aws-sdk-kms 1.43.0 → 1.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6a12f7e0f0c6456ad794104d0ff80cd604710362b377afa9002ab77f57eb3122
4
- data.tar.gz: 7e02f4d54ba00e879fa4ba432d0f7099cd2177a63c73d4e832acbeaa9d798d6b
3
+ metadata.gz: 665dc12ff757ea9a86e3ccc0a5cd47a765995c244f26a3d8f80f5957d2e3b5b4
4
+ data.tar.gz: 3092a6af153e84241145fb3e194b946fa73afb714ad60437c586268a1725b2bd
5
5
  SHA512:
6
- metadata.gz: eedb1b4f2756b40b8ca928740186f516aeb23eb7505fa47992f84950930570d3ab1f0270c6755ac946e3aa4749c25e1cb3b16f8738ff69a9064233b7a5f4b7e5
7
- data.tar.gz: 1b595fd867e90a284d1054f9901a95b507f74b77aada49254c554481d2b549b528c9af18b242b6fc81c0d9253cdf28abb449c2be961e0c5fdf50d816a69cf927
6
+ metadata.gz: 7b7bd88e8eb8f74c97c7a524c0cf0012e1855cb434c2264a470881fe49ee497d40fe291cd2e7bcabac8e7b137ff2c8f3630c31c6c1f78ecff3c88f7259bb7486
7
+ data.tar.gz: 7e358e400fb315128c5b596e5455804ff2a2d23cbf80e33cc8fb520b71f3f401c19b6164abec74a7e06e2d7b7c38c60497d6dfddaa64bee2c7ed6ce17c0e6c74
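Review bot: both the SHA256 and SHA512 entries for metadata.gz and data.tar.gz change together, which is what a rebuilt gem should look like; since checksums.yaml ships inside the package it describes and therefore cannot authenticate itself, verify these values against the 1.44.0 .gem actually served by the registry before treating this diff as the reference copy.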
data/CHANGELOG.md CHANGED
@@ -1,6 +1,11 @@
1
1
  Unreleased Changes
2
2
  ------------------
3
3
 
4
+ 1.44.0 (2021-06-16)
5
+ ------------------
6
+
7
+ * Feature - Adds support for multi-Region keys
8
+
4
9
  1.43.0 (2021-03-10)
5
10
  ------------------
6
11
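Review bot: the single bullet "Adds support for multi-Region keys" undersells what this release changes for callers. Elsewhere in this diff the `key_state` example gains new values ("Creating", "PendingReplicaDeletion", "Updating"), `CreateKey` gains a `:multi_region` option, and the CreateAlias and `:tags` docs gain ABAC warnings that alias and tag changes can allow or deny permission to a CMK. Suggest listing the new `KeyState` values and the new option here so integrators know to revisit code that enumerates key states.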
 
data/VERSION CHANGED
@@ -1 +1 @@
1
- 1.43.0
1
+ 1.44.0
data/lib/aws-sdk-kms.rb CHANGED
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-kms/customizations'
48
48
  # @!group service
49
49
  module Aws::KMS
50
50
 
51
- GEM_VERSION = '1.43.0'
51
+ GEM_VERSION = '1.44.0'
52
52
 
53
53
  end
@@ -346,8 +346,8 @@ module Aws::KMS
346
346
  # Service Developer Guide*.
347
347
  #
348
348
  # The CMK that you use for this operation must be in a compatible key
349
- # state. For details, see [How Key State Affects Use of a Customer
350
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
349
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
350
+ # Key Management Service Developer Guide*.
351
351
  #
352
352
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
353
353
  # in a different AWS account.
@@ -363,10 +363,10 @@ module Aws::KMS
363
363
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
364
364
  #
365
365
  # @option params [required, String] :key_id
366
- # The unique identifier for the customer master key (CMK) for which to
367
- # cancel deletion.
366
+ # Identifies the customer master key (CMK) whose deletion is being
367
+ # canceled.
368
368
  #
369
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
369
+ # Specify the key ID or key ARN of the CMK.
370
370
  #
371
371
  # For example:
372
372
  #
@@ -503,42 +503,48 @@ module Aws::KMS
503
503
  req.send_request(options)
504
504
  end
505
505
 
506
- # Creates a friendly name for a customer master key (CMK). You can use
507
- # an alias to identify a CMK in the AWS KMS console, in the DescribeKey
508
- # operation and in [cryptographic operations][1], such as Encrypt and
509
- # GenerateDataKey.
506
+ # Creates a friendly name for a customer master key (CMK).
510
507
  #
511
- # You can also change the CMK that's associated with the alias
512
- # (UpdateAlias) or delete the alias (DeleteAlias) at any time. These
513
- # operations don't affect the underlying CMK.
508
+ # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
509
+ # the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
510
+ # Management Service Developer Guide*.
511
+ #
512
+ # </note>
513
+ #
514
+ # You can use an alias to identify a CMK in the AWS KMS console, in the
515
+ # DescribeKey operation and in [cryptographic operations][2], such as
516
+ # Encrypt and GenerateDataKey. You can also change the CMK that's
517
+ # associated with the alias (UpdateAlias) or delete the alias
518
+ # (DeleteAlias) at any time. These operations don't affect the
519
+ # underlying CMK.
514
520
  #
515
521
  # You can associate the alias with any customer managed CMK in the same
516
- # AWS Region. Each alias is associated with only on CMK at a time, but a
517
- # CMK can have multiple aliases. A valid CMK is required. You can't
522
+ # AWS Region. Each alias is associated with only one CMK at a time, but
523
+ # a CMK can have multiple aliases. A valid CMK is required. You can't
518
524
  # create an alias without a CMK.
519
525
  #
520
526
  # The alias must be unique in the account and Region, but you can have
521
527
  # aliases with the same name in different Regions. For detailed
522
- # information about aliases, see [Using aliases][2] in the *AWS Key
528
+ # information about aliases, see [Using aliases][3] in the *AWS Key
523
529
  # Management Service Developer Guide*.
524
530
  #
525
531
  # This operation does not return a response. To get the alias that you
526
532
  # created, use the ListAliases operation.
527
533
  #
528
534
  # The CMK that you use for this operation must be in a compatible key
529
- # state. For details, see [How Key State Affects Use of a Customer
530
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
535
+ # state. For details, see [Key state: Effect on your CMK][4] in the *AWS
536
+ # Key Management Service Developer Guide*.
531
537
  #
532
538
  # **Cross-account use**\: No. You cannot perform this operation on an
533
539
  # alias in a different AWS account.
534
540
  #
535
541
  # **Required permissions**
536
542
  #
537
- # * [kms:CreateAlias][4] on the alias (IAM policy).
543
+ # * [kms:CreateAlias][5] on the alias (IAM policy).
538
544
  #
539
- # * [kms:CreateAlias][4] on the CMK (key policy).
545
+ # * [kms:CreateAlias][5] on the CMK (key policy).
540
546
  #
541
- # For details, see [Controlling access to aliases][5] in the *AWS Key
547
+ # For details, see [Controlling access to aliases][6] in the *AWS Key
542
548
  # Management Service Developer Guide*.
543
549
  #
544
550
  # **Related operations:**
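Review bot: the new `<note markdown="1">` block is the security-relevant part of this hunk and should stay at the top: once ABAC is in play, CreateAlias, UpdateAlias and DeleteAlias become permission-changing operations rather than cosmetic ones, so the two `kms:CreateAlias` permissions listed below (IAM policy on the alias plus key policy on the CMK) are effectively grants of access to the key. The "only on CMK" to "only one CMK" typo fix is good, and the shifted reference numbers [2]..[6] agree with the link list in the following hunk.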
@@ -551,11 +557,12 @@ module Aws::KMS
551
557
  #
552
558
  #
553
559
  #
554
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
555
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
556
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
557
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
558
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
560
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
561
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
562
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
563
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
564
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
565
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
559
566
  #
560
567
  # @option params [required, String] :alias_name
561
568
  # Specifies the alias name. This value must begin with `alias/` followed
@@ -580,7 +587,7 @@ module Aws::KMS
580
587
  # For help finding the key ID and ARN, see [Finding the Key ID and
581
588
  # ARN][2] in the *AWS Key Management Service Developer Guide*.
582
589
  #
583
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
590
+ # Specify the key ID or key ARN of the CMK.
584
591
  #
585
592
  # For example:
586
593
  #
@@ -737,54 +744,54 @@ module Aws::KMS
737
744
  req.send_request(options)
738
745
  end
739
746
 
740
- # Adds a grant to a customer master key (CMK). The grant allows the
741
- # grantee principal to use the CMK when the conditions specified in the
742
- # grant are met. When setting permissions, grants are an alternative to
743
- # key policies.
744
- #
745
- # To create a grant that allows a [cryptographic operation][1] only when
746
- # the request includes a particular [encryption context][2], use the
747
- # `Constraints` parameter. For details, see GrantConstraints.
748
- #
749
- # You can create grants on symmetric and asymmetric CMKs. However, if
750
- # the grant allows an operation that the CMK does not support,
751
- # `CreateGrant` fails with a `ValidationException`.
752
- #
753
- # * Grants for symmetric CMKs cannot allow operations that are not
754
- # supported for symmetric CMKs, including Sign, Verify, and
755
- # GetPublicKey. (There are limited exceptions to this rule for legacy
756
- # operations, but you should not create a grant for an operation that
757
- # AWS KMS does not support.)
758
- #
759
- # * Grants for asymmetric CMKs cannot allow operations that are not
760
- # supported for asymmetric CMKs, including operations that [generate
761
- # data keys][3] or [data key pairs][4], or operations related to
762
- # [automatic key rotation][5], [imported key material][6], or CMKs in
763
- # [custom key stores][7].
764
- #
765
- # * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
766
- # cannot allow the Sign or Verify operations. Grants for asymmetric
767
- # CMKs with a `KeyUsage` of `SIGN_VERIFY` cannot allow the Encrypt or
768
- # Decrypt operations.
769
- #
770
- # * Grants for asymmetric CMKs cannot include an encryption context
771
- # grant constraint. An encryption context is not supported on
772
- # asymmetric CMKs.
747
+ # Adds a grant to a customer master key (CMK).
748
+ #
749
+ # A *grant* is a policy instrument that allows AWS principals to use AWS
750
+ # KMS customer master keys (CMKs) in cryptographic operations. It also
751
+ # can allow them to view a CMK (DescribeKey) and create and manage
752
+ # grants. When authorizing access to a CMK, grants are considered along
753
+ # with key policies and IAM policies. Grants are often used for
754
+ # temporary permissions because you can create one, use its permissions,
755
+ # and delete it without changing your key policies or IAM policies.
756
+ #
757
+ # For detailed information about grants, including grant terminology,
758
+ # see [Using grants][1] in the <i> <i>AWS Key Management Service
759
+ # Developer Guide</i> </i>. For examples of working with grants in
760
+ # several programming languages, see [Programming grants][2].
761
+ #
762
+ # The `CreateGrant` operation returns a `GrantToken` and a `GrantId`.
763
+ #
764
+ # * When you create, retire, or revoke a grant, there might be a brief
765
+ # delay, usually less than five minutes, until the grant is available
766
+ # throughout AWS KMS. This state is known as *eventual consistency*.
767
+ # Once the grant has achieved eventual consistency, the grantee
768
+ # principal can use the permissions in the grant without identifying
769
+ # the grant.
770
+ #
771
+ # However, to use the permissions in the grant immediately, use the
772
+ # `GrantToken` that `CreateGrant` returns. For details, see [Using a
773
+ # grant token][3] in the <i> <i>AWS Key Management Service Developer
774
+ # Guide</i> </i>.
775
+ #
776
+ # * The `CreateGrant` operation also returns a `GrantId`. You can use
777
+ # the `GrantId` and a key identifier to identify the grant in the
778
+ # RetireGrant and RevokeGrant operations. To find the grant ID, use
779
+ # the ListGrants or ListRetirableGrants operations.
773
780
  #
774
781
  # For information about symmetric and asymmetric CMKs, see [Using
775
- # Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
776
- # Developer Guide*. For more information about grants, see [Grants][9]
782
+ # Symmetric and Asymmetric CMKs][4] in the *AWS Key Management Service
783
+ # Developer Guide*. For more information about grants, see [Grants][1]
777
784
  # in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.
778
785
  #
779
786
  # The CMK that you use for this operation must be in a compatible key
780
- # state. For details, see [How Key State Affects Use of a Customer
781
- # Master Key][10] in the *AWS Key Management Service Developer Guide*.
787
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
788
+ # Key Management Service Developer Guide*.
782
789
  #
783
790
  # **Cross-account use**\: Yes. To perform this operation on a CMK in a
784
791
  # different AWS account, specify the key ARN in the value of the `KeyId`
785
792
  # parameter.
786
793
  #
787
- # **Required permissions**\: [kms:CreateGrant][11] (key policy)
794
+ # **Required permissions**\: [kms:CreateGrant][6] (key policy)
788
795
  #
789
796
  # **Related operations:**
790
797
  #
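Review bot: the doubled italic markup `<i> <i>AWS Key Management Service Developer Guide</i> </i>` is a slip carried over from the old text and now appears three times in this hunk, while every other reference in the file uses `*AWS Key Management Service Developer Guide*`; suggest the `*...*` form so YARD renders one italic span. Separately, the old bullet list spelling out which operations a grant may allow on symmetric versus asymmetric CMKs is dropped here; it reappears in condensed form under `:operations` and the asymmetric encryption-context restriction under `:constraints` further down, so the content survives, but the `GrantToken` paragraph would benefit from one sentence saying the token is a bearer credential for the grant's permissions and should be handled accordingly.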
@@ -798,24 +805,19 @@ module Aws::KMS
798
805
  #
799
806
  #
800
807
  #
801
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
802
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
803
- # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
804
- # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
805
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
806
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
807
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
808
- # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
809
- # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
810
- # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
811
- # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
808
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
809
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
810
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
811
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
812
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
813
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
812
814
  #
813
815
  # @option params [required, String] :key_id
814
- # The unique identifier for the customer master key (CMK) that the grant
815
- # applies to.
816
+ # Identifies the customer master key (CMK) for the grant. The grant
817
+ # gives principals permission to use this CMK.
816
818
  #
817
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
818
- # specify a CMK in a different AWS account, you must use the key ARN.
819
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
820
+ # different AWS account, you must use the key ARN.
819
821
  #
820
822
  # For example:
821
823
  #
@@ -827,8 +829,7 @@ module Aws::KMS
827
829
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
828
830
  #
829
831
  # @option params [required, String] :grantee_principal
830
- # The principal that is given permission to perform the operations that
831
- # the grant permits.
832
+ # The identity that gets the permissions specified in the grant.
832
833
  #
833
834
  # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
834
835
  # an AWS principal. Valid AWS principals include AWS accounts (root),
@@ -861,26 +862,52 @@ module Aws::KMS
861
862
  # @option params [required, Array<String>] :operations
862
863
  # A list of operations that the grant permits.
863
864
  #
865
+ # The operation must be supported on the CMK. For example, you cannot
866
+ # create a grant for a symmetric CMK that allows the Sign operation, or
867
+ # a grant for an asymmetric CMK that allows the GenerateDataKey
868
+ # operation. If you try, AWS KMS returns a `ValidationError` exception.
869
+ # For details, see [Grant operations][1] in the *AWS Key Management
870
+ # Service Developer Guide*.
871
+ #
872
+ #
873
+ #
874
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
875
+ #
864
876
  # @option params [Types::GrantConstraints] :constraints
865
- # Allows a [cryptographic operation][1] only when the encryption context
866
- # matches or includes the encryption context specified in this
867
- # structure. For more information about encryption context, see
868
- # [Encryption Context][2] in the <i> <i>AWS Key Management Service
869
- # Developer Guide</i> </i>.
877
+ # Specifies a grant constraint.
878
+ #
879
+ # AWS KMS supports the `EncryptionContextEquals` and
880
+ # `EncryptionContextSubset` grant constraints. Each constraint value can
881
+ # include up to 8 encryption context pairs. The encryption context value
882
+ # in each constraint cannot exceed 384 characters.
883
+ #
884
+ # These grant constraints allow a [cryptographic operation][1] only when
885
+ # the encryption context in the request matches
886
+ # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
887
+ # the encryption context specified in this structure. For more
888
+ # information about encryption context, see [Encryption Context][2] in
889
+ # the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
890
+ # information about grant constraints, see [Using grant constraints][3]
891
+ # in the *AWS Key Management Service Developer Guide*.
870
892
  #
871
- # Grant constraints are not applied to operations that do not support an
872
- # encryption context, such as cryptographic operations with asymmetric
873
- # CMKs and management operations, such as DescribeKey or RetireGrant.
893
+ # The encryption context grant constraints are supported only on
894
+ # operations that include an encryption context. You cannot use an
895
+ # encryption context grant constraint for cryptographic operations with
896
+ # asymmetric CMKs or for management operations, such as DescribeKey or
897
+ # RetireGrant.
874
898
  #
875
899
  #
876
900
  #
877
901
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
878
902
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
903
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
879
904
  #
880
905
  # @option params [Array<String>] :grant_tokens
881
906
  # A list of grant tokens.
882
907
  #
883
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
908
+ # Use a grant token when your permission to call this operation comes
909
+ # from a new grant that has not yet achieved *eventual consistency*. For
910
+ # more information, see [Grant token][1] in the *AWS Key Management
884
911
  # Service Developer Guide*.
885
912
  #
886
913
  #
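Review bot: the new `:operations` text says AWS KMS returns a `ValidationError` exception, while the text removed from the method description above said `CreateGrant` fails with a `ValidationException`; one of the two names is wrong and the inconsistency will send users looking for an error class that does not exist. Confirm the name against the service's error list and use the same spelling in both places. The `:constraints` rewrite is an improvement: stating that `EncryptionContextSubset` matches when the request context includes the constraint pairs (so additional pairs in the request are still permitted) and giving the 8-pair / 384-character limits makes the actual authorization boundary explicit. Since `:constraints` is optional, it is worth adding what an unconstrained grant permits, because that is the default callers get when they omit it.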
@@ -1009,7 +1036,31 @@ module Aws::KMS
1009
1036
  #
1010
1037
  #
1011
1038
  #
1012
- # Imported Key Material
1039
+ # Multi-Region primary keys
1040
+ # Imported key material
1041
+ #
1042
+ # : To create a multi-Region *primary key* in the local AWS Region, use
1043
+ # the `MultiRegion` parameter with a value of `True`. To create a
1044
+ # multi-Region *replica key*, that is, a CMK with the same key ID and
1045
+ # key material as a primary key, but in a different AWS Region, use
1046
+ # the ReplicateKey operation. To change a replica key to a primary
1047
+ # key, and its primary key to a replica key, use the
1048
+ # UpdatePrimaryRegion operation.
1049
+ #
1050
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
1051
+ # lets you create multiple interoperable CMKs in different AWS
1052
+ # Regions. Because these CMKs have the same key ID, key material, and
1053
+ # other metadata, you can use them to encrypt data in one AWS Region
1054
+ # and decrypt it in a different AWS Region without making a
1055
+ # cross-Region call or exposing the plaintext data. For more
1056
+ # information about multi-Region keys, see [Using multi-Region
1057
+ # keys][5] in the *AWS Key Management Service Developer Guide*.
1058
+ #
1059
+ # You can create symmetric and asymmetric multi-Region keys and
1060
+ # multi-Region keys with imported key material. You cannot create
1061
+ # multi-Region keys in a custom key store.
1062
+ #
1063
+ #
1013
1064
  #
1014
1065
  # : To import your own key material, begin by creating a symmetric CMK
1015
1066
  # with no key material. To do this, use the `Origin` parameter of
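Review bot: the definition-list structure is broken in this hunk. The new term `Multi-Region primary keys` is followed directly by the existing term `Imported key material`, and only then by the `:` body about multi-Region keys, so the renderer will attach the multi-Region paragraphs to the `Imported key material` term and leave `Multi-Region primary keys` with no body. Move the `# Imported key material` line down to sit immediately before `# : To import your own key material`, after the multi-Region block's trailing blank lines, matching the layout of the `Custom key store` section that follows.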
@@ -1018,33 +1069,41 @@ module Aws::KMS
1018
1069
  # token, and use the public key to encrypt your key material. Then,
1019
1070
  # use ImportKeyMaterial with your import token to import the key
1020
1071
  # material. For step-by-step instructions, see [Importing Key
1021
- # Material][5] in the <i> <i>AWS Key Management Service Developer
1072
+ # Material][6] in the <i> <i>AWS Key Management Service Developer
1022
1073
  # Guide</i> </i>. You cannot import the key material into an
1023
1074
  # asymmetric CMK.
1024
1075
  #
1076
+ # To create a multi-Region primary key with imported key material, use
1077
+ # the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
1078
+ # the `MultiRegion` parameter with a value of `True`. To create
1079
+ # replicas of the multi-Region primary key, use the ReplicateKey
1080
+ # operation. For more information about multi-Region keys, see [Using
1081
+ # multi-Region keys][5] in the *AWS Key Management Service Developer
1082
+ # Guide*.
1083
+ #
1025
1084
  #
1026
1085
  #
1027
- # Custom Key Stores
1086
+ # Custom key store
1028
1087
  #
1029
- # : To create a symmetric CMK in a [custom key store][6], use the
1088
+ # : To create a symmetric CMK in a [custom key store][7], use the
1030
1089
  # `CustomKeyStoreId` parameter to specify the custom key store. You
1031
1090
  # must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
1032
1091
  # The AWS CloudHSM cluster that is associated with the custom key
1033
1092
  # store must have at least two active HSMs in different Availability
1034
1093
  # Zones in the AWS Region.
1035
1094
  #
1036
- # You cannot create an asymmetric CMK in a custom key store. For
1037
- # information about custom key stores in AWS KMS see [Using Custom Key
1038
- # Stores][6] in the <i> <i>AWS Key Management Service Developer
1039
- # Guide</i> </i>.
1095
+ # You cannot create an asymmetric CMK or a multi-Region CMK in a
1096
+ # custom key store. For information about custom key stores in AWS KMS
1097
+ # see [Using Custom Key Stores][7] in the <i> <i>AWS Key Management
1098
+ # Service Developer Guide</i> </i>.
1040
1099
  #
1041
1100
  # **Cross-account use**\: No. You cannot use this operation to create a
1042
1101
  # CMK in a different AWS account.
1043
1102
  #
1044
- # **Required permissions**\: [kms:CreateKey][7] (IAM policy). To use the
1045
- # `Tags` parameter, [kms:TagResource][7] (IAM policy). For examples and
1103
+ # **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
1104
+ # `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
1046
1105
  # information about related permissions, see [Allow a user to create
1047
- # CMKs][8] in the *AWS Key Management Service Developer Guide*.
1106
+ # CMKs][9] in the *AWS Key Management Service Developer Guide*.
1048
1107
  #
1049
1108
  # **Related operations:**
1050
1109
  #
@@ -1060,10 +1119,11 @@ module Aws::KMS
1060
1119
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
1061
1120
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
1062
1121
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
1063
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1064
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1065
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1066
- # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
1122
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
1123
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1124
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1125
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1126
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
1067
1127
  #
1068
1128
  # @option params [String] :policy
1069
1129
  # The key policy to attach to the CMK.
@@ -1107,7 +1167,7 @@ module Aws::KMS
1107
1167
  # A description of the CMK.
1108
1168
  #
1109
1169
  # Use a description that helps you decide whether the CMK is appropriate
1110
- # for a task.
1170
+ # for a task. The default value is an empty string (no description).
1111
1171
  #
1112
1172
  # @option params [String] :key_usage
1113
1173
  # Determines the [cryptographic operations][1] for which you can use the
@@ -1191,20 +1251,19 @@ module Aws::KMS
1191
1251
  # @option params [String] :origin
1192
1252
  # The source of the key material for the CMK. You cannot change the
1193
1253
  # origin after you create the CMK. The default is `AWS_KMS`, which means
1194
- # AWS KMS creates the key material.
1254
+ # that AWS KMS creates the key material.
1195
1255
  #
1196
- # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
1197
- # key material so that you can import key material from your existing
1198
- # key management infrastructure. For more information about importing
1199
- # key material into AWS KMS, see [Importing Key Material][1] in the *AWS
1200
- # Key Management Service Developer Guide*. This value is valid only for
1256
+ # To create a CMK with no key material (for imported key material), set
1257
+ # the value to `EXTERNAL`. For more information about importing key
1258
+ # material into AWS KMS, see [Importing Key Material][1] in the *AWS Key
1259
+ # Management Service Developer Guide*. This value is valid only for
1201
1260
  # symmetric CMKs.
1202
1261
  #
1203
- # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
1204
- # an AWS KMS [custom key store][2] and creates its key material in the
1205
- # associated AWS CloudHSM cluster. You must also use the
1206
- # `CustomKeyStoreId` parameter to identify the custom key store. This
1207
- # value is valid only for symmetric CMKs.
1262
+ # To create a CMK in an AWS KMS [custom key store][2] and create its key
1263
+ # material in the associated AWS CloudHSM cluster, set this value to
1264
+ # `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter to
1265
+ # identify the custom key store. This value is valid only for symmetric
1266
+ # CMKs.
1208
1267
  #
1209
1268
  #
1210
1269
  #
@@ -1219,8 +1278,9 @@ module Aws::KMS
1219
1278
  # with the custom key store must have at least two active HSMs, each in
1220
1279
  # a different Availability Zone in the Region.
1221
1280
  #
1222
- # This parameter is valid only for symmetric CMKs. You cannot create an
1223
- # asymmetric CMK in a custom key store.
1281
+ # This parameter is valid only for symmetric CMKs and regional CMKs. You
1282
+ # cannot create an asymmetric CMK or a multi-Region CMK in a custom key
1283
+ # store.
1224
1284
  #
1225
1285
  # To find the ID of a custom key store, use the DescribeCustomKeyStores
1226
1286
  # operation.
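Review bot: "valid only for symmetric CMKs and regional CMKs" introduces a term used nowhere else in this file; the `:multi_region` option text in this same diff says "single-Region CMK". Suggest "symmetric, single-Region CMKs" for consistency, and since the next sentence already states that neither an asymmetric nor a multi-Region CMK can be created in a custom key store, the first sentence can be shortened to the positive form rather than restating the restriction twice.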
@@ -1258,25 +1318,63 @@ module Aws::KMS
1258
1318
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1259
1319
  #
1260
1320
  # @option params [Array<Types::Tag>] :tags
1261
- # One or more tags. Each tag consists of a tag key and a tag value. Both
1262
- # the tag key and the tag value are required, but the tag value can be
1263
- # an empty (null) string.
1321
+ # Assigns one or more tags to the CMK. Use this parameter to tag the CMK
1322
+ # when it is created. To tag an existing CMK, use the TagResource
1323
+ # operation.
1264
1324
  #
1265
- # When you add tags to an AWS resource, AWS generates a cost allocation
1266
- # report with usage and costs aggregated by tags. For information about
1267
- # adding, changing, deleting and listing tags for CMKs, see [Tagging
1268
- # Keys][1].
1325
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
1326
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
1327
+ # Service Developer Guide*.
1269
1328
  #
1270
- # Use this parameter to tag the CMK when it is created. To add tags to
1271
- # an existing CMK, use the TagResource operation.
1329
+ # </note>
1272
1330
  #
1273
1331
  # To use this parameter, you must have [kms:TagResource][2] permission
1274
1332
  # in an IAM policy.
1275
1333
  #
1334
+ # Each tag consists of a tag key and a tag value. Both the tag key and
1335
+ # the tag value are required, but the tag value can be an empty (null)
1336
+ # string. You cannot have more than one tag on a CMK with the same tag
1337
+ # key. If you specify an existing tag key with a different tag value,
1338
+ # AWS KMS replaces the current tag value with the specified one.
1276
1339
  #
1340
+ # When you assign tags to an AWS resource, AWS generates a cost
1341
+ # allocation report with usage and costs aggregated by tags. Tags can
1342
+ # also be used to control access to a CMK. For details, see [Tagging
1343
+ # Keys][3].
1277
1344
  #
1278
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
1345
+ #
1346
+ #
1347
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
1279
1348
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1349
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
1350
+ #
1351
+ # @option params [Boolean] :multi_region
1352
+ # Creates a multi-Region primary key that you can replicate into other
1353
+ # AWS Regions. You cannot change this value after you create the CMK.
1354
+ #
1355
+ # For a multi-Region key, set this parameter to `True`. For a
1356
+ # single-Region CMK, omit this parameter or set it to `False`. The
1357
+ # default value is `False`.
1358
+ #
1359
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
1360
+ # lets you create multiple interoperable CMKs in different AWS Regions.
1361
+ # Because these CMKs have the same key ID, key material, and other
1362
+ # metadata, you can use them to encrypt data in one AWS Region and
1363
+ # decrypt it in a different AWS Region without making a cross-Region
1364
+ # call or exposing the plaintext data. For more information about
1365
+ # multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
1366
+ # Management Service Developer Guide*.
1367
+ #
1368
+ # This value creates a *primary key*, not a replica. To create a
1369
+ # *replica key*, use the ReplicateKey operation.
1370
+ #
1371
+ # You can create a symmetric or asymmetric multi-Region CMK, and you can
1372
+ # create a multi-Region CMK with imported key material. However, you
1373
+ # cannot create a multi-Region CMK in a custom key store.
1374
+ #
1375
+ #
1376
+ #
1377
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
1280
1378
  #
1281
1379
  # @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1282
1380
  #
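Review bot: the new `:multi_region` option text tells callers to set the parameter to `True` or `False`, but those are not Ruby literals; the request-syntax example in the next hunk of this file uses `multi_region: false`, so the option description should read `true` / `false` (the capitalized forms look carried over from the shared service model rather than written for this SDK). Since the same paragraph says the value cannot be changed after the CMK is created, getting the literal right matters more here than in a purely cosmetic option.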
@@ -1328,6 +1426,7 @@ module Aws::KMS
1328
1426
  # tag_value: "TagValueType", # required
1329
1427
  # },
1330
1428
  # ],
1429
+ # multi_region: false,
1331
1430
  # })
1332
1431
  #
1333
1432
  # @example Response structure
@@ -1339,7 +1438,7 @@ module Aws::KMS
1339
1438
  # resp.key_metadata.enabled #=> Boolean
1340
1439
  # resp.key_metadata.description #=> String
1341
1440
  # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
1342
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
1441
+ # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
1343
1442
  # resp.key_metadata.deletion_date #=> Time
1344
1443
  # resp.key_metadata.valid_to #=> Time
1345
1444
  # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
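Review bot: the `key_state` enumeration in the response-structure comment grows from five to eight values (`Creating`, `PendingReplicaDeletion` and `Updating` are new). A caller that decides whether a key is usable with a case statement over the old five values, or with a negative check such as "not Disabled and not PendingDeletion", will now let a key in `Creating` or `Updating` fall through. Suggest the comment, or the `:multi_region` option text, say that callers should treat every state other than `Enabled`, and any value they do not recognize, as not available for cryptographic operations.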
@@ -1352,6 +1451,14 @@ module Aws::KMS
1352
1451
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
1353
1452
  # resp.key_metadata.signing_algorithms #=> Array
1354
1453
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
1454
+ # resp.key_metadata.multi_region #=> Boolean
1455
+ # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
1456
+ # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
1457
+ # resp.key_metadata.multi_region_configuration.primary_key.region #=> String
1458
+ # resp.key_metadata.multi_region_configuration.replica_keys #=> Array
1459
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
1460
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
1461
+ # resp.key_metadata.pending_deletion_window_in_days #=> Integer
1355
1462
  #
1356
1463
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
1357
1464
  #
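Review bot: the added response-structure lines document `resp.key_metadata.multi_region_configuration.primary_key.arn` and `resp.key_metadata.multi_region_configuration.replica_keys[0].region` as if the nested structures were always present, yet the DescribeKey example response later in this diff shows `multi_region: false` with no `multi_region_configuration` member at all. Suggest a line stating that callers check `resp.key_metadata.multi_region` before dereferencing `multi_region_configuration`, so single-Region keys do not raise `NoMethodError` on nil.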
@@ -1412,8 +1519,8 @@ module Aws::KMS
1412
1519
  # policies][4] in the *AWS Key Management Service Developer Guide*.
1413
1520
  #
1414
1521
  # The CMK that you use for this operation must be in a compatible key
1415
- # state. For details, see [How Key State Affects Use of a Customer
1416
- # Master Key][5] in the *AWS Key Management Service Developer Guide*.
1522
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
1523
+ # Key Management Service Developer Guide*.
1417
1524
  #
1418
1525
  # **Cross-account use**\: Yes. You can decrypt a ciphertext using a CMK
1419
1526
  # in a different AWS account.
@@ -1466,8 +1573,12 @@ module Aws::KMS
1466
1573
  # @option params [Array<String>] :grant_tokens
1467
1574
  # A list of grant tokens.
1468
1575
  #
1469
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
1470
- # Service Developer Guide*.
1576
+ # Use a grant token when your permission to call this operation comes
1577
+ # from a newly created grant that has not yet achieved eventual
1578
+ # consistency. Use a grant token when your permission to call this
1579
+ # operation comes from a new grant that has not yet achieved *eventual
1580
+ # consistency*. For more information, see [Grant token][1] in the *AWS
1581
+ # Key Management Service Developer Guide*.
1471
1582
  #
1472
1583
  #
1473
1584
  #
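Review bot: the replacement text for `:grant_tokens` in this hunk states the same sentence twice, first as "Use a grant token when your permission to call this operation comes from a newly created grant that has not yet achieved eventual consistency." and then immediately as "Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved *eventual consistency*." Keep only the second, italicized form, which is the wording the other operations' `:grant_tokens` descriptions in this diff use.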
@@ -1484,10 +1595,9 @@ module Aws::KMS
1484
1595
  # However, it is always recommended as a best practice. This practice
1485
1596
  # ensures that you use the CMK that you intend.
1486
1597
  #
1487
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1488
- # name, or alias ARN. When using an alias name, prefix it with
1489
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1490
- # the key ARN or alias ARN.
1598
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1599
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
1600
+ # in a different AWS account, you must use the key ARN or alias ARN.
1491
1601
  #
1492
1602
  # For example:
1493
1603
  #
@@ -1565,6 +1675,12 @@ module Aws::KMS
1565
1675
 
1566
1676
  # Deletes the specified alias.
1567
1677
  #
1678
+ # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
1679
+ # the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
1680
+ # Management Service Developer Guide*.
1681
+ #
1682
+ # </note>
1683
+ #
1568
1684
  # Because an alias is not a property of a CMK, you can delete and change
1569
1685
  # the aliases of a CMK without affecting the CMK. Also, aliases do not
1570
1686
  # appear in the response from the DescribeKey operation. To get the
@@ -1580,11 +1696,11 @@ module Aws::KMS
1580
1696
  #
1581
1697
  # **Required permissions**
1582
1698
  #
1583
- # * [kms:DeleteAlias][1] on the alias (IAM policy).
1699
+ # * [kms:DeleteAlias][2] on the alias (IAM policy).
1584
1700
  #
1585
- # * [kms:DeleteAlias][1] on the CMK (key policy).
1701
+ # * [kms:DeleteAlias][2] on the CMK (key policy).
1586
1702
  #
1587
- # For details, see [Controlling access to aliases][2] in the *AWS Key
1703
+ # For details, see [Controlling access to aliases][3] in the *AWS Key
1588
1704
  # Management Service Developer Guide*.
1589
1705
  #
1590
1706
  # **Related operations:**
@@ -1597,8 +1713,9 @@ module Aws::KMS
1597
1713
  #
1598
1714
  #
1599
1715
  #
1600
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1601
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
1716
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
1717
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1718
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
1602
1719
  #
1603
1720
  # @option params [required, String] :alias_name
1604
1721
  # The alias to be deleted. The alias name must begin with `alias/`
@@ -1721,8 +1838,8 @@ module Aws::KMS
1721
1838
  # reimport the same key material into the CMK.
1722
1839
  #
1723
1840
  # The CMK that you use for this operation must be in a compatible key
1724
- # state. For details, see [How Key State Affects Use of a Customer
1725
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
1841
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
1842
+ # Key Management Service Developer Guide*.
1726
1843
  #
1727
1844
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
1728
1845
  # in a different AWS account.
@@ -1746,7 +1863,7 @@ module Aws::KMS
1746
1863
  # Identifies the CMK from which you are deleting imported key material.
1747
1864
  # The `Origin` of the CMK must be `EXTERNAL`.
1748
1865
  #
1749
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1866
+ # Specify the key ID or key ARN of the CMK.
1750
1867
  #
1751
1868
  # For example:
1752
1869
  #
@@ -1784,14 +1901,14 @@ module Aws::KMS
1784
1901
  end
1785
1902
 
1786
1903
  # Gets information about [custom key stores][1] in the account and
1787
- # region.
1904
+ # Region.
1788
1905
  #
1789
1906
  # This operation is part of the [Custom Key Store feature][1] feature in
1790
1907
  # AWS KMS, which combines the convenience and extensive integration of
1791
1908
  # AWS KMS with the isolation and control of a single-tenant key store.
1792
1909
  #
1793
1910
  # By default, this operation returns information about all custom key
1794
- # stores in the account and region. To get only information about a
1911
+ # stores in the account and Region. To get only information about a
1795
1912
  # particular custom key store, use either the `CustomKeyStoreName` or
1796
1913
  # `CustomKeyStoreId` parameter (but not both).
1797
1914
  #
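Review bot: while this hunk capitalizes "Region" in the DescribeCustomKeyStores description, the unchanged context line just after the change still reads "This operation is part of the [Custom Key Store feature][1] feature in AWS KMS". Drop the repeated word ("part of the [Custom Key Store feature][1] in AWS KMS") while the paragraph is being touched.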
@@ -1842,7 +1959,7 @@ module Aws::KMS
1842
1959
  # key store ID.
1843
1960
  #
1844
1961
  # By default, this operation gets information about all custom key
1845
- # stores in the account and region. To limit the output to a particular
1962
+ # stores in the account and Region. To limit the output to a particular
1846
1963
  # custom key store, you can use either the `CustomKeyStoreId` or
1847
1964
  # `CustomKeyStoreName` parameter, but not both.
1848
1965
  #
@@ -1851,7 +1968,7 @@ module Aws::KMS
1851
1968
  # friendly name of the custom key store.
1852
1969
  #
1853
1970
  # By default, this operation gets information about all custom key
1854
- # stores in the account and region. To limit the output to a particular
1971
+ # stores in the account and Region. To limit the output to a particular
1855
1972
  # custom key store, you can use either the `CustomKeyStoreId` or
1856
1973
  # `CustomKeyStoreName` parameter, but not both.
1857
1974
  #
@@ -1974,10 +2091,9 @@ module Aws::KMS
1974
2091
  # KMS associates the alias with an [AWS managed CMK][1] and returns its
1975
2092
  # `KeyId` and `Arn` in the response.
1976
2093
  #
1977
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1978
- # name, or alias ARN. When using an alias name, prefix it with
1979
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1980
- # the key ARN or alias ARN.
2094
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2095
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
2096
+ # in a different AWS account, you must use the key ARN or alias ARN.
1981
2097
  #
1982
2098
  # For example:
1983
2099
  #
@@ -2000,7 +2116,9 @@ module Aws::KMS
2000
2116
  # @option params [Array<String>] :grant_tokens
2001
2117
  # A list of grant tokens.
2002
2118
  #
2003
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
2119
+ # Use a grant token when your permission to call this operation comes
2120
+ # from a new grant that has not yet achieved *eventual consistency*. For
2121
+ # more information, see [Grant token][1] in the *AWS Key Management
2004
2122
  # Service Developer Guide*.
2005
2123
  #
2006
2124
  #
@@ -2012,9 +2130,9 @@ module Aws::KMS
2012
2130
  # * {Types::DescribeKeyResponse#key_metadata #key_metadata} => Types::KeyMetadata
2013
2131
  #
2014
2132
  #
2015
- # @example Example: To obtain information about a customer master key (CMK)
2133
+ # @example Example: To get details about a customer master key (CMK)
2016
2134
  #
2017
- # # The following example returns information (metadata) about the specified CMK.
2135
+ # # The following example gets metadata about a symmetric CMK.
2018
2136
  #
2019
2137
  # resp = client.describe_key({
2020
2138
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the CMK that you want information about. You can use the key ID or the Amazon Resource Name (ARN) of the CMK.
@@ -2026,12 +2144,17 @@ module Aws::KMS
2026
2144
  # aws_account_id: "111122223333",
2027
2145
  # arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
2028
2146
  # creation_date: Time.parse("2017-07-05T14:04:55-07:00"),
2147
+ # customer_master_key_spec: "SYMMETRIC_DEFAULT",
2029
2148
  # description: "",
2030
2149
  # enabled: true,
2150
+ # encryption_algorithms: [
2151
+ # "SYMMETRIC_DEFAULT",
2152
+ # ],
2031
2153
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
2032
2154
  # key_manager: "CUSTOMER",
2033
2155
  # key_state: "Enabled",
2034
2156
  # key_usage: "ENCRYPT_DECRYPT",
2157
+ # multi_region: false,
2035
2158
  # origin: "AWS_KMS",
2036
2159
  # }, # An object that contains information about the specified CMK.
2037
2160
  # }
@@ -2052,7 +2175,7 @@ module Aws::KMS
2052
2175
  # resp.key_metadata.enabled #=> Boolean
2053
2176
  # resp.key_metadata.description #=> String
2054
2177
  # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
2055
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
2178
+ # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
2056
2179
  # resp.key_metadata.deletion_date #=> Time
2057
2180
  # resp.key_metadata.valid_to #=> Time
2058
2181
  # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
@@ -2065,6 +2188,14 @@ module Aws::KMS
2065
2188
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
2066
2189
  # resp.key_metadata.signing_algorithms #=> Array
2067
2190
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
2191
+ # resp.key_metadata.multi_region #=> Boolean
2192
+ # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
2193
+ # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
2194
+ # resp.key_metadata.multi_region_configuration.primary_key.region #=> String
2195
+ # resp.key_metadata.multi_region_configuration.replica_keys #=> Array
2196
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
2197
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
2198
+ # resp.key_metadata.pending_deletion_window_in_days #=> Integer
2068
2199
  #
2069
2200
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
2070
2201
  #
@@ -2079,12 +2210,12 @@ module Aws::KMS
2079
2210
  # temporarily prevents use of the CMK for [cryptographic operations][1].
2080
2211
  #
2081
2212
  # For more information about how key state affects the use of a CMK, see
2082
- # [How Key State Affects the Use of a Customer Master Key][2] in the <i>
2083
- # <i>AWS Key Management Service Developer Guide</i> </i>.
2213
+ # [Key state: Effect on your CMK][2] in the <i> <i>AWS Key Management
2214
+ # Service Developer Guide</i> </i>.
2084
2215
  #
2085
2216
  # The CMK that you use for this operation must be in a compatible key
2086
- # state. For details, see [How Key State Affects Use of a Customer
2087
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2217
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2218
+ # Key Management Service Developer Guide*.
2088
2219
  #
2089
2220
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2090
2221
  # in a different AWS account.
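Review bot: the rewritten DisableKey sentence keeps the pre-existing nested italics, `in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.`, which wraps the same title in two tags, while the next sentence of the same hunk writes it as `*AWS Key Management Service Developer Guide*`. Suggest collapsing the first to the single `*...*` form so the two sentences render alike and no raw `<i>` leaks into the YARD output.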
@@ -2100,9 +2231,9 @@ module Aws::KMS
2100
2231
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2101
2232
  #
2102
2233
  # @option params [required, String] :key_id
2103
- # A unique identifier for the customer master key (CMK).
2234
+ # Identifies the customer master key (CMK) to disable.
2104
2235
  #
2105
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2236
+ # Specify the key ID or key ARN of the CMK.
2106
2237
  #
2107
2238
  # For example:
2108
2239
  #
@@ -2142,17 +2273,19 @@ module Aws::KMS
2142
2273
  # Disables [automatic rotation of the key material][1] for the specified
2143
2274
  # symmetric customer master key (CMK).
2144
2275
  #
2145
- # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
2146
- # imported key material, or CMKs in a [custom key store][2].
2276
+ # You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
2277
+ # with [imported key material][3], or CMKs in a [custom key store][4].
2278
+ # To enable or disable automatic rotation of a set of related
2279
+ # [multi-Region keys][5], set the property on the primary key.
2147
2280
  #
2148
2281
  # The CMK that you use for this operation must be in a compatible key
2149
- # state. For details, see [How Key State Affects Use of a Customer
2150
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
2282
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
2283
+ # Key Management Service Developer Guide*.
2151
2284
  #
2152
2285
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2153
2286
  # in a different AWS account.
2154
2287
  #
2155
- # **Required permissions**\: [kms:DisableKeyRotation][4] (key policy)
2288
+ # **Required permissions**\: [kms:DisableKeyRotation][7] (key policy)
2156
2289
  #
2157
2290
  # **Related operations:**
2158
2291
  #
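Review bot: in the DisableKeyRotation description the rewritten line still says "You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs with [imported key material][3], or CMKs in a [custom key store][4]." even though this is the disable operation; the `:key_id` text for the same method (unchanged context in the next hunk) reads "You cannot enable or disable automatic rotation". Suggest "enable or disable" here as well.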
@@ -2163,16 +2296,19 @@ module Aws::KMS
2163
2296
  #
2164
2297
  #
2165
2298
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2166
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2167
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2168
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2299
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
2300
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2301
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2302
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2303
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2304
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2169
2305
  #
2170
2306
  # @option params [required, String] :key_id
2171
2307
  # Identifies a symmetric customer master key (CMK). You cannot enable or
2172
2308
  # disable automatic rotation of [asymmetric CMKs][1], CMKs with
2173
2309
  # [imported key material][2], or CMKs in a [custom key store][3].
2174
2310
  #
2175
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2311
+ # Specify the key ID or key ARN of the CMK.
2176
2312
  #
2177
2313
  # For example:
2178
2314
  #
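Review bot: the `:key_id` option of DisableKeyRotation receives only the "key ID or key ARN" wording change; the sentence "To enable or disable automatic rotation of a set of related [multi-Region keys][4], set the property on the primary key." that this diff adds to EnableKeyRotation's `:key_id`, together with its `[4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key` link, is missing here, so the two rotation operations document the multi-Region behaviour inconsistently. Suggest adding the same sentence and fourth link to this option.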
@@ -2291,8 +2427,8 @@ module Aws::KMS
2291
2427
  # allows you to use the CMK for [cryptographic operations][1].
2292
2428
  #
2293
2429
  # The CMK that you use for this operation must be in a compatible key
2294
- # state. For details, see [How Key State Affects Use of a Customer
2295
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2430
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2431
+ # Key Management Service Developer Guide*.
2296
2432
  #
2297
2433
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2298
2434
  # in a different AWS account.
@@ -2308,9 +2444,9 @@ module Aws::KMS
2308
2444
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2309
2445
  #
2310
2446
  # @option params [required, String] :key_id
2311
- # A unique identifier for the customer master key (CMK).
2447
+ # Identifies the customer master key (CMK) to enable.
2312
2448
  #
2313
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2449
+ # Specify the key ID or key ARN of the CMK.
2314
2450
  #
2315
2451
  # For example:
2316
2452
  #
@@ -2350,17 +2486,19 @@ module Aws::KMS
2350
2486
  # Enables [automatic rotation of the key material][1] for the specified
2351
2487
  # symmetric customer master key (CMK).
2352
2488
  #
2353
- # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
2354
- # imported key material, or CMKs in a [custom key store][2].
2489
+ # You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
2490
+ # with [imported key material][3], or CMKs in a [custom key store][4].
2491
+ # To enable or disable automatic rotation of a set of related
2492
+ # [multi-Region keys][5], set the property on the primary key.
2355
2493
  #
2356
2494
  # The CMK that you use for this operation must be in a compatible key
2357
- # state. For details, see [How Key State Affects Use of a Customer
2358
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
2495
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
2496
+ # Key Management Service Developer Guide*.
2359
2497
  #
2360
2498
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2361
2499
  # in a different AWS account.
2362
2500
  #
2363
- # **Required permissions**\: [kms:EnableKeyRotation][4] (key policy)
2501
+ # **Required permissions**\: [kms:EnableKeyRotation][7] (key policy)
2364
2502
  #
2365
2503
  # **Related operations:**
2366
2504
  #
@@ -2371,16 +2509,21 @@ module Aws::KMS
2371
2509
  #
2372
2510
  #
2373
2511
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2374
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2375
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2376
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2512
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
2513
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2514
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2515
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2516
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2517
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2377
2518
  #
2378
2519
  # @option params [required, String] :key_id
2379
2520
  # Identifies a symmetric customer master key (CMK). You cannot enable
2380
- # automatic rotation of asymmetric CMKs, CMKs with imported key
2381
- # material, or CMKs in a [custom key store][1].
2521
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
2522
+ # material][2], or CMKs in a [custom key store][3]. To enable or disable
2523
+ # automatic rotation of a set of related [multi-Region keys][4], set the
2524
+ # property on the primary key.
2382
2525
  #
2383
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2526
+ # Specify the key ID or key ARN of the CMK.
2384
2527
  #
2385
2528
  # For example:
2386
2529
  #
@@ -2393,7 +2536,10 @@ module Aws::KMS
2393
2536
  #
2394
2537
  #
2395
2538
  #
2396
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2539
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
2540
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2541
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2542
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2397
2543
  #
2398
2544
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
2399
2545
  #
@@ -2496,8 +2642,8 @@ module Aws::KMS
2496
2642
  # * `RSAES_OAEP_SHA_256`\: 446 bytes
2497
2643
  #
2498
2644
  # The CMK that you use for this operation must be in a compatible key
2499
- # state. For details, see [How Key State Affects Use of a Customer
2500
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2645
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2646
+ # Key Management Service Developer Guide*.
2501
2647
  #
2502
2648
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
2503
2649
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -2520,12 +2666,12 @@ module Aws::KMS
2520
2666
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2521
2667
  #
2522
2668
  # @option params [required, String] :key_id
2523
- # A unique identifier for the customer master key (CMK).
2669
+ # Identifies the customer master key (CMK) to use in the encryption
2670
+ # operation.
2524
2671
  #
2525
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2526
- # name, or alias ARN. When using an alias name, prefix it with
2527
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2528
- # the key ARN or alias ARN.
2672
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2673
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
2674
+ # in a different AWS account, you must use the key ARN or alias ARN.
2529
2675
  #
2530
2676
  # For example:
2531
2677
  #
@@ -2569,7 +2715,9 @@ module Aws::KMS
2569
2715
  # @option params [Array<String>] :grant_tokens
2570
2716
  # A list of grant tokens.
2571
2717
  #
2572
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
2718
+ # Use a grant token when your permission to call this operation comes
2719
+ # from a new grant that has not yet achieved *eventual consistency*. For
2720
+ # more information, see [Grant token][1] in the *AWS Key Management
2573
2721
  # Service Developer Guide*.
2574
2722
  #
2575
2723
  #
@@ -2666,8 +2814,8 @@ module Aws::KMS
2666
2814
  # Service Developer Guide*.
2667
2815
  #
2668
2816
  # The CMK that you use for this operation must be in a compatible key
2669
- # state. For details, see [How Key State Affects Use of a Customer
2670
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2817
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2818
+ # Key Management Service Developer Guide*.
2671
2819
  #
2672
2820
  # **How to use your data key**
2673
2821
  #
@@ -2726,10 +2874,9 @@ module Aws::KMS
2726
2874
  # @option params [required, String] :key_id
2727
2875
  # Identifies the symmetric CMK that encrypts the data key.
2728
2876
  #
2729
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2730
- # name, or alias ARN. When using an alias name, prefix it with
2731
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2732
- # the key ARN or alias ARN.
2877
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2878
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
2879
+ # in a different AWS account, you must use the key ARN or alias ARN.
2733
2880
  #
2734
2881
  # For example:
2735
2882
  #
@@ -2783,7 +2930,9 @@ module Aws::KMS
2783
2930
  # @option params [Array<String>] :grant_tokens
2784
2931
  # A list of grant tokens.
2785
2932
  #
2786
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
2933
+ # Use a grant token when your permission to call this operation comes
2934
+ # from a new grant that has not yet achieved *eventual consistency*. For
2935
+ # more information, see [Grant token][1] in the *AWS Key Management
2787
2936
  # Service Developer Guide*.
2788
2937
  #
2789
2938
  #
@@ -2880,8 +3029,8 @@ module Aws::KMS
2880
3029
  # Service Developer Guide*.
2881
3030
  #
2882
3031
  # The CMK that you use for this operation must be in a compatible key
2883
- # state. For details, see [How Key State Affects Use of a Customer
2884
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3032
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3033
+ # Key Management Service Developer Guide*.
2885
3034
  #
2886
3035
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
2887
3036
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -2931,10 +3080,9 @@ module Aws::KMS
2931
3080
  # key store. To get the type and origin of your CMK, use the DescribeKey
2932
3081
  # operation.
2933
3082
  #
2934
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2935
- # name, or alias ARN. When using an alias name, prefix it with
2936
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2937
- # the key ARN or alias ARN.
3083
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3084
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3085
+ # in a different AWS account, you must use the key ARN or alias ARN.
2938
3086
  #
2939
3087
  # For example:
2940
3088
  #
@@ -2961,7 +3109,9 @@ module Aws::KMS
2961
3109
  # @option params [Array<String>] :grant_tokens
2962
3110
  # A list of grant tokens.
2963
3111
  #
2964
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3112
+ # Use a grant token when your permission to call this operation comes
3113
+ # from a new grant that has not yet achieved *eventual consistency*. For
3114
+ # more information, see [Grant token][1] in the *AWS Key Management
2965
3115
  # Service Developer Guide*.
2966
3116
  #
2967
3117
  #
@@ -3035,8 +3185,8 @@ module Aws::KMS
3035
3185
  # Service Developer Guide*.
3036
3186
  #
3037
3187
  # The CMK that you use for this operation must be in a compatible key
3038
- # state. For details, see [How Key State Affects Use of a Customer
3039
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3188
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3189
+ # Key Management Service Developer Guide*.
3040
3190
  #
3041
3191
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
3042
3192
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -3087,10 +3237,9 @@ module Aws::KMS
3087
3237
  # a CMK in a custom key store. To get the type and origin of your CMK,
3088
3238
  # use the DescribeKey operation.
3089
3239
  #
3090
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3091
- # name, or alias ARN. When using an alias name, prefix it with
3092
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3093
- # the key ARN or alias ARN.
3240
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3241
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3242
+ # in a different AWS account, you must use the key ARN or alias ARN.
3094
3243
  #
3095
3244
  # For example:
3096
3245
  #
@@ -3117,7 +3266,9 @@ module Aws::KMS
3117
3266
  # @option params [Array<String>] :grant_tokens
3118
3267
  # A list of grant tokens.
3119
3268
  #
3120
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3269
+ # Use a grant token when your permission to call this operation comes
3270
+ # from a new grant that has not yet achieved *eventual consistency*. For
3271
+ # more information, see [Grant token][1] in the *AWS Key Management
3121
3272
  # Service Developer Guide*.
3122
3273
  #
3123
3274
  #
@@ -3200,8 +3351,8 @@ module Aws::KMS
3200
3351
  # Service Developer Guide*.
3201
3352
  #
3202
3353
  # The CMK that you use for this operation must be in a compatible key
3203
- # state. For details, see [How Key State Affects Use of a Customer
3204
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3354
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3355
+ # Key Management Service Developer Guide*.
3205
3356
  #
3206
3357
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
3207
3358
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -3232,10 +3383,9 @@ module Aws::KMS
3232
3383
  # The identifier of the symmetric customer master key (CMK) that
3233
3384
  # encrypts the data key.
3234
3385
  #
3235
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3236
- # name, or alias ARN. When using an alias name, prefix it with
3237
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3238
- # the key ARN or alias ARN.
3386
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3387
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3388
+ # in a different AWS account, you must use the key ARN or alias ARN.
3239
3389
  #
3240
3390
  # For example:
3241
3391
  #
@@ -3282,7 +3432,9 @@ module Aws::KMS
3282
3432
  # @option params [Array<String>] :grant_tokens
3283
3433
  # A list of grant tokens.
3284
3434
  #
3285
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3435
+ # Use a grant token when your permission to call this operation comes
3436
+ # from a new grant that has not yet achieved *eventual consistency*. For
3437
+ # more information, see [Grant token][1] in the *AWS Key Management
3286
3438
  # Service Developer Guide*.
3287
3439
  #
3288
3440
  #
@@ -3345,14 +3497,14 @@ module Aws::KMS
3345
3497
  # ID.
3346
3498
  #
3347
3499
  # For more information about entropy and random number generation, see
3348
- # the [AWS Key Management Service Cryptographic Details][2] whitepaper.
3500
+ # [AWS Key Management Service Cryptographic Details][2].
3349
3501
  #
3350
3502
  # **Required permissions**\: [kms:GenerateRandom][3] (IAM policy)
3351
3503
  #
3352
3504
  #
3353
3505
  #
3354
3506
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3355
- # [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
3507
+ # [2]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
3356
3508
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3357
3509
  #
3358
3510
  # @option params [Integer] :number_of_bytes
@@ -3419,9 +3571,9 @@ module Aws::KMS
3419
3571
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3420
3572
  #
3421
3573
  # @option params [required, String] :key_id
3422
- # A unique identifier for the customer master key (CMK).
3574
+ # Gets the key policy for the specified customer master key (CMK).
3423
3575
  #
3424
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3576
+ # Specify the key ID or key ARN of the CMK.
3425
3577
  #
3426
3578
  # For example:
3427
3579
  #
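Review bot: The replacement text for the `:key_id` option in this hunk ("Gets the key policy for the specified customer master key (CMK).") describes the operation rather than the parameter, so it reads oddly next to the following line "Specify the key ID or key ARN of the CMK." The old wording ("A unique identifier for the customer master key (CMK).") was parameter-shaped. The same pattern recurs in the `:key_id` descriptions for GetKeyRotationStatus, ListKeyPolicies, ListResourceTags and PutKeyPolicy further down this diff. If the text is taken verbatim from the upstream API model it may be better left as is; otherwise a parameter-style sentence such as "The customer master key (CMK) whose key policy you want to get." fits the surrounding lines.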
@@ -3479,13 +3631,15 @@ module Aws::KMS
3479
3631
  # key material][1] is enabled for the specified customer master key
3480
3632
  # (CMK).
3481
3633
  #
3482
- # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
3483
- # imported key material, or CMKs in a [custom key store][2]. The key
3634
+ # You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
3635
+ # with [imported key material][3], or CMKs in a [custom key store][4].
3636
+ # To enable or disable automatic rotation of a set of related
3637
+ # [multi-Region keys][5], set the property on the primary key. The key
3484
3638
  # rotation status for these CMKs is always `false`.
3485
3639
  #
3486
3640
  # The CMK that you use for this operation must be in a compatible key
3487
- # state. For details, see [How Key State Affects Use of a Customer
3488
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
3641
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
3642
+ # Key Management Service Developer Guide*.
3489
3643
  #
3490
3644
  # * Disabled: The key rotation status does not change when you disable a
3491
3645
  # CMK. However, while the CMK is disabled, AWS KMS does not rotate the
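Review bot: The sentence added about multi-Region keys ("To enable or disable automatic rotation of a set of related [multi-Region keys][5], set the property on the primary key.") is inserted between the list of CMK types that cannot be rotated and the unchanged line "The key rotation status for these CMKs is always `false`.", so "these CMKs" now appears to refer to multi-Region keys, which contradicts the sentence just before it saying rotation can be set on the primary key. Suggest moving the multi-Region sentence after "always `false`." (or into its own paragraph) so that "these CMKs" keeps referring to the asymmetric, imported-material and custom-key-store CMKs.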
@@ -3500,7 +3654,7 @@ module Aws::KMS
3500
3654
  # different AWS account, specify the key ARN in the value of the `KeyId`
3501
3655
  # parameter.
3502
3656
  #
3503
- # **Required permissions**\: [kms:GetKeyRotationStatus][4] (key policy)
3657
+ # **Required permissions**\: [kms:GetKeyRotationStatus][7] (key policy)
3504
3658
  #
3505
3659
  # **Related operations:**
3506
3660
  #
@@ -3511,15 +3665,18 @@ module Aws::KMS
3511
3665
  #
3512
3666
  #
3513
3667
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
3514
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3515
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3516
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3668
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
3669
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
3670
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3671
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
3672
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3673
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3517
3674
  #
3518
3675
  # @option params [required, String] :key_id
3519
- # A unique identifier for the customer master key (CMK).
3676
+ # Gets the rotation status for the specified customer master key (CMK).
3520
3677
  #
3521
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
3522
- # specify a CMK in a different AWS account, you must use the key ARN.
3678
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
3679
+ # different AWS account, you must use the key ARN.
3523
3680
  #
3524
3681
  # For example:
3525
3682
  #
@@ -3591,8 +3748,8 @@ module Aws::KMS
3591
3748
  # `GetParametersForImport` request.
3592
3749
  #
3593
3750
  # The CMK that you use for this operation must be in a compatible key
3594
- # state. For details, see [How Key State Affects Use of a Customer
3595
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3751
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3752
+ # Key Management Service Developer Guide*.
3596
3753
  #
3597
3754
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
3598
3755
  # in a different AWS account.
@@ -3616,7 +3773,7 @@ module Aws::KMS
3616
3773
  # The identifier of the symmetric CMK into which you will import key
3617
3774
  # material. The `Origin` of the CMK must be `EXTERNAL`.
3618
3775
  #
3619
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3776
+ # Specify the key ID or key ARN of the CMK.
3620
3777
  #
3621
3778
  # For example:
3622
3779
  #
@@ -3730,8 +3887,8 @@ module Aws::KMS
3730
3887
  # algorithm in a verification operation.
3731
3888
  #
3732
3889
  # The CMK that you use for this operation must be in a compatible key
3733
- # state. For details, see [How Key State Affects Use of a Customer
3734
- # Master Key][7] in the *AWS Key Management Service Developer Guide*.
3890
+ # state. For details, see [Key state: Effect on your CMK][7] in the *AWS
3891
+ # Key Management Service Developer Guide*.
3735
3892
  #
3736
3893
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
3737
3894
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -3755,10 +3912,9 @@ module Aws::KMS
3755
3912
  # @option params [required, String] :key_id
3756
3913
  # Identifies the asymmetric CMK that includes the public key.
3757
3914
  #
3758
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3759
- # name, or alias ARN. When using an alias name, prefix it with
3760
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3761
- # the key ARN or alias ARN.
3915
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3916
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3917
+ # in a different AWS account, you must use the key ARN or alias ARN.
3762
3918
  #
3763
3919
  # For example:
3764
3920
  #
@@ -3777,7 +3933,9 @@ module Aws::KMS
3777
3933
  # @option params [Array<String>] :grant_tokens
3778
3934
  # A list of grant tokens.
3779
3935
  #
3780
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3936
+ # Use a grant token when your permission to call this operation comes
3937
+ # from a new grant that has not yet achieved *eventual consistency*. For
3938
+ # more information, see [Grant token][1] in the *AWS Key Management
3781
3939
  # Service Developer Guide*.
3782
3940
  #
3783
3941
  #
@@ -3870,8 +4028,8 @@ module Aws::KMS
3870
4028
  # Service Developer Guide*.
3871
4029
  #
3872
4030
  # The CMK that you use for this operation must be in a compatible key
3873
- # state. For details, see [How Key State Affects Use of a Customer
3874
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
4031
+ # state. For details, see [Key state: Effect on your CMK][4] in the *AWS
4032
+ # Key Management Service Developer Guide*.
3875
4033
  #
3876
4034
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
3877
4035
  # in a different AWS account.
@@ -3898,7 +4056,7 @@ module Aws::KMS
3898
4056
  # same CMK specified in the `KeyID` parameter of the corresponding
3899
4057
  # GetParametersForImport request.
3900
4058
  #
3901
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4059
+ # Specify the key ID or key ARN of the CMK.
3902
4060
  #
3903
4061
  # For example:
3904
4062
  #
@@ -4014,7 +4172,7 @@ module Aws::KMS
4014
4172
  # This parameter is optional. If you omit it, `ListAliases` returns all
4015
4173
  # aliases in the account and Region.
4016
4174
  #
4017
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4175
+ # Specify the key ID or key ARN of the CMK.
4018
4176
  #
4019
4177
  # For example:
4020
4178
  #
@@ -4181,8 +4339,8 @@ module Aws::KMS
4181
4339
  # Returns only grants for the specified customer master key (CMK). This
4182
4340
  # parameter is required.
4183
4341
  #
4184
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
4185
- # specify a CMK in a different AWS account, you must use the key ARN.
4342
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
4343
+ # different AWS account, you must use the key ARN.
4186
4344
  #
4187
4345
  # For example:
4188
4346
  #
@@ -4335,9 +4493,10 @@ module Aws::KMS
4335
4493
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4336
4494
  #
4337
4495
  # @option params [required, String] :key_id
4338
- # A unique identifier for the customer master key (CMK).
4496
+ # Gets the names of key policies for the specified customer master key
4497
+ # (CMK).
4339
4498
  #
4340
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4499
+ # Specify the key ID or key ARN of the CMK.
4341
4500
  #
4342
4501
  # For example:
4343
4502
  #
@@ -4538,6 +4697,10 @@ module Aws::KMS
4538
4697
  #
4539
4698
  # **Related operations:**
4540
4699
  #
4700
+ # * CreateKey
4701
+ #
4702
+ # * ReplicateKey
4703
+ #
4541
4704
  # * TagResource
4542
4705
  #
4543
4706
  # * UntagResource
@@ -4549,9 +4712,9 @@ module Aws::KMS
4549
4712
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4550
4713
  #
4551
4714
  # @option params [required, String] :key_id
4552
- # A unique identifier for the customer master key (CMK).
4715
+ # Gets tags on the specified customer master key (CMK).
4553
4716
  #
4554
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4717
+ # Specify the key ID or key ARN of the CMK.
4555
4718
  #
4556
4719
  # For example:
4557
4720
  #
@@ -4637,8 +4800,10 @@ module Aws::KMS
4637
4800
  req.send_request(options)
4638
4801
  end
4639
4802
 
4640
- # Returns all grants in which the specified principal is the
4641
- # `RetiringPrincipal` in the grant.
4803
+ # Returns information about all grants in the AWS account and Region
4804
+ # that have the specified retiring principal. For more information about
4805
+ # grants, see [Grants][1] in the <i> <i>AWS Key Management Service
4806
+ # Developer Guide</i> </i>.
4642
4807
  #
4643
4808
  # You can specify any principal in your AWS account. The grants that are
4644
4809
  # returned include grants for CMKs in your AWS account and other AWS
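Review bot: The added description uses nested `<i> <i>AWS Key Management Service Developer Guide</i> </i>` markup, which looks like an artifact of converting the API model's HTML docs to markdown; every other reference to the guide in this diff uses `*AWS Key Management Service Developer Guide*`. Suggest the same asterisk form here (the `:policy` description of the new `replicate_key` method later in this diff repeats the same `<i> <i>` construct and should get the same fix). The reference renumbering ([1] now grants.html, permissions moved to [2]) is consistent with the two hunks that follow.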
@@ -4652,7 +4817,7 @@ module Aws::KMS
4652
4817
  # You do not need `kms:ListRetirableGrants` permission (or any other
4653
4818
  # additional permission) in any AWS account other than your own.
4654
4819
  #
4655
- # **Required permissions**\: [kms:ListRetirableGrants][1] (IAM policy)
4820
+ # **Required permissions**\: [kms:ListRetirableGrants][2] (IAM policy)
4656
4821
  # in your AWS account.
4657
4822
  #
4658
4823
  # **Related operations:**
@@ -4667,7 +4832,8 @@ module Aws::KMS
4667
4832
  #
4668
4833
  #
4669
4834
  #
4670
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4835
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
4836
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4671
4837
  #
4672
4838
  # @option params [Integer] :limit
4673
4839
  # Use this parameter to specify the maximum number of items to return.
@@ -4792,9 +4958,9 @@ module Aws::KMS
4792
4958
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4793
4959
  #
4794
4960
  # @option params [required, String] :key_id
4795
- # A unique identifier for the customer master key (CMK).
4961
+ # Sets the key policy on the specified customer master key (CMK).
4796
4962
  #
4797
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4963
+ # Specify the key ID or key ARN of the CMK.
4798
4964
  #
4799
4965
  # For example:
4800
4966
  #
@@ -4947,8 +5113,8 @@ module Aws::KMS
4947
5113
  # asymmetric key ciphertext does not include configurable fields.
4948
5114
  #
4949
5115
  # The CMK that you use for this operation must be in a compatible key
4950
- # state. For details, see [How Key State Affects Use of a Customer
4951
- # Master Key][6] in the *AWS Key Management Service Developer Guide*.
5116
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
5117
+ # Key Management Service Developer Guide*.
4952
5118
  #
4953
5119
  # **Cross-account use**\: Yes. The source CMK and destination CMK can be
4954
5120
  # in different AWS accounts. Either or both CMKs can be in a different
@@ -5021,10 +5187,9 @@ module Aws::KMS
5021
5187
  # However, it is always recommended as a best practice. This practice
5022
5188
  # ensures that you use the CMK that you intend.
5023
5189
  #
5024
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5025
- # name, or alias ARN. When using an alias name, prefix it with
5026
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
5027
- # the key ARN or alias ARN.
5190
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
5191
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
5192
+ # in a different AWS account, you must use the key ARN or alias ARN.
5028
5193
  #
5029
5194
  # For example:
5030
5195
  #
@@ -5046,10 +5211,9 @@ module Aws::KMS
5046
5211
  # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
5047
5212
  # DescribeKey operation.
5048
5213
  #
5049
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5050
- # name, or alias ARN. When using an alias name, prefix it with
5051
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
5052
- # the key ARN or alias ARN.
5214
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
5215
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
5216
+ # in a different AWS account, you must use the key ARN or alias ARN.
5053
5217
  #
5054
5218
  # For example:
5055
5219
  #
@@ -5110,7 +5274,9 @@ module Aws::KMS
5110
5274
  # @option params [Array<String>] :grant_tokens
5111
5275
  # A list of grant tokens.
5112
5276
  #
5113
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
5277
+ # Use a grant token when your permission to call this operation comes
5278
+ # from a new grant that has not yet achieved *eventual consistency*. For
5279
+ # more information, see [Grant token][1] in the *AWS Key Management
5114
5280
  # Service Developer Guide*.
5115
5281
  #
5116
5282
  #
@@ -5176,31 +5342,331 @@ module Aws::KMS
5176
5342
  req.send_request(options)
5177
5343
  end
5178
5344
 
5179
- # Retires a grant. To clean up, you can retire a grant when you're done
5180
- # using it. You should revoke a grant when you intend to actively deny
5181
- # operations that depend on it. The following are permitted to call this
5182
- # API:
5345
+ # Replicates a multi-Region key into the specified Region. This
5346
+ # operation creates a multi-Region replica key based on a multi-Region
5347
+ # primary key in a different Region of the same AWS partition. You can
5348
+ # create multiple replicas of a primary key, but each must be in a
5349
+ # different Region. To create a multi-Region primary key, use the
5350
+ # CreateKey operation.
5351
+ #
5352
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
5353
+ # lets you create multiple interoperable CMKs in different AWS Regions.
5354
+ # Because these CMKs have the same key ID, key material, and other
5355
+ # metadata, you can use them to encrypt data in one AWS Region and
5356
+ # decrypt it in a different AWS Region without making a cross-Region
5357
+ # call or exposing the plaintext data. For more information about
5358
+ # multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
5359
+ # Management Service Developer Guide*.
5360
+ #
5361
+ # A *replica key* is a fully-functional CMK that can be used
5362
+ # independently of its primary and peer replica keys. A primary key and
5363
+ # its replica keys share properties that make them interoperable. They
5364
+ # have the same [key ID][2] and key material. They also have the same
5365
+ # [key spec][3], [key usage][4], [key material origin][5], and
5366
+ # [automatic key rotation status][6]. AWS KMS automatically synchronizes
5367
+ # these shared properties among related multi-Region keys. All other
5368
+ # properties of a replica key can differ, including its [key policy][7],
5369
+ # [tags][8], [aliases][9], and [key state][10]. AWS KMS pricing and
5370
+ # quotas for CMKs apply to each primary key and replica key.
5371
+ #
5372
+ # When this operation completes, the new replica key has a transient key
5373
+ # state of `Creating`. This key state changes to `Enabled` (or
5374
+ # `PendingImport`) after a few seconds when the process of creating the
5375
+ # new replica key is complete. While the key state is `Creating`, you
5376
+ # can manage key, but you cannot yet use it in cryptographic operations.
5377
+ # If you are creating and using the replica key programmatically, retry
5378
+ # on `KMSInvalidStateException` or call `DescribeKey` to check its
5379
+ # `KeyState` value before using it. For details about the `Creating` key
5380
+ # state, see [Key state: Effect on your
5381
+ # CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
5382
+ # Management Service Developer Guide*.
5383
+ #
5384
+ # The AWS CloudTrail log of a `ReplicateKey` operation records a
5385
+ # `ReplicateKey` operation in the primary key's Region and a CreateKey
5386
+ # operation in the replica key's Region.
5387
+ #
5388
+ # If you replicate a multi-Region primary key with imported key
5389
+ # material, the replica key is created with no key material. You must
5390
+ # import the same key material that you imported into the primary key.
5391
+ # For details, see [Importing key material into multi-Region
5392
+ # keys](kms/latest/developerguide/multi-region-keys-import.html) in the
5393
+ # *AWS Key Management Service Developer Guide*.
5394
+ #
5395
+ # To convert a replica key to a primary key, use the UpdatePrimaryRegion
5396
+ # operation.
5397
+ #
5398
+ # <note markdown="1"> `ReplicateKey` uses different default values for the `KeyPolicy` and
5399
+ # `Tags` parameters than those used in the AWS KMS console. For details,
5400
+ # see the parameter descriptions.
5401
+ #
5402
+ # </note>
5403
+ #
5404
+ # **Cross-account use**\: No. You cannot use this operation to create a
5405
+ # CMK in a different AWS account.
5406
+ #
5407
+ # **Required permissions**\:
5408
+ #
5409
+ # * `kms:ReplicateKey` on the primary CMK (in the primary CMK's
5410
+ # Region). Include this permission in the primary CMK's key policy.
5411
+ #
5412
+ # * `kms:CreateKey` in an IAM policy in the replica Region.
5413
+ #
5414
+ # * To use the `Tags` parameter, `kms:TagResource` in an IAM policy in
5415
+ # the replica Region.
5416
+ #
5417
+ # **Related operations**
5418
+ #
5419
+ # * CreateKey
5420
+ #
5421
+ # * UpdatePrimaryRegion
5422
+ #
5423
+ #
5424
+ #
5425
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
5426
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
5427
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
5428
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
5429
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
5430
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
5431
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
5432
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5433
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
5434
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5435
+ #
5436
+ # @option params [required, String] :key_id
5437
+ # Identifies the multi-Region primary key that is being replicated. To
5438
+ # determine whether a CMK is a multi-Region primary key, use the
5439
+ # DescribeKey operation to check the value of the `MultiRegionKeyType`
5440
+ # property.
5441
+ #
5442
+ # Specify the key ID or key ARN of a multi-Region primary key.
5443
+ #
5444
+ # For example:
5445
+ #
5446
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
5447
+ #
5448
+ # * Key ARN:
5449
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
5450
+ #
5451
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
5452
+ #
5453
+ # @option params [required, String] :replica_region
5454
+ # The Region ID of the AWS Region for this replica key.
5455
+ #
5456
+ # Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
5457
+ # list of AWS Regions in which AWS KMS is supported, see [AWS KMS
5458
+ # service endpoints][1] in the *Amazon Web Services General Reference*.
5459
+ #
5460
+ # The replica must be in a different AWS Region than its primary key and
5461
+ # other replicas of that primary key, but in the same AWS partition. AWS
5462
+ # KMS must be available in the replica Region. If the Region is not
5463
+ # enabled by default, the AWS account must be enabled in the Region.
5464
+ #
5465
+ # For information about AWS partitions, see [Amazon Resource Names
5466
+ # (ARNs) in the *Amazon Web Services General Reference*.][2] For
5467
+ # information about enabling and disabling Regions, see [Enabling a
5468
+ # Region][3] and [Disabling a Region][4] in the *Amazon Web Services
5469
+ # General Reference*.
5470
+ #
5471
+ #
5472
+ #
5473
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
5474
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
5475
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
5476
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
5477
+ #
5478
+ # @option params [String] :policy
5479
+ # The key policy to attach to the CMK. This parameter is optional. If
5480
+ # you do not provide a key policy, AWS KMS attaches the [default key
5481
+ # policy][1] to the CMK.
5482
+ #
5483
+ # The key policy is not a shared property of multi-Region keys. You can
5484
+ # specify the same key policy or a different key policy for each key in
5485
+ # a set of related multi-Region keys. AWS KMS does not synchronize this
5486
+ # property.
5487
+ #
5488
+ # If you provide a key policy, it must meet the following criteria:
5489
+ #
5490
+ # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
5491
+ # policy must give the caller `kms:PutKeyPolicy` permission on the
5492
+ # replica CMK. This reduces the risk that the CMK becomes
5493
+ # unmanageable. For more information, refer to the scenario in the
5494
+ # [Default Key Policy][2] section of the <i> <i>AWS Key Management
5495
+ # Service Developer Guide</i> </i>.
5496
+ #
5497
+ # * Each statement in the key policy must contain one or more
5498
+ # principals. The principals in the key policy must exist and be
5499
+ # visible to AWS KMS. When you create a new AWS principal (for
5500
+ # example, an IAM user or role), you might need to enforce a delay
5501
+ # before including the new principal in a key policy because the new
5502
+ # principal might not be immediately visible to AWS KMS. For more
5503
+ # information, see [Changes that I make are not always immediately
5504
+ # visible][3] in the *AWS Identity and Access Management User Guide*.
5505
+ #
5506
+ # * The key policy size quota is 32 kilobytes (32768 bytes).
5507
+ #
5508
+ #
5509
+ #
5510
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
5511
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
5512
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
5513
+ #
5514
+ # @option params [Boolean] :bypass_policy_lockout_safety_check
5515
+ # A flag to indicate whether to bypass the key policy lockout safety
5516
+ # check.
5517
+ #
5518
+ # Setting this value to true increases the risk that the CMK becomes
5519
+ # unmanageable. Do not set this value to true indiscriminately.
5520
+ #
5521
+ # For more information, refer to the scenario in the [Default Key
5522
+ # Policy][1] section in the *AWS Key Management Service Developer
5523
+ # Guide*.
5524
+ #
5525
+ # Use this parameter only when you intend to prevent the principal that
5526
+ # is making the request from making a subsequent `PutKeyPolicy` request
5527
+ # on the CMK.
5528
+ #
5529
+ # The default value is false.
5183
5530
  #
5184
- # * The AWS account (root user) under which the grant was created
5185
5531
  #
5186
- # * The `RetiringPrincipal`, if present in the grant
5187
5532
  #
5188
- # * The `GranteePrincipal`, if `RetireGrant` is an operation specified
5189
- # in the grant
5533
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
5534
+ #
5535
+ # @option params [String] :description
5536
+ # A description of the CMK. Use a description that helps you decide
5537
+ # whether the CMK is appropriate for a task. The default value is an
5538
+ # empty string (no description).
5539
+ #
5540
+ # The description is not a shared property of multi-Region keys. You can
5541
+ # specify the same description or a different description for each key
5542
+ # in a set of related multi-Region keys. AWS KMS does not synchronize
5543
+ # this property.
5544
+ #
5545
+ # @option params [Array<Types::Tag>] :tags
5546
+ # Assigns one or more tags to the replica key. Use this parameter to tag
5547
+ # the CMK when it is created. To tag an existing CMK, use the
5548
+ # TagResource operation.
5549
+ #
5550
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
5551
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
5552
+ # Service Developer Guide*.
5190
5553
  #
5191
- # You must identify the grant to retire by its grant token or by a
5192
- # combination of the grant ID and the Amazon Resource Name (ARN) of the
5193
- # customer master key (CMK). A grant token is a unique variable-length
5194
- # base64-encoded string. A grant ID is a 64 character unique identifier
5195
- # of a grant. The CreateGrant operation returns both.
5554
+ # </note>
5555
+ #
5556
+ # To use this parameter, you must have [kms:TagResource][2] permission
5557
+ # in an IAM policy.
5558
+ #
5559
+ # Tags are not a shared property of multi-Region keys. You can specify
5560
+ # the same tags or different tags for each key in a set of related
5561
+ # multi-Region keys. AWS KMS does not synchronize this property.
5562
+ #
5563
+ # Each tag consists of a tag key and a tag value. Both the tag key and
5564
+ # the tag value are required, but the tag value can be an empty (null)
5565
+ # string. You cannot have more than one tag on a CMK with the same tag
5566
+ # key. If you specify an existing tag key with a different tag value,
5567
+ # AWS KMS replaces the current tag value with the specified one.
5568
+ #
5569
+ # When you assign tags to an AWS resource, AWS generates a cost
5570
+ # allocation report with usage and costs aggregated by tags. Tags can
5571
+ # also be used to control access to a CMK. For details, see [Tagging
5572
+ # Keys][3].
5573
+ #
5574
+ #
5575
+ #
5576
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
5577
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5578
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5579
+ #
5580
+ # @return [Types::ReplicateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5581
+ #
5582
+ # * {Types::ReplicateKeyResponse#replica_key_metadata #replica_key_metadata} => Types::KeyMetadata
5583
+ # * {Types::ReplicateKeyResponse#replica_policy #replica_policy} => String
5584
+ # * {Types::ReplicateKeyResponse#replica_tags #replica_tags} => Array&lt;Types::Tag&gt;
5585
+ #
5586
+ # @example Request syntax with placeholder values
5587
+ #
5588
+ # resp = client.replicate_key({
5589
+ # key_id: "KeyIdType", # required
5590
+ # replica_region: "RegionType", # required
5591
+ # policy: "PolicyType",
5592
+ # bypass_policy_lockout_safety_check: false,
5593
+ # description: "DescriptionType",
5594
+ # tags: [
5595
+ # {
5596
+ # tag_key: "TagKeyType", # required
5597
+ # tag_value: "TagValueType", # required
5598
+ # },
5599
+ # ],
5600
+ # })
5601
+ #
5602
+ # @example Response structure
5603
+ #
5604
+ # resp.replica_key_metadata.aws_account_id #=> String
5605
+ # resp.replica_key_metadata.key_id #=> String
5606
+ # resp.replica_key_metadata.arn #=> String
5607
+ # resp.replica_key_metadata.creation_date #=> Time
5608
+ # resp.replica_key_metadata.enabled #=> Boolean
5609
+ # resp.replica_key_metadata.description #=> String
5610
+ # resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
5611
+ # resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
5612
+ # resp.replica_key_metadata.deletion_date #=> Time
5613
+ # resp.replica_key_metadata.valid_to #=> Time
5614
+ # resp.replica_key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
5615
+ # resp.replica_key_metadata.custom_key_store_id #=> String
5616
+ # resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
5617
+ # resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
5618
+ # resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
5619
+ # resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
5620
+ # resp.replica_key_metadata.encryption_algorithms #=> Array
5621
+ # resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
5622
+ # resp.replica_key_metadata.signing_algorithms #=> Array
5623
+ # resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
5624
+ # resp.replica_key_metadata.multi_region #=> Boolean
5625
+ # resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
5626
+ # resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
5627
+ # resp.replica_key_metadata.multi_region_configuration.primary_key.region #=> String
5628
+ # resp.replica_key_metadata.multi_region_configuration.replica_keys #=> Array
5629
+ # resp.replica_key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
5630
+ # resp.replica_key_metadata.multi_region_configuration.replica_keys[0].region #=> String
5631
+ # resp.replica_key_metadata.pending_deletion_window_in_days #=> Integer
5632
+ # resp.replica_policy #=> String
5633
+ # resp.replica_tags #=> Array
5634
+ # resp.replica_tags[0].tag_key #=> String
5635
+ # resp.replica_tags[0].tag_value #=> String
5636
+ #
5637
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey AWS API Documentation
5638
+ #
5639
+ # @overload replicate_key(params = {})
5640
+ # @param [Hash] params ({})
5641
+ def replicate_key(params = {}, options = {})
5642
+ req = build_request(:replicate_key, params)
5643
+ req.send_request(options)
5644
+ end
5645
+
5646
+ # Deletes a grant. Typically, you retire a grant when you no longer need
5647
+ # its permissions. To identify the grant to retire, use a [grant
5648
+ # token][1], or both the grant ID and a key identifier (key ID or key
5649
+ # ARN) of the customer master key (CMK). The CreateGrant operation
5650
+ # returns both values.
5651
+ #
5652
+ # This operation can be called by the *retiring principal* for a grant,
5653
+ # by the *grantee principal* if the grant allows the `RetireGrant`
5654
+ # operation, and by the AWS account (root user) in which the grant is
5655
+ # created. It can also be called by principals to whom permission for
5656
+ # retiring a grant is delegated. For details, see [Retiring and revoking
5657
+ # grants][2] in the *AWS Key Management Service Developer Guide*.
5658
+ #
5659
+ # For detailed information about grants, including grant terminology,
5660
+ # see [Using grants][3] in the <i> <i>AWS Key Management Service
5661
+ # Developer Guide</i> </i>. For examples of working with grants in
5662
+ # several programming languages, see [Programming grants][4].
5196
5663
  #
5197
5664
  # **Cross-account use**\: Yes. You can retire a grant on a CMK in a
5198
5665
  # different AWS account.
5199
5666
  #
5200
- # **Required permissions:**\: Permission to retire a grant is specified
5201
- # in the grant. You cannot control access to this operation in a policy.
5202
- # For more information, see [Using grants][1] in the *AWS Key Management
5203
- # Service Developer Guide*.
5667
+ # **Required permissions:**\:Permission to retire a grant is determined
5668
+ # primarily by the grant. For details, see [Retiring and revoking
5669
+ # grants][2] in the *AWS Key Management Service Developer Guide*.
5204
5670
  #
5205
5671
  # **Related operations:**
5206
5672
  #
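Review bot: the new "Required permissions" line for RetireGrant (`**Required permissions:**\:Permission to retire a grant is determined`) has a doubled colon and no space before "Permission"; every other operation in this file uses the form `**Required permissions**\: ...`, so this should read `**Required permissions**\: Permission to retire a grant is determined primarily by the grant.` The nested `<i> <i>AWS Key Management Service Developer Guide</i> </i>` in the "For detailed information about grants" paragraph also renders as doubled italics and should be the single `*...*` used elsewhere in this file.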
@@ -5214,20 +5680,34 @@ module Aws::KMS
5214
5680
  #
5215
5681
  #
5216
5682
  #
5217
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
5683
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
5684
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
5685
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
5686
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
5218
5687
  #
5219
5688
  # @option params [String] :grant_token
5220
- # Token that identifies the grant to be retired.
5689
+ # Identifies the grant to be retired. You can use a grant token to
5690
+ # identify a new grant even before it has achieved eventual consistency.
5691
+ #
5692
+ # Only the CreateGrant operation returns a grant token. For details, see
5693
+ # [Grant token][1] and [Eventual consistency][2] in the *AWS Key
5694
+ # Management Service Developer Guide*.
5695
+ #
5696
+ #
5697
+ #
5698
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
5699
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
5221
5700
  #
5222
5701
  # @option params [String] :key_id
5223
- # The Amazon Resource Name (ARN) of the CMK associated with the grant.
5702
+ # The key ARN CMK associated with the grant. To find the key ARN, use
5703
+ # the ListKeys operation.
5224
5704
  #
5225
5705
  # For example:
5226
5706
  # `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
5227
5707
  #
5228
5708
  # @option params [String] :grant_id
5229
- # Unique identifier of the grant to retire. The grant ID is returned in
5230
- # the response to a `CreateGrant` operation.
5709
+ # Identifies the grant to retire. To get the grant ID, use CreateGrant,
5710
+ # ListGrants, or ListRetirableGrants.
5231
5711
  #
5232
5712
  # * Grant ID Example -
5233
5713
  # 0123456789012345678901234567890123456789012345678901234567890123
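Review bot: the rewritten `:key_id` description reads `The key ARN CMK associated with the grant.`, which is missing "of the" (`The key ARN of the CMK associated with the grant.`). Note also that the operation summary above says a grant can be identified by "the grant ID and a key identifier (key ID or key ARN)", while this parameter text and its example admit only the key ARN; whichever is correct, the two should agree so callers do not pass a bare key ID and get a validation error.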
@@ -5263,15 +5743,22 @@ module Aws::KMS
5263
5743
  req.send_request(options)
5264
5744
  end
5265
5745
 
5266
- # Revokes the specified grant for the specified customer master key
5267
- # (CMK). You can revoke a grant to actively deny operations that depend
5268
- # on it.
5746
+ # Deletes the specified grant. You revoke a grant to terminate the
5747
+ # permissions that the grant allows. For more information, see [Retiring
5748
+ # and revoking grants][1] in the <i> <i>AWS Key Management Service
5749
+ # Developer Guide</i> </i>.
5750
+ #
5751
+ # When you create, retire, or revoke a grant, there might be a brief
5752
+ # delay, usually less than five minutes, until the grant is available
5753
+ # throughout AWS KMS. This state is known as *eventual consistency*. For
5754
+ # details, see [Eventual consistency][2] in the <i> <i>AWS Key
5755
+ # Management Service Developer Guide</i> </i>.
5269
5756
  #
5270
5757
  # **Cross-account use**\: Yes. To perform this operation on a CMK in a
5271
5758
  # different AWS account, specify the key ARN in the value of the `KeyId`
5272
5759
  # parameter.
5273
5760
  #
5274
- # **Required permissions**\: [kms:RevokeGrant][1] (key policy)
5761
+ # **Required permissions**\: [kms:RevokeGrant][3] (key policy).
5275
5762
  #
5276
5763
  # **Related operations:**
5277
5764
  #
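Review bot: the eventual-consistency paragraph says that after you "create, retire, or revoke a grant" there is a delay "until the grant is available throughout AWS KMS"; for retire and revoke the thing that propagates is the removal, so the sentence should say "until the change is available" (or "takes effect"). This matters operationally: a revoked grant may still authorize operations for a few minutes, which is exactly what someone using RevokeGrant to cut off access needs to know. Also, `(key policy).` gains a trailing period that no other `**Required permissions**` line in this file has.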
@@ -5285,14 +5772,17 @@ module Aws::KMS
5285
5772
  #
5286
5773
  #
5287
5774
  #
5288
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5775
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
5776
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
5777
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5289
5778
  #
5290
5779
  # @option params [required, String] :key_id
5291
- # A unique identifier for the customer master key associated with the
5292
- # grant.
5780
+ # A unique identifier for the customer master key (CMK) associated with
5781
+ # the grant. To get the key ID and key ARN for a CMK, use ListKeys or
5782
+ # DescribeKey.
5293
5783
  #
5294
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
5295
- # specify a CMK in a different AWS account, you must use the key ARN.
5784
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
5785
+ # different AWS account, you must use the key ARN.
5296
5786
  #
5297
5787
  # For example:
5298
5788
  #
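Review bot: the `[1]` reference here is `https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete`, but the same "Retiring and revoking grants" link in the RetireGrant docs above uses `grant-manage.html#grant-delete`. One of the two paths is presumably wrong; please check which page exists and use it in both places.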
@@ -5304,7 +5794,8 @@ module Aws::KMS
5304
5794
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
5305
5795
  #
5306
5796
  # @option params [required, String] :grant_id
5307
- # Identifier of the grant to be revoked.
5797
+ # Identifies the grant to revoke. To get the grant ID, use CreateGrant,
5798
+ # ListGrants, or ListRetirableGrants.
5308
5799
  #
5309
5800
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
5310
5801
  #
@@ -5334,19 +5825,21 @@ module Aws::KMS
5334
5825
  req.send_request(options)
5335
5826
  end
5336
5827
 
5337
- # Schedules the deletion of a customer master key (CMK). You may provide
5338
- # a waiting period, specified in days, before deletion occurs. If you do
5339
- # not provide a waiting period, the default period of 30 days is used.
5340
- # When this operation is successful, the key state of the CMK changes to
5341
- # `PendingDeletion`. Before the waiting period ends, you can use
5342
- # CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
5343
- # period ends, AWS KMS deletes the CMK and all AWS KMS data associated
5344
- # with it, including all aliases that refer to it.
5828
+ # Schedules the deletion of a customer master key (CMK). By default, AWS
5829
+ # KMS applies a waiting period of 30 days, but you can specify a waiting
5830
+ # period of 7-30 days. When this operation is successful, the key state
5831
+ # of the CMK changes to `PendingDeletion` and the key can't be used in
5832
+ # any cryptographic operations. It remains in this state for the
5833
+ # duration of the waiting period. Before the waiting period ends, you
5834
+ # can use CancelKeyDeletion to cancel the deletion of the CMK. After the
5835
+ # waiting period ends, AWS KMS deletes the CMK, its key material, and
5836
+ # all AWS KMS data associated with it, including all aliases that refer
5837
+ # to it.
5345
5838
  #
5346
5839
  # Deleting a CMK is a destructive and potentially dangerous operation.
5347
5840
  # When a CMK is deleted, all data that was encrypted under the CMK is
5348
- # unrecoverable. To prevent the use of a CMK without deleting it, use
5349
- # DisableKey.
5841
+ # unrecoverable. (The only exception is a multi-Region replica key.) To
5842
+ # prevent the use of a CMK without deleting it, use DisableKey.
5350
5843
  #
5351
5844
  # If you schedule deletion of a CMK from a [custom key store][1], when
5352
5845
  # the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
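Review bot: the new parenthetical `(The only exception is a multi-Region replica key.)` in the "unrecoverable" warning is too terse to be useful, because it does not say why a replica is an exception. Since the UpdatePrimaryRegion docs later in this diff explain that the keys in a multi-Region set share key ID and key material, suggest spelling that out here, e.g. "data encrypted under a deleted replica key can still be decrypted with the primary key or any remaining replica, because they share key material". As written, a reader could take it to mean that deleting a replica never affects data, without understanding that the data stays recoverable only while another key in the set exists.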
@@ -5355,18 +5848,30 @@ module Aws::KMS
5355
5848
  # manually [delete the orphaned key material][2] from the cluster and
5356
5849
  # its backups.
5357
5850
  #
5851
+ # You can schedule the deletion of a multi-Region primary key and its
5852
+ # replica keys at any time. However, AWS KMS will not delete a
5853
+ # multi-Region primary key with existing replica keys. If you schedule
5854
+ # the deletion of a primary key with replicas, its key state changes to
5855
+ # `PendingReplicaDeletion` and it cannot be replicated or used in
5856
+ # cryptographic operations. This status can continue indefinitely. When
5857
+ # the last of its replicas keys is deleted (not just scheduled), the key
5858
+ # state of the primary key changes to `PendingDeletion` and its waiting
5859
+ # period (`PendingWindowInDays`) begins. For details, see [Deleting
5860
+ # multi-Region keys][3] in the *AWS Key Management Service Developer
5861
+ # Guide*.
5862
+ #
5358
5863
  # For more information about scheduling a CMK for deletion, see
5359
- # [Deleting Customer Master Keys][3] in the *AWS Key Management Service
5864
+ # [Deleting Customer Master Keys][4] in the *AWS Key Management Service
5360
5865
  # Developer Guide*.
5361
5866
  #
5362
5867
  # The CMK that you use for this operation must be in a compatible key
5363
- # state. For details, see [How Key State Affects Use of a Customer
5364
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
5868
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
5869
+ # Key Management Service Developer Guide*.
5365
5870
  #
5366
5871
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5367
5872
  # in a different AWS account.
5368
5873
  #
5369
- # **Required permissions**\: [kms:ScheduleKeyDeletion][5] (key policy)
5874
+ # **Required permissions**\: kms:ScheduleKeyDeletion (key policy)
5370
5875
  #
5371
5876
  # **Related operations**
5372
5877
  #
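Review bot: typo in the new multi-Region paragraph: `When the last of its replicas keys is deleted` should be `replica keys`. Separately, the line `**Required permissions**\: kms:ScheduleKeyDeletion (key policy)` drops the `[n]` link to the permissions reference that the old line had and that every other operation in this file keeps; the reference list below also no longer contains the `kms-api-permissions-reference.html` URL, so a `[6]` entry should be added and the permission linked again.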
@@ -5378,14 +5883,14 @@ module Aws::KMS
5378
5883
  #
5379
5884
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
5380
5885
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
5381
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
5382
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5383
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5886
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html
5887
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
5888
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5384
5889
  #
5385
5890
  # @option params [required, String] :key_id
5386
5891
  # The unique identifier of the customer master key (CMK) to delete.
5387
5892
  #
5388
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
5893
+ # Specify the key ID or key ARN of the CMK.
5389
5894
  #
5390
5895
  # For example:
5391
5896
  #
@@ -5400,6 +5905,10 @@ module Aws::KMS
5400
5905
  # The waiting period, specified in number of days. After the waiting
5401
5906
  # period ends, AWS KMS deletes the customer master key (CMK).
5402
5907
  #
5908
+ # If the CMK is a multi-Region primary key with replicas, the waiting
5909
+ # period begins when the last of its replica keys is deleted. Otherwise,
5910
+ # the waiting period begins immediately.
5911
+ #
5403
5912
  # This value is optional. If you include a value, it must be between 7
5404
5913
  # and 30, inclusive. If you do not include a value, it defaults to 30.
5405
5914
  #
@@ -5407,6 +5916,8 @@ module Aws::KMS
5407
5916
  #
5408
5917
  # * {Types::ScheduleKeyDeletionResponse#key_id #key_id} => String
5409
5918
  # * {Types::ScheduleKeyDeletionResponse#deletion_date #deletion_date} => Time
5919
+ # * {Types::ScheduleKeyDeletionResponse#key_state #key_state} => String
5920
+ # * {Types::ScheduleKeyDeletionResponse#pending_window_in_days #pending_window_in_days} => Integer
5410
5921
  #
5411
5922
  #
5412
5923
  # @example Example: To schedule a customer master key (CMK) for deletion
@@ -5435,6 +5946,8 @@ module Aws::KMS
5435
5946
  #
5436
5947
  # resp.key_id #=> String
5437
5948
  # resp.deletion_date #=> Time
5949
+ # resp.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
5950
+ # resp.pending_window_in_days #=> Integer
5438
5951
  #
5439
5952
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion AWS API Documentation
5440
5953
  #
@@ -5484,8 +5997,8 @@ module Aws::KMS
5484
5997
  # KMS.
5485
5998
  #
5486
5999
  # The CMK that you use for this operation must be in a compatible key
5487
- # state. For details, see [How Key State Affects Use of a Customer
5488
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
6000
+ # state. For details, see [Key state: Effect on your CMK][3] in the *AWS
6001
+ # Key Management Service Developer Guide*.
5489
6002
  #
5490
6003
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
5491
6004
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -5508,10 +6021,9 @@ module Aws::KMS
5508
6021
  # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
5509
6022
  # DescribeKey operation.
5510
6023
  #
5511
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5512
- # name, or alias ARN. When using an alias name, prefix it with
5513
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
5514
- # the key ARN or alias ARN.
6024
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
6025
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
6026
+ # in a different AWS account, you must use the key ARN or alias ARN.
5515
6027
  #
5516
6028
  # For example:
5517
6029
  #
@@ -5542,7 +6054,9 @@ module Aws::KMS
5542
6054
  # @option params [Array<String>] :grant_tokens
5543
6055
  # A list of grant tokens.
5544
6056
  #
5545
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
6057
+ # Use a grant token when your permission to call this operation comes
6058
+ # from a new grant that has not yet achieved *eventual consistency*. For
6059
+ # more information, see [Grant token][1] in the *AWS Key Management
5546
6060
  # Service Developer Guide*.
5547
6061
  #
5548
6062
  #
@@ -5588,50 +6102,65 @@ module Aws::KMS
5588
6102
 
5589
6103
  # Adds or edits tags on a [customer managed CMK][1].
5590
6104
  #
6105
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
6106
+ # For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
6107
+ # Service Developer Guide*.
6108
+ #
6109
+ # </note>
6110
+ #
5591
6111
  # Each tag consists of a tag key and a tag value, both of which are
5592
6112
  # case-sensitive strings. The tag value can be an empty (null) string.
5593
- #
5594
6113
  # To add a tag, specify a new tag key and a tag value. To edit a tag,
5595
6114
  # specify an existing tag key and a new tag value.
5596
6115
  #
5597
6116
  # You can use this operation to tag a [customer managed CMK][1], but you
5598
- # cannot tag an [AWS managed CMK][2], an [AWS owned CMK][3], or an
5599
- # alias.
6117
+ # cannot tag an [AWS managed CMK][3], an [AWS owned CMK][4], a [custom
6118
+ # key store][5], or an [alias][6].
5600
6119
  #
6120
+ # You can also add tags to a CMK while creating it (CreateKey) or
6121
+ # replicating it (ReplicateKey).
6122
+ #
6123
+ # For information about using tags in AWS KMS, see [Tagging keys][7].
5601
6124
  # For general information about tags, including the format and syntax,
5602
- # see [Tagging AWS resources][4] in the *Amazon Web Services General
5603
- # Reference*. For information about using tags in AWS KMS, see [Tagging
5604
- # keys][5].
6125
+ # see [Tagging AWS resources][8] in the *Amazon Web Services General
6126
+ # Reference*.
5605
6127
  #
5606
6128
  # The CMK that you use for this operation must be in a compatible key
5607
- # state. For details, see [How Key State Affects Use of a Customer
5608
- # Master Key][6] in the *AWS Key Management Service Developer Guide*.
6129
+ # state. For details, see [Key state: Effect on your CMK][9] in the *AWS
6130
+ # Key Management Service Developer Guide*.
5609
6131
  #
5610
6132
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5611
6133
  # in a different AWS account.
5612
6134
  #
5613
- # **Required permissions**\: [kms:TagResource][7] (key policy)
6135
+ # **Required permissions**\: [kms:TagResource][10] (key policy)
5614
6136
  #
5615
6137
  # **Related operations**
5616
6138
  #
5617
- # * UntagResource
6139
+ # * CreateKey
5618
6140
  #
5619
6141
  # * ListResourceTags
5620
6142
  #
6143
+ # * ReplicateKey
6144
+ #
6145
+ # * UntagResource
6146
+ #
5621
6147
  #
5622
6148
  #
5623
6149
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
5624
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
5625
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
5626
- # [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
5627
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5628
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5629
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6150
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
6151
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
6152
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
6153
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept
6154
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept
6155
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
6156
+ # [8]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
6157
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6158
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5630
6159
  #
5631
6160
  # @option params [required, String] :key_id
5632
6161
  # Identifies a customer managed CMK in the account and Region.
5633
6162
  #
5634
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6163
+ # Specify the key ID or key ARN of the CMK.
5635
6164
  #
5636
6165
  # For example:
5637
6166
  #
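Review bot: the deleted blank comment line between `case-sensitive strings. The tag value can be an empty (null) string.` and `To add a tag, specify a new tag key and a tag value.` merges two paragraphs in the rendered YARD output; if that was not intended in the doc source, restore the `#` line. The new ABAC note is a good addition: with attribute-based access control, `kms:TagResource` is effectively a permission-granting action, and the note makes that visible to readers who previously treated tagging as harmless metadata.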
@@ -5693,43 +6222,54 @@ module Aws::KMS
5693
6222
  # Deletes tags from a [customer managed CMK][1]. To delete a tag,
5694
6223
  # specify the tag key and the CMK.
5695
6224
  #
6225
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
6226
+ # For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
6227
+ # Service Developer Guide*.
6228
+ #
6229
+ # </note>
6230
+ #
5696
6231
  # When it succeeds, the `UntagResource` operation doesn't return any
5697
6232
  # output. Also, if the specified tag key isn't found on the CMK, it
5698
6233
  # doesn't throw an exception or return a response. To confirm that the
5699
6234
  # operation worked, use the ListResourceTags operation.
5700
6235
  #
6236
+ # For information about using tags in AWS KMS, see [Tagging keys][3].
5701
6237
  # For general information about tags, including the format and syntax,
5702
- # see [Tagging AWS resources][2] in the *Amazon Web Services General
5703
- # Reference*. For information about using tags in AWS KMS, see [Tagging
5704
- # keys][3].
6238
+ # see [Tagging AWS resources][4] in the *Amazon Web Services General
6239
+ # Reference*.
5705
6240
  #
5706
6241
  # The CMK that you use for this operation must be in a compatible key
5707
- # state. For details, see [How Key State Affects Use of a Customer
5708
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
6242
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
6243
+ # Key Management Service Developer Guide*.
5709
6244
  #
5710
6245
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5711
6246
  # in a different AWS account.
5712
6247
  #
5713
- # **Required permissions**\: [kms:UntagResource][5] (key policy)
6248
+ # **Required permissions**\: [kms:UntagResource][6] (key policy)
5714
6249
  #
5715
6250
  # **Related operations**
5716
6251
  #
5717
- # * TagResource
6252
+ # * CreateKey
5718
6253
  #
5719
6254
  # * ListResourceTags
5720
6255
  #
6256
+ # * ReplicateKey
6257
+ #
6258
+ # * TagResource
6259
+ #
5721
6260
  #
5722
6261
  #
5723
6262
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
5724
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
6263
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
5725
6264
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5726
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5727
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6265
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
6266
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6267
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5728
6268
  #
5729
6269
  # @option params [required, String] :key_id
5730
6270
  # Identifies the CMK from which you are removing tags.
5731
6271
  #
5732
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6272
+ # Specify the key ID or key ARN of the CMK.
5733
6273
  #
5734
6274
  # For example:
5735
6275
  #
@@ -5777,7 +6317,13 @@ module Aws::KMS
5777
6317
  # Associates an existing AWS KMS alias with a different customer master
5778
6318
  # key (CMK). Each alias is associated with only one CMK at a time,
5779
6319
  # although a CMK can have multiple aliases. The alias and the CMK must
5780
- # be in the same AWS account and region.
6320
+ # be in the same AWS account and Region.
6321
+ #
6322
+ # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
6323
+ # the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
6324
+ # Management Service Developer Guide*.
6325
+ #
6326
+ # </note>
5781
6327
  #
5782
6328
  # The current and new CMK must be the same type (both symmetric or both
5783
6329
  # asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
@@ -5797,21 +6343,21 @@ module Aws::KMS
5797
6343
  # operation.
5798
6344
  #
5799
6345
  # The CMK that you use for this operation must be in a compatible key
5800
- # state. For details, see [How Key State Affects Use of a Customer
5801
- # Master Key][1] in the *AWS Key Management Service Developer Guide*.
6346
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
6347
+ # Key Management Service Developer Guide*.
5802
6348
  #
5803
6349
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5804
6350
  # in a different AWS account.
5805
6351
  #
5806
6352
  # **Required permissions**
5807
6353
  #
5808
- # * [kms:UpdateAlias][2] on the alias (IAM policy).
6354
+ # * [kms:UpdateAlias][3] on the alias (IAM policy).
5809
6355
  #
5810
- # * [kms:UpdateAlias][2] on the current CMK (key policy).
6356
+ # * [kms:UpdateAlias][3] on the current CMK (key policy).
5811
6357
  #
5812
- # * [kms:UpdateAlias][2] on the new CMK (key policy).
6358
+ # * [kms:UpdateAlias][3] on the new CMK (key policy).
5813
6359
  #
5814
- # For details, see [Controlling access to aliases][3] in the *AWS Key
6360
+ # For details, see [Controlling access to aliases][4] in the *AWS Key
5815
6361
  # Management Service Developer Guide*.
5816
6362
  #
5817
6363
  # **Related operations:**
@@ -5824,9 +6370,10 @@ module Aws::KMS
5824
6370
  #
5825
6371
  #
5826
6372
  #
5827
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5828
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5829
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
6373
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
6374
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6375
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6376
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
5830
6377
  #
5831
6378
  # @option params [required, String] :alias_name
5832
6379
  # Identifies the alias that is changing its CMK. This value must begin
@@ -5844,7 +6391,7 @@ module Aws::KMS
5844
6391
  # (both symmetric or both asymmetric) and they must have the same key
5845
6392
  # usage.
5846
6393
  #
5847
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6394
+ # Specify the key ID or key ARN of the CMK.
5848
6395
  #
5849
6396
  # For example:
5850
6397
  #
@@ -6015,8 +6562,8 @@ module Aws::KMS
6015
6562
  # description of a CMK, use DescribeKey.
6016
6563
  #
6017
6564
  # The CMK that you use for this operation must be in a compatible key
6018
- # state. For details, see [How Key State Affects Use of a Customer
6019
- # Master Key][1] in the *AWS Key Management Service Developer Guide*.
6565
+ # state. For details, see [Key state: Effect on your CMK][1] in the *AWS
6566
+ # Key Management Service Developer Guide*.
6020
6567
  #
6021
6568
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
6022
6569
  # in a different AWS account.
@@ -6035,9 +6582,9 @@ module Aws::KMS
6035
6582
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6036
6583
  #
6037
6584
  # @option params [required, String] :key_id
6038
- # A unique identifier for the customer master key (CMK).
6585
+ # Updates the description of the specified customer master key (CMK).
6039
6586
  #
6040
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6587
+ # Specify the key ID or key ARN of the CMK.
6041
6588
  #
6042
6589
  # For example:
6043
6590
  #
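Review bot: the `:key_id` option for UpdateKeyDescription now reads `Updates the description of the specified customer master key (CMK).`, which describes the operation, not the parameter; the replaced text `A unique identifier for the customer master key (CMK).` was the correct parameter description and should be restored (the following sentence, `Specify the key ID or key ARN of the CMK.`, only makes sense after it).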
@@ -6079,6 +6626,128 @@ module Aws::KMS
6079
6626
  req.send_request(options)
6080
6627
  end
6081
6628
 
6629
+ # Changes the primary key of a multi-Region key.
6630
+ #
6631
+ # This operation changes the replica key in the specified Region to a
6632
+ # primary key and changes the former primary key to a replica key. For
6633
+ # example, suppose you have a primary key in `us-east-1` and a replica
6634
+ # key in `eu-west-2`. If you run `UpdatePrimaryRegion` with a
6635
+ # `PrimaryRegion` value of `eu-west-2`, the primary key is now the key
6636
+ # in `eu-west-2`, and the key in `us-east-1` becomes a replica key. For
6637
+ # details, see
6638
+ #
6639
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
6640
+ # lets you create multiple interoperable CMKs in different AWS Regions.
6641
+ # Because these CMKs have the same key ID, key material, and other
6642
+ # metadata, you can use them to encrypt data in one AWS Region and
6643
+ # decrypt it in a different AWS Region without making a cross-Region
6644
+ # call or exposing the plaintext data. For more information about
6645
+ # multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
6646
+ # Management Service Developer Guide*.
6647
+ #
6648
+ # The *primary key* of a multi-Region key is the source for properties
6649
+ # that are always shared by primary and replica keys, including the key
6650
+ # material, [key ID][2], [key spec][3], [key usage][4], [key material
6651
+ # origin][5], and [automatic key rotation][6]. It's the only key that
6652
+ # can be replicated. You cannot [delete the primary key][7] until all
6653
+ # replicas are deleted.
6654
+ #
6655
+ # The key ID and primary Region that you specify uniquely identify the
6656
+ # replica key that will become the primary key. The primary Region must
6657
+ # already have a replica key. This operation does not create a CMK in
6658
+ # the specified Region. To find the replica keys, use the DescribeKey
6659
+ # operation on the primary key or any replica key. To create a replica
6660
+ # key, use the ReplicateKey operation.
6661
+ #
6662
+ # You can run this operation while using the affected multi-Region keys
6663
+ # in cryptographic operations. This operation should not delay,
6664
+ # interrupt, or cause failures in cryptographic operations.
6665
+ #
6666
+ # Even after this operation completes, the process of updating the
6667
+ # primary Region might still be in progress for a few more seconds.
6668
+ # Operations such as `DescribeKey` might display both the old and new
6669
+ # primary keys as replicas. The old and new primary keys have a
6670
+ # transient key state of `Updating`. The original key state is restored
6671
+ # when the update is complete. While the key state is `Updating`, you
6672
+ # can use the keys in cryptographic operations, but you cannot replicate
6673
+ # the new primary key or perform certain management operations, such as
6674
+ # enabling or disabling these keys. For details about the `Updating` key
6675
+ # state, see [Key state: Effect on your
6676
+ # CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
6677
+ # Management Service Developer Guide*.
6678
+ #
6679
+ # This operation does not return any output. To verify that primary key
6680
+ # is changed, use the DescribeKey operation.
6681
+ #
6682
+ # **Cross-account use**\: No. You cannot use this operation in a
6683
+ # different AWS account.
6684
+ #
6685
+ # **Required permissions**\:
6686
+ #
6687
+ # * `kms:UpdatePrimaryRegion` on the current primary CMK (in the primary
6688
+ # CMK's Region). Include this permission primary CMK's key policy.
6689
+ #
6690
+ # * `kms:UpdatePrimaryRegion` on the current replica CMK (in the replica
6691
+ # CMK's Region). Include this permission in the replica CMK's key
6692
+ # policy.
6693
+ #
6694
+ # **Related operations**
6695
+ #
6696
+ # * CreateKey
6697
+ #
6698
+ # * ReplicateKey
6699
+ #
6700
+ #
6701
+ #
6702
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
6703
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
6704
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
6705
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
6706
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
6707
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
6708
+ # [7]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
6709
+ #
6710
+ # @option params [required, String] :key_id
6711
+ # Identifies the current primary key. When the operation completes, this
6712
+ # CMK will be a replica key.
6713
+ #
6714
+ # Specify the key ID or key ARN of a multi-Region primary key.
6715
+ #
6716
+ # For example:
6717
+ #
6718
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
6719
+ #
6720
+ # * Key ARN:
6721
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
6722
+ #
6723
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
6724
+ #
6725
+ # @option params [required, String] :primary_region
6726
+ # The AWS Region of the new primary key. Enter the Region ID, such as
6727
+ # `us-east-1` or `ap-southeast-2`. There must be an existing replica key
6728
+ # in this Region.
6729
+ #
6730
+ # When the operation completes, the multi-Region key in this Region will
6731
+ # be the primary key.
6732
+ #
6733
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
6734
+ #
6735
+ # @example Request syntax with placeholder values
6736
+ #
6737
+ # resp = client.update_primary_region({
6738
+ # key_id: "KeyIdType", # required
6739
+ # primary_region: "RegionType", # required
6740
+ # })
6741
+ #
6742
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion AWS API Documentation
6743
+ #
6744
+ # @overload update_primary_region(params = {})
6745
+ # @param [Hash] params ({})
6746
+ def update_primary_region(params = {}, options = {})
6747
+ req = build_request(:update_primary_region, params)
6748
+ req.send_request(options)
6749
+ end
6750
+
6082
6751
  # Verifies a digital signature that was generated by the Sign operation.
6083
6752
  #
6084
6753
  #
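Review bot: the doc block for `update_primary_region` has a dangling sentence, `# details, see` followed by an empty `#` line, so the reference that should close the `us-east-1`/`eu-west-2` example never appears in the rendered YARD; either finish it with a `[n]` reference (and add the URL to the list at the bottom of the block) or drop the sentence. Two smaller fixes in the same block: the inline link `# CMK](kms/latest/developerguide/key-state.html) in the *AWS Key` uses a relative path while every other link here is an absolute `https://docs.aws.amazon.com/...` URL, so it will render broken; and the permissions bullet `# CMK's Region). Include this permission primary CMK's key policy.` is missing "in the", which matters because this is the only sentence spelling out that `kms:UpdatePrimaryRegion` must be granted in the primary key's policy as well as the replica's. "To verify that primary key is changed" also needs "the". Since this file is generated from the service model, the corrections belong in the upstream doc strings rather than a hand edit here.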
@@ -6111,8 +6780,8 @@ module Aws::KMS
6111
6780
  # signatures.
6112
6781
  #
6113
6782
  # The CMK that you use for this operation must be in a compatible key
6114
- # state. For details, see [How Key State Affects Use of a Customer
6115
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
6783
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
6784
+ # Key Management Service Developer Guide*.
6116
6785
  #
6117
6786
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
6118
6787
  # different AWS account, specify the key ARN or alias ARN in the value
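Review bot: only the link title changes in this hunk (`# state. For details, see [Key state: Effect on your CMK][2] in the *AWS`); the `[2]` reference target is defined outside the hunk, so confirm it was updated to the key-state page the new title names, otherwise the rendered link text and destination will disagree. No behaviour change.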
@@ -6134,10 +6803,9 @@ module Aws::KMS
6134
6803
  # signature. If you specify a different CMK, the signature verification
6135
6804
  # fails.
6136
6805
  #
6137
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
6138
- # name, or alias ARN. When using an alias name, prefix it with
6139
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
6140
- # the key ARN or alias ARN.
6806
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
6807
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
6808
+ # in a different AWS account, you must use the key ARN or alias ARN.
6141
6809
  #
6142
6810
  # For example:
6143
6811
  #
@@ -6181,7 +6849,9 @@ module Aws::KMS
6181
6849
  # @option params [Array<String>] :grant_tokens
6182
6850
  # A list of grant tokens.
6183
6851
  #
6184
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
6852
+ # Use a grant token when your permission to call this operation comes
6853
+ # from a new grant that has not yet achieved *eventual consistency*. For
6854
+ # more information, see [Grant token][1] in the *AWS Key Management
6185
6855
  # Service Developer Guide*.
6186
6856
  #
6187
6857
  #
@@ -6233,7 +6903,7 @@ module Aws::KMS
6233
6903
  params: params,
6234
6904
  config: config)
6235
6905
  context[:gem_name] = 'aws-sdk-kms'
6236
- context[:gem_version] = '1.43.0'
6906
+ context[:gem_version] = '1.44.0'
6237
6907
  Seahorse::Client::Request.new(handlers, context)
6238
6908
  end
6239
6909