RubyGems - aws-sdk-kms - Versions diffs - 1.30.0 → 1.35.0 - Mend

aws-sdk-kms 1.30.0 → 1.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +5 -5
data/lib/aws-sdk-kms.rb +3 -1
data/lib/aws-sdk-kms/client.rb +201 -148
data/lib/aws-sdk-kms/client_api.rb +5 -0
data/lib/aws-sdk-kms/customizations.rb +1 -0
data/lib/aws-sdk-kms/errors.rb +2 -0
data/lib/aws-sdk-kms/resource.rb +3 -7
data/lib/aws-sdk-kms/types.rb +279 -100
metadata +5 -5

data/lib/aws-sdk-kms/client_api.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -1032,6 +1034,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
       api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1048,6 +1051,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
       api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1387,6 +1391,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)

data/lib/aws-sdk-kms/customizations.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:

data/lib/aws-sdk-kms/errors.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-kms/resource.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -6,13 +8,7 @@
 # WARNING ABOUT GENERATED CODE
 module Aws::KMS
-  # This class provides a resource oriented interface for KMS.
-  # To create a resource object:
-  #     resource = Aws::KMS::Resource.new(region: 'us-west-2')
-  # You can supply a client object with custom configuration that will be used for all resource operations.
-  # If you do not pass +:client+, a default client will be constructed.
-  #     client = Aws::KMS::Client.new(region: 'us-west-2')
-  #     resource = Aws::KMS::Resource.new(client: client)
   class Resource
     # @param options ({})

data/lib/aws-sdk-kms/types.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -28,6 +30,7 @@ module Aws::KMS
       :alias_name,
       :alias_arn,
       :target_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -41,6 +44,7 @@ module Aws::KMS
     #
     class AlreadyExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -72,18 +76,24 @@ module Aws::KMS
     #
     class CancelKeyDeletionRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The unique identifier of the master key for which deletion is
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
     #   canceled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
     #
     class CancelKeyDeletionResponse < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -108,6 +118,7 @@ module Aws::KMS
     #
     class CloudHsmClusterInUseException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -160,6 +171,7 @@ module Aws::KMS
     #
     class CloudHsmClusterInvalidConfigurationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -180,6 +192,7 @@ module Aws::KMS
     #
     class CloudHsmClusterNotActiveException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -194,6 +207,7 @@ module Aws::KMS
     #
     class CloudHsmClusterNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -221,6 +235,7 @@ module Aws::KMS
     #
     class CloudHsmClusterNotRelatedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -241,6 +256,7 @@ module Aws::KMS
     #
     class ConnectCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -280,6 +296,7 @@ module Aws::KMS
     class CreateAliasRequest < Struct.new(
       :alias_name,
       :target_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -342,6 +359,7 @@ module Aws::KMS
       :cloud_hsm_cluster_id,
       :trust_anchor_certificate,
       :key_store_password)
+      SENSITIVE = [:key_store_password]
       include Aws::Structure
     end
@@ -353,6 +371,7 @@ module Aws::KMS
     #
     class CreateCustomKeyStoreResponse < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -433,15 +452,16 @@ module Aws::KMS
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   Allows a cryptographic operation only when the encryption context
-    #   matches or includes the encryption context specified in this
+    #   Allows a [cryptographic operation][1] only when the encryption
+    #   context matches or includes the encryption context specified in this
     #   structure. For more information about encryption context, see
-    #   [Encryption Context][1] in the <i> <i>AWS Key Management Service
+    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
     #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -483,6 +503,7 @@ module Aws::KMS
       :constraints,
       :grant_tokens,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -509,6 +530,7 @@ module Aws::KMS
     class CreateGrantResponse < Struct.new(
       :grant_token,
       :grant_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -575,8 +597,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   Determines the cryptographic operations for which you can use the
