -423,7 +453,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KMSInvalidStateException < ServiceError
@@ -439,7 +468,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KeyUnavailableException < ServiceError
@@ -455,7 +483,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class LimitExceededException < ServiceError
@@ -471,7 +498,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class MalformedPolicyDocumentException < ServiceError
@@ -487,7 +513,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class NotFoundException < ServiceError
@@ -503,7 +528,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class TagException < ServiceError
@@ -519,7 +543,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class UnsupportedOperationException < ServiceError
@@ -535,7 +558,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
   end

data/lib/aws-sdk-kms/resource.rb

@@ -6,6 +6,7 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::KMS
+
   class Resource
 
     # @param options ({})

data/lib/aws-sdk-kms/types.rb

@@ -76,8 +76,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier of the master key for which deletion is
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
     #   canceled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
@@ -433,15 +437,16 @@ module Aws::KMS
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   Allows a cryptographic operation only when the encryption context
-    #   matches or includes the encryption context specified in this
+    #   Allows a [cryptographic operation][1] only when the encryption
+    #   context matches or includes the encryption context specified in this
     #   structure. For more information about encryption context, see
-    #   [Encryption Context][1] in the <i> <i>AWS Key Management Service
+    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
     #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -575,8 +580,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   Determines the cryptographic operations for which you can use the
-    #   CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
+    #   Determines the [cryptographic operations][1] for which you can use
+    #   the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
     #   required only for asymmetric CMKs. You can't change the `KeyUsage`
     #   value after the CMK is created.
     #
@@ -589,6 +594,10 @@ module Aws::KMS
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -920,6 +929,16 @@ module Aws::KMS
     #   * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
     #     connecting to the custom key store.
     #
+    #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
+    #     configuration was deleted. If AWS KMS cannot find all of the
+    #     subnets in the cluster configuration, attempts to connect the
+    #     custom key store to the AWS CloudHSM cluster fail. To fix this
+    #     error, create a cluster from a recent backup and associate it with
+    #     your custom key store. (This process creates a new cluster
+    #     configuration with a VPC and private subnets.) For details, see
+    #     [How to Fix a Connection Failure][1] in the *AWS Key Management
+    #     Service Developer Guide*.
+    #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
     #     associated AWS CloudHSM cluster due to too many failed password
     #     attempts. Before you can connect your custom key store to its AWS
@@ -984,9 +1003,9 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
-    #   encryption context is valid only for cryptographic operations with a
-    #   symmetric CMK. The standard asymmetric encryption algorithms that
-    #   AWS KMS uses do not support an encryption context.
+    #   encryption context is valid only for [cryptographic operations][1]
+    #   with a symmetric CMK. The standard asymmetric encryption algorithms
+    #   that AWS KMS uses do not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -995,12 +1014,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1072,8 +1092,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The ARN of the customer master key that was used to perform the
-    #   decryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   decrypt the ciphertext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] plaintext
@@ -1538,9 +1562,10 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used to encrypt the
-    #   data. An encryption context is valid only for cryptographic
-    #   operations with a symmetric CMK. The standard asymmetric encryption
-    #   algorithms that AWS KMS uses do not support an encryption context.
+    #   data. An encryption context is valid only for [cryptographic
+    #   operations][1] with a symmetric CMK. The standard asymmetric
+    #   encryption algorithms that AWS KMS uses do not support an encryption
+    #   context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1549,12 +1574,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1596,7 +1622,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The ID of the key used during encryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   encrypt the plaintext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
@@ -1660,7 +1691,9 @@ module Aws::KMS
     #
     # @!attribute [rw] key_id
     #   Specifies the symmetric CMK that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric CMKs.
+    #   data key pair. You cannot specify an asymmetric CMK or a CMK in a
+    #   custom key store. To get the type and origin of your CMK, use the
+    #   DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1729,7 +1762,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the private key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1781,7 +1819,8 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Specifies the CMK that encrypts the private key in the data key
     #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   CMK or a CMK in a custom key store. To get the type and origin of
+    #   your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1843,27 +1882,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Specifies the CMK that encrypted the private key in the data key
-    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`.
-    #
-    #   For example:
-    #
-    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Key ARN:
-    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   * Alias name: `alias/ExampleAlias`
-    #
-    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
-    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1990,7 +2014,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2098,7 +2127,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -2293,9 +2327,13 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The identifier of the CMK to use in a subsequent ImportKeyMaterial
-    #   request. This is the same CMK specified in the
-    #   `GetParametersForImport` request.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
+    #   subsequent ImportKeyMaterial request. This is the same CMK specified
+    #   in the `GetParametersForImport` request.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] import_token
@@ -2375,21 +2413,27 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The identifier of the asymmetric CMK from which the public key was
-    #   downloaded.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
+    #   which the public key was downloaded.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] public_key
     #   The exported public key.
     #
-    #   This value is returned as a binary [Distinguished Encoding Rules][1]
-    #   (DER)-encoded object. To decode it, use an ASN.1 parsing tool, such
-    #   as [OpenSSL asn1parse][2].
+    #   The value is a DER-encoded X.509 public key, also known as
+    #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
+    #   use the HTTP API or the AWS CLI, the value is Base64-encoded.
+    #   Otherwise, it is not Base64-encoded.
+    #
     #
