aws-sdk-kms 1.32.0 → 1.37.0

data/lib/aws-sdk-kms/client_api.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -1032,6 +1034,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
 
       api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1048,6 +1051,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
 
       api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1387,6 +1391,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 

data/lib/aws-sdk-kms/customizations.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:

data/lib/aws-sdk-kms/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-kms/resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-kms/types.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -28,6 +30,7 @@ module Aws::KMS
       :alias_name,
       :alias_arn,
       :target_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -41,6 +44,7 @@ module Aws::KMS
     #
     class AlreadyExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -72,18 +76,24 @@ module Aws::KMS
     #
     class CancelKeyDeletionRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier of the master key for which deletion is
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
     #   canceled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
     #
     class CancelKeyDeletionResponse < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -108,6 +118,7 @@ module Aws::KMS
     #
     class CloudHsmClusterInUseException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -160,6 +171,7 @@ module Aws::KMS
     #
     class CloudHsmClusterInvalidConfigurationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -180,6 +192,7 @@ module Aws::KMS
     #
     class CloudHsmClusterNotActiveException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -194,6 +207,7 @@ module Aws::KMS
     #
     class CloudHsmClusterNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -221,6 +235,7 @@ module Aws::KMS
     #
     class CloudHsmClusterNotRelatedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -241,6 +256,7 @@ module Aws::KMS
     #
     class ConnectCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -280,6 +296,7 @@ module Aws::KMS
     class CreateAliasRequest < Struct.new(
       :alias_name,
       :target_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -342,6 +359,7 @@ module Aws::KMS
       :cloud_hsm_cluster_id,
       :trust_anchor_certificate,
       :key_store_password)
+      SENSITIVE = [:key_store_password]
       include Aws::Structure
     end
 
