RubyGems - aws-sdk-kms - Versions diffs - 1.40.0 → 1.44.0 - Mend

aws-sdk-kms 1.40.0 → 1.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +299 -0
data/LICENSE.txt +202 -0
data/VERSION +1 -0
data/lib/aws-sdk-kms.rb +2 -2
data/lib/aws-sdk-kms/client.rb +1071 -387
data/lib/aws-sdk-kms/client_api.rb +80 -1
data/lib/aws-sdk-kms/customizations.rb +1 -1
data/lib/aws-sdk-kms/errors.rb +1 -1
data/lib/aws-sdk-kms/resource.rb +1 -1
data/lib/aws-sdk-kms/types.rb +700 -161
metadata +11 -9

data/lib/aws-sdk-kms/client_api.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
@@ -150,7 +150,12 @@ module Aws::KMS
     MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
     MarkerType = Shapes::StringShape.new(name: 'MarkerType')
     MessageType = Shapes::StringShape.new(name: 'MessageType')
+    MultiRegionConfiguration = Shapes::StructureShape.new(name: 'MultiRegionConfiguration')
+    MultiRegionKey = Shapes::StructureShape.new(name: 'MultiRegionKey')
+    MultiRegionKeyList = Shapes::ListShape.new(name: 'MultiRegionKeyList')
+    MultiRegionKeyType = Shapes::StringShape.new(name: 'MultiRegionKeyType')
     NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
+    NullableBooleanType = Shapes::BooleanShape.new(name: 'NullableBooleanType')
     NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
     OriginType = Shapes::StringShape.new(name: 'OriginType')
     PendingWindowInDaysType = Shapes::IntegerShape.new(name: 'PendingWindowInDaysType')
@@ -163,6 +168,9 @@ module Aws::KMS
     PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
     ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
     ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
+    RegionType = Shapes::StringShape.new(name: 'RegionType')
+    ReplicateKeyRequest = Shapes::StructureShape.new(name: 'ReplicateKeyRequest')
+    ReplicateKeyResponse = Shapes::StructureShape.new(name: 'ReplicateKeyResponse')
     RetireGrantRequest = Shapes::StructureShape.new(name: 'RetireGrantRequest')
     RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
     ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
@@ -185,6 +193,7 @@ module Aws::KMS
     UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
     UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
     UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
+    UpdatePrimaryRegionRequest = Shapes::StructureShape.new(name: 'UpdatePrimaryRegionRequest')
     VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
     VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
     WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
@@ -261,6 +270,7 @@ module Aws::KMS
     CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
     CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
     CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
+    CreateKeyRequest.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
     CreateKeyRequest.struct_class = Types::CreateKeyRequest
     CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
@@ -560,6 +570,9 @@ module Aws::KMS
     KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
     KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
     KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
+    KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
+    KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
+    KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
     KeyMetadata.struct_class = Types::KeyMetadata
     KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -581,6 +594,8 @@ module Aws::KMS
     ListGrantsRequest.add_member(:limit, Shapes::ShapeRef.new(shape: LimitType, location_name: "Limit"))
     ListGrantsRequest.add_member(:marker, Shapes::ShapeRef.new(shape: MarkerType, location_name: "Marker"))
     ListGrantsRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    ListGrantsRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
+    ListGrantsRequest.add_member(:grantee_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "GranteePrincipal"))
     ListGrantsRequest.struct_class = Types::ListGrantsRequest
     ListGrantsResponse.add_member(:grants, Shapes::ShapeRef.new(shape: GrantList, location_name: "Grants"))
@@ -625,6 +640,17 @@ module Aws::KMS
     MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
+    MultiRegionConfiguration.add_member(:multi_region_key_type, Shapes::ShapeRef.new(shape: MultiRegionKeyType, location_name: "MultiRegionKeyType"))
+    MultiRegionConfiguration.add_member(:primary_key, Shapes::ShapeRef.new(shape: MultiRegionKey, location_name: "PrimaryKey"))
+    MultiRegionConfiguration.add_member(:replica_keys, Shapes::ShapeRef.new(shape: MultiRegionKeyList, location_name: "ReplicaKeys"))
+    MultiRegionConfiguration.struct_class = Types::MultiRegionConfiguration
+    MultiRegionKey.add_member(:arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "Arn"))
+    MultiRegionKey.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
+    MultiRegionKey.struct_class = Types::MultiRegionKey
+    MultiRegionKeyList.member = Shapes::ShapeRef.new(shape: MultiRegionKey)
     NotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     NotFoundException.struct_class = Types::NotFoundException
@@ -653,6 +679,19 @@ module Aws::KMS
     ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
     ReEncryptResponse.struct_class = Types::ReEncryptResponse
+    ReplicateKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    ReplicateKeyRequest.add_member(:replica_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "ReplicaRegion"))
+    ReplicateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
+    ReplicateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
+    ReplicateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
+    ReplicateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
+    ReplicateKeyRequest.struct_class = Types::ReplicateKeyRequest
+    ReplicateKeyResponse.add_member(:replica_key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "ReplicaKeyMetadata"))
+    ReplicateKeyResponse.add_member(:replica_policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "ReplicaPolicy"))
+    ReplicateKeyResponse.add_member(:replica_tags, Shapes::ShapeRef.new(shape: TagList, location_name: "ReplicaTags"))
+    ReplicateKeyResponse.struct_class = Types::ReplicateKeyResponse
     RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
     RetireGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
     RetireGrantRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
@@ -668,6 +707,8 @@ module Aws::KMS
     ScheduleKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
     ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
+    ScheduleKeyDeletionResponse.add_member(:key_state, Shapes::ShapeRef.new(shape: KeyState, location_name: "KeyState"))
+    ScheduleKeyDeletionResponse.add_member(:pending_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingWindowInDays"))
     ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
     SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
@@ -722,6 +763,10 @@ module Aws::KMS
     UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
     UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
+    UpdatePrimaryRegionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    UpdatePrimaryRegionRequest.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "PrimaryRegion"))
+    UpdatePrimaryRegionRequest.struct_class = Types::UpdatePrimaryRegionRequest
     VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
     VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
     VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
@@ -907,6 +952,7 @@ module Aws::KMS
         o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
         o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
         o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
       end)
@@ -1190,6 +1236,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidGrantIdException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
@@ -1299,6 +1346,24 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
+      api.add_operation(:replicate_key, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "ReplicateKey"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: ReplicateKeyRequest)
+        o.output = Shapes::ShapeRef.new(shape: ReplicateKeyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: AlreadyExistsException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
+        o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: TagException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+      end)
       api.add_operation(:retire_grant, Seahorse::Model::Operation.new.tap do |o|
         o.name = "RetireGrant"
         o.http_method = "POST"
@@ -1426,6 +1491,20 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
+      api.add_operation(:update_primary_region, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "UpdatePrimaryRegion"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: UpdatePrimaryRegionRequest)
+        o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+      end)
       api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
         o.name = "Verify"
         o.http_method = "POST"

data/lib/aws-sdk-kms/customizations.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE

data/lib/aws-sdk-kms/errors.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE

data/lib/aws-sdk-kms/resource.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE

data/lib/aws-sdk-kms/types.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
@@ -69,10 +69,10 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The unique identifier for the customer master key (CMK) for which to
-    #   cancel deletion.
+    #   Identifies the customer master key (CMK) whose deletion is being
+    #   canceled.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -310,7 +310,7 @@ module Aws::KMS
     #   For help finding the key ID and ARN, see [Finding the Key ID and
     #   ARN][2] in the *AWS Key Management Service Developer Guide*.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -433,11 +433,11 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The unique identifier for the customer master key (CMK) that the
-    #   grant applies to.
+    #   Identifies the customer master key (CMK) for the grant. The grant
+    #   gives principals permission to use this CMK.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the CMK. To specify a CMK in a
+    #   different AWS account, you must use the key ARN.
     #
     #   For example:
     #
@@ -451,8 +451,7 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] grantee_principal
-    #   The principal that is given permission to perform the operations
-    #   that the grant permits.
+    #   The identity that gets the permissions specified in the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
     #   an AWS principal. Valid AWS principals include AWS accounts (root),
@@ -486,30 +485,55 @@ module Aws::KMS
     #
     # @!attribute [rw] operations
     #   A list of operations that the grant permits.
+    #
+    #   The operation must be supported on the CMK. For example, you cannot
+    #   create a grant for a symmetric CMK that allows the Sign operation,
+    #   or a grant for an asymmetric CMK that allows the GenerateDataKey
+    #   operation. If you try, AWS KMS returns a `ValidationError`
+    #   exception. For details, see [Grant operations][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   Allows a [cryptographic operation][1] only when the encryption
-    #   context matches or includes the encryption context specified in this
-    #   structure. For more information about encryption context, see
-    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
-    #   Developer Guide</i> </i>.
+    #   Specifies a grant constraint.
+    #
+    #   AWS KMS supports the `EncryptionContextEquals` and
+    #   `EncryptionContextSubset` grant constraints. Each constraint value
+    #   can include up to 8 encryption context pairs. The encryption context
+    #   value in each constraint cannot exceed 384 characters.
+    #
+    #   These grant constraints allow a [cryptographic operation][1] only
+    #   when the encryption context in the request matches
+    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
+    #   the encryption context specified in this structure. For more
+    #   information about encryption context, see [Encryption Context][2] in
+    #   the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
+    #   information about grant constraints, see [Using grant
+    #   constraints][3] in the *AWS Key Management Service Developer Guide*.
     #
-    #   Grant constraints are not applied to operations that do not support
-    #   an encryption context, such as cryptographic operations with
-    #   asymmetric CMKs and management operations, such as DescribeKey or
-    #   RetireGrant.