-    #   CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
+    #   Determines the [cryptographic operations][1] for which you can use
+    #   the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
     #   required only for asymmetric CMKs. You can't change the `KeyUsage`
     #   value after the CMK is created.
     #
@@ -589,6 +611,10 @@ module Aws::KMS
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -755,6 +781,7 @@ module Aws::KMS
       :custom_key_store_id,
       :bypass_policy_lockout_safety_check,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -766,6 +793,7 @@ module Aws::KMS
     #
     class CreateKeyResponse < Struct.new(
       :key_metadata)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -781,6 +809,7 @@ module Aws::KMS
     #
     class CustomKeyStoreHasCMKsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -810,6 +839,7 @@ module Aws::KMS
     #
     class CustomKeyStoreInvalidStateException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -824,6 +854,7 @@ module Aws::KMS
     #
     class CustomKeyStoreNameInUseException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -837,6 +868,7 @@ module Aws::KMS
     #
     class CustomKeyStoreNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -922,12 +954,13 @@ module Aws::KMS
     #
     #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
     #     configuration was deleted. If AWS KMS cannot find all of the
-    #     subnets that were configured for the cluster when the custom key
-    #     store was created, attempts to connect fail. To fix this error,
-    #     create a cluster from a backup and associate it with your custom
-    #     key store. This process includes selecting a VPC and subnets. For
-    #     details, see [How to Fix a Connection Failure][1] in the *AWS Key
-    #     Management Service Developer Guide*.
+    #     subnets in the cluster configuration, attempts to connect the
+    #     custom key store to the AWS CloudHSM cluster fail. To fix this
+    #     error, create a cluster from a recent backup and associate it with
+    #     your custom key store. (This process creates a new cluster
+    #     configuration with a VPC and private subnets.) For details, see
+    #     [How to Fix a Connection Failure][1] in the *AWS Key Management
+    #     Service Developer Guide*.
     #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
     #     associated AWS CloudHSM cluster due to too many failed password
@@ -971,6 +1004,7 @@ module Aws::KMS
       :connection_state,
       :connection_error_code,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -993,9 +1027,9 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
-    #   encryption context is valid only for cryptographic operations with a
-    #   symmetric CMK. The standard asymmetric encryption algorithms that
-    #   AWS KMS uses do not support an encryption context.
+    #   encryption context is valid only for [cryptographic operations][1]
+    #   with a symmetric CMK. The standard asymmetric encryption algorithms
+    #   that AWS KMS uses do not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1004,12 +1038,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1077,12 +1112,17 @@ module Aws::KMS
       :grant_tokens,
       :key_id,
       :encryption_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The ARN of the customer master key that was used to perform the
-    #   decryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   decrypt the ciphertext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] plaintext
@@ -1100,6 +1140,7 @@ module Aws::KMS
       :key_id,
       :plaintext,
       :encryption_algorithm)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -1119,6 +1160,7 @@ module Aws::KMS
     #
     class DeleteAliasRequest < Struct.new(
       :alias_name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1138,6 +1180,7 @@ module Aws::KMS
     #
     class DeleteCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1173,6 +1216,7 @@ module Aws::KMS
     #
     class DeleteImportedKeyMaterialRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1186,6 +1230,7 @@ module Aws::KMS
     #
     class DependencyTimeoutException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1238,6 +1283,7 @@ module Aws::KMS
       :custom_key_store_name,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1263,6 +1309,7 @@ module Aws::KMS
       :custom_key_stores,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1321,6 +1368,7 @@ module Aws::KMS
     class DescribeKeyRequest < Struct.new(
       :key_id,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1332,6 +1380,7 @@ module Aws::KMS
     #
     class DescribeKeyResponse < Struct.new(
       :key_metadata)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1362,6 +1411,7 @@ module Aws::KMS
     #
     class DisableKeyRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1400,6 +1450,7 @@ module Aws::KMS
     #
     class DisableKeyRotationRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1412,6 +1463,7 @@ module Aws::KMS
     #
     class DisabledException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1432,6 +1484,7 @@ module Aws::KMS
     #
     class DisconnectCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1466,6 +1519,7 @@ module Aws::KMS
     #
     class EnableKeyRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1502,6 +1556,7 @@ module Aws::KMS
     #
     class EnableKeyRotationRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1547,9 +1602,10 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used to encrypt the
-    #   data. An encryption context is valid only for cryptographic
-    #   operations with a symmetric CMK. The standard asymmetric encryption
-    #   algorithms that AWS KMS uses do not support an encryption context.