     #
     #
-    #   [1]: https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
-    #   [2]: https://www.openssl.org/docs/man1.0.2/man1/asn1parse.html
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -2435,26 +2479,16 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # Use this structure to allow cryptographic operations in the grant only
-    # when the operation request includes the specified [encryption
-    # context][1].
-    #
-    # AWS KMS applies the grant constraints only when the grant allows a
-    # cryptographic operation that accepts an encryption context as input,
-    # such as the following.
-    #
-    # * Encrypt
-    #
-    # * Decrypt
-    #
-    # * GenerateDataKey
-    #
-    # * GenerateDataKeyWithoutPlaintext
+    # Use this structure to allow [cryptographic operations][1] in the grant
+    # only when the operation request includes the specified [encryption
+    # context][2].
     #
-    # * ReEncrypt
-    #
-    # AWS KMS does not apply the grant constraints to other operations, such
-    # as DescribeKey or ScheduleKeyDeletion.
+    # AWS KMS applies the grant constraints only to cryptographic operations
+    # that support an encryption context, that is, all cryptographic
+    # operations with a [symmetric CMK][3]. Grant constraints are not
+    # applied to operations that do not support an encryption context, such
+    # as cryptographic operations with asymmetric CMKs and management
+    # operations, such as DescribeKey or ScheduleKeyDeletion.
     #
     # In a cryptographic operation, the encryption context in the decryption
     # operation must be an exact, case-sensitive match for the keys and
@@ -2468,13 +2502,15 @@ module Aws::KMS
     # differ only by case. To require a fully case-sensitive encryption
     # context, use the `kms:EncryptionContext:` and
     # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
+    # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
     # Management Service Developer Guide</i> </i>.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
     #
     # @note When making an API call, you may pass GrantConstraints
     #   data as a hash:
@@ -2490,17 +2526,25 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
-    #   context of the cryptographic operation request. The grant allows the
-    #   cryptographic operation only when the encryption context in the
-    #   request includes the key-value pairs specified in this constraint,
-    #   although it can include additional key-value pairs.
+    #   context of the [cryptographic operation][1] request. The grant
+    #   allows the cryptographic operation only when the encryption context
+    #   in the request includes the key-value pairs specified in this
+    #   constraint, although it can include additional key-value pairs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] encryption_context_equals
     #   A list of key-value pairs that must match the encryption context in
-    #   the cryptographic operation request. The grant allows the operation
-    #   only when the encryption context in the request is the same as the
-    #   encryption context specified in this constraint.
+    #   the [cryptographic operation][1] request. The grant allows the
+    #   operation only when the encryption context in the request is the
+    #   same as the encryption context specified in this constraint.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -2511,7 +2555,7 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # Contains information about an entry in a list of grants.
+    # Contains information about a grant.
     #
     # @!attribute [rw] key_id
     #   The unique identifier for the customer master key (CMK) to which the
@@ -2533,7 +2577,18 @@ module Aws::KMS
     #   @return [Time]
     #
     # @!attribute [rw] grantee_principal
-    #   The principal that receives the grant's permissions.
+    #   The identity that gets the permissions in the grant.
+    #
+    #   The `GranteePrincipal` field in the `ListGrants` response usually
+    #   contains the user or role designated as the grantee principal in the
+    #   grant. However, when the grantee principal in the grant is an AWS
+    #   service, the `GranteePrincipal` field contains the [service
+    #   principal][1], which might represent several different grantee
+    #   principals.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -2919,15 +2974,19 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The cryptographic operations for which you can use the CMK.
+    #   The [cryptographic operations][1] for which you can use the CMK.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] key_state
-    #   The state of the CMK.
+    #   The current status of the CMK.
     #
     #   For more information about how key state affects the use of a CMK,
-    #   see [How Key State Affects the Use of a Customer Master Key][1] in
-    #   the *AWS Key Management Service Developer Guide*.
+    #   see [Key state: Effect on your CMK][1] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
@@ -3000,16 +3059,16 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
-    #   A list of encryption algorithms that the CMK supports. You cannot
-    #   use the CMK with other encryption algorithms within AWS KMS.
+    #   The encryption algorithms that the CMK supports. You cannot use the
+    #   CMK with other encryption algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithms
-    #   A list of signing algorithms that the CMK supports. You cannot use
-    #   the CMK with other signing algorithms within AWS KMS.
+    #   The signing algorithms that the CMK supports. You cannot use the CMK
+    #   with other signing algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `SIGN_VERIFY`.
@@ -3783,7 +3842,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Unique identifier of the CMK used to reencrypt the data.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   reencrypt the data.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] source_encryption_algorithm
@@ -3924,8 +3988,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier of the customer master key (CMK) for which
-    #   deletion is scheduled.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
+    #   scheduled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
@@ -3988,8 +4056,8 @@ module Aws::KMS
     #
     # @!attribute [rw] message_type
     #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. To indicate a message, enter `RAW`. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -4022,12 +4090,33 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name (ARN) of the asymmetric CMK that was used
-    #   to sign the message.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to sign the message.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature
     #   The cryptographic signature that was generated for the message.
+    #
+    #   * When used with the supported RSA signing algorithms, the encoding
+    #     of this value is defined by [PKCS #1 in RFC 8017][1].
+    #
+    #   * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
+    #     `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
+    #     object as defined by ANS X9.62–2005 and [RFC 3279 Section
+    #     2.2.3][2]. This is the most commonly used signature format and is
+    #     appropriate for most uses.
+    #
+    #   When you use the HTTP API or the AWS CLI, the value is
+    #   Base64-encoded. Otherwise, it is not Base64-encoded.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc8017
+    #   [2]: https://tools.ietf.org/html/rfc3279#section-2.2.3
     #   @return [String]
     #
     # @!attribute [rw] signing_algorithm
@@ -4420,8 +4509,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier for the asymmetric CMK that was used to verify
-    #   the signature.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to verify the signature.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature_valid