aws-sdk-kms 1.43.0 → 1.44.0

@@ -150,7 +150,12 @@ module Aws::KMS
150
150
  MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
151
151
  MarkerType = Shapes::StringShape.new(name: 'MarkerType')
152
152
  MessageType = Shapes::StringShape.new(name: 'MessageType')
153
+ MultiRegionConfiguration = Shapes::StructureShape.new(name: 'MultiRegionConfiguration')
154
+ MultiRegionKey = Shapes::StructureShape.new(name: 'MultiRegionKey')
155
+ MultiRegionKeyList = Shapes::ListShape.new(name: 'MultiRegionKeyList')
156
+ MultiRegionKeyType = Shapes::StringShape.new(name: 'MultiRegionKeyType')
153
157
  NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
158
+ NullableBooleanType = Shapes::BooleanShape.new(name: 'NullableBooleanType')
154
159
  NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
155
160
  OriginType = Shapes::StringShape.new(name: 'OriginType')
156
161
  PendingWindowInDaysType = Shapes::IntegerShape.new(name: 'PendingWindowInDaysType')
@@ -163,6 +168,9 @@ module Aws::KMS
163
168
  PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
164
169
  ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
165
170
  ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
171
+ RegionType = Shapes::StringShape.new(name: 'RegionType')
172
+ ReplicateKeyRequest = Shapes::StructureShape.new(name: 'ReplicateKeyRequest')
173
+ ReplicateKeyResponse = Shapes::StructureShape.new(name: 'ReplicateKeyResponse')
166
174
  RetireGrantRequest = Shapes::StructureShape.new(name: 'RetireGrantRequest')
167
175
  RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
168
176
  ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
@@ -185,6 +193,7 @@ module Aws::KMS
185
193
  UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
186
194
  UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
187
195
  UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
196
+ UpdatePrimaryRegionRequest = Shapes::StructureShape.new(name: 'UpdatePrimaryRegionRequest')
188
197
  VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
189
198
  VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
190
199
  WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
@@ -261,6 +270,7 @@ module Aws::KMS
261
270
  CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
262
271
  CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
263
272
  CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
273
+ CreateKeyRequest.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
264
274
  CreateKeyRequest.struct_class = Types::CreateKeyRequest
265
275
 
266
276
  CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
@@ -560,6 +570,9 @@ module Aws::KMS
560
570
  KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
561
571
  KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
562
572
  KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
573
+ KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
574
+ KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
575
+ KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
563
576
  KeyMetadata.struct_class = Types::KeyMetadata
564
577
 
565
578
  KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -627,6 +640,17 @@ module Aws::KMS
627
640
  MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
628
641
  MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
629
642
 
643
+ MultiRegionConfiguration.add_member(:multi_region_key_type, Shapes::ShapeRef.new(shape: MultiRegionKeyType, location_name: "MultiRegionKeyType"))
644
+ MultiRegionConfiguration.add_member(:primary_key, Shapes::ShapeRef.new(shape: MultiRegionKey, location_name: "PrimaryKey"))
645
+ MultiRegionConfiguration.add_member(:replica_keys, Shapes::ShapeRef.new(shape: MultiRegionKeyList, location_name: "ReplicaKeys"))
646
+ MultiRegionConfiguration.struct_class = Types::MultiRegionConfiguration
647
+
648
+ MultiRegionKey.add_member(:arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "Arn"))
649
+ MultiRegionKey.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
650
+ MultiRegionKey.struct_class = Types::MultiRegionKey
651
+
652
+ MultiRegionKeyList.member = Shapes::ShapeRef.new(shape: MultiRegionKey)
653
+
630
654
  NotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
631
655
  NotFoundException.struct_class = Types::NotFoundException
632
656
 
@@ -655,6 +679,19 @@ module Aws::KMS
655
679
  ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
656
680
  ReEncryptResponse.struct_class = Types::ReEncryptResponse
657
681
 
682
+ ReplicateKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
683
+ ReplicateKeyRequest.add_member(:replica_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "ReplicaRegion"))
684
+ ReplicateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
685
+ ReplicateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
686
+ ReplicateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
687
+ ReplicateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
688
+ ReplicateKeyRequest.struct_class = Types::ReplicateKeyRequest
689
+
690
+ ReplicateKeyResponse.add_member(:replica_key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "ReplicaKeyMetadata"))
691
+ ReplicateKeyResponse.add_member(:replica_policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "ReplicaPolicy"))
692
+ ReplicateKeyResponse.add_member(:replica_tags, Shapes::ShapeRef.new(shape: TagList, location_name: "ReplicaTags"))
693
+ ReplicateKeyResponse.struct_class = Types::ReplicateKeyResponse
694
+
658
695
  RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
659
696
  RetireGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
660
697
  RetireGrantRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
@@ -670,6 +707,8 @@ module Aws::KMS
670
707
 
671
708
  ScheduleKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
672
709
  ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
710
+ ScheduleKeyDeletionResponse.add_member(:key_state, Shapes::ShapeRef.new(shape: KeyState, location_name: "KeyState"))
711
+ ScheduleKeyDeletionResponse.add_member(:pending_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingWindowInDays"))
673
712
  ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
674
713
 
675
714
  SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
@@ -724,6 +763,10 @@ module Aws::KMS
724
763
  UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
725
764
  UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
726
765
 
766
+ UpdatePrimaryRegionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
767
+ UpdatePrimaryRegionRequest.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "PrimaryRegion"))
768
+ UpdatePrimaryRegionRequest.struct_class = Types::UpdatePrimaryRegionRequest
769
+
727
770
  VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
728
771
  VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
729
772
  VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
@@ -909,6 +952,7 @@ module Aws::KMS
909
952
  o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
910
953
  o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
911
954
  o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
955
+ o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
912
956
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
913
957
  end)
914
958
 
@@ -1302,6 +1346,24 @@ module Aws::KMS
1302
1346
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1303
1347
  end)
1304
1348
 
1349
+ api.add_operation(:replicate_key, Seahorse::Model::Operation.new.tap do |o|
1350
+ o.name = "ReplicateKey"
1351
+ o.http_method = "POST"
1352
+ o.http_request_uri = "/"
1353
+ o.input = Shapes::ShapeRef.new(shape: ReplicateKeyRequest)
1354
+ o.output = Shapes::ShapeRef.new(shape: ReplicateKeyResponse)
1355
+ o.errors << Shapes::ShapeRef.new(shape: AlreadyExistsException)
1356
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1357
+ o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
1358
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1359
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1360
+ o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
1361
+ o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
1362
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1363
+ o.errors << Shapes::ShapeRef.new(shape: TagException)
1364
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1365
+ end)
1366
+
1305
1367
  api.add_operation(:retire_grant, Seahorse::Model::Operation.new.tap do |o|
1306
1368
  o.name = "RetireGrant"
1307
1369
  o.http_method = "POST"
@@ -1429,6 +1491,20 @@ module Aws::KMS
1429
1491
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1430
1492
  end)
1431
1493
 
1494
+ api.add_operation(:update_primary_region, Seahorse::Model::Operation.new.tap do |o|
1495
+ o.name = "UpdatePrimaryRegion"
1496
+ o.http_method = "POST"
1497
+ o.http_request_uri = "/"
1498
+ o.input = Shapes::ShapeRef.new(shape: UpdatePrimaryRegionRequest)
1499
+ o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
1500
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1501
+ o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
1502
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1503
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1504
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1505
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1506
+ end)
1507
+
1432
1508
  api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
1433
1509
  o.name = "Verify"
1434
1510
  o.http_method = "POST"
@@ -2,7 +2,7 @@
2
2
  # WARNING ABOUT GENERATED CODE
3
3
  #
4
4
  # This file is generated. See the contributing for info on making contributions:
5
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
6
6
  #
7
7
  # WARNING ABOUT GENERATED CODE
8
8
 
@@ -21,13 +21,18 @@ module Aws::KMS
21
21
  # @return [String]
22
22
  #
23
23
  # @!attribute [rw] target_key_id
24
- # String that contains the key identifier referred to by the alias.
24
+ # String that contains the key identifier of the CMK associated with
25
+ # the alias.
25
26
  # @return [String]
26
27
  #
27
28
  # @!attribute [rw] creation_date
29
+ # Date and time that the alias was most recently created in the
30
+ # account and Region. Formatted as Unix time.
28
31
  # @return [Time]
29
32
  #
30
33
  # @!attribute [rw] last_updated_date
34
+ # Date and time that the alias was most recently associated with a CMK
35
+ # in the account and Region. Formatted as Unix time.
31
36
  # @return [Time]
32
37
  #
33
38
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AliasListEntry AWS API Documentation
@@ -64,10 +69,10 @@ module Aws::KMS
64
69
  # }
65
70
  #
66
71
  # @!attribute [rw] key_id
67
- # The unique identifier for the customer master key (CMK) for which to
68
- # cancel deletion.
72
+ # Identifies the customer master key (CMK) whose deletion is being
73
+ # canceled.
69
74
  #
70
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
75
+ # Specify the key ID or key ARN of the CMK.
71
76
  #
72
77
  # For example:
73
78
  #
@@ -305,7 +310,7 @@ module Aws::KMS
305
310
  # For help finding the key ID and ARN, see [Finding the Key ID and
306
311
  # ARN][2] in the *AWS Key Management Service Developer Guide*.
307
312
  #
308
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
313
+ # Specify the key ID or key ARN of the CMK.
309
314
  #
310
315
  # For example:
311
316
  #
@@ -428,11 +433,11 @@ module Aws::KMS
428
433
  # }
429
434
  #
430
435
  # @!attribute [rw] key_id
431
- # The unique identifier for the customer master key (CMK) that the
432
- # grant applies to.
436
+ # Identifies the customer master key (CMK) for the grant. The grant
437
+ # gives principals permission to use this CMK.
433
438
  #
434
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
435
- # specify a CMK in a different AWS account, you must use the key ARN.
439
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
440
+ # different AWS account, you must use the key ARN.
436
441
  #
437
442
  # For example:
438
443
  #
@@ -446,8 +451,7 @@ module Aws::KMS
446
451
  # @return [String]
447
452
  #
448
453
  # @!attribute [rw] grantee_principal
449
- # The principal that is given permission to perform the operations
450
- # that the grant permits.
454
+ # The identity that gets the permissions specified in the grant.
451
455
  #
452
456
  # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
453
457
  # an AWS principal. Valid AWS principals include AWS accounts (root),
@@ -481,30 +485,55 @@ module Aws::KMS
481
485
  #
482
486
  # @!attribute [rw] operations
483
487
  # A list of operations that the grant permits.
488
+ #
489
+ # The operation must be supported on the CMK. For example, you cannot
490
+ # create a grant for a symmetric CMK that allows the Sign operation,
491
+ # or a grant for an asymmetric CMK that allows the GenerateDataKey
492
+ # operation. If you try, AWS KMS returns a `ValidationError`
493
+ # exception. For details, see [Grant operations][1] in the *AWS Key
494
+ # Management Service Developer Guide*.
495
+ #
496
+ #
497
+ #
498
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
484
499
  # @return [Array<String>]
485
500
  #
486
501
  # @!attribute [rw] constraints
487
- # Allows a [cryptographic operation][1] only when the encryption
488
- # context matches or includes the encryption context specified in this
489
- # structure. For more information about encryption context, see
490
- # [Encryption Context][2] in the <i> <i>AWS Key Management Service
491
- # Developer Guide</i> </i>.
502
+ # Specifies a grant constraint.
503
+ #
504
+ # AWS KMS supports the `EncryptionContextEquals` and
505
+ # `EncryptionContextSubset` grant constraints. Each constraint value
506
+ # can include up to 8 encryption context pairs. The encryption context
507
+ # value in each constraint cannot exceed 384 characters.
492
508
  #
493
- # Grant constraints are not applied to operations that do not support
494
- # an encryption context, such as cryptographic operations with
495
- # asymmetric CMKs and management operations, such as DescribeKey or
496
- # RetireGrant.
509
+ # These grant constraints allow a [cryptographic operation][1] only
510
+ # when the encryption context in the request matches
511
+ # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
512
+ # the encryption context specified in this structure. For more
513
+ # information about encryption context, see [Encryption Context][2] in
514
+ # the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
515
+ # information about grant constraints, see [Using grant
516
+ # constraints][3] in the *AWS Key Management Service Developer Guide*.
517
+ #
518
+ # The encryption context grant constraints are supported only on
519
+ # operations that include an encryption context. You cannot use an
520
+ # encryption context grant constraint for cryptographic operations
521
+ # with asymmetric CMKs or for management operations, such as
522
+ # DescribeKey or RetireGrant.
497
523
  #
498
524
  #
499
525
  #
500
526
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
501
527
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
528
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
502
529
  # @return [Types::GrantConstraints]
503
530
  #
504
531
  # @!attribute [rw] grant_tokens
505
532
  # A list of grant tokens.
506
533
  #
507
- # For more information, see [Grant Tokens][1] in the *AWS Key
534
+ # Use a grant token when your permission to call this operation comes
535
+ # from a new grant that has not yet achieved *eventual consistency*.
536
+ # For more information, see [Grant token][1] in the *AWS Key
508
537
  # Management Service Developer Guide*.
509
538
  #
510
539
  #
@@ -546,7 +575,9 @@ module Aws::KMS
546
575
  # @!attribute [rw] grant_token
547
576
  # The grant token.
548
577
  #
549
- # For more information, see [Grant Tokens][1] in the *AWS Key
578
+ # Use a grant token when your permission to call this operation comes
579
+ # from a new grant that has not yet achieved *eventual consistency*.
580
+ # For more information, see [Grant token][1] in the *AWS Key
550
581
  # Management Service Developer Guide*.
551
582
  #
552
583
  #
@@ -587,6 +618,7 @@ module Aws::KMS
587
618
  # tag_value: "TagValueType", # required
588
619
  # },
589
620
  # ],
621
+ # multi_region: false,
590
622
  # }
591
623
  #
592
624
  # @!attribute [rw] policy
@@ -633,7 +665,8 @@ module Aws::KMS
633
665
  # A description of the CMK.
634
666
  #
635
667
  # Use a description that helps you decide whether the CMK is
636
- # appropriate for a task.
668
+ # appropriate for a task. The default value is an empty string (no
669
+ # description).
637
670
  # @return [String]
638
671
  #
639
672
  # @!attribute [rw] key_usage
@@ -722,20 +755,19 @@ module Aws::KMS
722
755
  # @!attribute [rw] origin
723
756
  # The source of the key material for the CMK. You cannot change the
724
757
  # origin after you create the CMK. The default is `AWS_KMS`, which
725
- # means AWS KMS creates the key material.
758
+ # means that AWS KMS creates the key material.
726
759
  #
727
- # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
728
- # without key material so that you can import key material from your
729
- # existing key management infrastructure. For more information about
730
- # importing key material into AWS KMS, see [Importing Key Material][1]
731
- # in the *AWS Key Management Service Developer Guide*. This value is
732
- # valid only for symmetric CMKs.
760
+ # To create a CMK with no key material (for imported key material),
761
+ # set the value to `EXTERNAL`. For more information about importing
762
+ # key material into AWS KMS, see [Importing Key Material][1] in the
763
+ # *AWS Key Management Service Developer Guide*. This value is valid
764
+ # only for symmetric CMKs.
733
765
  #
734
- # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
735
- # in an AWS KMS [custom key store][2] and creates its key material in
736
- # the associated AWS CloudHSM cluster. You must also use the
737
- # `CustomKeyStoreId` parameter to identify the custom key store. This
738
- # value is valid only for symmetric CMKs.
766
+ # To create a CMK in an AWS KMS [custom key store][2] and create its
767
+ # key material in the associated AWS CloudHSM cluster, set this value
768
+ # to `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId`
769
+ # parameter to identify the custom key store. This value is valid only
770
+ # for symmetric CMKs.
739
771
  #
740
772
  #
741
773
  #
@@ -751,8 +783,9 @@ module Aws::KMS
751
783
  # associated with the custom key store must have at least two active
752
784
  # HSMs, each in a different Availability Zone in the Region.
753
785
  #
754
- # This parameter is valid only for symmetric CMKs. You cannot create
755
- # an asymmetric CMK in a custom key store.
786
+ # This parameter is valid only for symmetric CMKs and regional CMKs.
787
+ # You cannot create an asymmetric CMK or a multi-Region CMK in a
788
+ # custom key store.
756
789
  #
757
790
  # To find the ID of a custom key store, use the
758
791
  # DescribeCustomKeyStores operation.
@@ -793,27 +826,66 @@ module Aws::KMS
793
826
  # @return [Boolean]
794
827
  #
795
828
  # @!attribute [rw] tags
796
- # One or more tags. Each tag consists of a tag key and a tag value.
797
- # Both the tag key and the tag value are required, but the tag value
798
- # can be an empty (null) string.
829
+ # Assigns one or more tags to the CMK. Use this parameter to tag the
830
+ # CMK when it is created. To tag an existing CMK, use the TagResource
831
+ # operation.
799
832
  #
800
- # When you add tags to an AWS resource, AWS generates a cost
801
- # allocation report with usage and costs aggregated by tags. For
802
- # information about adding, changing, deleting and listing tags for
803
- # CMKs, see [Tagging Keys][1].
833
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
834
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
835
+ # Management Service Developer Guide*.
804
836
  #
805
- # Use this parameter to tag the CMK when it is created. To add tags to
806
- # an existing CMK, use the TagResource operation.
837
+ # </note>
807
838
  #
808
839
  # To use this parameter, you must have [kms:TagResource][2] permission
809
840
  # in an IAM policy.
810
841
  #
842
+ # Each tag consists of a tag key and a tag value. Both the tag key and
843
+ # the tag value are required, but the tag value can be an empty (null)
844
+ # string. You cannot have more than one tag on a CMK with the same tag
845
+ # key. If you specify an existing tag key with a different tag value,
846
+ # AWS KMS replaces the current tag value with the specified one.
847
+ #
848
+ # When you assign tags to an AWS resource, AWS generates a cost
849
+ # allocation report with usage and costs aggregated by tags. Tags can
850
+ # also be used to control access to a CMK. For details, see [Tagging
851
+ # Keys][3].
811
852
  #
812
853
  #
813
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
854
+ #
855
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
814
856
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
857
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
815
858
  # @return [Array<Types::Tag>]
816
859
  #
860
+ # @!attribute [rw] multi_region
861
+ # Creates a multi-Region primary key that you can replicate into other
862
+ # AWS Regions. You cannot change this value after you create the CMK.
863
+ #
864
+ # For a multi-Region key, set this parameter to `True`. For a
865
+ # single-Region CMK, omit this parameter or set it to `False`. The
866
+ # default value is `False`.
867
+ #
868
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
869
+ # lets you create multiple interoperable CMKs in different AWS
870
+ # Regions. Because these CMKs have the same key ID, key material, and
871
+ # other metadata, you can use them to encrypt data in one AWS Region
872
+ # and decrypt it in a different AWS Region without making a
873
+ # cross-Region call or exposing the plaintext data. For more
874
+ # information about multi-Region keys, see [Using multi-Region
875
+ # keys][1] in the *AWS Key Management Service Developer Guide*.
876
+ #
877
+ # This value creates a *primary key*, not a replica. To create a
878
+ # *replica key*, use the ReplicateKey operation.
879
+ #
880
+ # You can create a symmetric or asymmetric multi-Region CMK, and you
881
+ # can create a multi-Region CMK with imported key material. However,
882
+ # you cannot create a multi-Region CMK in a custom key store.
883
+ #
884
+ #
885
+ #
886
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
887
+ # @return [Boolean]
888
+ #
817
889
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
818
890
  #
819
891
  class CreateKeyRequest < Struct.new(
@@ -824,7 +896,8 @@ module Aws::KMS
824
896
  :origin,
825
897
  :custom_key_store_id,
826
898
  :bypass_policy_lockout_safety_check,
827
- :tags)
899
+ :tags,
900
+ :multi_region)
828
901
  SENSITIVE = []
829
902
  include Aws::Structure
830
903
  end
@@ -1094,8 +1167,12 @@ module Aws::KMS
1094
1167
  # @!attribute [rw] grant_tokens
1095
1168
  # A list of grant tokens.
1096
1169
  #
1097
- # For more information, see [Grant Tokens][1] in the *AWS Key
1098
- # Management Service Developer Guide*.
1170
+ # Use a grant token when your permission to call this operation comes
1171
+ # from a newly created grant that has not yet achieved eventual
1172
+ # consistency. Use a grant token when your permission to call this
1173
+ # operation comes from a new grant that has not yet achieved *eventual
1174
+ # consistency*. For more information, see [Grant token][1] in the *AWS
1175
+ # Key Management Service Developer Guide*.
1099
1176
  #
1100
1177
  #
1101
1178
  #
@@ -1113,10 +1190,10 @@ module Aws::KMS
1113
1190
  # blob. However, it is always recommended as a best practice. This
1114
1191
  # practice ensures that you use the CMK that you intend.
1115
1192
  #
1116
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1117
- # name, or alias ARN. When using an alias name, prefix it with
1118
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1119
- # use the key ARN or alias ARN.
1193
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1194
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1195
+ # CMK in a different AWS account, you must use the key ARN or alias
1196
+ # ARN.
1120
1197
  #
1121
1198
  # For example:
1122
1199
  #
@@ -1240,7 +1317,7 @@ module Aws::KMS
1240
1317
  # Identifies the CMK from which you are deleting imported key
1241
1318
  # material. The `Origin` of the CMK must be `EXTERNAL`.
1242
1319
  #
1243
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1320
+ # Specify the key ID or key ARN of the CMK.
1244
1321
  #
1245
1322
  # For example:
1246
1323
  #
@@ -1290,7 +1367,7 @@ module Aws::KMS
1290
1367
  # the key store ID.
1291
1368
  #
1292
1369
  # By default, this operation gets information about all custom key
1293
- # stores in the account and region. To limit the output to a
1370
+ # stores in the account and Region. To limit the output to a
1294
1371
  # particular custom key store, you can use either the
1295
1372
  # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1296
1373
  # @return [String]
@@ -1300,7 +1377,7 @@ module Aws::KMS
1300
1377
  # the friendly name of the custom key store.
1301
1378
  #
1302
1379
  # By default, this operation gets information about all custom key
1303
- # stores in the account and region. To limit the output to a
1380
+ # stores in the account and Region. To limit the output to a
1304
1381
  # particular custom key store, you can use either the
1305
1382
  # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1306
1383
  # @return [String]
@@ -1369,10 +1446,10 @@ module Aws::KMS
1369
1446
  # KMS associates the alias with an [AWS managed CMK][1] and returns
1370
1447
  # its `KeyId` and `Arn` in the response.
1371
1448
  #
1372
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1373
- # name, or alias ARN. When using an alias name, prefix it with
1374
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1375
- # use the key ARN or alias ARN.
1449
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1450
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1451
+ # CMK in a different AWS account, you must use the key ARN or alias
1452
+ # ARN.
1376
1453
  #
1377
1454
  # For example:
1378
1455
  #
@@ -1396,7 +1473,9 @@ module Aws::KMS
1396
1473
  # @!attribute [rw] grant_tokens
1397
1474
  # A list of grant tokens.
1398
1475
  #
1399
- # For more information, see [Grant Tokens][1] in the *AWS Key
1476
+ # Use a grant token when your permission to call this operation comes
1477
+ # from a new grant that has not yet achieved *eventual consistency*.
1478
+ # For more information, see [Grant token][1] in the *AWS Key
1400
1479
  # Management Service Developer Guide*.
1401
1480
  #
1402
1481
  #
@@ -1433,9 +1512,9 @@ module Aws::KMS
1433
1512
  # }
1434
1513
  #
1435
1514
  # @!attribute [rw] key_id
1436
- # A unique identifier for the customer master key (CMK).
1515
+ # Identifies the customer master key (CMK) to disable.
1437
1516
  #
1438
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1517
+ # Specify the key ID or key ARN of the CMK.
1439
1518
  #
1440
1519
  # For example:
1441
1520
  #
@@ -1468,7 +1547,7 @@ module Aws::KMS
1468
1547
  # or disable automatic rotation of [asymmetric CMKs][1], CMKs with
1469
1548
  # [imported key material][2], or CMKs in a [custom key store][3].
1470
1549
  #
1471
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1550
+ # Specify the key ID or key ARN of the CMK.
1472
1551
  #
1473
1552
  # For example:
1474
1553
  #
@@ -1541,9 +1620,9 @@ module Aws::KMS
1541
1620
  # }
1542
1621
  #
1543
1622
  # @!attribute [rw] key_id
1544
- # A unique identifier for the customer master key (CMK).
1623
+ # Identifies the customer master key (CMK) to enable.
1545
1624
  #
1546
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1625
+ # Specify the key ID or key ARN of the CMK.
1547
1626
  #
1548
1627
  # For example:
1549
1628
  #
@@ -1573,10 +1652,12 @@ module Aws::KMS
1573
1652
  #
1574
1653
  # @!attribute [rw] key_id
1575
1654
  # Identifies a symmetric customer master key (CMK). You cannot enable
1576
- # automatic rotation of asymmetric CMKs, CMKs with imported key
1577
- # material, or CMKs in a [custom key store][1].
1655
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
1656
+ # material][2], or CMKs in a [custom key store][3]. To enable or
1657
+ # disable automatic rotation of a set of related [multi-Region
1658
+ # keys][4], set the property on the primary key.
1578
1659
  #
1579
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1660
+ # Specify the key ID or key ARN of the CMK.
1580
1661
  #
1581
1662
  # For example:
1582
1663
  #
@@ -1590,7 +1671,10 @@ module Aws::KMS
1590
1671
  #
1591
1672
  #
1592
1673
  #
1593
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1674
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
1675
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1676
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1677
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
1594
1678
  # @return [String]
1595
1679
  #
1596
1680
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1615,12 +1699,13 @@ module Aws::KMS
1615
1699
  # }
1616
1700
  #
1617
1701
  # @!attribute [rw] key_id
1618
- # A unique identifier for the customer master key (CMK).
1702
+ # Identifies the customer master key (CMK) to use in the encryption
1703
+ # operation.
1619
1704
  #
1620
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1621
- # name, or alias ARN. When using an alias name, prefix it with
1622
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1623
- # use the key ARN or alias ARN.
1705
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1706
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1707
+ # CMK in a different AWS account, you must use the key ARN or alias
1708
+ # ARN.
1624
1709
  #
1625
1710
  # For example:
1626
1711
  #
@@ -1667,7 +1752,9 @@ module Aws::KMS
1667
1752
  # @!attribute [rw] grant_tokens
1668
1753
  # A list of grant tokens.
1669
1754
  #
1670
- # For more information, see [Grant Tokens][1] in the *AWS Key
1755
+ # Use a grant token when your permission to call this operation comes
1756
+ # from a new grant that has not yet achieved *eventual consistency*.
1757
+ # For more information, see [Grant token][1] in the *AWS Key
1671
1758
  # Management Service Developer Guide*.
1672
1759
  #
1673
1760
  #
@@ -1779,10 +1866,10 @@ module Aws::KMS
1779
1866
  # custom key store. To get the type and origin of your CMK, use the
1780
1867
  # DescribeKey operation.
1781
1868
  #
1782
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1783
- # name, or alias ARN. When using an alias name, prefix it with
1784
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1785
- # use the key ARN or alias ARN.
1869
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1870
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1871
+ # CMK in a different AWS account, you must use the key ARN or alias
1872
+ # ARN.
1786
1873
  #
1787
1874
  # For example:
1788
1875
  #
@@ -1811,7 +1898,9 @@ module Aws::KMS
1811
1898
  # @!attribute [rw] grant_tokens
1812
1899
  # A list of grant tokens.
1813
1900
  #
1814
- # For more information, see [Grant Tokens][1] in the *AWS Key
1901
+ # Use a grant token when your permission to call this operation comes
1902
+ # from a new grant that has not yet achieved *eventual consistency*.
1903
+ # For more information, see [Grant token][1] in the *AWS Key
1815
1904
  # Management Service Developer Guide*.
1816
1905
  #
1817
1906
  #
@@ -1908,10 +1997,10 @@ module Aws::KMS
1908
1997
  # CMK or a CMK in a custom key store. To get the type and origin of
1909
1998
  # your CMK, use the DescribeKey operation.
1910
1999
  #
1911
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1912
- # name, or alias ARN. When using an alias name, prefix it with
1913
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1914
- # use the key ARN or alias ARN.
2000
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2001
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2002
+ # CMK in a different AWS account, you must use the key ARN or alias
2003
+ # ARN.
1915
2004
  #
1916
2005
  # For example:
1917
2006
  #
@@ -1940,7 +2029,9 @@ module Aws::KMS
1940
2029
  # @!attribute [rw] grant_tokens
1941
2030
  # A list of grant tokens.
1942
2031
  #
1943
- # For more information, see [Grant Tokens][1] in the *AWS Key
2032
+ # Use a grant token when your permission to call this operation comes
2033
+ # from a new grant that has not yet achieved *eventual consistency*.
2034
+ # For more information, see [Grant token][1] in the *AWS Key
1944
2035
  # Management Service Developer Guide*.
1945
2036
  #
1946
2037
  #
@@ -2009,10 +2100,10 @@ module Aws::KMS
2009
2100
  # @!attribute [rw] key_id
2010
2101
  # Identifies the symmetric CMK that encrypts the data key.
2011
2102
  #
2012
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2013
- # name, or alias ARN. When using an alias name, prefix it with
2014
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2015
- # use the key ARN or alias ARN.
2103
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2104
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2105
+ # CMK in a different AWS account, you must use the key ARN or alias
2106
+ # ARN.
2016
2107
  #
2017
2108
  # For example:
2018
2109
  #
@@ -2070,7 +2161,9 @@ module Aws::KMS
2070
2161
  # @!attribute [rw] grant_tokens
2071
2162
  # A list of grant tokens.
2072
2163
  #
2073
- # For more information, see [Grant Tokens][1] in the *AWS Key
2164
+ # Use a grant token when your permission to call this operation comes
2165
+ # from a new grant that has not yet achieved *eventual consistency*.
2166
+ # For more information, see [Grant token][1] in the *AWS Key
2074
2167
  # Management Service Developer Guide*.
2075
2168
  #
2076
2169
  #
@@ -2139,10 +2232,10 @@ module Aws::KMS
2139
2232
  # The identifier of the symmetric customer master key (CMK) that
2140
2233
  # encrypts the data key.
2141
2234
  #
2142
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2143
- # name, or alias ARN. When using an alias name, prefix it with
2144
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2145
- # use the key ARN or alias ARN.
2235
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2236
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2237
+ # CMK in a different AWS account, you must use the key ARN or alias
2238
+ # ARN.
2146
2239
  #
2147
2240
  # For example:
2148
2241
  #
@@ -2193,7 +2286,9 @@ module Aws::KMS
2193
2286
  # @!attribute [rw] grant_tokens
2194
2287
  # A list of grant tokens.
2195
2288
  #
2196
- # For more information, see [Grant Tokens][1] in the *AWS Key
2289
+ # Use a grant token when your permission to call this operation comes
2290
+ # from a new grant that has not yet achieved *eventual consistency*.
2291
+ # For more information, see [Grant token][1] in the *AWS Key
2197
2292
  # Management Service Developer Guide*.
2198
2293
  #
2199
2294
  #
@@ -2289,9 +2384,9 @@ module Aws::KMS
2289
2384
  # }
2290
2385
  #
2291
2386
  # @!attribute [rw] key_id
2292
- # A unique identifier for the customer master key (CMK).
2387
+ # Gets the key policy for the specified customer master key (CMK).
2293
2388
  #
2294
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2389
+ # Specify the key ID or key ARN of the CMK.
2295
2390
  #
2296
2391
  # For example:
2297
2392
  #
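Review bot: The new first line of this `key_id` comment describes the operation rather than the attribute. `Gets the key policy for the specified customer master key (CMK).` reads as a summary of the request, whereas the other rewritten `key_id` comments in this diff say what the value identifies (`Identifies the customer master key (CMK) to disable.`). The same wording pattern appears in the hunks at `@@ -2338,10 +2433,11 @@`, `@@ -3437,9 +3595,10 @@`, `@@ -3575,9 +3734,9 @@` and `@@ -3737,9 +3958,9 @@`. I would write `# Identifies the customer master key (CMK) whose key policy is returned.` here and adjust the others to match. The comment block this belongs to starts and ends outside the hunk.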
@@ -2338,10 +2433,11 @@ module Aws::KMS
2338
2433
  # }
2339
2434
  #
2340
2435
  # @!attribute [rw] key_id
2341
- # A unique identifier for the customer master key (CMK).
2436
+ # Gets the rotation status for the specified customer master key
2437
+ # (CMK).
2342
2438
  #
2343
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
2344
- # specify a CMK in a different AWS account, you must use the key ARN.
2439
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
2440
+ # different AWS account, you must use the key ARN.
2345
2441
  #
2346
2442
  # For example:
2347
2443
  #
@@ -2387,7 +2483,7 @@ module Aws::KMS
2387
2483
  # The identifier of the symmetric CMK into which you will import key
2388
2484
  # material. The `Origin` of the CMK must be `EXTERNAL`.
2389
2485
  #
2390
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2486
+ # Specify the key ID or key ARN of the CMK.
2391
2487
  #
2392
2488
  # For example:
2393
2489
  #
@@ -2474,10 +2570,10 @@ module Aws::KMS
2474
2570
  # @!attribute [rw] key_id
2475
2571
  # Identifies the asymmetric CMK that includes the public key.
2476
2572
  #
2477
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2478
- # name, or alias ARN. When using an alias name, prefix it with
2479
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2480
- # use the key ARN or alias ARN.
2573
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2574
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2575
+ # CMK in a different AWS account, you must use the key ARN or alias
2576
+ # ARN.
2481
2577
  #
2482
2578
  # For example:
2483
2579
  #
@@ -2497,7 +2593,9 @@ module Aws::KMS
2497
2593
  # @!attribute [rw] grant_tokens
2498
2594
  # A list of grant tokens.
2499
2595
  #
2500
- # For more information, see [Grant Tokens][1] in the *AWS Key
2596
+ # Use a grant token when your permission to call this operation comes
2597
+ # from a new grant that has not yet achieved *eventual consistency*.
2598
+ # For more information, see [Grant token][1] in the *AWS Key
2501
2599
  # Management Service Developer Guide*.
2502
2600
  #
2503
2601
  #
@@ -2745,7 +2843,7 @@ module Aws::KMS
2745
2843
  # same CMK specified in the `KeyID` parameter of the corresponding
2746
2844
  # GetParametersForImport request.
2747
2845
  #
2748
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2846
+ # Specify the key ID or key ARN of the CMK.
2749
2847
  #
2750
2848
  # For example:
2751
2849
  #
@@ -3115,8 +3213,14 @@ module Aws::KMS
3115
3213
  # @return [String]
3116
3214
  #
3117
3215
  # @!attribute [rw] deletion_date
3118
- # The date and time after which AWS KMS deletes the CMK. This value is
3119
- # present only when `KeyState` is `PendingDeletion`.
3216
+ # The date and time after which AWS KMS deletes this CMK. This value
3217
+ # is present only when the CMK is scheduled for deletion, that is,
3218
+ # when its `KeyState` is `PendingDeletion`.
3219
+ #
3220
+ # When the primary key in a multi-Region key is scheduled for deletion
3221
+ # but still has replica keys, its key state is
3222
+ # `PendingReplicaDeletion` and the length of its waiting period is
3223
+ # displayed in the `PendingDeletionWindowInDays` field.
3120
3224
  # @return [Time]
3121
3225
  #
3122
3226
  # @!attribute [rw] valid_to
@@ -3183,7 +3287,7 @@ module Aws::KMS
3183
3287
  # The encryption algorithms that the CMK supports. You cannot use the
3184
3288
  # CMK with other encryption algorithms within AWS KMS.
3185
3289
  #
3186
- # This field appears only when the `KeyUsage` of the CMK is
3290
+ # This value is present only when the `KeyUsage` of the CMK is
3187
3291
  # `ENCRYPT_DECRYPT`.
3188
3292
  # @return [Array<String>]
3189
3293
  #
@@ -3195,6 +3299,57 @@ module Aws::KMS
3195
3299
  # `SIGN_VERIFY`.
3196
3300
  # @return [Array<String>]
3197
3301
  #
3302
+ # @!attribute [rw] multi_region
3303
+ # Indicates whether the CMK is a multi-Region (`True`) or regional
3304
+ # (`False`) key. This value is `True` for multi-Region primary and
3305
+ # replica CMKs and `False` for regional CMKs.
3306
+ #
3307
+ # For more information about multi-Region keys, see [Using
3308
+ # multi-Region keys][1] in the *AWS Key Management Service Developer
3309
+ # Guide*.
3310
+ #
3311
+ #
3312
+ #
3313
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
3314
+ # @return [Boolean]
3315
+ #
3316
+ # @!attribute [rw] multi_region_configuration
3317
+ # Lists the primary and replica CMKs in same multi-Region CMK. This
3318
+ # field is present only when the value of the `MultiRegion` field is
3319
+ # `True`.
3320
+ #
3321
+ # For more information about any listed CMK, use the DescribeKey
3322
+ # operation.
3323
+ #
3324
+ # * `MultiRegionKeyType` indicates whether the CMK is a `PRIMARY` or
3325
+ # `REPLICA` key.
3326
+ #
3327
+ # * `PrimaryKey` displays the key ARN and Region of the primary key.
3328
+ # This field displays the current CMK if it is the primary key.
3329
+ #
3330
+ # * `ReplicaKeys` displays the key ARNs and Regions of all replica
3331
+ # keys. This field includes the current CMK if it is a replica key.
3332
+ # @return [Types::MultiRegionConfiguration]
3333
+ #
3334
+ # @!attribute [rw] pending_deletion_window_in_days
3335
+ # The waiting period before the primary key in a multi-Region key is
3336
+ # deleted. This waiting period begins when the last of its replica
3337
+ # keys is deleted. This value is present only when the `KeyState` of
3338
+ # the CMK is `PendingReplicaDeletion`. That indicates that the CMK is
3339
+ # the primary key in a multi-Region key, it is scheduled for deletion,
3340
+ # and it still has existing replica keys.
3341
+ #
3342
+ # When a regional CMK or a replica key in a multi-Region key is
3343
+ # scheduled for deletion, its deletion date is displayed in the
3344
+ # `DeletionDate` field. However, when the primary key in a
3345
+ # multi-Region key is scheduled for deletion, its waiting period
3346
+ # doesn't begin until all of its replica keys are deleted. This value
3347
+ # displays that waiting period. When the last replica key in the
3348
+ # multi-Region key is deleted, the `KeyState` of the scheduled primary
3349
+ # key changes from `PendingReplicaDeletion` to `PendingDeletion` and
3350
+ # the deletion date appears in the `DeletionDate` field.
3351
+ # @return [Integer]
3352
+ #
3198
3353
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
3199
3354
  #
3200
3355
  class KeyMetadata < Struct.new(
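Review bot: The `multi_region` comment gives the values as `True` and `False`, but the attribute is documented `@return [Boolean]`, so the comment should use Ruby's lowercase `true` and `false`. The first sentence of `multi_region_configuration` is also missing an article; I would write `# Lists the primary and replica CMKs in the same multi-Region CMK. This`. If these comments are generated from the service model, the wording fix presumably belongs there rather than in this file. The `KeyMetadata` class body continues outside the hunk.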
@@ -3215,7 +3370,10 @@ module Aws::KMS
3215
3370
  :key_manager,
3216
3371
  :customer_master_key_spec,
3217
3372
  :encryption_algorithms,
3218
- :signing_algorithms)
3373
+ :signing_algorithms,
3374
+ :multi_region,
3375
+ :multi_region_configuration,
3376
+ :pending_deletion_window_in_days)
3219
3377
  SENSITIVE = []
3220
3378
  include Aws::Structure
3221
3379
  end
@@ -3269,7 +3427,7 @@ module Aws::KMS
3269
3427
  # This parameter is optional. If you omit it, `ListAliases` returns
3270
3428
  # all aliases in the account and Region.
3271
3429
  #
3272
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3430
+ # Specify the key ID or key ARN of the CMK.
3273
3431
  #
3274
3432
  # For example:
3275
3433
  #
@@ -3365,8 +3523,8 @@ module Aws::KMS
3365
3523
  # Returns only grants for the specified customer master key (CMK).
3366
3524
  # This parameter is required.
3367
3525
  #
3368
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
3369
- # specify a CMK in a different AWS account, you must use the key ARN.
3526
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
3527
+ # different AWS account, you must use the key ARN.
3370
3528
  #
3371
3529
  # For example:
3372
3530
  #
@@ -3437,9 +3595,10 @@ module Aws::KMS
3437
3595
  # }
3438
3596
  #
3439
3597
  # @!attribute [rw] key_id
3440
- # A unique identifier for the customer master key (CMK).
3598
+ # Gets the names of key policies for the specified customer master key
3599
+ # (CMK).
3441
3600
  #
3442
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3601
+ # Specify the key ID or key ARN of the CMK.
3443
3602
  #
3444
3603
  # For example:
3445
3604
  #
@@ -3575,9 +3734,9 @@ module Aws::KMS
3575
3734
  # }
3576
3735
  #
3577
3736
  # @!attribute [rw] key_id
3578
- # A unique identifier for the customer master key (CMK).
3737
+ # Gets tags on the specified customer master key (CMK).
3579
3738
  #
3580
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3739
+ # Specify the key ID or key ARN of the CMK.
3581
3740
  #
3582
3741
  # For example:
3583
3742
  #
@@ -3620,6 +3779,16 @@ module Aws::KMS
3620
3779
 
3621
3780
  # @!attribute [rw] tags
3622
3781
  # A list of tags. Each tag consists of a tag key and a tag value.
3782
+ #
3783
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
3784
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
3785
+ # Management Service Developer Guide*.
3786
+ #
3787
+ # </note>
3788
+ #
3789
+ #
3790
+ #
3791
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
3623
3792
  # @return [Array<Types::Tag>]
3624
3793
  #
3625
3794
  # @!attribute [rw] next_marker
@@ -3712,6 +3881,58 @@ module Aws::KMS
3712
3881
  include Aws::Structure
3713
3882
  end
3714
3883
 
3884
+ # Describes the configuration of this multi-Region CMK. This field
3885
+ # appears only when the CMK is a primary or replica of a multi-Region
3886
+ # CMK.
3887
+ #
3888
+ # For more information about any listed CMK, use the DescribeKey
3889
+ # operation.
3890
+ #
3891
+ # @!attribute [rw] multi_region_key_type
3892
+ # Indicates whether the CMK is a `PRIMARY` or `REPLICA` key.
3893
+ # @return [String]
3894
+ #
3895
+ # @!attribute [rw] primary_key
3896
+ # Displays the key ARN and Region of the primary key. This field
3897
+ # includes the current CMK if it is the primary key.
3898
+ # @return [Types::MultiRegionKey]
3899
+ #
3900
+ # @!attribute [rw] replica_keys
3901
+ # displays the key ARNs and Regions of all replica keys. This field
3902
+ # includes the current CMK if it is a replica key.
3903
+ # @return [Array<Types::MultiRegionKey>]
3904
+ #
3905
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
3906
+ #
3907
+ class MultiRegionConfiguration < Struct.new(
3908
+ :multi_region_key_type,
3909
+ :primary_key,
3910
+ :replica_keys)
3911
+ SENSITIVE = []
3912
+ include Aws::Structure
3913
+ end
3914
+
3915
+ # Describes the primary or replica key in a multi-Region key.
3916
+ #
3917
+ # @!attribute [rw] arn
3918
+ # Displays the key ARN of a primary or replica key of a multi-Region
3919
+ # key.
3920
+ # @return [String]
3921
+ #
3922
+ # @!attribute [rw] region
3923
+ # Displays the AWS Region of a primary or replica key in a
3924
+ # multi-Region key.
3925
+ # @return [String]
3926
+ #
3927
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
3928
+ #
3929
+ class MultiRegionKey < Struct.new(
3930
+ :arn,
3931
+ :region)
3932
+ SENSITIVE = []
3933
+ include Aws::Structure
3934
+ end
3935
+
3715
3936
  # The request was rejected because the specified entity or resource
3716
3937
  # could not be found.
3717
3938
  #
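Review bot: The class comment on `MultiRegionConfiguration` documents a type but is worded as a field description (`This field appears only when the CMK is a primary or replica of a multi-Region CMK.`). It would read better as a statement about where the structure is returned, for example `# Present in KeyMetadata only when the CMK is a primary or replica multi-Region key.`. The `replica_keys` comment starts with a lowercase `displays`. The `primary_key` comment says the field "includes the current CMK if it is the primary key", while the matching bullet added to `KeyMetadata` says it "displays the current CMK"; since `primary_key` is a single `Types::MultiRegionKey`, "displays" is the accurate verb.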
@@ -3737,9 +3958,9 @@ module Aws::KMS
3737
3958
  # }
3738
3959
  #
3739
3960
  # @!attribute [rw] key_id
3740
- # A unique identifier for the customer master key (CMK).
3961
+ # Sets the key policy on the specified customer master key (CMK).
3741
3962
  #
3742
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3963
+ # Specify the key ID or key ARN of the CMK.
3743
3964
  #
3744
3965
  # For example:
3745
3966
  #
@@ -3876,10 +4097,10 @@ module Aws::KMS
3876
4097
  # blob. However, it is always recommended as a best practice. This
3877
4098
  # practice ensures that you use the CMK that you intend.
3878
4099
  #
3879
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3880
- # name, or alias ARN. When using an alias name, prefix it with
3881
- # `"alias/"`. To specify a CMK in a different AWS account, you must
3882
- # use the key ARN or alias ARN.
4100
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
4101
+ # When using an alias name, prefix it with `"alias/"`. To specify a
4102
+ # CMK in a different AWS account, you must use the key ARN or alias
4103
+ # ARN.
3883
4104
  #
3884
4105
  # For example:
3885
4106
  #
@@ -3902,10 +4123,10 @@ module Aws::KMS
3902
4123
  # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
3903
4124
  # DescribeKey operation.
3904
4125
  #
3905
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3906
- # name, or alias ARN. When using an alias name, prefix it with
3907
- # `"alias/"`. To specify a CMK in a different AWS account, you must
3908
- # use the key ARN or alias ARN.
4126
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
4127
+ # When using an alias name, prefix it with `"alias/"`. To specify a
4128
+ # CMK in a different AWS account, you must use the key ARN or alias
4129
+ # ARN.
3909
4130
  #
3910
4131
  # For example:
3911
4132
  #
@@ -3971,7 +4192,9 @@ module Aws::KMS
3971
4192
  # @!attribute [rw] grant_tokens
3972
4193
  # A list of grant tokens.
3973
4194
  #
3974
- # For more information, see [Grant Tokens][1] in the *AWS Key
4195
+ # Use a grant token when your permission to call this operation comes
4196
+ # from a new grant that has not yet achieved *eventual consistency*.
4197
+ # For more information, see [Grant token][1] in the *AWS Key
3975
4198
  # Management Service Developer Guide*.
3976
4199
  #
3977
4200
  #
@@ -4033,6 +4256,221 @@ module Aws::KMS
4033
4256
  include Aws::Structure
4034
4257
  end
4035
4258
 
4259
+ # @note When making an API call, you may pass ReplicateKeyRequest
4260
+ # data as a hash:
4261
+ #
4262
+ # {
4263
+ # key_id: "KeyIdType", # required
4264
+ # replica_region: "RegionType", # required
4265
+ # policy: "PolicyType",
4266
+ # bypass_policy_lockout_safety_check: false,
4267
+ # description: "DescriptionType",
4268
+ # tags: [
4269
+ # {
4270
+ # tag_key: "TagKeyType", # required
4271
+ # tag_value: "TagValueType", # required
4272
+ # },
4273
+ # ],
4274
+ # }
4275
+ #
4276
+ # @!attribute [rw] key_id
4277
+ # Identifies the multi-Region primary key that is being replicated. To
4278
+ # determine whether a CMK is a multi-Region primary key, use the
4279
+ # DescribeKey operation to check the value of the `MultiRegionKeyType`
4280
+ # property.
4281
+ #
4282
+ # Specify the key ID or key ARN of a multi-Region primary key.
4283
+ #
4284
+ # For example:
4285
+ #
4286
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
4287
+ #
4288
+ # * Key ARN:
4289
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
4290
+ #
4291
+ # To get the key ID and key ARN for a CMK, use ListKeys or
4292
+ # DescribeKey.
4293
+ # @return [String]
4294
+ #
4295
+ # @!attribute [rw] replica_region
4296
+ # The Region ID of the AWS Region for this replica key.
4297
+ #
4298
+ # Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
4299
+ # list of AWS Regions in which AWS KMS is supported, see [AWS KMS
4300
+ # service endpoints][1] in the *Amazon Web Services General
4301
+ # Reference*.
4302
+ #
4303
+ # The replica must be in a different AWS Region than its primary key
4304
+ # and other replicas of that primary key, but in the same AWS
4305
+ # partition. AWS KMS must be available in the replica Region. If the
4306
+ # Region is not enabled by default, the AWS account must be enabled in
4307
+ # the Region.
4308
+ #
4309
+ # For information about AWS partitions, see [Amazon Resource Names
4310
+ # (ARNs) in the *Amazon Web Services General Reference*.][2] For
4311
+ # information about enabling and disabling Regions, see [Enabling a
4312
+ # Region][3] and [Disabling a Region][4] in the *Amazon Web Services
4313
+ # General Reference*.
4314
+ #
4315
+ #
4316
+ #
4317
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
4318
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
4319
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
4320
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
4321
+ # @return [String]
4322
+ #
4323
+ # @!attribute [rw] policy
4324
+ # The key policy to attach to the CMK. This parameter is optional. If
4325
+ # you do not provide a key policy, AWS KMS attaches the [default key
4326
+ # policy][1] to the CMK.
4327
+ #
4328
+ # The key policy is not a shared property of multi-Region keys. You
4329
+ # can specify the same key policy or a different key policy for each
4330
+ # key in a set of related multi-Region keys. AWS KMS does not
4331
+ # synchronize this property.
4332
+ #
4333
+ # If you provide a key policy, it must meet the following criteria:
4334
+ #
4335
+ # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
4336
+ # key policy must give the caller `kms:PutKeyPolicy` permission on
4337
+ # the replica CMK. This reduces the risk that the CMK becomes
4338
+ # unmanageable. For more information, refer to the scenario in the
4339
+ # [Default Key Policy][2] section of the <i> <i>AWS Key Management
4340
+ # Service Developer Guide</i> </i>.
4341
+ #
4342
+ # * Each statement in the key policy must contain one or more
4343
+ # principals. The principals in the key policy must exist and be
4344
+ # visible to AWS KMS. When you create a new AWS principal (for
4345
+ # example, an IAM user or role), you might need to enforce a delay
4346
+ # before including the new principal in a key policy because the new
4347
+ # principal might not be immediately visible to AWS KMS. For more
4348
+ # information, see [Changes that I make are not always immediately
4349
+ # visible][3] in the *AWS Identity and Access Management User
4350
+ # Guide*.
4351
+ #
4352
+ # * The key policy size quota is 32 kilobytes (32768 bytes).
4353
+ #
4354
+ #
4355
+ #
4356
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
4357
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
4358
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
4359
+ # @return [String]
4360
+ #
4361
+ # @!attribute [rw] bypass_policy_lockout_safety_check
4362
+ # A flag to indicate whether to bypass the key policy lockout safety
4363
+ # check.
4364
+ #
4365
+ # Setting this value to true increases the risk that the CMK becomes
4366
+ # unmanageable. Do not set this value to true indiscriminately.
4367
+ #
4368
+ # For more information, refer to the scenario in the [Default Key
4369
+ # Policy][1] section in the *AWS Key Management Service Developer
4370
+ # Guide*.
4371
+ #
4372
+ # Use this parameter only when you intend to prevent the principal
4373
+ # that is making the request from making a subsequent `PutKeyPolicy`
4374
+ # request on the CMK.
4375
+ #
4376
+ # The default value is false.
4377
+ #
4378
+ #
4379
+ #
4380
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
4381
+ # @return [Boolean]
4382
+ #
4383
+ # @!attribute [rw] description
4384
+ # A description of the CMK. Use a description that helps you decide
4385
+ # whether the CMK is appropriate for a task. The default value is an
4386
+ # empty string (no description).
4387
+ #
4388
+ # The description is not a shared property of multi-Region keys. You
4389
+ # can specify the same description or a different description for each
4390
+ # key in a set of related multi-Region keys. AWS KMS does not
4391
+ # synchronize this property.
4392
+ # @return [String]
4393
+ #
4394
+ # @!attribute [rw] tags
4395
+ # Assigns one or more tags to the replica key. Use this parameter to
4396
+ # tag the CMK when it is created. To tag an existing CMK, use the
4397
+ # TagResource operation.
4398
+ #
4399
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
4400
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
4401
+ # Management Service Developer Guide*.
4402
+ #
4403
+ # </note>
4404
+ #
4405
+ # To use this parameter, you must have [kms:TagResource][2] permission
4406
+ # in an IAM policy.
4407
+ #
4408
+ # Tags are not a shared property of multi-Region keys. You can specify
4409
+ # the same tags or different tags for each key in a set of related
4410
+ # multi-Region keys. AWS KMS does not synchronize this property.
4411
+ #
4412
+ # Each tag consists of a tag key and a tag value. Both the tag key and
4413
+ # the tag value are required, but the tag value can be an empty (null)
4414
+ # string. You cannot have more than one tag on a CMK with the same tag
4415
+ # key. If you specify an existing tag key with a different tag value,
4416
+ # AWS KMS replaces the current tag value with the specified one.
4417
+ #
4418
+ # When you assign tags to an AWS resource, AWS generates a cost
4419
+ # allocation report with usage and costs aggregated by tags. Tags can
4420
+ # also be used to control access to a CMK. For details, see [Tagging
4421
+ # Keys][3].
4422
+ #
4423
+ #
4424
+ #
4425
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
4426
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4427
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
4428
+ # @return [Array<Types::Tag>]
4429
+ #
4430
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation
4431
+ #
4432
+ class ReplicateKeyRequest < Struct.new(
4433
+ :key_id,
4434
+ :replica_region,
4435
+ :policy,
4436
+ :bypass_policy_lockout_safety_check,
4437
+ :description,
4438
+ :tags)
4439
+ SENSITIVE = []
4440
+ include Aws::Structure
4441
+ end
4442
+
4443
+ # @!attribute [rw] replica_key_metadata
4444
+ # Displays details about the new replica CMK, including its Amazon
4445
+ # Resource Name ([key ARN][1]) and [key state][2]. It also includes
4446
+ # the ARN and AWS Region of its primary key and other replica keys.
4447
+ #
4448
+ #
4449
+ #
4450
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4451
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4452
+ # @return [Types::KeyMetadata]
4453
+ #
4454
+ # @!attribute [rw] replica_policy
4455
+ # The key policy of the new replica key. The value is a key policy
4456
+ # document in JSON format.
4457
+ # @return [String]
4458
+ #
4459
+ # @!attribute [rw] replica_tags
4460
+ # The tags on the new replica key. The value is a list of tag key and
4461
+ # tag value pairs.
4462
+ # @return [Array<Types::Tag>]
4463
+ #
4464
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyResponse AWS API Documentation
4465
+ #
4466
+ class ReplicateKeyResponse < Struct.new(
4467
+ :replica_key_metadata,
4468
+ :replica_policy,
4469
+ :replica_tags)
4470
+ SENSITIVE = []
4471
+ include Aws::Structure
4472
+ end
4473
+
4036
4474
  # @note When making an API call, you may pass RetireGrantRequest
4037
4475
  # data as a hash:
4038
4476
  #
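Review bot: The `policy` comment on `ReplicateKeyRequest` never says outright what access policy the replica gets when the parameter is omitted. It states that the default key policy is attached and, a paragraph later, that key policies are not synchronized, which together mean the primary key's policy is not carried over. A caller who has tightened the primary's policy could assume otherwise, so I would add `# Omitting this parameter does not copy the primary key's policy to the replica.` after the first paragraph. Two markup slips sit in the same hunk: `<i> <i>AWS Key Management Service Developer Guide</i> </i>` should use the `*…*` emphasis used everywhere else, and the `[2]` link in `replica_region` pulls the trailing "in the *Amazon Web Services General Reference*." into its link text.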
@@ -4043,19 +4481,31 @@ module Aws::KMS
4043
4481
  # }
4044
4482
  #
4045
4483
  # @!attribute [rw] grant_token
4046
- # Token that identifies the grant to be retired.
4484
+ # Identifies the grant to be retired. You can use a grant token to
4485
+ # identify a new grant even before it has achieved eventual
4486
+ # consistency.
4487
+ #
4488
+ # Only the CreateGrant operation returns a grant token. For details,
4489
+ # see [Grant token][1] and [Eventual consistency][2] in the *AWS Key
4490
+ # Management Service Developer Guide*.
4491
+ #
4492
+ #
4493
+ #
4494
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
4495
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
4047
4496
  # @return [String]
4048
4497
  #
4049
4498
  # @!attribute [rw] key_id
4050
- # The Amazon Resource Name (ARN) of the CMK associated with the grant.
4499
+ # The key ARN CMK associated with the grant. To find the key ARN, use
4500
+ # the ListKeys operation.
4051
4501
  #
4052
4502
  # For example:
4053
4503
  # `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4054
4504
  # @return [String]
4055
4505
  #
4056
4506
  # @!attribute [rw] grant_id
4057
- # Unique identifier of the grant to retire. The grant ID is returned
4058
- # in the response to a `CreateGrant` operation.
4507
+ # Identifies the grant to retire. To get the grant ID, use
4508
+ # CreateGrant, ListGrants, or ListRetirableGrants.
4059
4509
  #
4060
4510
  # * Grant ID Example -
4061
4511
  # 0123456789012345678901234567890123456789012345678901234567890123
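Review bot: The rewritten `key_id` description at new line 4499 reads "The key ARN CMK associated with the grant", which drops the words linking the two nouns and leaves the sentence hard to parse. I would write `# The key ARN of the CMK associated with the grant. To find the key ARN, use` and keep the following line as it is. The removed text said "The Amazon Resource Name (ARN) of the CMK", so this looks like an editing slip rather than a change in meaning. The struct these attributes belong to is declared outside the hunk.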
@@ -4082,11 +4532,12 @@ module Aws::KMS
4082
4532
  # }
4083
4533
  #
4084
4534
  # @!attribute [rw] key_id
4085
- # A unique identifier for the customer master key associated with the
4086
- # grant.
4535
+ # A unique identifier for the customer master key (CMK) associated
4536
+ # with the grant. To get the key ID and key ARN for a CMK, use
4537
+ # ListKeys or DescribeKey.
4087
4538
  #
4088
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
4089
- # specify a CMK in a different AWS account, you must use the key ARN.
4539
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
4540
+ # different AWS account, you must use the key ARN.
4090
4541
  #
4091
4542
  # For example:
4092
4543
  #
@@ -4100,7 +4551,8 @@ module Aws::KMS
4100
4551
  # @return [String]
4101
4552
  #
4102
4553
  # @!attribute [rw] grant_id
4103
- # Identifier of the grant to be revoked.
4554
+ # Identifies the grant to revoke. To get the grant ID, use
4555
+ # CreateGrant, ListGrants, or ListRetirableGrants.
4104
4556
  # @return [String]
4105
4557
  #
4106
4558
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
@@ -4123,7 +4575,7 @@ module Aws::KMS
4123
4575
  # @!attribute [rw] key_id
4124
4576
  # The unique identifier of the customer master key (CMK) to delete.
4125
4577
  #
4126
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4578
+ # Specify the key ID or key ARN of the CMK.
4127
4579
  #
4128
4580
  # For example:
4129
4581
  #
@@ -4140,6 +4592,10 @@ module Aws::KMS
4140
4592
  # The waiting period, specified in number of days. After the waiting
4141
4593
  # period ends, AWS KMS deletes the customer master key (CMK).
4142
4594
  #
4595
+ # If the CMK is a multi-Region primary key with replicas, the waiting
4596
+ # period begins when the last of its replica keys is deleted.
4597
+ # Otherwise, the waiting period begins immediately.
4598
+ #
4143
4599
  # This value is optional. If you include a value, it must be between 7
4144
4600
  # and 30, inclusive. If you do not include a value, it defaults to 30.
4145
4601
  # @return [Integer]
@@ -4165,13 +4621,39 @@ module Aws::KMS
4165
4621
  # @!attribute [rw] deletion_date
4166
4622
  # The date and time after which AWS KMS deletes the customer master
4167
4623
  # key (CMK).
4624
+ #
4625
+ # If the CMK is a multi-Region primary key with replica keys, this
4626
+ # field does not appear. The deletion date for the primary key isn't
4627
+ # known until its last replica key is deleted.
4168
4628
  # @return [Time]
4169
4629
  #
4630
+ # @!attribute [rw] key_state
4631
+ # The current status of the CMK.
4632
+ #
4633
+ # For more information about how key state affects the use of a CMK,
4634
+ # see [Key state: Effect on your CMK][1] in the *AWS Key Management
4635
+ # Service Developer Guide*.
4636
+ #
4637
+ #
4638
+ #
4639
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4640
+ # @return [String]
4641
+ #
4642
+ # @!attribute [rw] pending_window_in_days
4643
+ # The waiting period before the CMK is deleted.
4644
+ #
4645
+ # If the CMK is a multi-Region primary key with replicas, the waiting
4646
+ # period begins when the last of its replica keys is deleted.
4647
+ # Otherwise, the waiting period begins immediately.
4648
+ # @return [Integer]
4649
+ #
4170
4650
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionResponse AWS API Documentation
4171
4651
  #
4172
4652
  class ScheduleKeyDeletionResponse < Struct.new(
4173
4653
  :key_id,
4174
- :deletion_date)
4654
+ :deletion_date,
4655
+ :key_state,
4656
+ :pending_window_in_days)
4175
4657
  SENSITIVE = []
4176
4658
  include Aws::Structure
4177
4659
  end
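Review bot: The `deletion_date` text added at new lines 4624–4627 says the field does not appear for a multi-Region primary key that still has replicas, yet the tag below it is still `@return [Time]`. Code that logs or alerts on `resp.deletion_date` would then presumably get nil, with no hint from the documented type. I would change the tag to `# @return [Time, nil]` and add a sentence under the new `key_state` attribute telling callers to read it to distinguish a deletion that is already scheduled from one still waiting on replica removal. The two new members are appended after `:deletion_date`, which keeps positional use of the Struct compatible. The comment block for this class begins before the hunk.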
@@ -4193,10 +4675,10 @@ module Aws::KMS
4193
4675
  # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
4194
4676
  # DescribeKey operation.
4195
4677
  #
4196
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4197
- # name, or alias ARN. When using an alias name, prefix it with
4198
- # `"alias/"`. To specify a CMK in a different AWS account, you must
4199
- # use the key ARN or alias ARN.
4678
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
4679
+ # When using an alias name, prefix it with `"alias/"`. To specify a
4680
+ # CMK in a different AWS account, you must use the key ARN or alias
4681
+ # ARN.
4200
4682
  #
4201
4683
  # For example:
4202
4684
  #
@@ -4230,7 +4712,9 @@ module Aws::KMS
4230
4712
  # @!attribute [rw] grant_tokens
4231
4713
  # A list of grant tokens.
4232
4714
  #
4233
- # For more information, see [Grant Tokens][1] in the *AWS Key
4715
+ # Use a grant token when your permission to call this operation comes
4716
+ # from a new grant that has not yet achieved *eventual consistency*.
4717
+ # For more information, see [Grant token][1] in the *AWS Key
4234
4718
  # Management Service Developer Guide*.
4235
4719
  #
4236
4720
  #
@@ -4367,7 +4851,7 @@ module Aws::KMS
4367
4851
  # @!attribute [rw] key_id
4368
4852
  # Identifies a customer managed CMK in the account and Region.
4369
4853
  #
4370
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4854
+ # Specify the key ID or key ARN of the CMK.
4371
4855
  #
4372
4856
  # For example:
4373
4857
  #
@@ -4425,7 +4909,7 @@ module Aws::KMS
4425
4909
  # @!attribute [rw] key_id
4426
4910
  # Identifies the CMK from which you are removing tags.
4427
4911
  #
4428
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4912
+ # Specify the key ID or key ARN of the CMK.
4429
4913
  #
4430
4914
  # For example:
4431
4915
  #
@@ -4476,7 +4960,7 @@ module Aws::KMS
4476
4960
  # CMK (both symmetric or both asymmetric) and they must have the same
4477
4961
  # key usage.
4478
4962
  #
4479
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4963
+ # Specify the key ID or key ARN of the CMK.
4480
4964
  #
4481
4965
  # For example:
4482
4966
  #
@@ -4579,9 +5063,9 @@ module Aws::KMS
4579
5063
  # }
4580
5064
  #
4581
5065
  # @!attribute [rw] key_id
4582
- # A unique identifier for the customer master key (CMK).
5066
+ # Updates the description of the specified customer master key (CMK).
4583
5067
  #
4584
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
5068
+ # Specify the key ID or key ARN of the CMK.
4585
5069
  #
4586
5070
  # For example:
4587
5071
  #
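Review bot: The new first line of the `key_id` attribute at new line 5066, "Updates the description of the specified customer master key (CMK)", describes the operation rather than the parameter, so the attribute no longer says what value it holds. I would write `# Identifies the customer master key (CMK) whose description is updated.` and leave the "Specify the key ID or key ARN" line as it is. The enclosing request struct is declared outside the hunk.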
@@ -4607,6 +5091,49 @@ module Aws::KMS
4607
5091
  include Aws::Structure
4608
5092
  end
4609
5093
 
5094
+ # @note When making an API call, you may pass UpdatePrimaryRegionRequest
5095
+ # data as a hash:
5096
+ #
5097
+ # {
5098
+ # key_id: "KeyIdType", # required
5099
+ # primary_region: "RegionType", # required
5100
+ # }
5101
+ #
5102
+ # @!attribute [rw] key_id
5103
+ # Identifies the current primary key. When the operation completes,
5104
+ # this CMK will be a replica key.
5105
+ #
5106
+ # Specify the key ID or key ARN of a multi-Region primary key.
5107
+ #
5108
+ # For example:
5109
+ #
5110
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
5111
+ #
5112
+ # * Key ARN:
5113
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
5114
+ #
5115
+ # To get the key ID and key ARN for a CMK, use ListKeys or
5116
+ # DescribeKey.
5117
+ # @return [String]
5118
+ #
5119
+ # @!attribute [rw] primary_region
5120
+ # The AWS Region of the new primary key. Enter the Region ID, such as
5121
+ # `us-east-1` or `ap-southeast-2`. There must be an existing replica
5122
+ # key in this Region.
5123
+ #
5124
+ # When the operation completes, the multi-Region key in this Region
5125
+ # will be the primary key.
5126
+ # @return [String]
5127
+ #
5128
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegionRequest AWS API Documentation
5129
+ #
5130
+ class UpdatePrimaryRegionRequest < Struct.new(
5131
+ :key_id,
5132
+ :primary_region)
5133
+ SENSITIVE = []
5134
+ include Aws::Structure
5135
+ end
5136
+
4610
5137
  # @note When making an API call, you may pass VerifyRequest
4611
5138
  # data as a hash:
4612
5139
  #
@@ -4625,10 +5152,10 @@ module Aws::KMS
4625
5152
  # signature. If you specify a different CMK, the signature
4626
5153
  # verification fails.
4627
5154
  #
4628
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4629
- # name, or alias ARN. When using an alias name, prefix it with
4630
- # `"alias/"`. To specify a CMK in a different AWS account, you must
4631
- # use the key ARN or alias ARN.
5155
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
5156
+ # When using an alias name, prefix it with `"alias/"`. To specify a
5157
+ # CMK in a different AWS account, you must use the key ARN or alias
5158
+ # ARN.
4632
5159
  #
4633
5160
  # For example:
4634
5161
  #
@@ -4678,7 +5205,9 @@ module Aws::KMS
4678
5205
  # @!attribute [rw] grant_tokens
4679
5206
  # A list of grant tokens.
4680
5207
  #
4681
- # For more information, see [Grant Tokens][1] in the *AWS Key
5208
+ # Use a grant token when your permission to call this operation comes
5209
+ # from a new grant that has not yet achieved *eventual consistency*.
5210
+ # For more information, see [Grant token][1] in the *AWS Key
4682
5211
  # Management Service Developer Guide*.
4683
5212
  #
4684
5213
  #