+    #   data. An encryption context is valid only for [cryptographic
+    #   operations][1] with a symmetric CMK. The standard asymmetric
+    #   encryption algorithms that AWS KMS uses do not support an encryption
+    #   context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1558,12 +1614,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1596,6 +1653,7 @@ module Aws::KMS
       :encryption_context,
       :grant_tokens,
       :encryption_algorithm)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -1605,7 +1663,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The ID of the key used during encryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   encrypt the plaintext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
@@ -1618,6 +1681,7 @@ module Aws::KMS
       :ciphertext_blob,
       :key_id,
       :encryption_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1633,6 +1697,7 @@ module Aws::KMS
     #
     class ExpiredImportTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1669,7 +1734,9 @@ module Aws::KMS
     #
     # @!attribute [rw] key_id
     #   Specifies the symmetric CMK that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric CMKs.
+    #   data key pair. You cannot specify an asymmetric CMK or a CMK in a
+    #   custom key store. To get the type and origin of your CMK, use the
+    #   DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1718,6 +1785,7 @@ module Aws::KMS
       :key_id,
       :key_pair_spec,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1738,7 +1806,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the private key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1753,6 +1826,7 @@ module Aws::KMS
       :public_key,
       :key_id,
       :key_pair_spec)
+      SENSITIVE = [:private_key_plaintext]
       include Aws::Structure
     end
@@ -1790,7 +1864,8 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Specifies the CMK that encrypts the private key in the data key
     #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   CMK or a CMK in a custom key store. To get the type and origin of
+    #   your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1838,6 +1913,7 @@ module Aws::KMS
       :key_id,
       :key_pair_spec,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1852,27 +1928,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Specifies the CMK that encrypted the private key in the data key
-    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`.
     #
-    #   For example:
-    #
-    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   * Key ARN:
-    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Alias name: `alias/ExampleAlias`
-    #
-    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
-    #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
-    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1886,6 +1947,7 @@ module Aws::KMS
       :public_key,
       :key_id,
       :key_pair_spec)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1982,6 +2044,7 @@ module Aws::KMS
       :number_of_bytes,
       :key_spec,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1999,7 +2062,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2008,6 +2076,7 @@ module Aws::KMS
       :ciphertext_blob,
       :plaintext,
       :key_id)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -2098,6 +2167,7 @@ module Aws::KMS
       :key_spec,
       :number_of_bytes,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2107,7 +2177,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -2115,6 +2190,7 @@ module Aws::KMS
     class GenerateDataKeyWithoutPlaintextResponse < Struct.new(
       :ciphertext_blob,
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2145,6 +2221,7 @@ module Aws::KMS
     class GenerateRandomRequest < Struct.new(
       :number_of_bytes,
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2157,6 +2234,7 @@ module Aws::KMS
     #
     class GenerateRandomResponse < Struct.new(
       :plaintext)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -2194,6 +2272,7 @@ module Aws::KMS
     class GetKeyPolicyRequest < Struct.new(
       :key_id,
       :policy_name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2205,6 +2284,7 @@ module Aws::KMS
     #
     class GetKeyPolicyResponse < Struct.new(
       :policy)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2236,6 +2316,7 @@ module Aws::KMS
     #
     class GetKeyRotationStatusRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2247,6 +2328,7 @@ module Aws::KMS
     #
     class GetKeyRotationStatusResponse < Struct.new(
       :key_rotation_enabled)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2298,13 +2380,18 @@ module Aws::KMS
       :key_id,
       :wrapping_algorithm,
       :wrapping_key_spec)
+      SENSITIVE = []
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The identifier of the CMK to use in a subsequent ImportKeyMaterial
-    #   request. This is the same CMK specified in the
-    #   `GetParametersForImport` request.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
+    #   subsequent ImportKeyMaterial request. This is the same CMK specified
+    #   in the `GetParametersForImport` request.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] import_token
@@ -2330,6 +2417,7 @@ module Aws::KMS
       :import_token,
       :public_key,
       :parameters_valid_to)
+      SENSITIVE = [:public_key]
       include Aws::Structure
     end
@@ -2380,12 +2468,17 @@ module Aws::KMS
     class GetPublicKeyRequest < Struct.new(
       :key_id,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The identifier of the asymmetric CMK from which the public key was
-    #   downloaded.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
+    #   which the public key was downloaded.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] public_key
@@ -2443,29 +2536,20 @@ module Aws::KMS
       :key_usage,
       :encryption_algorithms,
       :signing_algorithms)
+      SENSITIVE = []
       include Aws::Structure
     end
-    # Use this structure to allow cryptographic operations in the grant only
-    # when the operation request includes the specified [encryption
-    # context][1].