+    #   The encryption context grant constraints are supported only on
+    #   operations that include an encryption context. You cannot use an
+    #   encryption context grant constraint for cryptographic operations
+    #   with asymmetric CMKs or for management operations, such as
+    #   DescribeKey or RetireGrant.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -551,7 +575,9 @@ module Aws::KMS
     # @!attribute [rw] grant_token
     #   The grant token.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -562,8 +588,8 @@ module Aws::KMS
     # @!attribute [rw] grant_id
     #   The unique identifier for the grant.
     #
-    #   You can use the `GrantId` in a subsequent RetireGrant or RevokeGrant
-    #   operation.
+    #   You can use the `GrantId` in a ListGrants, RetireGrant, or
+    #   RevokeGrant operation.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantResponse AWS API Documentation
@@ -592,6 +618,7 @@ module Aws::KMS
     #             tag_value: "TagValueType", # required
     #           },
     #         ],
+    #         multi_region: false,
     #       }
     #
     # @!attribute [rw] policy
@@ -638,7 +665,8 @@ module Aws::KMS
     #   A description of the CMK.
     #
     #   Use a description that helps you decide whether the CMK is
-    #   appropriate for a task.
+    #   appropriate for a task. The default value is an empty string (no
+    #   description).
     #   @return [String]
     #
     # @!attribute [rw] key_usage
@@ -727,20 +755,19 @@ module Aws::KMS
     # @!attribute [rw] origin
     #   The source of the key material for the CMK. You cannot change the
     #   origin after you create the CMK. The default is `AWS_KMS`, which
-    #   means AWS KMS creates the key material.
+    #   means that AWS KMS creates the key material.
     #
-    #   When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
-    #   without key material so that you can import key material from your
-    #   existing key management infrastructure. For more information about
-    #   importing key material into AWS KMS, see [Importing Key Material][1]
-    #   in the *AWS Key Management Service Developer Guide*. This value is
-    #   valid only for symmetric CMKs.
+    #   To create a CMK with no key material (for imported key material),
+    #   set the value to `EXTERNAL`. For more information about importing
+    #   key material into AWS KMS, see [Importing Key Material][1] in the
+    #   *AWS Key Management Service Developer Guide*. This value is valid
+    #   only for symmetric CMKs.
     #
-    #   When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
-    #   in an AWS KMS [custom key store][2] and creates its key material in
-    #   the associated AWS CloudHSM cluster. You must also use the
-    #   `CustomKeyStoreId` parameter to identify the custom key store. This
-    #   value is valid only for symmetric CMKs.
+    #   To create a CMK in an AWS KMS [custom key store][2] and create its
+    #   key material in the associated AWS CloudHSM cluster, set this value
+    #   to `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId`
+    #   parameter to identify the custom key store. This value is valid only
+    #   for symmetric CMKs.
     #
     #
     #
@@ -756,8 +783,9 @@ module Aws::KMS
     #   associated with the custom key store must have at least two active
     #   HSMs, each in a different Availability Zone in the Region.
     #
-    #   This parameter is valid only for symmetric CMKs. You cannot create
-    #   an asymmetric CMK in a custom key store.
+    #   This parameter is valid only for symmetric CMKs and regional CMKs.
+    #   You cannot create an asymmetric CMK or a multi-Region CMK in a
+    #   custom key store.
     #
     #   To find the ID of a custom key store, use the
     #   DescribeCustomKeyStores operation.
@@ -798,27 +826,66 @@ module Aws::KMS
     #   @return [Boolean]
     #
     # @!attribute [rw] tags
-    #   One or more tags. Each tag consists of a tag key and a tag value.
-    #   Both the tag key and the tag value are required, but the tag value
-    #   can be an empty (null) string.
+    #   Assigns one or more tags to the CMK. Use this parameter to tag the
+    #   CMK when it is created. To tag an existing CMK, use the TagResource
+    #   operation.
     #
-    #   When you add tags to an AWS resource, AWS generates a cost
-    #   allocation report with usage and costs aggregated by tags. For
-    #   information about adding, changing, deleting and listing tags for
-    #   CMKs, see [Tagging Keys][1].
+    #   <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
+    #   For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
-    #   Use this parameter to tag the CMK when it is created. To add tags to
-    #   an existing CMK, use the TagResource operation.
+    #    </note>
     #
     #   To use this parameter, you must have [kms:TagResource][2] permission
     #   in an IAM policy.
     #
+    #   Each tag consists of a tag key and a tag value. Both the tag key and
+    #   the tag value are required, but the tag value can be an empty (null)
+    #   string. You cannot have more than one tag on a CMK with the same tag
+    #   key. If you specify an existing tag key with a different tag value,
+    #   AWS KMS replaces the current tag value with the specified one.
+    #
+    #   When you assign tags to an AWS resource, AWS generates a cost
+    #   allocation report with usage and costs aggregated by tags. Tags can
+    #   also be used to control access to a CMK. For details, see [Tagging
+    #   Keys][3].
