aws-sdk-kms 1.32.0 → 1.33.0

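--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 429d3556c6ee6342d08a47f751e42a23793659d358624e577d274986f58627ef
- data.tar.gz: 7c5044014048141ca656e23cb3bea94088c46cfd599e21dbbec4527fadedf0cd
+ metadata.gz: d4e112f00791aa0e345fbcdc072a47a194819797673c861ec6a24a5677a18ce4
+ data.tar.gz: 6ddeb2ce04dc1eb8a04e2a5aa5fb70b7ae21d1ba82b1264b983a8bc5383f920f
  SHA512:
- metadata.gz: b4f4e02a1259bb6b804089bf8666ef9430be50deae769ee10d95ead6d50ab1ab11c9dc1f820b74bff70208c933edc1c169b5d30c17772957b3ae85ce9e470544
- data.tar.gz: ebb3e1f0e58e309e16bd5b12a2b8612533b71c2e890da215adf67df84011c9d99b1fc4def32d968f04870c623ddc04b1464e930f8d92f437e404308ef6867e5c
+ metadata.gz: 144354c2e93fd55c5030c48b25fb29ff8fd6dd2438407ab4d90b82bec8d0d54e5bd9a5f20be66b7314966e9d15a6591f89865b1ab8567892a5d7c5233f1e9a22
+ data.tar.gz: 16ed20ef755168ba9820ebaec3b7327234760dbbd77d25eb84cf9394b18792318e862618befdcfdb653f82914c25e8cc538d457368415c5d22411af85cd83f40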
@@ -45,6 +45,6 @@ require_relative 'aws-sdk-kms/customizations'
45
45
  # @service
46
46
  module Aws::KMS
47
47
 
48
- GEM_VERSION = '1.32.0'
48
+ GEM_VERSION = '1.33.0'
49
49
 
50
50
  end
@@ -460,9 +460,9 @@ module Aws::KMS
460
460
  end
461
461
 
462
462
  # Creates a display name for a customer managed customer master key
463
- # (CMK). You can use an alias to identify a CMK in cryptographic
464
- # operations, such as Encrypt and GenerateDataKey. You can change the
465
- # CMK associated with the alias at any time.
463
+ # (CMK). You can use an alias to identify a CMK in [cryptographic
464
+ # operations][1], such as Encrypt and GenerateDataKey. You can change
465
+ # the CMK associated with the alias at any time.
466
466
  #
467
467
  # Aliases are easier to remember than key IDs. They can also help to
468
468
  # simplify your applications. For example, if you use an alias in your
@@ -486,8 +486,8 @@ module Aws::KMS
486
486
  #
487
487
  # * You can associate an alias with any customer managed CMK in the same
488
488
  # AWS account and Region. However, you do not have permission to
489
- # associate an alias with an [AWS managed CMK][1] or an [AWS owned
490
- # CMK][2].
489
+ # associate an alias with an [AWS managed CMK][2] or an [AWS owned
490
+ # CMK][3].
491
491
  #
492
492
  # * To change the CMK associated with an alias, use the UpdateAlias
493
493
  # operation. The current CMK and the new CMK must be the same type
@@ -499,7 +499,7 @@ module Aws::KMS
499
499
  # `alias/ExampleAlias`. It can contain only alphanumeric characters,
500
500
  # forward slashes (/), underscores (\_), and dashes (-). The alias
501
501
  # name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
502
- # reserved for [AWS managed CMKs][1].
502
+ # reserved for [AWS managed CMKs][2].
503
503
  #
504
504
  # * The alias name must be unique within an AWS Region. However, you can
505
505
  # use the same alias name in multiple Regions of the same AWS account.
@@ -510,12 +510,12 @@ module Aws::KMS
510
510
  # and then create a new alias with the desired name.
511
511
  #
512
512
  # * You can use an alias name or alias ARN to identify a CMK in AWS KMS
513
- # cryptographic operations and in the DescribeKey operation. However,
514
- # you cannot use alias names or alias ARNs in API operations that
515
- # manage CMKs, such as DisableKey or GetKeyPolicy. For information
516
- # about the valid CMK identifiers for each AWS KMS API operation, see
517
- # the descriptions of the `KeyId` parameter in the API operation
518
- # documentation.
513
+ # [cryptographic operations][1] and in the DescribeKey operation.
514
+ # However, you cannot use alias names or alias ARNs in API operations
515
+ # that manage CMKs, such as DisableKey or GetKeyPolicy. For
516
+ # information about the valid CMK identifiers for each AWS KMS API
517
+ # operation, see the descriptions of the `KeyId` parameter in the API
518
+ # operation documentation.
519
519
  #
520
520
  # Because an alias is not a property of a CMK, you can delete and change
521
521
  # the aliases of a CMK without affecting the CMK. Also, aliases do not
@@ -525,13 +525,14 @@ module Aws::KMS
525
525
  #
526
526
  # The CMK that you use for this operation must be in a compatible key
527
527
  # state. For details, see [How Key State Affects Use of a Customer
528
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
528
+ # Master Key][4] in the *AWS Key Management Service Developer Guide*.
529
529
  #
530
530
  #
531
531
  #
532
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
533
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
534
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
532
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
533
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
534
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
535
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
535
536
  #
536
537
  # @option params [required, String] :alias_name
537
538
  # Specifies the alias name. This value must begin with `alias/` followed
@@ -677,8 +678,8 @@ module Aws::KMS
677
678
  # grant are met. When setting permissions, grants are an alternative to
678
679
  # key policies.
679
680
  #
680
- # To create a grant that allows a cryptographic operation only when the
681
- # request includes a particular [encryption context][1], use the
681
+ # To create a grant that allows a [cryptographic operation][1] only when
682
+ # the request includes a particular [encryption context][2], use the
682
683
  # `Constraints` parameter. For details, see GrantConstraints.
683
684
  #
684
685
  # You can create grants on symmetric and asymmetric CMKs. However, if
@@ -693,9 +694,9 @@ module Aws::KMS
693
694
  #
694
695
  # * Grants for asymmetric CMKs cannot allow operations that are not
695
696
  # supported for asymmetric CMKs, including operations that [generate
696
- # data keys][2] or [data key pairs][3], or operations related to
697
- # [automatic key rotation][4], [imported key material][5], or CMKs in
698
- # [custom key stores][6].
697
+ # data keys][3] or [data key pairs][4], or operations related to
698
+ # [automatic key rotation][5], [imported key material][6], or CMKs in
699
+ # [custom key stores][7].
699
700
  #
700
701
  # * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
701
702
  # cannot allow the Sign or Verify operations. Grants for asymmetric
@@ -707,29 +708,30 @@ module Aws::KMS
707
708
  # asymmetric CMKs.
708
709
  #
709
710
  # For information about symmetric and asymmetric CMKs, see [Using
710
- # Symmetric and Asymmetric CMKs][7] in the *AWS Key Management Service
711
+ # Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
711
712
  # Developer Guide*.
712
713
  #
713
714
  # To perform this operation on a CMK in a different AWS account, specify
714
715
  # the key ARN in the value of the `KeyId` parameter. For more
715
- # information about grants, see [Grants][8] in the <i> <i>AWS Key
716
+ # information about grants, see [Grants][9] in the <i> <i>AWS Key
716
717
  # Management Service Developer Guide</i> </i>.
717
718
  #
718
719
  # The CMK that you use for this operation must be in a compatible key
719
720
  # state. For details, see [How Key State Affects Use of a Customer
720
- # Master Key][9] in the *AWS Key Management Service Developer Guide*.
721
+ # Master Key][10] in the *AWS Key Management Service Developer Guide*.
721
722
  #
722
723
  #
723
724
  #
724
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
725
- # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
726
- # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
727
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
728
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
729
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
730
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
731
- # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
732
- # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
725
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
726
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
727
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
728
+ # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
729
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
730
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
731
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
732
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
733
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
734
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
733
735
  #
734
736
  # @option params [required, String] :key_id
735
737
  # The unique identifier for the customer master key (CMK) that the grant
@@ -783,15 +785,16 @@ module Aws::KMS
783
785
  # A list of operations that the grant permits.
784
786
  #
785
787
  # @option params [Types::GrantConstraints] :constraints
786
- # Allows a cryptographic operation only when the encryption context
788
+ # Allows a [cryptographic operation][1] only when the encryption context
787
789
  # matches or includes the encryption context specified in this
788
790
  # structure. For more information about encryption context, see
789
- # [Encryption Context][1] in the <i> <i>AWS Key Management Service
791
+ # [Encryption Context][2] in the <i> <i>AWS Key Management Service
790
792
  # Developer Guide</i> </i>.
791
793
  #
792
794
  #
793
795
  #
794
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
796
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
797
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
795
798
  #
796
799
  # @option params [Array<String>] :grant_tokens
797
800
  # A list of grant tokens.
@@ -1006,10 +1009,10 @@ module Aws::KMS
1006
1009
  # for a task.
1007
1010
  #
1008
1011
  # @option params [String] :key_usage
1009
- # Determines the cryptographic operations for which you can use the CMK.
1010
- # The default value is `ENCRYPT_DECRYPT`. This parameter is required
1011
- # only for asymmetric CMKs. You can't change the `KeyUsage` value after
1012
- # the CMK is created.
1012
+ # Determines the [cryptographic operations][1] for which you can use the
1013
+ # CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
1014
+ # required only for asymmetric CMKs. You can't change the `KeyUsage`
1015
+ # value after the CMK is created.
1013
1016
  #
1014
1017
  # Select only one valid value.
1015
1018
  #
@@ -1020,6 +1023,10 @@ module Aws::KMS
1020
1023
  #
1021
1024
  # * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
1022
1025
  #
1026
+ #
1027
+ #
1028
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1029
+ #
1023
1030
  # @option params [String] :customer_master_key_spec
1024
1031
  # Specifies the type of CMK to create. The default value,
1025
1032
  # `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
@@ -1310,9 +1317,9 @@ module Aws::KMS
1310
1317
  #
1311
1318
  # @option params [Hash<String,String>] :encryption_context
1312
1319
  # Specifies the encryption context to use when decrypting the data. An
1313
- # encryption context is valid only for cryptographic operations with a
1314
- # symmetric CMK. The standard asymmetric encryption algorithms that AWS
1315
- # KMS uses do not support an encryption context.
1320
+ # encryption context is valid only for [cryptographic operations][1]
1321
+ # with a symmetric CMK. The standard asymmetric encryption algorithms
1322
+ # that AWS KMS uses do not support an encryption context.
1316
1323
  #
1317
1324
  # An *encryption context* is a collection of non-secret key-value pairs
1318
1325
  # that represents additional authenticated data. When you use an
@@ -1321,12 +1328,13 @@ module Aws::KMS
1321
1328
  # encryption context is optional when encrypting with a symmetric CMK,
1322
1329
  # but it is highly recommended.
1323
1330
  #
1324
- # For more information, see [Encryption Context][1] in the *AWS Key
1331
+ # For more information, see [Encryption Context][2] in the *AWS Key
1325
1332
  # Management Service Developer Guide*.
1326
1333
  #
1327
1334
  #
1328
1335
  #
1329
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1336
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1337
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1330
1338
  #
1331
1339
  # @option params [Array<String>] :grant_tokens
1332
1340
  # A list of grant tokens.
@@ -1479,13 +1487,13 @@ module Aws::KMS
1479
1487
  # The custom key store that you delete cannot contain any AWS KMS
1480
1488
  # [customer master keys (CMKs)][2]. Before deleting the key store,
1481
1489
  # verify that you will never need to use any of the CMKs in the key
1482
- # store for any cryptographic operations. Then, use ScheduleKeyDeletion
1483
- # to delete the AWS KMS customer master keys (CMKs) from the key store.
1484
- # When the scheduled waiting period expires, the `ScheduleKeyDeletion`
1485
- # operation deletes the CMKs. Then it makes a best effort to delete the
1486
- # key material from the associated cluster. However, you might need to
1487
- # manually [delete the orphaned key material][3] from the cluster and
1488
- # its backups.
1490
+ # store for any [cryptographic operations][3]. Then, use
1491
+ # ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs)
1492
+ # from the key store. When the scheduled waiting period expires, the
1493
+ # `ScheduleKeyDeletion` operation deletes the CMKs. Then it makes a best
1494
+ # effort to delete the key material from the associated cluster.
1495
+ # However, you might need to manually [delete the orphaned key
1496
+ # material][4] from the cluster and its backups.
1489
1497
  #
1490
1498
  # After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
1491
1499
  # to disconnect the key store from AWS KMS. Then, you can delete the
@@ -1508,7 +1516,8 @@ module Aws::KMS
1508
1516
  #
1509
1517
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1510
1518
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
1511
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
1519
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1520
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
1512
1521
  #
1513
1522
  # @option params [required, String] :custom_key_store_id
1514
1523
  # Enter the ID of the custom key store you want to delete. To find the
@@ -1848,20 +1857,21 @@ module Aws::KMS
1848
1857
  end
1849
1858
 
1850
1859
  # Sets the state of a customer master key (CMK) to disabled, thereby
1851
- # preventing its use for cryptographic operations. You cannot perform
1852
- # this operation on a CMK in a different AWS account.
1860
+ # preventing its use for [cryptographic operations][1]. You cannot
1861
+ # perform this operation on a CMK in a different AWS account.
1853
1862
  #
1854
1863
  # For more information about how key state affects the use of a CMK, see
1855
- # [How Key State Affects the Use of a Customer Master Key][1] in the <i>
1864
+ # [How Key State Affects the Use of a Customer Master Key][2] in the <i>
1856
1865
  # <i>AWS Key Management Service Developer Guide</i> </i>.
1857
1866
  #
1858
1867
  # The CMK that you use for this operation must be in a compatible key
1859
1868
  # state. For details, see [How Key State Affects Use of a Customer
1860
- # Master Key][1] in the *AWS Key Management Service Developer Guide*.
1869
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
1861
1870
  #
1862
1871
  #
1863
1872
  #
1864
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1873
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1874
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1865
1875
  #
1866
1876
  # @option params [required, String] :key_id
1867
1877
  # A unique identifier for the customer master key (CMK).
@@ -1976,8 +1986,8 @@ module Aws::KMS
1976
1986
  #
1977
1987
  # <note markdown="1"> While a custom key store is disconnected, all attempts to create
1978
1988
  # customer master keys (CMKs) in the custom key store or to use existing
1979
- # CMKs in cryptographic operations will fail. This action can prevent
1980
- # users from storing and accessing sensitive data.
1989
+ # CMKs in [cryptographic operations][2] will fail. This action can
1990
+ # prevent users from storing and accessing sensitive data.
1981
1991
  #
1982
1992
  # </note>
1983
1993
  #
@@ -1997,6 +2007,7 @@ module Aws::KMS
1997
2007
  #
1998
2008
  #
1999
2009
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2010
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2000
2011
  #
2001
2012
  # @option params [required, String] :custom_key_store_id
2002
2013
  # Enter the ID of the custom key store you want to disconnect. To find
@@ -2021,16 +2032,17 @@ module Aws::KMS
2021
2032
  end
2022
2033
 
2023
2034
  # Sets the key state of a customer master key (CMK) to enabled. This
2024
- # allows you to use the CMK for cryptographic operations. You cannot
2025
- # perform this operation on a CMK in a different AWS account.
2035
+ # allows you to use the CMK for [cryptographic operations][1]. You
2036
+ # cannot perform this operation on a CMK in a different AWS account.
2026
2037
  #
2027
2038
  # The CMK that you use for this operation must be in a compatible key
2028
2039
  # state. For details, see [How Key State Affects Use of a Customer
2029
- # Master Key][1] in the *AWS Key Management Service Developer Guide*.
2040
+ # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2030
2041
  #
2031
2042
  #
2032
2043
  #
2033
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2044
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2045
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2034
2046
  #
2035
2047
  # @option params [required, String] :key_id
2036
2048
  # A unique identifier for the customer master key (CMK).
@@ -2142,11 +2154,13 @@ module Aws::KMS
2142
2154
  # identifier or database password, or other sensitive information.
2143
2155
  #
2144
2156
  # * You can use the `Encrypt` operation to move encrypted data from one
2145
- # AWS region to another. In the first region, generate a data key and
2146
- # use the plaintext key to encrypt the data. Then, in the new region,
2147
- # call the `Encrypt` method on same plaintext data key. Now, you can
2148
- # safely move the encrypted data and encrypted data key to the new
2149
- # region, and decrypt in the new region when necessary.
2157
+ # AWS Region to another. For example, in Region A, generate a data key
2158
+ # and use the plaintext key to encrypt your data. Then, in Region A,
2159
+ # use the `Encrypt` operation to encrypt the plaintext data key under
2160
+ # a CMK in Region B. Now, you can move the encrypted data and the
2161
+ # encrypted data key to Region B. When necessary, you can decrypt the
2162
+ # encrypted data key and the encrypted data entirely within in Region
2163
+ # B.
2150
2164
  #
2151
2165
  # You don't need to use the `Encrypt` operation to encrypt a data key.
2152
2166
  # The GenerateDataKey and GenerateDataKeyPair operations return a
@@ -2246,9 +2260,10 @@ module Aws::KMS
2246
2260
  #
2247
2261
  # @option params [Hash<String,String>] :encryption_context
2248
2262
  # Specifies the encryption context that will be used to encrypt the
2249
- # data. An encryption context is valid only for cryptographic operations
2250
- # with a symmetric CMK. The standard asymmetric encryption algorithms
2251
- # that AWS KMS uses do not support an encryption context.
2263
+ # data. An encryption context is valid only for [cryptographic
2264
+ # operations][1] with a symmetric CMK. The standard asymmetric
2265
+ # encryption algorithms that AWS KMS uses do not support an encryption
2266
+ # context.
2252
2267
  #
2253
2268
  # An *encryption context* is a collection of non-secret key-value pairs
2254
2269
  # that represents additional authenticated data. When you use an
@@ -2257,12 +2272,13 @@ module Aws::KMS
2257
2272
  # encryption context is optional when encrypting with a symmetric CMK,
2258
2273
  # but it is highly recommended.
2259
2274
  #
2260
- # For more information, see [Encryption Context][1] in the *AWS Key
2275
+ # For more information, see [Encryption Context][2] in the *AWS Key
2261
2276
  # Management Service Developer Guide*.
2262
2277
  #
2263
2278
  #
2264
2279
  #
2265
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2280
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2281
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2266
2282
  #
2267
2283
  # @option params [Array<String>] :grant_tokens
2268
2284
  # A list of grant tokens.
@@ -2333,28 +2349,22 @@ module Aws::KMS
2333
2349
  req.send_request(options)
2334
2350
  end
2335
2351
 
2336
- # Generates a unique symmetric data key. This operation returns a
2337
- # plaintext copy of the data key and a copy that is encrypted under a
2338
- # customer master key (CMK) that you specify. You can use the plaintext
2339
- # key to encrypt your data outside of AWS KMS and store the encrypted
2340
- # data key with the encrypted data.
2352
+ # Generates a unique symmetric data key for client-side encryption. This
2353
+ # operation returns a plaintext copy of the data key and a copy that is
2354
+ # encrypted under a customer master key (CMK) that you specify. You can
2355
+ # use the plaintext key to encrypt your data outside of AWS KMS and
2356
+ # store the encrypted data key with the encrypted data.
2341
2357
  #
2342
2358
  # `GenerateDataKey` returns a unique data key for each request. The
2343
- # bytes in the key are not related to the caller or CMK that is used to
2344
- # encrypt the data key.
2359
+ # bytes in the plaintext key are not related to the caller or the CMK.
2345
2360
  #
2346
2361
  # To generate a data key, specify the symmetric CMK that will be used to
2347
2362
  # encrypt the data key. You cannot use an asymmetric CMK to generate
2348
2363
  # data keys. To get the type of your CMK, use the DescribeKey operation.
2349
- #
2350
2364
  # You must also specify the length of the data key. Use either the
2351
2365
  # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
2352
2366
  # and 256-bit data keys, use the `KeySpec` parameter.
2353
2367
  #
2354
- # If the operation succeeds, the plaintext copy of the data key is in
2355
- # the `Plaintext` field of the response, and the encrypted copy of the
2356
- # data key in the `CiphertextBlob` field.
2357
- #
2358
2368
  # To get only an encrypted copy of the data key, use
2359
2369
  # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
2360
2370
  # pair, use the GenerateDataKeyPair or
@@ -2365,7 +2375,7 @@ module Aws::KMS
2365
2375
  # to the encryption operation. If you specify an `EncryptionContext`,
2366
2376
  # you must specify the same encryption context (a case-sensitive exact
2367
2377
  # match) when decrypting the encrypted data key. Otherwise, the request
2368
- # to decrypt fails with an InvalidCiphertextException. For more
2378
+ # to decrypt fails with an `InvalidCiphertextException`. For more
2369
2379
  # information, see [Encryption Context][1] in the *AWS Key Management
2370
2380
  # Service Developer Guide*.
2371
2381
  #
@@ -2373,30 +2383,40 @@ module Aws::KMS
2373
2383
  # state. For details, see [How Key State Affects Use of a Customer
2374
2384
  # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2375
2385
  #
2386
+ # **How to use your data key**
2387
+ #
2376
2388
  # We recommend that you use the following pattern to encrypt data
2377
- # locally in your application:
2389
+ # locally in your application. You can write your own code or use a
2390
+ # client-side encryption library, such as the [AWS Encryption SDK][3],
2391
+ # the [Amazon DynamoDB Encryption Client][4], or [Amazon S3 client-side
2392
+ # encryption][5] to do these tasks for you.
2378
2393
  #
2379
- # 1. Use the `GenerateDataKey` operation to get a data encryption key.
2394
+ # To encrypt data outside of AWS KMS:
2380
2395
  #
2381
- # 2. Use the plaintext data key (returned in the `Plaintext` field of
2382
- # the response) to encrypt data locally, then erase the plaintext
2383
- # data key from memory.
2396
+ # 1. Use the `GenerateDataKey` operation to get a data key.
2397
+ #
2398
+ # 2. Use the plaintext data key (in the `Plaintext` field of the
2399
+ # response) to encrypt your data outside of AWS KMS. Then erase the
2400
+ # plaintext data key from memory.
2384
2401
  #
2385
- # 3. Store the encrypted data key (returned in the `CiphertextBlob`
2386
- # field of the response) alongside the locally encrypted data.
2402
+ # 3. Store the encrypted data key (in the `CiphertextBlob` field of the
2403
+ # response) with the encrypted data.
2387
2404
  #
2388
- # To decrypt data locally:
2405
+ # To decrypt data outside of AWS KMS:
2389
2406
  #
2390
2407
  # 1. Use the Decrypt operation to decrypt the encrypted data key. The
2391
2408
  # operation returns a plaintext copy of the data key.
2392
2409
  #
2393
- # 2. Use the plaintext data key to decrypt data locally, then erase the
2394
- # plaintext data key from memory.
2410
+ # 2. Use the plaintext data key to decrypt data outside of AWS KMS,
2411
+ # then erase the plaintext data key from memory.
2395
2412
  #
2396
2413
  #
2397
2414
  #
2398
2415
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2399
2416
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2417
+ # [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
2418
+ # [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
2419
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
2400
2420
  #
2401
2421
  # @option params [required, String] :key_id
2402
2422
  # Identifies the symmetric CMK that encrypts the data key.
@@ -2534,8 +2554,8 @@ module Aws::KMS
2534
2554
  #
2535
2555
  # To generate a data key pair, you must specify a symmetric customer
2536
2556
  # master key (CMK) to encrypt the private key in a data key pair. You
2537
- # cannot use an asymmetric CMK. To get the type of your CMK, use the
2538
- # DescribeKey operation.
2557
+ # cannot use an asymmetric CMK or a CMK in a custom key store. To get
2558
+ # the type and origin of your CMK, use the DescribeKey operation.
2539
2559
  #
2540
2560
  # If you are using the data key pair to encrypt data, or for any
2541
2561
  # operation where you don't immediately need a private key, consider
@@ -2550,7 +2570,7 @@ module Aws::KMS
2550
2570
  # to the encryption operation. If you specify an `EncryptionContext`,
2551
2571
  # you must specify the same encryption context (a case-sensitive exact
2552
2572
  # match) when decrypting the encrypted data key. Otherwise, the request
2553
- # to decrypt fails with an InvalidCiphertextException. For more
2573
+ # to decrypt fails with an `InvalidCiphertextException`. For more
2554
2574
  # information, see [Encryption Context][1] in the *AWS Key Management
2555
2575
  # Service Developer Guide*.
2556
2576
  #
@@ -2583,7 +2603,9 @@ module Aws::KMS
2583
2603
  #
2584
2604
  # @option params [required, String] :key_id
2585
2605
  # Specifies the symmetric CMK that encrypts the private key in the data
2586
- # key pair. You cannot specify an asymmetric CMKs.
2606
+ # key pair. You cannot specify an asymmetric CMK or a CMK in a custom
2607
+ # key store. To get the type and origin of your CMK, use the DescribeKey
2608
+ # operation.
2587
2609
  #
2588
2610
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2589
2611
  # name, or alias ARN. When using an alias name, prefix it with
@@ -2666,8 +2688,9 @@ module Aws::KMS
2666
2688
  #
2667
2689
  # To generate a data key pair, you must specify a symmetric customer
2668
2690
  # master key (CMK) to encrypt the private key in the data key pair. You
2669
- # cannot use an asymmetric CMK. To get the type of your CMK, use the
2670
- # `KeySpec` field in the DescribeKey response.
2691
+ # cannot use an asymmetric CMK or a CMK in a custom key store. To get
2692
+ # the type and origin of your CMK, use the `KeySpec` field in the
2693
+ # DescribeKey response.
2671
2694
  #
2672
2695
  # You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
2673
2696
  # returns to encrypt data or verify a signature outside of AWS KMS.
@@ -2683,7 +2706,7 @@ module Aws::KMS
2683
2706
  # to the encryption operation. If you specify an `EncryptionContext`,
2684
2707
  # you must specify the same encryption context (a case-sensitive exact
2685
2708
  # match) when decrypting the encrypted data key. Otherwise, the request
2686
- # to decrypt fails with an InvalidCiphertextException. For more
2709
+ # to decrypt fails with an `InvalidCiphertextException`. For more
2687
2710
  # information, see [Encryption Context][1] in the *AWS Key Management
2688
2711
  # Service Developer Guide*.
2689
2712
  #
@@ -2716,8 +2739,9 @@ module Aws::KMS
2716
2739
  #
2717
2740
  # @option params [required, String] :key_id
2718
2741
  # Specifies the CMK that encrypts the private key in the data key pair.
2719
- # You must specify a symmetric CMK. You cannot use an asymmetric CMK. To
2720
- # get the type of your CMK, use the DescribeKey operation.
2742
+ # You must specify a symmetric CMK. You cannot use an asymmetric CMK or
2743
+ # a CMK in a custom key store. To get the type and origin of your CMK,
2744
+ # use the DescribeKey operation.
2721
2745
  #
2722
2746
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2723
2747
  # name, or alias ARN. When using an alias name, prefix it with
@@ -2826,7 +2850,7 @@ module Aws::KMS
2826
2850
  # to the encryption operation. If you specify an `EncryptionContext`,
2827
2851
  # you must specify the same encryption context (a case-sensitive exact
2828
2852
  # match) when decrypting the encrypted data key. Otherwise, the request
2829
- # to decrypt fails with an InvalidCiphertextException. For more
2853
+ # to decrypt fails with an `InvalidCiphertextException`. For more
2830
2854
  # information, see [Encryption Context][1] in the *AWS Key Management
2831
2855
  # Service Developer Guide*.
2832
2856
  #
@@ -3660,6 +3684,19 @@ module Aws::KMS
3660
3684
  # To perform this operation on a CMK in a different AWS account, specify
3661
3685
  # the key ARN in the value of the `KeyId` parameter.
3662
3686
  #
3687
+ # <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
3688
+ # contains the user or role designated as the grantee principal in the
3689
+ # grant. However, when the grantee principal in the grant is an AWS
3690
+ # service, the `GranteePrincipal` field contains the [service
3691
+ # principal][1], which might represent several different grantee
3692
+ # principals.
3693
+ #
3694
+ # </note>
3695
+ #
3696
+ #
3697
+ #
3698
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
3699
+ #
3663
3700
  # @option params [Integer] :limit
3664
3701
  # Use this parameter to specify the maximum number of items to return.
3665
3702
  # When this value is present, AWS KMS does not return more than the
@@ -4289,16 +4326,16 @@ module Aws::KMS
4289
4326
  # under which data is encrypted, such as when you [manually rotate][1] a
4290
4327
  # CMK or change the CMK that protects a ciphertext. You can also use it
4291
4328
  # to reencrypt ciphertext under the same CMK, such as to change the
4292
- # encryption context of a ciphertext.
4329
+ # [encryption context][2] of a ciphertext.
4293
4330
  #
4294
4331
  # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
4295
4332
  # using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
4296
4333
  # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
4297
- # using the public key of an asymmetric CMK outside of AWS KMS. However,
4298
- # it cannot decrypt ciphertext produced by other libraries, such as the
4299
- # [AWS Encryption SDK][2] or [Amazon S3 client-side encryption][3].
4300
- # These libraries return a ciphertext format that is incompatible with
4301
- # AWS KMS.
4334
+ # using the public key of an [asymmetric CMK][3] outside of AWS KMS.
4335
+ # However, it cannot decrypt ciphertext produced by other libraries,
4336
+ # such as the [AWS Encryption SDK][4] or [Amazon S3 client-side
4337
+ # encryption][5]. These libraries return a ciphertext format that is
4338
+ # incompatible with AWS KMS.
4302
4339
  #
4303
4340
  # When you use the `ReEncrypt` operation, you need to provide
4304
4341
  # information for the decrypt operation and the subsequent encrypt
@@ -4336,29 +4373,30 @@ module Aws::KMS
4336
4373
  # Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
4337
4374
  # permissions:
4338
4375
  #
4339
- # * `kms:EncryptFrom` permission on the source CMK
4340
- #
4341
- # * `kms:EncryptTo` permission on the destination CMK
4376
+ # * `kms:ReEncryptFrom` permission on the source CMK
4342
4377
  #
4343
- # To permit reencryption from
4378
+ # * `kms:ReEncryptTo` permission on the destination CMK
4344
4379
  #
4345
- # or to a CMK, include the `"kms:ReEncrypt*"` permission in your [key
4346
- # policy][4]. This permission is automatically included in the key
4347
- # policy when you use the console to create a CMK. But you must include
4348
- # it manually when you create a CMK programmatically or when you use the
4349
- # PutKeyPolicy operation set a key policy.
4380
+ # To permit reencryption from or to a CMK, include the
4381
+ # `"kms:ReEncrypt*"` permission in your [key policy][6]. This permission
4382
+ # is automatically included in the key policy when you use the console
4383
+ # to create a CMK. But you must include it manually when you create a
4384
+ # CMK programmatically or when you use the PutKeyPolicy operation to set
4385
+ # a key policy.
4350
4386
  #
4351
4387
  # The CMK that you use for this operation must be in a compatible key
4352
4388
  # state. For details, see [How Key State Affects Use of a Customer
4353
- # Master Key][5] in the *AWS Key Management Service Developer Guide*.
4389
+ # Master Key][7] in the *AWS Key Management Service Developer Guide*.
4354
4390
  #
4355
4391
  #
4356
4392
  #
4357
4393
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
4358
- # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
4359
- # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
4360
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4361
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4394
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
4395
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
4396
+ # [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
4397
+ # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
4398
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4399
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4362
4400
  #
4363
4401
  # @option params [required, String, IO] :ciphertext_blob
4364
4402
  # Ciphertext of the data to reencrypt.
@@ -5437,7 +5475,7 @@ module Aws::KMS
5437
5475
  params: params,
5438
5476
  config: config)
5439
5477
  context[:gem_name] = 'aws-sdk-kms'
5440
- context[:gem_version] = '1.32.0'
5478
+ context[:gem_version] = '1.33.0'
5441
5479
  Seahorse::Client::Request.new(handlers, context)
5442
5480
  end
5443
5481
 
@@ -1032,6 +1032,7 @@ module Aws::KMS
1032
1032
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1033
1033
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1034
1034
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1035
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1035
1036
  end)
1036
1037
 
1037
1038
  api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1048,6 +1049,7 @@ module Aws::KMS
1048
1049
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1049
1050
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1050
1051
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1052
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1051
1053
  end)
1052
1054
 
1053
1055
  api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1387,6 +1389,7 @@ module Aws::KMS
1387
1389
  o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1388
1390
  o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1389
1391
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1392
+ o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
1390
1393
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1391
1394
  end)
1392
1395
 
@@ -76,8 +76,12 @@ module Aws::KMS
76
76
  end
77
77
 
78
78
  # @!attribute [rw] key_id
79
- # The unique identifier of the master key for which deletion is
79
+ # The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
80
80
  # canceled.
81
+ #
82
+ #
83
+ #
84
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
81
85
  # @return [String]
82
86
  #
83
87
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
@@ -433,15 +437,16 @@ module Aws::KMS
433
437
  # @return [Array<String>]
434
438
  #
435
439
  # @!attribute [rw] constraints
436
- # Allows a cryptographic operation only when the encryption context
437
- # matches or includes the encryption context specified in this
440
+ # Allows a [cryptographic operation][1] only when the encryption
441
+ # context matches or includes the encryption context specified in this
438
442
  # structure. For more information about encryption context, see
439
- # [Encryption Context][1] in the <i> <i>AWS Key Management Service
443
+ # [Encryption Context][2] in the <i> <i>AWS Key Management Service
440
444
  # Developer Guide</i> </i>.
441
445
  #
442
446
  #
443
447
  #
444
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
448
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
449
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
445
450
  # @return [Types::GrantConstraints]
446
451
  #
447
452
  # @!attribute [rw] grant_tokens
@@ -575,8 +580,8 @@ module Aws::KMS
575
580
  # @return [String]
576
581
  #
577
582
  # @!attribute [rw] key_usage
578
- # Determines the cryptographic operations for which you can use the
579
- # CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
583
+ # Determines the [cryptographic operations][1] for which you can use
584
+ # the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
580
585
  # required only for asymmetric CMKs. You can't change the `KeyUsage`
581
586
  # value after the CMK is created.
582
587
  #
@@ -589,6 +594,10 @@ module Aws::KMS
589
594
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
590
595
  #
591
596
  # * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
597
+ #
598
+ #
599
+ #
600
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
592
601
  # @return [String]
593
602
  #
594
603
  # @!attribute [rw] customer_master_key_spec
@@ -922,12 +931,13 @@ module Aws::KMS
922
931
  #
923
932
  # * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
924
933
  # configuration was deleted. If AWS KMS cannot find all of the
925
- # subnets that were configured for the cluster when the custom key
926
- # store was created, attempts to connect fail. To fix this error,
927
- # create a cluster from a backup and associate it with your custom
928
- # key store. This process includes selecting a VPC and subnets. For
929
- # details, see [How to Fix a Connection Failure][1] in the *AWS Key
930
- # Management Service Developer Guide*.
934
+ # subnets in the cluster configuration, attempts to connect the
935
+ # custom key store to the AWS CloudHSM cluster fail. To fix this
936
+ # error, create a cluster from a recent backup and associate it with
937
+ # your custom key store. (This process creates a new cluster
938
+ # configuration with a VPC and private subnets.) For details, see
939
+ # [How to Fix a Connection Failure][1] in the *AWS Key Management
940
+ # Service Developer Guide*.
931
941
  #
932
942
  # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
933
943
  # associated AWS CloudHSM cluster due to too many failed password
@@ -993,9 +1003,9 @@ module Aws::KMS
993
1003
  #
994
1004
  # @!attribute [rw] encryption_context
995
1005
  # Specifies the encryption context to use when decrypting the data. An
996
- # encryption context is valid only for cryptographic operations with a
997
- # symmetric CMK. The standard asymmetric encryption algorithms that
998
- # AWS KMS uses do not support an encryption context.
1006
+ # encryption context is valid only for [cryptographic operations][1]
1007
+ # with a symmetric CMK. The standard asymmetric encryption algorithms
1008
+ # that AWS KMS uses do not support an encryption context.
999
1009
  #
1000
1010
  # An *encryption context* is a collection of non-secret key-value
1001
1011
  # pairs that represents additional authenticated data. When you use an
@@ -1004,12 +1014,13 @@ module Aws::KMS
1004
1014
  # An encryption context is optional when encrypting with a symmetric
1005
1015
  # CMK, but it is highly recommended.
1006
1016
  #
1007
- # For more information, see [Encryption Context][1] in the *AWS Key
1017
+ # For more information, see [Encryption Context][2] in the *AWS Key
1008
1018
  # Management Service Developer Guide*.
1009
1019
  #
1010
1020
  #
1011
1021
  #
1012
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1022
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1023
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1013
1024
  # @return [Hash<String,String>]
1014
1025
  #
1015
1026
  # @!attribute [rw] grant_tokens
@@ -1081,8 +1092,12 @@ module Aws::KMS
1081
1092
  end
1082
1093
 
1083
1094
  # @!attribute [rw] key_id
1084
- # The ARN of the customer master key that was used to perform the
1085
- # decryption.
1095
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
1096
+ # decrypt the ciphertext.
1097
+ #
1098
+ #
1099
+ #
1100
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1086
1101
  # @return [String]
1087
1102
  #
1088
1103
  # @!attribute [rw] plaintext
@@ -1547,9 +1562,10 @@ module Aws::KMS
1547
1562
  #
1548
1563
  # @!attribute [rw] encryption_context
1549
1564
  # Specifies the encryption context that will be used to encrypt the
1550
- # data. An encryption context is valid only for cryptographic
1551
- # operations with a symmetric CMK. The standard asymmetric encryption
1552
- # algorithms that AWS KMS uses do not support an encryption context.
1565
+ # data. An encryption context is valid only for [cryptographic
1566
+ # operations][1] with a symmetric CMK. The standard asymmetric
1567
+ # encryption algorithms that AWS KMS uses do not support an encryption
1568
+ # context.
1553
1569
  #
1554
1570
  # An *encryption context* is a collection of non-secret key-value
1555
1571
  # pairs that represents additional authenticated data. When you use an
@@ -1558,12 +1574,13 @@ module Aws::KMS
1558
1574
  # An encryption context is optional when encrypting with a symmetric
1559
1575
  # CMK, but it is highly recommended.
1560
1576
  #
1561
- # For more information, see [Encryption Context][1] in the *AWS Key
1577
+ # For more information, see [Encryption Context][2] in the *AWS Key
1562
1578
  # Management Service Developer Guide*.
1563
1579
  #
1564
1580
  #
1565
1581
  #
1566
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1582
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1583
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1567
1584
  # @return [Hash<String,String>]
1568
1585
  #
1569
1586
  # @!attribute [rw] grant_tokens
@@ -1605,7 +1622,12 @@ module Aws::KMS
1605
1622
  # @return [String]
1606
1623
  #
1607
1624
  # @!attribute [rw] key_id
1608
- # The ID of the key used during encryption.
1625
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
1626
+ # encrypt the plaintext.
1627
+ #
1628
+ #
1629
+ #
1630
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1609
1631
  # @return [String]
1610
1632
  #
1611
1633
  # @!attribute [rw] encryption_algorithm
@@ -1669,7 +1691,9 @@ module Aws::KMS
1669
1691
  #
1670
1692
  # @!attribute [rw] key_id
1671
1693
  # Specifies the symmetric CMK that encrypts the private key in the
1672
- # data key pair. You cannot specify an asymmetric CMKs.
1694
+ # data key pair. You cannot specify an asymmetric CMK or a CMK in a
1695
+ # custom key store. To get the type and origin of your CMK, use the
1696
+ # DescribeKey operation.
1673
1697
  #
1674
1698
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1675
1699
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1738,7 +1762,12 @@ module Aws::KMS
1738
1762
  # @return [String]
1739
1763
  #
1740
1764
  # @!attribute [rw] key_id
1741
- # The identifier of the CMK that encrypted the private key.
1765
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
1766
+ # the private key.
1767
+ #
1768
+ #
1769
+ #
1770
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1742
1771
  # @return [String]
1743
1772
  #
1744
1773
  # @!attribute [rw] key_pair_spec
@@ -1790,7 +1819,8 @@ module Aws::KMS
1790
1819
  # @!attribute [rw] key_id
1791
1820
  # Specifies the CMK that encrypts the private key in the data key
1792
1821
  # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1793
- # CMK. To get the type of your CMK, use the DescribeKey operation.
1822
+ # CMK or a CMK in a custom key store. To get the type and origin of
1823
+ # your CMK, use the DescribeKey operation.
1794
1824
  #
1795
1825
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1796
1826
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1852,27 +1882,12 @@ module Aws::KMS
1852
1882
  # @return [String]
1853
1883
  #
1854
1884
  # @!attribute [rw] key_id
1855
- # Specifies the CMK that encrypted the private key in the data key
1856
- # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1857
- # CMK. To get the type of your CMK, use the DescribeKey operation.
1885
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
1886
+ # the private key.
1858
1887
  #
1859
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1860
- # name, or alias ARN. When using an alias name, prefix it with
1861
- # `"alias/"`.
1862
1888
  #
1863
- # For example:
1864
1889
  #
1865
- # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1866
- #
1867
- # * Key ARN:
1868
- # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1869
- #
1870
- # * Alias name: `alias/ExampleAlias`
1871
- #
1872
- # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1873
- #
1874
- # To get the key ID and key ARN for a CMK, use ListKeys or
1875
- # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1890
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1876
1891
  # @return [String]
1877
1892
  #
1878
1893
  # @!attribute [rw] key_pair_spec
@@ -1999,7 +2014,12 @@ module Aws::KMS
1999
2014
  # @return [String]
2000
2015
  #
2001
2016
  # @!attribute [rw] key_id
2002
- # The identifier of the CMK that encrypted the data key.
2017
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
2018
+ # the data key.
2019
+ #
2020
+ #
2021
+ #
2022
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2003
2023
  # @return [String]
2004
2024
  #
2005
2025
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2107,7 +2127,12 @@ module Aws::KMS
2107
2127
  # @return [String]
2108
2128
  #
2109
2129
  # @!attribute [rw] key_id
2110
- # The identifier of the CMK that encrypted the data key.
2130
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
2131
+ # the data key.
2132
+ #
2133
+ #
2134
+ #
2135
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2111
2136
  # @return [String]
2112
2137
  #
2113
2138
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -2302,9 +2327,13 @@ module Aws::KMS
2302
2327
  end
2303
2328
 
2304
2329
  # @!attribute [rw] key_id
2305
- # The identifier of the CMK to use in a subsequent ImportKeyMaterial
2306
- # request. This is the same CMK specified in the
2307
- # `GetParametersForImport` request.
2330
+ # The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
2331
+ # subsequent ImportKeyMaterial request. This is the same CMK specified
2332
+ # in the `GetParametersForImport` request.
2333
+ #
2334
+ #
2335
+ #
2336
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2308
2337
  # @return [String]
2309
2338
  #
2310
2339
  # @!attribute [rw] import_token
@@ -2384,8 +2413,12 @@ module Aws::KMS
2384
2413
  end
2385
2414
 
2386
2415
  # @!attribute [rw] key_id
2387
- # The identifier of the asymmetric CMK from which the public key was
2388
- # downloaded.
2416
+ # The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
2417
+ # which the public key was downloaded.
2418
+ #
2419
+ #
2420
+ #
2421
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2389
2422
  # @return [String]
2390
2423
  #
2391
2424
  # @!attribute [rw] public_key
@@ -2446,26 +2479,16 @@ module Aws::KMS
2446
2479
  include Aws::Structure
2447
2480
  end
2448
2481
 
2449
- # Use this structure to allow cryptographic operations in the grant only
2450
- # when the operation request includes the specified [encryption
2451
- # context][1].
2452
- #
2453
- # AWS KMS applies the grant constraints only when the grant allows a
2454
- # cryptographic operation that accepts an encryption context as input,
2455
- # such as the following.
2456
- #
2457
- # * Encrypt
2482
+ # Use this structure to allow [cryptographic operations][1] in the grant
2483
+ # only when the operation request includes the specified [encryption
2484
+ # context][2].
2458
2485
  #
2459
- # * Decrypt
2460
- #
2461
- # * GenerateDataKey
2462
- #
2463
- # * GenerateDataKeyWithoutPlaintext
2464
- #
2465
- # * ReEncrypt
2466
- #
2467
- # AWS KMS does not apply the grant constraints to other operations, such
2468
- # as DescribeKey or ScheduleKeyDeletion.
2486
+ # AWS KMS applies the grant constraints only to cryptographic operations
2487
+ # that support an encryption context, that is, all cryptographic
2488
+ # operations with a [symmetric CMK][3]. Grant constraints are not
2489
+ # applied to operations that do not support an encryption context, such
2490
+ # as cryptographic operations with asymmetric CMKs and management
2491
+ # operations, such as DescribeKey or ScheduleKeyDeletion.
2469
2492
  #
2470
2493
  # In a cryptographic operation, the encryption context in the decryption
2471
2494
  # operation must be an exact, case-sensitive match for the keys and
@@ -2479,13 +2502,15 @@ module Aws::KMS
2479
2502
  # differ only by case. To require a fully case-sensitive encryption
2480
2503
  # context, use the `kms:EncryptionContext:` and
2481
2504
  # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
2482
- # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
2505
+ # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
2483
2506
  # Management Service Developer Guide</i> </i>.
2484
2507
  #
2485
2508
  #
2486
2509
  #
2487
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2488
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
2510
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2511
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2512
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
2513
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
2489
2514
  #
2490
2515
  # @note When making an API call, you may pass GrantConstraints
2491
2516
  # data as a hash:
@@ -2501,17 +2526,25 @@ module Aws::KMS
2501
2526
  #
2502
2527
  # @!attribute [rw] encryption_context_subset
2503
2528
  # A list of key-value pairs that must be included in the encryption
2504
- # context of the cryptographic operation request. The grant allows the
2505
- # cryptographic operation only when the encryption context in the
2506
- # request includes the key-value pairs specified in this constraint,
2507
- # although it can include additional key-value pairs.
2529
+ # context of the [cryptographic operation][1] request. The grant
2530
+ # allows the cryptographic operation only when the encryption context
2531
+ # in the request includes the key-value pairs specified in this
2532
+ # constraint, although it can include additional key-value pairs.
2533
+ #
2534
+ #
2535
+ #
2536
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2508
2537
  # @return [Hash<String,String>]
2509
2538
  #
2510
2539
  # @!attribute [rw] encryption_context_equals
2511
2540
  # A list of key-value pairs that must match the encryption context in
2512
- # the cryptographic operation request. The grant allows the operation
2513
- # only when the encryption context in the request is the same as the
2514
- # encryption context specified in this constraint.
2541
+ # the [cryptographic operation][1] request. The grant allows the
2542
+ # operation only when the encryption context in the request is the
2543
+ # same as the encryption context specified in this constraint.
2544
+ #
2545
+ #
2546
+ #
2547
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2515
2548
  # @return [Hash<String,String>]
2516
2549
  #
2517
2550
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -2522,7 +2555,7 @@ module Aws::KMS
2522
2555
  include Aws::Structure
2523
2556
  end
2524
2557
 
2525
- # Contains information about an entry in a list of grants.
2558
+ # Contains information about a grant.
2526
2559
  #
2527
2560
  # @!attribute [rw] key_id
2528
2561
  # The unique identifier for the customer master key (CMK) to which the
@@ -2544,7 +2577,18 @@ module Aws::KMS
2544
2577
  # @return [Time]
2545
2578
  #
2546
2579
  # @!attribute [rw] grantee_principal
2547
- # The principal that receives the grant's permissions.
2580
+ # The identity that gets the permissions in the grant.
2581
+ #
2582
+ # The `GranteePrincipal` field in the `ListGrants` response usually
2583
+ # contains the user or role designated as the grantee principal in the
2584
+ # grant. However, when the grantee principal in the grant is an AWS
2585
+ # service, the `GranteePrincipal` field contains the [service
2586
+ # principal][1], which might represent several different grantee
2587
+ # principals.
2588
+ #
2589
+ #
2590
+ #
2591
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
2548
2592
  # @return [String]
2549
2593
  #
2550
2594
  # @!attribute [rw] retiring_principal
@@ -2930,15 +2974,19 @@ module Aws::KMS
2930
2974
  # @return [String]
2931
2975
  #
2932
2976
  # @!attribute [rw] key_usage
2933
- # The cryptographic operations for which you can use the CMK.
2977
+ # The [cryptographic operations][1] for which you can use the CMK.
2978
+ #
2979
+ #
2980
+ #
2981
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2934
2982
  # @return [String]
2935
2983
  #
2936
2984
  # @!attribute [rw] key_state
2937
- # The state of the CMK.
2985
+ # The current status of the CMK.
2938
2986
  #
2939
2987
  # For more information about how key state affects the use of a CMK,
2940
- # see [How Key State Affects the Use of a Customer Master Key][1] in
2941
- # the *AWS Key Management Service Developer Guide*.
2988
+ # see [Key state: Effect on your CMK][1] in the *AWS Key Management
2989
+ # Service Developer Guide*.
2942
2990
  #
2943
2991
  #
2944
2992
  #
@@ -3011,16 +3059,16 @@ module Aws::KMS
3011
3059
  # @return [String]
3012
3060
  #
3013
3061
  # @!attribute [rw] encryption_algorithms
3014
- # A list of encryption algorithms that the CMK supports. You cannot
3015
- # use the CMK with other encryption algorithms within AWS KMS.
3062
+ # The encryption algorithms that the CMK supports. You cannot use the
3063
+ # CMK with other encryption algorithms within AWS KMS.
3016
3064
  #
3017
3065
  # This field appears only when the `KeyUsage` of the CMK is
3018
3066
  # `ENCRYPT_DECRYPT`.
3019
3067
  # @return [Array<String>]
3020
3068
  #
3021
3069
  # @!attribute [rw] signing_algorithms
3022
- # A list of signing algorithms that the CMK supports. You cannot use
3023
- # the CMK with other signing algorithms within AWS KMS.
3070
+ # The signing algorithms that the CMK supports. You cannot use the CMK
3071
+ # with other signing algorithms within AWS KMS.
3024
3072
  #
3025
3073
  # This field appears only when the `KeyUsage` of the CMK is
3026
3074
  # `SIGN_VERIFY`.
@@ -3794,7 +3842,12 @@ module Aws::KMS
3794
3842
  # @return [String]
3795
3843
  #
3796
3844
  # @!attribute [rw] key_id
3797
- # Unique identifier of the CMK used to reencrypt the data.
3845
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
3846
+ # reencrypt the data.
3847
+ #
3848
+ #
3849
+ #
3850
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
3798
3851
  # @return [String]
3799
3852
  #
3800
3853
  # @!attribute [rw] source_encryption_algorithm
@@ -3935,8 +3988,12 @@ module Aws::KMS
3935
3988
  end
3936
3989
 
3937
3990
  # @!attribute [rw] key_id
3938
- # The unique identifier of the customer master key (CMK) for which
3939
- # deletion is scheduled.
3991
+ # The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
3992
+ # scheduled.
3993
+ #
3994
+ #
3995
+ #
3996
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
3940
3997
  # @return [String]
3941
3998
  #
3942
3999
  # @!attribute [rw] deletion_date
@@ -4033,8 +4090,12 @@ module Aws::KMS
4033
4090
  end
4034
4091
 
4035
4092
  # @!attribute [rw] key_id
4036
- # The Amazon Resource Name (ARN) of the asymmetric CMK that was used
4037
- # to sign the message.
4093
+ # The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
4094
+ # was used to sign the message.
4095
+ #
4096
+ #
4097
+ #
4098
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4038
4099
  # @return [String]
4039
4100
  #
4040
4101
  # @!attribute [rw] signature
@@ -4448,8 +4509,12 @@ module Aws::KMS
4448
4509
  end
4449
4510
 
4450
4511
  # @!attribute [rw] key_id
4451
- # The unique identifier for the asymmetric CMK that was used to verify
4452
- # the signature.
4512
+ # The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
4513
+ # was used to verify the signature.
4514
+ #
4515
+ #
4516
+ #
4517
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4453
4518
  # @return [String]
4454
4519
  #
4455
4520
  # @!attribute [rw] signature_valid
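Review bot: The reworded response `key_id` comments in this section (for example new lines 1095-1096 for the decrypt result and 1765-1766 for the data key pair result) now say the field is a key ARN, but they do not warn callers that this can differ in form from the value they sent. The request-side comment at new lines 1698-1699 still accepts a key ID, key ARN, alias name or alias ARN, so a caller that confirms which CMK was actually used by comparing the response with its request value would see a mismatch unless it passed the key ARN. Assuming the ARN is returned whatever form the request used, each of these comments could add a line such as `# Compare this value with the key ARN of the CMK you expect, not with a key ID or alias.` The comments look generated from the service model, so the wording would have to change there; several of the enclosing struct comments also start or end outside the hunks shown.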
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-kms
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.32.0
4
+ version: 1.33.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-28 00:00:00.000000000 Z
11
+ date: 2020-06-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-core