-    #
-    # AWS KMS applies the grant constraints only when the grant allows a
-    # cryptographic operation that accepts an encryption context as input,
-    # such as the following.
+    # Use this structure to allow [cryptographic operations][1] in the grant
+    # only when the operation request includes the specified [encryption
+    # context][2].
     #
-    # * Encrypt
-    #
-    # * Decrypt
-    #
-    # * GenerateDataKey
-    #
-    # * GenerateDataKeyWithoutPlaintext
-    #
-    # * ReEncrypt
-    #
-    # AWS KMS does not apply the grant constraints to other operations, such
-    # as DescribeKey or ScheduleKeyDeletion.
+    # AWS KMS applies the grant constraints only to cryptographic operations
+    # that support an encryption context, that is, all cryptographic
+    # operations with a [symmetric CMK][3]. Grant constraints are not
+    # applied to operations that do not support an encryption context, such
+    # as cryptographic operations with asymmetric CMKs and management
+    # operations, such as DescribeKey or ScheduleKeyDeletion.
     #
     # In a cryptographic operation, the encryption context in the decryption
     # operation must be an exact, case-sensitive match for the keys and
@@ -2479,13 +2563,15 @@ module Aws::KMS
     # differ only by case. To require a fully case-sensitive encryption
     # context, use the `kms:EncryptionContext:` and
     # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
+    # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
     # Management Service Developer Guide</i> </i>.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
     #
     # @note When making an API call, you may pass GrantConstraints
     #   data as a hash:
@@ -2501,17 +2587,25 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
-    #   context of the cryptographic operation request. The grant allows the
-    #   cryptographic operation only when the encryption context in the
-    #   request includes the key-value pairs specified in this constraint,
-    #   although it can include additional key-value pairs.
+    #   context of the [cryptographic operation][1] request. The grant
+    #   allows the cryptographic operation only when the encryption context
+    #   in the request includes the key-value pairs specified in this
+    #   constraint, although it can include additional key-value pairs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] encryption_context_equals
     #   A list of key-value pairs that must match the encryption context in
-    #   the cryptographic operation request. The grant allows the operation
-    #   only when the encryption context in the request is the same as the
-    #   encryption context specified in this constraint.
+    #   the [cryptographic operation][1] request. The grant allows the
+    #   operation only when the encryption context in the request is the
+    #   same as the encryption context specified in this constraint.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -2519,10 +2613,11 @@ module Aws::KMS
     class GrantConstraints < Struct.new(
       :encryption_context_subset,
       :encryption_context_equals)
+      SENSITIVE = []
       include Aws::Structure
     end
-    # Contains information about an entry in a list of grants.
+    # Contains information about a grant.
     #
     # @!attribute [rw] key_id
     #   The unique identifier for the customer master key (CMK) to which the
@@ -2544,7 +2639,18 @@ module Aws::KMS
     #   @return [Time]
     #
     # @!attribute [rw] grantee_principal
-    #   The principal that receives the grant's permissions.