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     #   @return [Array<Types::Tag>]
     #
+    # @!attribute [rw] multi_region
+    #   Creates a multi-Region primary key that you can replicate into other
+    #   AWS Regions. You cannot change this value after you create the CMK.
+    #
+    #   For a multi-Region key, set this parameter to `True`. For a
+    #   single-Region CMK, omit this parameter or set it to `False`. The
+    #   default value is `False`.
+    #
+    #   This operation supports *multi-Region keys*, an AWS KMS feature that
+    #   lets you create multiple interoperable CMKs in different AWS
+    #   Regions. Because these CMKs have the same key ID, key material, and
+    #   other metadata, you can use them to encrypt data in one AWS Region
+    #   and decrypt it in a different AWS Region without making a
+    #   cross-Region call or exposing the plaintext data. For more
+    #   information about multi-Region keys, see [Using multi-Region
+    #   keys][1] in the *AWS Key Management Service Developer Guide*.
+    #
+    #   This value creates a *primary key*, not a replica. To create a
+    #   *replica key*, use the ReplicateKey operation.
+    #
+    #   You can create a symmetric or asymmetric multi-Region CMK, and you
+    #   can create a multi-Region CMK with imported key material. However,
+    #   you cannot create a multi-Region CMK in a custom key store.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
     #
     class CreateKeyRequest < Struct.new(
@@ -829,7 +896,8 @@ module Aws::KMS
       :origin,
       :custom_key_store_id,
       :bypass_policy_lockout_safety_check,
-      :tags)
+      :tags,
+      :multi_region)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1099,8 +1167,12 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a newly created grant that has not yet achieved eventual
+    #   consistency. Use a grant token when your permission to call this
+    #   operation comes from a new grant that has not yet achieved *eventual
+    #   consistency*. For more information, see [Grant token][1] in the *AWS
+    #   Key Management Service Developer Guide*.
     #
     #
     #
@@ -1118,10 +1190,10 @@ module Aws::KMS
     #   blob. However, it is always recommended as a best practice. This
     #   practice ensures that you use the CMK that you intend.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -1245,7 +1317,7 @@ module Aws::KMS
     #   Identifies the CMK from which you are deleting imported key
     #   material. The `Origin` of the CMK must be `EXTERNAL`.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -1295,7 +1367,7 @@ module Aws::KMS
     #   the key store ID.
     #
     #   By default, this operation gets information about all custom key
-    #   stores in the account and region. To limit the output to a
+    #   stores in the account and Region. To limit the output to a
     #   particular custom key store, you can use either the
     #   `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
     #   @return [String]
@@ -1305,7 +1377,7 @@ module Aws::KMS
     #   the friendly name of the custom key store.
     #
     #   By default, this operation gets information about all custom key
-    #   stores in the account and region. To limit the output to a
+    #   stores in the account and Region. To limit the output to a
     #   particular custom key store, you can use either the
     #   `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
     #   @return [String]
@@ -1374,10 +1446,10 @@ module Aws::KMS
     #   KMS associates the alias with an [AWS managed CMK][1] and returns
     #   its `KeyId` and `Arn` in the response.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -1401,7 +1473,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1438,9 +1512,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies the customer master key (CMK) to disable.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -1473,7 +1547,7 @@ module Aws::KMS
     #   or disable automatic rotation of [asymmetric CMKs][1], CMKs with
     #   [imported key material][2], or CMKs in a [custom key store][3].
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -1546,9 +1620,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies the customer master key (CMK) to enable.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -1578,10 +1652,12 @@ module Aws::KMS
     #
     # @!attribute [rw] key_id
     #   Identifies a symmetric customer master key (CMK). You cannot enable
-    #   automatic rotation of asymmetric CMKs, CMKs with imported key
-    #   material, or CMKs in a [custom key store][1].
+    #   automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
+    #   material][2], or CMKs in a [custom key store][3]. To enable or
+    #   disable automatic rotation of a set of related [multi-Region
+    #   keys][4], set the property on the primary key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -1595,7 +1671,10 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1620,12 +1699,13 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies the customer master key (CMK) to use in the encryption
+    #   operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -1672,7 +1752,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1784,10 +1866,10 @@ module Aws::KMS
     #   custom key store. To get the type and origin of your CMK, use the
     #   DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -1816,7 +1898,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1913,10 +1997,10 @@ module Aws::KMS
     #   CMK or a CMK in a custom key store. To get the type and origin of
     #   your CMK, use the DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -1945,7 +2029,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2014,10 +2100,10 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Identifies the symmetric CMK that encrypts the data key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -2075,7 +2161,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2144,10 +2232,10 @@ module Aws::KMS
     #   The identifier of the symmetric customer master key (CMK) that
     #   encrypts the data key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -2198,7 +2286,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2294,9 +2384,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets the key policy for the specified customer master key (CMK).
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -2343,10 +2433,11 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets the rotation status for the specified customer master key
+    #   (CMK).