@@ -353,6 +371,7 @@ module Aws::KMS
     #
     class CreateCustomKeyStoreResponse < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -433,15 +452,16 @@ module Aws::KMS
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   Allows a cryptographic operation only when the encryption context
-    #   matches or includes the encryption context specified in this
+    #   Allows a [cryptographic operation][1] only when the encryption
+    #   context matches or includes the encryption context specified in this
     #   structure. For more information about encryption context, see
-    #   [Encryption Context][1] in the <i> <i>AWS Key Management Service
+    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
     #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -483,6 +503,7 @@ module Aws::KMS
       :constraints,
       :grant_tokens,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -509,6 +530,7 @@ module Aws::KMS
     class CreateGrantResponse < Struct.new(
       :grant_token,
       :grant_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -575,8 +597,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   Determines the cryptographic operations for which you can use the
-    #   CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
+    #   Determines the [cryptographic operations][1] for which you can use
+    #   the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
     #   required only for asymmetric CMKs. You can't change the `KeyUsage`
     #   value after the CMK is created.
     #
@@ -589,6 +611,10 @@ module Aws::KMS
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -755,6 +781,7 @@ module Aws::KMS
       :custom_key_store_id,
       :bypass_policy_lockout_safety_check,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -766,6 +793,7 @@ module Aws::KMS
     #
     class CreateKeyResponse < Struct.new(
       :key_metadata)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -781,6 +809,7 @@ module Aws::KMS
     #
     class CustomKeyStoreHasCMKsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -810,6 +839,7 @@ module Aws::KMS
     #
     class CustomKeyStoreInvalidStateException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -824,6 +854,7 @@ module Aws::KMS
     #
     class CustomKeyStoreNameInUseException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -837,6 +868,7 @@ module Aws::KMS
     #
     class CustomKeyStoreNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -922,12 +954,13 @@ module Aws::KMS
     #
     #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
     #     configuration was deleted. If AWS KMS cannot find all of the
-    #     subnets that were configured for the cluster when the custom key
-    #     store was created, attempts to connect fail. To fix this error,
-    #     create a cluster from a backup and associate it with your custom
-    #     key store. This process includes selecting a VPC and subnets. For
-    #     details, see [How to Fix a Connection Failure][1] in the *AWS Key
-    #     Management Service Developer Guide*.
+    #     subnets in the cluster configuration, attempts to connect the
+    #     custom key store to the AWS CloudHSM cluster fail. To fix this
+    #     error, create a cluster from a recent backup and associate it with
+    #     your custom key store. (This process creates a new cluster
+    #     configuration with a VPC and private subnets.) For details, see
+    #     [How to Fix a Connection Failure][1] in the *AWS Key Management
+    #     Service Developer Guide*.
     #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
     #     associated AWS CloudHSM cluster due to too many failed password
@@ -971,6 +1004,7 @@ module Aws::KMS
       :connection_state,
       :connection_error_code,
       :creation_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -993,9 +1027,9 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
-    #   encryption context is valid only for cryptographic operations with a
-    #   symmetric CMK. The standard asymmetric encryption algorithms that
-    #   AWS KMS uses do not support an encryption context.
+    #   encryption context is valid only for [cryptographic operations][1]
+    #   with a symmetric CMK. The standard asymmetric encryption algorithms
+    #   that AWS KMS uses do not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1004,12 +1038,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1077,12 +1112,17 @@ module Aws::KMS
       :grant_tokens,
       :key_id,
       :encryption_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The ARN of the customer master key that was used to perform the
-    #   decryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   decrypt the ciphertext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] plaintext
@@ -1100,6 +1140,7 @@ module Aws::KMS
       :key_id,
       :plaintext,
       :encryption_algorithm)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
@@ -1119,6 +1160,7 @@ module Aws::KMS
     #
     class DeleteAliasRequest < Struct.new(
       :alias_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1138,6 +1180,7 @@ module Aws::KMS
     #
     class DeleteCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1173,6 +1216,7 @@ module Aws::KMS
     #
     class DeleteImportedKeyMaterialRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1186,6 +1230,7 @@ module Aws::KMS
     #
     class DependencyTimeoutException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1238,6 +1283,7 @@ module Aws::KMS
       :custom_key_store_name,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1263,6 +1309,7 @@ module Aws::KMS
       :custom_key_stores,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1321,6 +1368,7 @@ module Aws::KMS
     class DescribeKeyRequest < Struct.new(
       :key_id,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1332,6 +1380,7 @@ module Aws::KMS
     #
     class DescribeKeyResponse < Struct.new(
       :key_metadata)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1362,6 +1411,7 @@ module Aws::KMS
     #
     class DisableKeyRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1400,6 +1450,7 @@ module Aws::KMS
     #
     class DisableKeyRotationRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1412,6 +1463,7 @@ module Aws::KMS
     #
     class DisabledException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1432,6 +1484,7 @@ module Aws::KMS
     #
     class DisconnectCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1466,6 +1519,7 @@ module Aws::KMS
     #
     class EnableKeyRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1502,6 +1556,7 @@ module Aws::KMS
     #
     class EnableKeyRotationRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1547,9 +1602,10 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used to encrypt the
-    #   data. An encryption context is valid only for cryptographic
-    #   operations with a symmetric CMK. The standard asymmetric encryption
-    #   algorithms that AWS KMS uses do not support an encryption context.
+    #   data. An encryption context is valid only for [cryptographic
+    #   operations][1] with a symmetric CMK. The standard asymmetric
+    #   encryption algorithms that AWS KMS uses do not support an encryption
+    #   context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1558,12 +1614,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1596,6 +1653,7 @@ module Aws::KMS
       :encryption_context,
       :grant_tokens,
       :encryption_algorithm)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
@@ -1605,7 +1663,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The ID of the key used during encryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   encrypt the plaintext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
@@ -1618,6 +1681,7 @@ module Aws::KMS
       :ciphertext_blob,
       :key_id,
       :encryption_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1633,6 +1697,7 @@ module Aws::KMS
     #
     class ExpiredImportTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1669,7 +1734,9 @@ module Aws::KMS
     #
     # @!attribute [rw] key_id
     #   Specifies the symmetric CMK that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric CMKs.
+    #   data key pair. You cannot specify an asymmetric CMK or a CMK in a
+    #   custom key store. To get the type and origin of your CMK, use the
+    #   DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1718,6 +1785,7 @@ module Aws::KMS
       :key_id,
       :key_pair_spec,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1738,7 +1806,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the private key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1753,6 +1826,7 @@ module Aws::KMS
       :public_key,
       :key_id,
       :key_pair_spec)
+      SENSITIVE = [:private_key_plaintext]
       include Aws::Structure
     end
 