+    #   The identity that gets the permissions in the grant.
+    #
+    #   The `GranteePrincipal` field in the `ListGrants` response usually
+    #   contains the user or role designated as the grantee principal in the
+    #   grant. However, when the grantee principal in the grant is an AWS
+    #   service, the `GranteePrincipal` field contains the [service
+    #   principal][1], which might represent several different grantee
+    #   principals.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -2576,6 +2682,7 @@ module Aws::KMS
       :issuing_account,
       :operations,
       :constraints)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2647,6 +2754,7 @@ module Aws::KMS
       :encrypted_key_material,
       :valid_to,
       :expiration_model)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2666,6 +2774,7 @@ module Aws::KMS
     #
     class IncorrectKeyException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2680,6 +2789,7 @@ module Aws::KMS
     #
     class IncorrectKeyMaterialException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2701,6 +2811,7 @@ module Aws::KMS
     #
     class IncorrectTrustAnchorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2714,6 +2825,7 @@ module Aws::KMS
     #
     class InvalidAliasNameException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2727,6 +2839,7 @@ module Aws::KMS
     #
     class InvalidArnException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2745,6 +2858,7 @@ module Aws::KMS
     #
     class InvalidCiphertextException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2757,6 +2871,7 @@ module Aws::KMS
     #
     class InvalidGrantIdException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2770,6 +2885,7 @@ module Aws::KMS
     #
     class InvalidGrantTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2783,6 +2899,7 @@ module Aws::KMS
     #
     class InvalidImportTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2810,6 +2927,7 @@ module Aws::KMS
     #
     class InvalidKeyUsageException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2823,6 +2941,7 @@ module Aws::KMS
     #
     class InvalidMarkerException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2836,6 +2955,7 @@ module Aws::KMS
     #
     class KMSInternalException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2851,6 +2971,7 @@ module Aws::KMS
     #
     class KMSInvalidSignatureException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2872,6 +2993,7 @@ module Aws::KMS
     #
     class KMSInvalidStateException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2890,6 +3012,7 @@ module Aws::KMS
     class KeyListEntry < Struct.new(
       :key_id,
       :key_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2930,15 +3053,19 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The cryptographic operations for which you can use the CMK.
+    #   The [cryptographic operations][1] for which you can use the CMK.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] key_state
-    #   The state of the CMK.
+    #   The current status of the CMK.
     #
     #   For more information about how key state affects the use of a CMK,
-    #   see [How Key State Affects the Use of a Customer Master Key][1] in
-    #   the *AWS Key Management Service Developer Guide*.
+    #   see [Key state: Effect on your CMK][1] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
@@ -3011,16 +3138,16 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
-    #   A list of encryption algorithms that the CMK supports. You cannot
-    #   use the CMK with other encryption algorithms within AWS KMS.
+    #   The encryption algorithms that the CMK supports. You cannot use the
+    #   CMK with other encryption algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithms
-    #   A list of signing algorithms that the CMK supports. You cannot use
-    #   the CMK with other signing algorithms within AWS KMS.
+    #   The signing algorithms that the CMK supports. You cannot use the CMK
+    #   with other signing algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `SIGN_VERIFY`.