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the CMK. To specify a CMK in a
+    #   different AWS account, you must use the key ARN.
     #
     #   For example:
     #
@@ -2392,7 +2483,7 @@ module Aws::KMS
     #   The identifier of the symmetric CMK into which you will import key
     #   material. The `Origin` of the CMK must be `EXTERNAL`.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -2479,10 +2570,10 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Identifies the asymmetric CMK that includes the public key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -2502,7 +2593,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2750,7 +2843,7 @@ module Aws::KMS
     #   same CMK specified in the `KeyID` parameter of the corresponding
     #   GetParametersForImport request.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -3120,8 +3213,14 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
-    #   The date and time after which AWS KMS deletes the CMK. This value is
-    #   present only when `KeyState` is `PendingDeletion`.
+    #   The date and time after which AWS KMS deletes this CMK. This value
+    #   is present only when the CMK is scheduled for deletion, that is,
+    #   when its `KeyState` is `PendingDeletion`.
+    #
+    #   When the primary key in a multi-Region key is scheduled for deletion
+    #   but still has replica keys, its key state is
+    #   `PendingReplicaDeletion` and the length of its waiting period is
+    #   displayed in the `PendingDeletionWindowInDays` field.
     #   @return [Time]
     #
     # @!attribute [rw] valid_to
@@ -3188,7 +3287,7 @@ module Aws::KMS
     #   The encryption algorithms that the CMK supports. You cannot use the
     #   CMK with other encryption algorithms within AWS KMS.
     #
-    #   This field appears only when the `KeyUsage` of the CMK is
+    #   This value is present only when the `KeyUsage` of the CMK is
     #   `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
@@ -3200,6 +3299,57 @@ module Aws::KMS
     #   `SIGN_VERIFY`.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] multi_region
+    #   Indicates whether the CMK is a multi-Region (`True`) or regional
+    #   (`False`) key. This value is `True` for multi-Region primary and
+    #   replica CMKs and `False` for regional CMKs.
+    #
+    #   For more information about multi-Region keys, see [Using
+    #   multi-Region keys][1] in the *AWS Key Management Service Developer
+    #   Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] multi_region_configuration
+    #   Lists the primary and replica CMKs in same multi-Region CMK. This
+    #   field is present only when the value of the `MultiRegion` field is
+    #   `True`.
+    #
+    #   For more information about any listed CMK, use the DescribeKey
+    #   operation.
+    #
+    #   * `MultiRegionKeyType` indicates whether the CMK is a `PRIMARY` or
+    #     `REPLICA` key.
+    #
+    #   * `PrimaryKey` displays the key ARN and Region of the primary key.
+    #     This field displays the current CMK if it is the primary key.
+    #
+    #   * `ReplicaKeys` displays the key ARNs and Regions of all replica
+    #     keys. This field includes the current CMK if it is a replica key.
+    #   @return [Types::MultiRegionConfiguration]
+    #
+    # @!attribute [rw] pending_deletion_window_in_days
+    #   The waiting period before the primary key in a multi-Region key is
+    #   deleted. This waiting period begins when the last of its replica
+    #   keys is deleted. This value is present only when the `KeyState` of
+    #   the CMK is `PendingReplicaDeletion`. That indicates that the CMK is
+    #   the primary key in a multi-Region key, it is scheduled for deletion,
+    #   and it still has existing replica keys.
+    #
+    #   When a regional CMK or a replica key in a multi-Region key is
+    #   scheduled for deletion, its deletion date is displayed in the
+    #   `DeletionDate` field. However, when the primary key in a
+    #   multi-Region key is scheduled for deletion, its waiting period
+    #   doesn't begin until all of its replica keys are deleted. This value
+    #   displays that waiting period. When the last replica key in the
+    #   multi-Region key is deleted, the `KeyState` of the scheduled primary
+    #   key changes from `PendingReplicaDeletion` to `PendingDeletion` and
+    #   the deletion date appears in the `DeletionDate` field.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
     #
     class KeyMetadata < Struct.new(
@@ -3220,7 +3370,10 @@ module Aws::KMS
       :key_manager,
       :customer_master_key_spec,
       :encryption_algorithms,
-      :signing_algorithms)
+      :signing_algorithms,
+      :multi_region,
+      :multi_region_configuration,
+      :pending_deletion_window_in_days)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3274,7 +3427,7 @@ module Aws::KMS
     #   This parameter is optional. If you omit it, `ListAliases` returns
     #   all aliases in the account and Region.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -3346,6 +3499,8 @@ module Aws::KMS
     #         limit: 1,
     #         marker: "MarkerType",
     #         key_id: "KeyIdType", # required
+    #         grant_id: "GrantIdType",
+    #         grantee_principal: "PrincipalIdType",
     #       }
     #
     # @!attribute [rw] limit
@@ -3365,10 +3520,11 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Returns only grants for the specified customer master key (CMK).
+    #   This parameter is required.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the CMK. To specify a CMK in a
+    #   different AWS account, you must use the key ARN.