@@ -1790,7 +1864,8 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Specifies the CMK that encrypts the private key in the data key
     #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   CMK or a CMK in a custom key store. To get the type and origin of
+    #   your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1838,6 +1913,7 @@ module Aws::KMS
       :key_id,
       :key_pair_spec,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1852,27 +1928,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Specifies the CMK that encrypted the private key in the data key
-    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`.
     #
-    #   For example:
-    #
-    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   * Key ARN:
-    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Alias name: `alias/ExampleAlias`
-    #
-    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
-    #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
-    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1886,6 +1947,7 @@ module Aws::KMS
       :public_key,
       :key_id,
       :key_pair_spec)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1982,6 +2044,7 @@ module Aws::KMS
       :number_of_bytes,
       :key_spec,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1999,7 +2062,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2008,6 +2076,7 @@ module Aws::KMS
       :ciphertext_blob,
       :plaintext,
       :key_id)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
@@ -2098,6 +2167,7 @@ module Aws::KMS
       :key_spec,
       :number_of_bytes,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2107,7 +2177,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -2115,6 +2190,7 @@ module Aws::KMS
     class GenerateDataKeyWithoutPlaintextResponse < Struct.new(
       :ciphertext_blob,
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2145,6 +2221,7 @@ module Aws::KMS
     class GenerateRandomRequest < Struct.new(
       :number_of_bytes,
       :custom_key_store_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2157,6 +2234,7 @@ module Aws::KMS
     #
     class GenerateRandomResponse < Struct.new(
       :plaintext)
+      SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
@@ -2194,6 +2272,7 @@ module Aws::KMS
     class GetKeyPolicyRequest < Struct.new(
       :key_id,
       :policy_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2205,6 +2284,7 @@ module Aws::KMS
     #
     class GetKeyPolicyResponse < Struct.new(
       :policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2236,6 +2316,7 @@ module Aws::KMS
     #
     class GetKeyRotationStatusRequest < Struct.new(
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2247,6 +2328,7 @@ module Aws::KMS
     #
     class GetKeyRotationStatusResponse < Struct.new(
       :key_rotation_enabled)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2298,13 +2380,18 @@ module Aws::KMS
       :key_id,
       :wrapping_algorithm,
       :wrapping_key_spec)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The identifier of the CMK to use in a subsequent ImportKeyMaterial
-    #   request. This is the same CMK specified in the
-    #   `GetParametersForImport` request.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
+    #   subsequent ImportKeyMaterial request. This is the same CMK specified
+    #   in the `GetParametersForImport` request.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] import_token
@@ -2330,6 +2417,7 @@ module Aws::KMS
       :import_token,
       :public_key,
       :parameters_valid_to)
+      SENSITIVE = [:public_key]
       include Aws::Structure
     end
 
@@ -2380,12 +2468,17 @@ module Aws::KMS
     class GetPublicKeyRequest < Struct.new(
       :key_id,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The identifier of the asymmetric CMK from which the public key was
-    #   downloaded.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
+    #   which the public key was downloaded.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] public_key
@@ -2443,29 +2536,20 @@ module Aws::KMS
       :key_usage,
       :encryption_algorithms,
       :signing_algorithms)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # Use this structure to allow cryptographic operations in the grant only
-    # when the operation request includes the specified [encryption
-    # context][1].
-    #
-    # AWS KMS applies the grant constraints only when the grant allows a
-    # cryptographic operation that accepts an encryption context as input,
-    # such as the following.
+    # Use this structure to allow [cryptographic operations][1] in the grant
+    # only when the operation request includes the specified [encryption
+    # context][2].
     #
-    # * Encrypt
-    #
-    # * Decrypt
-    #
-    # * GenerateDataKey
-    #
-    # * GenerateDataKeyWithoutPlaintext
-    #
-    # * ReEncrypt
-    #
-    # AWS KMS does not apply the grant constraints to other operations, such
-    # as DescribeKey or ScheduleKeyDeletion.
+    # AWS KMS applies the grant constraints only to cryptographic operations
+    # that support an encryption context, that is, all cryptographic
+    # operations with a [symmetric CMK][3]. Grant constraints are not
+    # applied to operations that do not support an encryption context, such
+    # as cryptographic operations with asymmetric CMKs and management
+    # operations, such as DescribeKey or ScheduleKeyDeletion.
     #
     # In a cryptographic operation, the encryption context in the decryption
     # operation must be an exact, case-sensitive match for the keys and
@@ -2479,13 +2563,15 @@ module Aws::KMS
     # differ only by case. To require a fully case-sensitive encryption
     # context, use the `kms:EncryptionContext:` and
     # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
+    # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
     # Management Service Developer Guide</i> </i>.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
     #
     # @note When making an API call, you may pass GrantConstraints
     #   data as a hash:
@@ -2501,17 +2587,25 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
-    #   context of the cryptographic operation request. The grant allows the
-    #   cryptographic operation only when the encryption context in the
-    #   request includes the key-value pairs specified in this constraint,
-    #   although it can include additional key-value pairs.
+    #   context of the [cryptographic operation][1] request. The grant
+    #   allows the cryptographic operation only when the encryption context
+    #   in the request includes the key-value pairs specified in this
+    #   constraint, although it can include additional key-value pairs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] encryption_context_equals
     #   A list of key-value pairs that must match the encryption context in
-    #   the cryptographic operation request. The grant allows the operation
-    #   only when the encryption context in the request is the same as the
-    #   encryption context specified in this constraint.
+    #   the [cryptographic operation][1] request. The grant allows the
+    #   operation only when the encryption context in the request is the
+    #   same as the encryption context specified in this constraint.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -2519,10 +2613,11 @@ module Aws::KMS
     class GrantConstraints < Struct.new(
       :encryption_context_subset,
       :encryption_context_equals)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # Contains information about an entry in a list of grants.
+    # Contains information about a grant.
     #
     # @!attribute [rw] key_id
     #   The unique identifier for the customer master key (CMK) to which the
@@ -2544,7 +2639,18 @@ module Aws::KMS
     #   @return [Time]
     #
     # @!attribute [rw] grantee_principal
-    #   The principal that receives the grant's permissions.
+    #   The identity that gets the permissions in the grant.
+    #
+    #   The `GranteePrincipal` field in the `ListGrants` response usually
+    #   contains the user or role designated as the grantee principal in the
+    #   grant. However, when the grantee principal in the grant is an AWS
+    #   service, the `GranteePrincipal` field contains the [service
+    #   principal][1], which might represent several different grantee
+    #   principals.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -2576,6 +2682,7 @@ module Aws::KMS
       :issuing_account,
       :operations,
       :constraints)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2647,6 +2754,7 @@ module Aws::KMS
       :encrypted_key_material,
       :valid_to,
       :expiration_model)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2666,6 +2774,7 @@ module Aws::KMS
     #
     class IncorrectKeyException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2680,6 +2789,7 @@ module Aws::KMS
     #
     class IncorrectKeyMaterialException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2701,6 +2811,7 @@ module Aws::KMS
     #
     class IncorrectTrustAnchorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2714,6 +2825,7 @@ module Aws::KMS
     #
     class InvalidAliasNameException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2727,6 +2839,7 @@ module Aws::KMS
     #
     class InvalidArnException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2745,6 +2858,7 @@ module Aws::KMS
     #
     class InvalidCiphertextException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2757,6 +2871,7 @@ module Aws::KMS
     #
     class InvalidGrantIdException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2770,6 +2885,7 @@ module Aws::KMS
     #
     class InvalidGrantTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2783,6 +2899,7 @@ module Aws::KMS
     #
     class InvalidImportTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2810,6 +2927,7 @@ module Aws::KMS
     #
     class InvalidKeyUsageException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2823,6 +2941,7 @@ module Aws::KMS
     #
     class InvalidMarkerException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2836,6 +2955,7 @@ module Aws::KMS
     #
     class KMSInternalException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2851,6 +2971,7 @@ module Aws::KMS
     #
     class KMSInvalidSignatureException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2872,6 +2993,7 @@ module Aws::KMS
     #
     class KMSInvalidStateException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2890,6 +3012,7 @@ module Aws::KMS
     class KeyListEntry < Struct.new(
       :key_id,
       :key_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2930,15 +3053,19 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The cryptographic operations for which you can use the CMK.
+    #   The [cryptographic operations][1] for which you can use the CMK.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] key_state
-    #   The state of the CMK.
+    #   The current status of the CMK.
     #
     #   For more information about how key state affects the use of a CMK,
-    #   see [How Key State Affects the Use of a Customer Master Key][1] in
-    #   the *AWS Key Management Service Developer Guide*.
+    #   see [Key state: Effect on your CMK][1] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
@@ -3011,16 +3138,16 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
-    #   A list of encryption algorithms that the CMK supports. You cannot
-    #   use the CMK with other encryption algorithms within AWS KMS.
+    #   The encryption algorithms that the CMK supports. You cannot use the
+    #   CMK with other encryption algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithms
-    #   A list of signing algorithms that the CMK supports. You cannot use
-    #   the CMK with other signing algorithms within AWS KMS.
+    #   The signing algorithms that the CMK supports. You cannot use the CMK
+    #   with other signing algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `SIGN_VERIFY`.
@@ -3047,6 +3174,7 @@ module Aws::KMS
       :customer_master_key_spec,
       :encryption_algorithms,
       :signing_algorithms)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3060,6 +3188,7 @@ module Aws::KMS
     #
     class KeyUnavailableException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3078,6 +3207,7 @@ module Aws::KMS
     #
     class LimitExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3122,6 +3252,7 @@ module Aws::KMS
       :key_id,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3147,6 +3278,7 @@ module Aws::KMS
       :aliases,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3198,6 +3330,7 @@ module Aws::KMS
       :limit,
       :marker,
       :key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3223,6 +3356,7 @@ module Aws::KMS
       :grants,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3275,6 +3409,7 @@ module Aws::KMS
       :key_id,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3300,6 +3435,7 @@ module Aws::KMS
       :policy_names,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3332,6 +3468,7 @@ module Aws::KMS
     class ListKeysRequest < Struct.new(
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3357,6 +3494,7 @@ module Aws::KMS
       :keys,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3409,6 +3547,7 @@ module Aws::KMS
       :key_id,
       :limit,
       :marker)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3436,6 +3575,7 @@ module Aws::KMS
       :tags,
       :next_marker,
       :truncated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3486,6 +3626,7 @@ module Aws::KMS
       :limit,
       :marker,
       :retiring_principal)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3499,6 +3640,7 @@ module Aws::KMS
     #
     class MalformedPolicyDocumentException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3512,6 +3654,7 @@ module Aws::KMS
     #
     class NotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3608,6 +3751,7 @@ module Aws::KMS
       :policy_name,
       :policy,
       :bypass_policy_lockout_safety_check)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3781,6 +3925,7 @@ module Aws::KMS
       :source_encryption_algorithm,
       :destination_encryption_algorithm,
       :grant_tokens)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3794,7 +3939,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Unique identifier of the CMK used to reencrypt the data.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   reencrypt the data.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] source_encryption_algorithm
@@ -3814,6 +3964,7 @@ module Aws::KMS
       :key_id,
       :source_encryption_algorithm,
       :destination_encryption_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3853,6 +4004,7 @@ module Aws::KMS
       :grant_token,
       :key_id,
       :grant_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3891,6 +4043,7 @@ module Aws::KMS
     class RevokeGrantRequest < Struct.new(
       :key_id,
       :grant_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -3931,12 +4084,17 @@ module Aws::KMS
     class ScheduleKeyDeletionRequest < Struct.new(
       :key_id,
       :pending_window_in_days)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier of the customer master key (CMK) for which
-    #   deletion is scheduled.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
+    #   scheduled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
@@ -3949,6 +4107,7 @@ module Aws::KMS
     class ScheduleKeyDeletionResponse < Struct.new(
       :key_id,
       :deletion_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4029,12 +4188,17 @@ module Aws::KMS
       :message_type,
       :grant_tokens,
       :signing_algorithm)
+      SENSITIVE = [:message]
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name (ARN) of the asymmetric CMK that was used
-    #   to sign the message.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to sign the message.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature
@@ -4068,6 +4232,7 @@ module Aws::KMS
       :key_id,
       :signature,
       :signing_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4104,6 +4269,7 @@ module Aws::KMS
     class Tag < Struct.new(
       :tag_key,
       :tag_value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4116,6 +4282,7 @@ module Aws::KMS
     #
     class TagException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4157,6 +4324,7 @@ module Aws::KMS
     class TagResourceRequest < Struct.new(
       :key_id,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4170,6 +4338,7 @@ module Aws::KMS
     #
     class UnsupportedOperationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4206,6 +4375,7 @@ module Aws::KMS
     class UntagResourceRequest < Struct.new(
       :key_id,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4254,6 +4424,7 @@ module Aws::KMS
     class UpdateAliasRequest < Struct.new(
       :alias_name,
       :target_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4313,6 +4484,7 @@ module Aws::KMS
       :new_custom_key_store_name,
       :key_store_password,
       :cloud_hsm_cluster_id)
+      SENSITIVE = [:key_store_password]
       include Aws::Structure
     end
 
@@ -4353,6 +4525,7 @@ module Aws::KMS
     class UpdateKeyDescriptionRequest < Struct.new(
       :key_id,
       :description)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -4444,12 +4617,17 @@ module Aws::KMS
       :signature,
       :signing_algorithm,
       :grant_tokens)
+      SENSITIVE = [:message]
       include Aws::Structure
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier for the asymmetric CMK that was used to verify
-    #   the signature.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to verify the signature.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature_valid
@@ -4470,6 +4648,7 @@ module Aws::KMS
       :key_id,
       :signature_valid,
       :signing_algorithm)
+      SENSITIVE = []
       include Aws::Structure
     end