@@ -3047,6 +3174,7 @@ module Aws::KMS
       :customer_master_key_spec,
       :encryption_algorithms,
       :signing_algorithms)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3060,6 +3188,7 @@ module Aws::KMS
     #
     class KeyUnavailableException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3078,6 +3207,7 @@ module Aws::KMS
     #
     class LimitExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3122,6 +3252,7 @@ module Aws::KMS
       :key_id,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3147,6 +3278,7 @@ module Aws::KMS
       :aliases,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3198,6 +3330,7 @@ module Aws::KMS
       :limit,
       :marker,
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3223,6 +3356,7 @@ module Aws::KMS
       :grants,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3275,6 +3409,7 @@ module Aws::KMS
       :key_id,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3300,6 +3435,7 @@ module Aws::KMS
       :policy_names,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3332,6 +3468,7 @@ module Aws::KMS
     class ListKeysRequest < Struct.new(
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3357,6 +3494,7 @@ module Aws::KMS
       :keys,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3409,6 +3547,7 @@ module Aws::KMS
       :key_id,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3436,6 +3575,7 @@ module Aws::KMS
       :tags,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3486,6 +3626,7 @@ module Aws::KMS
       :limit,
       :marker,
       :retiring_principal)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3499,6 +3640,7 @@ module Aws::KMS
     #
     class MalformedPolicyDocumentException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3512,6 +3654,7 @@ module Aws::KMS
     #
     class NotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3608,6 +3751,7 @@ module Aws::KMS
       :policy_name,
       :policy,
       :bypass_policy_lockout_safety_check)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3781,6 +3925,7 @@ module Aws::KMS
       :source_encryption_algorithm,
       :destination_encryption_algorithm,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3794,7 +3939,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Unique identifier of the CMK used to reencrypt the data.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   reencrypt the data.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] source_encryption_algorithm
@@ -3814,6 +3964,7 @@ module Aws::KMS
       :key_id,
       :source_encryption_algorithm,
       :destination_encryption_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3853,6 +4004,7 @@ module Aws::KMS
       :grant_token,
       :key_id,
       :grant_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3891,6 +4043,7 @@ module Aws::KMS
     class RevokeGrantRequest < Struct.new(
       :key_id,
       :grant_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3931,12 +4084,17 @@ module Aws::KMS
     class ScheduleKeyDeletionRequest < Struct.new(
       :key_id,
       :pending_window_in_days)
+      SENSITIVE = []
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The unique identifier of the customer master key (CMK) for which
-    #   deletion is scheduled.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
+    #   scheduled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
@@ -3949,6 +4107,7 @@ module Aws::KMS
     class ScheduleKeyDeletionResponse < Struct.new(
       :key_id,
       :deletion_date)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4029,12 +4188,17 @@ module Aws::KMS
       :message_type,
       :grant_tokens,
       :signing_algorithm)
+      SENSITIVE = [:message]
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name (ARN) of the asymmetric CMK that was used
-    #   to sign the message.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to sign the message.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature
@@ -4068,6 +4232,7 @@ module Aws::KMS
       :key_id,
       :signature,
       :signing_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4104,6 +4269,7 @@ module Aws::KMS
     class Tag < Struct.new(
       :tag_key,
       :tag_value)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4116,6 +4282,7 @@ module Aws::KMS
     #
     class TagException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4157,6 +4324,7 @@ module Aws::KMS
     class TagResourceRequest < Struct.new(
       :key_id,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4170,6 +4338,7 @@ module Aws::KMS
     #
     class UnsupportedOperationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4206,6 +4375,7 @@ module Aws::KMS
     class UntagResourceRequest < Struct.new(
       :key_id,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4254,6 +4424,7 @@ module Aws::KMS
     class UpdateAliasRequest < Struct.new(
       :alias_name,
       :target_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4313,6 +4484,7 @@ module Aws::KMS
       :new_custom_key_store_name,
       :key_store_password,
       :cloud_hsm_cluster_id)
+      SENSITIVE = [:key_store_password]
       include Aws::Structure
     end
@@ -4353,6 +4525,7 @@ module Aws::KMS
     class UpdateKeyDescriptionRequest < Struct.new(
       :key_id,
       :description)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4444,12 +4617,17 @@ module Aws::KMS
       :signature,
       :signing_algorithm,
       :grant_tokens)
+      SENSITIVE = [:message]
       include Aws::Structure
     end
     # @!attribute [rw] key_id
-    #   The unique identifier for the asymmetric CMK that was used to verify
-    #   the signature.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to verify the signature.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature_valid
@@ -4470,6 +4648,7 @@ module Aws::KMS
       :key_id,
       :signature_valid,
       :signing_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end