     #
     #   For example:
     #
@@ -3381,12 +3537,24 @@ module Aws::KMS
     #   DescribeKey.
     #   @return [String]
     #
+    # @!attribute [rw] grant_id
+    #   Returns only the grant with the specified grant ID. The grant ID
+    #   uniquely identifies the grant.
+    #   @return [String]
+    #
+    # @!attribute [rw] grantee_principal
+    #   Returns only grants where the specified principal is the grantee
+    #   principal for the grant.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsRequest AWS API Documentation
     #
     class ListGrantsRequest < Struct.new(
       :limit,
       :marker,
-      :key_id)
+      :key_id,
+      :grant_id,
+      :grantee_principal)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3427,9 +3595,10 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets the names of key policies for the specified customer master key
+    #   (CMK).
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -3565,9 +3734,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets tags on the specified customer master key (CMK).
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -3610,6 +3779,16 @@ module Aws::KMS
     # @!attribute [rw] tags
     #   A list of tags. Each tag consists of a tag key and a tag value.
+    #
+    #   <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
+    #   For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] next_marker
@@ -3702,6 +3881,58 @@ module Aws::KMS
       include Aws::Structure
     end
+    # Describes the configuration of this multi-Region CMK. This field
+    # appears only when the CMK is a primary or replica of a multi-Region
+    # CMK.
+    #
+    # For more information about any listed CMK, use the DescribeKey
+    # operation.
+    #
+    # @!attribute [rw] multi_region_key_type
+    #   Indicates whether the CMK is a `PRIMARY` or `REPLICA` key.
+    #   @return [String]
+    #
+    # @!attribute [rw] primary_key
+    #   Displays the key ARN and Region of the primary key. This field
+    #   includes the current CMK if it is the primary key.
+    #   @return [Types::MultiRegionKey]
+    #
+    # @!attribute [rw] replica_keys
+    #   displays the key ARNs and Regions of all replica keys. This field
+    #   includes the current CMK if it is a replica key.
+    #   @return [Array<Types::MultiRegionKey>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
+    #
+    class MultiRegionConfiguration < Struct.new(
+      :multi_region_key_type,
+      :primary_key,
+      :replica_keys)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # Describes the primary or replica key in a multi-Region key.
+    #
+    # @!attribute [rw] arn
+    #   Displays the key ARN of a primary or replica key of a multi-Region
+    #   key.
+    #   @return [String]
+    #
+    # @!attribute [rw] region
+    #   Displays the AWS Region of a primary or replica key in a
+    #   multi-Region key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
+    #
+    class MultiRegionKey < Struct.new(
+      :arn,
+      :region)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # The request was rejected because the specified entity or resource
     # could not be found.
     #
@@ -3727,9 +3958,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Sets the key policy on the specified customer master key (CMK).
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -3866,10 +4097,10 @@ module Aws::KMS
     #   blob. However, it is always recommended as a best practice. This
     #   practice ensures that you use the CMK that you intend.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -3892,10 +4123,10 @@ module Aws::KMS
     #   `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
     #   DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -3961,7 +4192,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -4023,6 +4256,221 @@ module Aws::KMS
       include Aws::Structure
     end
+    # @note When making an API call, you may pass ReplicateKeyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         replica_region: "RegionType", # required
+    #         policy: "PolicyType",
+    #         bypass_policy_lockout_safety_check: false,
+    #         description: "DescriptionType",
+    #         tags: [
+    #           {
+    #             tag_key: "TagKeyType", # required
+    #             tag_value: "TagValueType", # required
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies the multi-Region primary key that is being replicated. To
+    #   determine whether a CMK is a multi-Region primary key, use the
+    #   DescribeKey operation to check the value of the `MultiRegionKeyType`
+    #   property.
+    #
+    #   Specify the key ID or key ARN of a multi-Region primary key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey.
+    #   @return [String]
+    #
+    # @!attribute [rw] replica_region
+    #   The Region ID of the AWS Region for this replica key.
+    #
+    #   Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
+    #   list of AWS Regions in which AWS KMS is supported, see [AWS KMS
+    #   service endpoints][1] in the *Amazon Web Services General
+    #   Reference*.
+    #
+    #   The replica must be in a different AWS Region than its primary key
+    #   and other replicas of that primary key, but in the same AWS
+    #   partition. AWS KMS must be available in the replica Region. If the
+    #   Region is not enabled by default, the AWS account must be enabled in
+    #   the Region.
+    #
+    #   For information about AWS partitions, see [Amazon Resource Names
+    #   (ARNs) in the *Amazon Web Services General Reference*.][2] For
+    #   information about enabling and disabling Regions, see [Enabling a
+    #   Region][3] and [Disabling a Region][4] in the *Amazon Web Services
+    #   General Reference*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
+    #   @return [String]
+    #
+    # @!attribute [rw] policy
+    #   The key policy to attach to the CMK. This parameter is optional. If
+    #   you do not provide a key policy, AWS KMS attaches the [default key
+    #   policy][1] to the CMK.
+    #
+    #   The key policy is not a shared property of multi-Region keys. You
+    #   can specify the same key policy or a different key policy for each
+    #   key in a set of related multi-Region keys. AWS KMS does not
+    #   synchronize this property.
+    #
+    #   If you provide a key policy, it must meet the following criteria:
+    #
+    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
+    #     key policy must give the caller `kms:PutKeyPolicy` permission on
+    #     the replica CMK. This reduces the risk that the CMK becomes
+    #     unmanageable. For more information, refer to the scenario in the
+    #     [Default Key Policy][2] section of the <i> <i>AWS Key Management
+    #     Service Developer Guide</i> </i>.
+    #
+    #   * Each statement in the key policy must contain one or more
+    #     principals. The principals in the key policy must exist and be
+    #     visible to AWS KMS. When you create a new AWS principal (for
+    #     example, an IAM user or role), you might need to enforce a delay
+    #     before including the new principal in a key policy because the new
+    #     principal might not be immediately visible to AWS KMS. For more
+    #     information, see [Changes that I make are not always immediately
+    #     visible][3] in the *AWS Identity and Access Management User
+    #     Guide*.
+    #
+    #   * The key policy size quota is 32 kilobytes (32768 bytes).
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   @return [String]
+    #
+    # @!attribute [rw] bypass_policy_lockout_safety_check
+    #   A flag to indicate whether to bypass the key policy lockout safety
+    #   check.
+    #
+    #   Setting this value to true increases the risk that the CMK becomes
+    #   unmanageable. Do not set this value to true indiscriminately.
+    #
+    #    For more information, refer to the scenario in the [Default Key
+    #   Policy][1] section in the *AWS Key Management Service Developer
+    #   Guide*.
+    #
+    #   Use this parameter only when you intend to prevent the principal
+    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   request on the CMK.
+    #
+    #   The default value is false.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] description
+    #   A description of the CMK. Use a description that helps you decide
+    #   whether the CMK is appropriate for a task. The default value is an
+    #   empty string (no description).
+    #
+    #   The description is not a shared property of multi-Region keys. You
+    #   can specify the same description or a different description for each
+    #   key in a set of related multi-Region keys. AWS KMS does not
+    #   synchronize this property.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   Assigns one or more tags to the replica key. Use this parameter to
+    #   tag the CMK when it is created. To tag an existing CMK, use the
+    #   TagResource operation.
+    #
+    #   <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
+    #   For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #    </note>
+    #
+    #   To use this parameter, you must have [kms:TagResource][2] permission
+    #   in an IAM policy.
+    #
+    #   Tags are not a shared property of multi-Region keys. You can specify
+    #   the same tags or different tags for each key in a set of related
+    #   multi-Region keys. AWS KMS does not synchronize this property.
+    #
+    #   Each tag consists of a tag key and a tag value. Both the tag key and
+    #   the tag value are required, but the tag value can be an empty (null)
+    #   string. You cannot have more than one tag on a CMK with the same tag
+    #   key. If you specify an existing tag key with a different tag value,
+    #   AWS KMS replaces the current tag value with the specified one.
+    #
+    #   When you assign tags to an AWS resource, AWS generates a cost
+    #   allocation report with usage and costs aggregated by tags. Tags can
+    #   also be used to control access to a CMK. For details, see [Tagging
+    #   Keys][3].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation
+    #
+    class ReplicateKeyRequest < Struct.new(
+      :key_id,
+      :replica_region,
+      :policy,
+      :bypass_policy_lockout_safety_check,
+      :description,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @!attribute [rw] replica_key_metadata
+    #   Displays details about the new replica CMK, including its Amazon
+    #   Resource Name ([key ARN][1]) and [key state][2]. It also includes
+    #   the ARN and AWS Region of its primary key and other replica keys.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    #   @return [Types::KeyMetadata]
+    #
+    # @!attribute [rw] replica_policy
+    #   The key policy of the new replica key. The value is a key policy
+    #   document in JSON format.
+    #   @return [String]
+    #
+    # @!attribute [rw] replica_tags
+    #   The tags on the new replica key. The value is a list of tag key and
+    #   tag value pairs.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyResponse AWS API Documentation
+    #
+    class ReplicateKeyResponse < Struct.new(
+      :replica_key_metadata,
+      :replica_policy,
+      :replica_tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # @note When making an API call, you may pass RetireGrantRequest
     #   data as a hash:
     #
@@ -4033,19 +4481,31 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] grant_token
-    #   Token that identifies the grant to be retired.
+    #   Identifies the grant to be retired. You can use a grant token to
+    #   identify a new grant even before it has achieved eventual
+    #   consistency.
+    #
+    #   Only the CreateGrant operation returns a grant token. For details,
+    #   see [Grant token][1] and [Eventual consistency][2] in the *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name (ARN) of the CMK associated with the grant.
+    #   The key ARN CMK associated with the grant. To find the key ARN, use
+    #   the ListKeys operation.
     #
     #   For example:
     #   `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #   @return [String]
     #
     # @!attribute [rw] grant_id
-    #   Unique identifier of the grant to retire. The grant ID is returned
-    #   in the response to a `CreateGrant` operation.
+    #   Identifies the grant to retire. To get the grant ID, use
+    #   CreateGrant, ListGrants, or ListRetirableGrants.
     #
     #   * Grant ID Example -
     #     0123456789012345678901234567890123456789012345678901234567890123
@@ -4072,11 +4532,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key associated with the
-    #   grant.
+    #   A unique identifier for the customer master key (CMK) associated
+    #   with the grant. To get the key ID and key ARN for a CMK, use
+    #   ListKeys or DescribeKey.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the CMK. To specify a CMK in a
+    #   different AWS account, you must use the key ARN.
     #
     #   For example:
     #
@@ -4090,7 +4551,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] grant_id
-    #   Identifier of the grant to be revoked.
+    #   Identifies the grant to revoke. To get the grant ID, use
+    #   CreateGrant, ListGrants, or ListRetirableGrants.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
@@ -4113,7 +4575,7 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   The unique identifier of the customer master key (CMK) to delete.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -4130,6 +4592,10 @@ module Aws::KMS
     #   The waiting period, specified in number of days. After the waiting
     #   period ends, AWS KMS deletes the customer master key (CMK).
     #
+    #   If the CMK is a multi-Region primary key with replicas, the waiting
+    #   period begins when the last of its replica keys is deleted.
+    #   Otherwise, the waiting period begins immediately.
+    #
     #   This value is optional. If you include a value, it must be between 7
     #   and 30, inclusive. If you do not include a value, it defaults to 30.
     #   @return [Integer]
@@ -4155,13 +4621,39 @@ module Aws::KMS
     # @!attribute [rw] deletion_date
     #   The date and time after which AWS KMS deletes the customer master
     #   key (CMK).
+    #
+    #   If the CMK is a multi-Region primary key with replica keys, this
+    #   field does not appear. The deletion date for the primary key isn't
+    #   known until its last replica key is deleted.
     #   @return [Time]
     #
+    # @!attribute [rw] key_state
+    #   The current status of the CMK.
+    #
+    #   For more information about how key state affects the use of a CMK,
+    #   see [Key state: Effect on your CMK][1] in the *AWS Key Management
+    #   Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    #   @return [String]
+    #
+    # @!attribute [rw] pending_window_in_days
+    #   The waiting period before the CMK is deleted.
+    #
+    #   If the CMK is a multi-Region primary key with replicas, the waiting
+    #   period begins when the last of its replica keys is deleted.
+    #   Otherwise, the waiting period begins immediately.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionResponse AWS API Documentation
     #
     class ScheduleKeyDeletionResponse < Struct.new(
       :key_id,
-      :deletion_date)
+      :deletion_date,
+      :key_state,
+      :pending_window_in_days)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4183,10 +4675,10 @@ module Aws::KMS
     #   must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
     #   DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -4220,7 +4712,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
@@ -4357,7 +4851,7 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Identifies a customer managed CMK in the account and Region.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -4415,7 +4909,7 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Identifies the CMK from which you are removing tags.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -4466,7 +4960,7 @@ module Aws::KMS
     #   CMK (both symmetric or both asymmetric) and they must have the same
     #   key usage.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -4569,9 +5063,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Updates the description of the specified customer master key (CMK).
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the CMK.
     #
     #   For example:
     #
@@ -4597,6 +5091,49 @@ module Aws::KMS
       include Aws::Structure
     end
+    # @note When making an API call, you may pass UpdatePrimaryRegionRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         primary_region: "RegionType", # required
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies the current primary key. When the operation completes,
+    #   this CMK will be a replica key.
+    #
+    #   Specify the key ID or key ARN of a multi-Region primary key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   DescribeKey.
+    #   @return [String]
+    #
+    # @!attribute [rw] primary_region
+    #   The AWS Region of the new primary key. Enter the Region ID, such as
+    #   `us-east-1` or `ap-southeast-2`. There must be an existing replica
+    #   key in this Region.
+    #
+    #   When the operation completes, the multi-Region key in this Region
+    #   will be the primary key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegionRequest AWS API Documentation
+    #
+    class UpdatePrimaryRegionRequest < Struct.new(
+      :key_id,
+      :primary_region)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # @note When making an API call, you may pass VerifyRequest
     #   data as a hash:
     #
@@ -4615,10 +5152,10 @@ module Aws::KMS
     #   signature. If you specify a different CMK, the signature
     #   verification fails.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
+    #   When using an alias name, prefix it with `"alias/"`. To specify a
+    #   CMK in a different AWS account, you must use the key ARN or alias
+    #   ARN.
     #
     #   For example:
     #
@@ -4668,7 +5205,9 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #