aws-sdk-kms 1.43.0 → 1.45.0

@@ -150,7 +150,12 @@ module Aws::KMS
150
150
  MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
151
151
  MarkerType = Shapes::StringShape.new(name: 'MarkerType')
152
152
  MessageType = Shapes::StringShape.new(name: 'MessageType')
153
+ MultiRegionConfiguration = Shapes::StructureShape.new(name: 'MultiRegionConfiguration')
154
+ MultiRegionKey = Shapes::StructureShape.new(name: 'MultiRegionKey')
155
+ MultiRegionKeyList = Shapes::ListShape.new(name: 'MultiRegionKeyList')
156
+ MultiRegionKeyType = Shapes::StringShape.new(name: 'MultiRegionKeyType')
153
157
  NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
158
+ NullableBooleanType = Shapes::BooleanShape.new(name: 'NullableBooleanType')
154
159
  NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
155
160
  OriginType = Shapes::StringShape.new(name: 'OriginType')
156
161
  PendingWindowInDaysType = Shapes::IntegerShape.new(name: 'PendingWindowInDaysType')
@@ -163,6 +168,9 @@ module Aws::KMS
163
168
  PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
164
169
  ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
165
170
  ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
171
+ RegionType = Shapes::StringShape.new(name: 'RegionType')
172
+ ReplicateKeyRequest = Shapes::StructureShape.new(name: 'ReplicateKeyRequest')
173
+ ReplicateKeyResponse = Shapes::StructureShape.new(name: 'ReplicateKeyResponse')
166
174
  RetireGrantRequest = Shapes::StructureShape.new(name: 'RetireGrantRequest')
167
175
  RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
168
176
  ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
@@ -185,6 +193,7 @@ module Aws::KMS
185
193
  UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
186
194
  UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
187
195
  UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
196
+ UpdatePrimaryRegionRequest = Shapes::StructureShape.new(name: 'UpdatePrimaryRegionRequest')
188
197
  VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
189
198
  VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
190
199
  WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
@@ -261,6 +270,7 @@ module Aws::KMS
261
270
  CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
262
271
  CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
263
272
  CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
273
+ CreateKeyRequest.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
264
274
  CreateKeyRequest.struct_class = Types::CreateKeyRequest
265
275
 
266
276
  CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
@@ -560,6 +570,9 @@ module Aws::KMS
560
570
  KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
561
571
  KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
562
572
  KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
573
+ KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
574
+ KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
575
+ KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
563
576
  KeyMetadata.struct_class = Types::KeyMetadata
564
577
 
565
578
  KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -627,6 +640,17 @@ module Aws::KMS
627
640
  MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
628
641
  MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
629
642
 
643
+ MultiRegionConfiguration.add_member(:multi_region_key_type, Shapes::ShapeRef.new(shape: MultiRegionKeyType, location_name: "MultiRegionKeyType"))
644
+ MultiRegionConfiguration.add_member(:primary_key, Shapes::ShapeRef.new(shape: MultiRegionKey, location_name: "PrimaryKey"))
645
+ MultiRegionConfiguration.add_member(:replica_keys, Shapes::ShapeRef.new(shape: MultiRegionKeyList, location_name: "ReplicaKeys"))
646
+ MultiRegionConfiguration.struct_class = Types::MultiRegionConfiguration
647
+
648
+ MultiRegionKey.add_member(:arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "Arn"))
649
+ MultiRegionKey.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
650
+ MultiRegionKey.struct_class = Types::MultiRegionKey
651
+
652
+ MultiRegionKeyList.member = Shapes::ShapeRef.new(shape: MultiRegionKey)
653
+
630
654
  NotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
631
655
  NotFoundException.struct_class = Types::NotFoundException
632
656
 
@@ -655,6 +679,19 @@ module Aws::KMS
655
679
  ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
656
680
  ReEncryptResponse.struct_class = Types::ReEncryptResponse
657
681
 
682
+ ReplicateKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
683
+ ReplicateKeyRequest.add_member(:replica_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "ReplicaRegion"))
684
+ ReplicateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
685
+ ReplicateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
686
+ ReplicateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
687
+ ReplicateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
688
+ ReplicateKeyRequest.struct_class = Types::ReplicateKeyRequest
689
+
690
+ ReplicateKeyResponse.add_member(:replica_key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "ReplicaKeyMetadata"))
691
+ ReplicateKeyResponse.add_member(:replica_policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "ReplicaPolicy"))
692
+ ReplicateKeyResponse.add_member(:replica_tags, Shapes::ShapeRef.new(shape: TagList, location_name: "ReplicaTags"))
693
+ ReplicateKeyResponse.struct_class = Types::ReplicateKeyResponse
694
+
658
695
  RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
659
696
  RetireGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
660
697
  RetireGrantRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
@@ -670,6 +707,8 @@ module Aws::KMS
670
707
 
671
708
  ScheduleKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
672
709
  ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
710
+ ScheduleKeyDeletionResponse.add_member(:key_state, Shapes::ShapeRef.new(shape: KeyState, location_name: "KeyState"))
711
+ ScheduleKeyDeletionResponse.add_member(:pending_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingWindowInDays"))
673
712
  ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
674
713
 
675
714
  SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
@@ -724,6 +763,10 @@ module Aws::KMS
724
763
  UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
725
764
  UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
726
765
 
766
+ UpdatePrimaryRegionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
767
+ UpdatePrimaryRegionRequest.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "PrimaryRegion"))
768
+ UpdatePrimaryRegionRequest.struct_class = Types::UpdatePrimaryRegionRequest
769
+
727
770
  VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
728
771
  VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
729
772
  VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
@@ -909,6 +952,7 @@ module Aws::KMS
909
952
  o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
910
953
  o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
911
954
  o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
955
+ o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
912
956
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
913
957
  end)
914
958
 
@@ -1302,6 +1346,24 @@ module Aws::KMS
1302
1346
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1303
1347
  end)
1304
1348
 
1349
+ api.add_operation(:replicate_key, Seahorse::Model::Operation.new.tap do |o|
1350
+ o.name = "ReplicateKey"
1351
+ o.http_method = "POST"
1352
+ o.http_request_uri = "/"
1353
+ o.input = Shapes::ShapeRef.new(shape: ReplicateKeyRequest)
1354
+ o.output = Shapes::ShapeRef.new(shape: ReplicateKeyResponse)
1355
+ o.errors << Shapes::ShapeRef.new(shape: AlreadyExistsException)
1356
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1357
+ o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
1358
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1359
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1360
+ o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
1361
+ o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
1362
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1363
+ o.errors << Shapes::ShapeRef.new(shape: TagException)
1364
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1365
+ end)
1366
+
1305
1367
  api.add_operation(:retire_grant, Seahorse::Model::Operation.new.tap do |o|
1306
1368
  o.name = "RetireGrant"
1307
1369
  o.http_method = "POST"
@@ -1429,6 +1491,20 @@ module Aws::KMS
1429
1491
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1430
1492
  end)
1431
1493
 
1494
+ api.add_operation(:update_primary_region, Seahorse::Model::Operation.new.tap do |o|
1495
+ o.name = "UpdatePrimaryRegion"
1496
+ o.http_method = "POST"
1497
+ o.http_request_uri = "/"
1498
+ o.input = Shapes::ShapeRef.new(shape: UpdatePrimaryRegionRequest)
1499
+ o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
1500
+ o.errors << Shapes::ShapeRef.new(shape: DisabledException)
1501
+ o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
1502
+ o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1503
+ o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1504
+ o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1505
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1506
+ end)
1507
+
1432
1508
  api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
1433
1509
  o.name = "Verify"
1434
1510
  o.http_method = "POST"
@@ -2,7 +2,7 @@
2
2
  # WARNING ABOUT GENERATED CODE
3
3
  #
4
4
  # This file is generated. See the contributing for info on making contributions:
5
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
6
6
  #
7
7
  # WARNING ABOUT GENERATED CODE
8
8
 
@@ -21,13 +21,18 @@ module Aws::KMS
21
21
  # @return [String]
22
22
  #
23
23
  # @!attribute [rw] target_key_id
24
- # String that contains the key identifier referred to by the alias.
24
+ # String that contains the key identifier of the CMK associated with
25
+ # the alias.
25
26
  # @return [String]
26
27
  #
27
28
  # @!attribute [rw] creation_date
29
+ # Date and time that the alias was most recently created in the
30
+ # account and Region. Formatted as Unix time.
28
31
  # @return [Time]
29
32
  #
30
33
  # @!attribute [rw] last_updated_date
34
+ # Date and time that the alias was most recently associated with a CMK
35
+ # in the account and Region. Formatted as Unix time.
31
36
  # @return [Time]
32
37
  #
33
38
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AliasListEntry AWS API Documentation
@@ -64,10 +69,10 @@ module Aws::KMS
64
69
  # }
65
70
  #
66
71
  # @!attribute [rw] key_id
67
- # The unique identifier for the customer master key (CMK) for which to
68
- # cancel deletion.
72
+ # Identifies the customer master key (CMK) whose deletion is being
73
+ # canceled.
69
74
  #
70
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
75
+ # Specify the key ID or key ARN of the CMK.
71
76
  #
72
77
  # For example:
73
78
  #
@@ -305,7 +310,7 @@ module Aws::KMS
305
310
  # For help finding the key ID and ARN, see [Finding the Key ID and
306
311
  # ARN][2] in the *AWS Key Management Service Developer Guide*.
307
312
  #
308
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
313
+ # Specify the key ID or key ARN of the CMK.
309
314
  #
310
315
  # For example:
311
316
  #
@@ -428,11 +433,11 @@ module Aws::KMS
428
433
  # }
429
434
  #
430
435
  # @!attribute [rw] key_id
431
- # The unique identifier for the customer master key (CMK) that the
432
- # grant applies to.
436
+ # Identifies the customer master key (CMK) for the grant. The grant
437
+ # gives principals permission to use this CMK.
433
438
  #
434
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
435
- # specify a CMK in a different AWS account, you must use the key ARN.
439
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
440
+ # different AWS account, you must use the key ARN.
436
441
  #
437
442
  # For example:
438
443
  #
@@ -446,8 +451,7 @@ module Aws::KMS
446
451
  # @return [String]
447
452
  #
448
453
  # @!attribute [rw] grantee_principal
449
- # The principal that is given permission to perform the operations
450
- # that the grant permits.
454
+ # The identity that gets the permissions specified in the grant.
451
455
  #
452
456
  # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
453
457
  # an AWS principal. Valid AWS principals include AWS accounts (root),
@@ -481,30 +485,55 @@ module Aws::KMS
481
485
  #
482
486
  # @!attribute [rw] operations
483
487
  # A list of operations that the grant permits.
488
+ #
489
+ # The operation must be supported on the CMK. For example, you cannot
490
+ # create a grant for a symmetric CMK that allows the Sign operation,
491
+ # or a grant for an asymmetric CMK that allows the GenerateDataKey
492
+ # operation. If you try, AWS KMS returns a `ValidationError`
493
+ # exception. For details, see [Grant operations][1] in the *AWS Key
494
+ # Management Service Developer Guide*.
495
+ #
496
+ #
497
+ #
498
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
484
499
  # @return [Array<String>]
485
500
  #
486
501
  # @!attribute [rw] constraints
487
- # Allows a [cryptographic operation][1] only when the encryption
488
- # context matches or includes the encryption context specified in this
489
- # structure. For more information about encryption context, see
490
- # [Encryption Context][2] in the <i> <i>AWS Key Management Service
491
- # Developer Guide</i> </i>.
502
+ # Specifies a grant constraint.
503
+ #
504
+ # AWS KMS supports the `EncryptionContextEquals` and
505
+ # `EncryptionContextSubset` grant constraints. Each constraint value
506
+ # can include up to 8 encryption context pairs. The encryption context
507
+ # value in each constraint cannot exceed 384 characters.
492
508
  #
493
- # Grant constraints are not applied to operations that do not support
494
- # an encryption context, such as cryptographic operations with
495
- # asymmetric CMKs and management operations, such as DescribeKey or
496
- # RetireGrant.
509
+ # These grant constraints allow a [cryptographic operation][1] only
510
+ # when the encryption context in the request matches
511
+ # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
512
+ # the encryption context specified in this structure. For more
513
+ # information about encryption context, see [Encryption Context][2] in
514
+ # the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
515
+ # information about grant constraints, see [Using grant
516
+ # constraints][3] in the *AWS Key Management Service Developer Guide*.
517
+ #
518
+ # The encryption context grant constraints are supported only on
519
+ # operations that include an encryption context. You cannot use an
520
+ # encryption context grant constraint for cryptographic operations
521
+ # with asymmetric CMKs or for management operations, such as
522
+ # DescribeKey or RetireGrant.
497
523
  #
498
524
  #
499
525
  #
500
526
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
501
527
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
528
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
502
529
  # @return [Types::GrantConstraints]
503
530
  #
504
531
  # @!attribute [rw] grant_tokens
505
532
  # A list of grant tokens.
506
533
  #
507
- # For more information, see [Grant Tokens][1] in the *AWS Key
534
+ # Use a grant token when your permission to call this operation comes
535
+ # from a new grant that has not yet achieved *eventual consistency*.
536
+ # For more information, see [Grant token][1] in the *AWS Key
508
537
  # Management Service Developer Guide*.
509
538
  #
510
539
  #
@@ -546,7 +575,9 @@ module Aws::KMS
546
575
  # @!attribute [rw] grant_token
547
576
  # The grant token.
548
577
  #
549
- # For more information, see [Grant Tokens][1] in the *AWS Key
578
+ # Use a grant token when your permission to call this operation comes
579
+ # from a new grant that has not yet achieved *eventual consistency*.
580
+ # For more information, see [Grant token][1] in the *AWS Key
550
581
  # Management Service Developer Guide*.
551
582
  #
552
583
  #
@@ -587,6 +618,7 @@ module Aws::KMS
587
618
  # tag_value: "TagValueType", # required
588
619
  # },
589
620
  # ],
621
+ # multi_region: false,
590
622
  # }
591
623
  #
592
624
  # @!attribute [rw] policy
@@ -633,7 +665,8 @@ module Aws::KMS
633
665
  # A description of the CMK.
634
666
  #
635
667
  # Use a description that helps you decide whether the CMK is
636
- # appropriate for a task.
668
+ # appropriate for a task. The default value is an empty string (no
669
+ # description).
637
670
  # @return [String]
638
671
  #
639
672
  # @!attribute [rw] key_usage
@@ -722,20 +755,19 @@ module Aws::KMS
722
755
  # @!attribute [rw] origin
723
756
  # The source of the key material for the CMK. You cannot change the
724
757
  # origin after you create the CMK. The default is `AWS_KMS`, which
725
- # means AWS KMS creates the key material.
758
+ # means that AWS KMS creates the key material.
726
759
  #
727
- # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
728
- # without key material so that you can import key material from your
729
- # existing key management infrastructure. For more information about
730
- # importing key material into AWS KMS, see [Importing Key Material][1]
731
- # in the *AWS Key Management Service Developer Guide*. This value is
732
- # valid only for symmetric CMKs.
760
+ # To create a CMK with no key material (for imported key material),
761
+ # set the value to `EXTERNAL`. For more information about importing
762
+ # key material into AWS KMS, see [Importing Key Material][1] in the
763
+ # *AWS Key Management Service Developer Guide*. This value is valid
764
+ # only for symmetric CMKs.
733
765
  #
734
- # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
735
- # in an AWS KMS [custom key store][2] and creates its key material in
736
- # the associated AWS CloudHSM cluster. You must also use the
737
- # `CustomKeyStoreId` parameter to identify the custom key store. This
738
- # value is valid only for symmetric CMKs.
766
+ # To create a CMK in an AWS KMS [custom key store][2] and create its
767
+ # key material in the associated AWS CloudHSM cluster, set this value
768
+ # to `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId`
769
+ # parameter to identify the custom key store. This value is valid only
770
+ # for symmetric CMKs.
739
771
  #
740
772
  #
741
773
  #
@@ -751,8 +783,9 @@ module Aws::KMS
751
783
  # associated with the custom key store must have at least two active
752
784
  # HSMs, each in a different Availability Zone in the Region.
753
785
  #
754
- # This parameter is valid only for symmetric CMKs. You cannot create
755
- # an asymmetric CMK in a custom key store.
786
+ # This parameter is valid only for symmetric CMKs and regional CMKs.
787
+ # You cannot create an asymmetric CMK or a multi-Region CMK in a
788
+ # custom key store.
756
789
  #
757
790
  # To find the ID of a custom key store, use the
758
791
  # DescribeCustomKeyStores operation.
@@ -793,27 +826,66 @@ module Aws::KMS
793
826
  # @return [Boolean]
794
827
  #
795
828
  # @!attribute [rw] tags
796
- # One or more tags. Each tag consists of a tag key and a tag value.
797
- # Both the tag key and the tag value are required, but the tag value
798
- # can be an empty (null) string.
829
+ # Assigns one or more tags to the CMK. Use this parameter to tag the
830
+ # CMK when it is created. To tag an existing CMK, use the TagResource
831
+ # operation.
799
832
  #
800
- # When you add tags to an AWS resource, AWS generates a cost
801
- # allocation report with usage and costs aggregated by tags. For
802
- # information about adding, changing, deleting and listing tags for
803
- # CMKs, see [Tagging Keys][1].
833
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
834
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
835
+ # Management Service Developer Guide*.
804
836
  #
805
- # Use this parameter to tag the CMK when it is created. To add tags to
806
- # an existing CMK, use the TagResource operation.
837
+ # </note>
807
838
  #
808
839
  # To use this parameter, you must have [kms:TagResource][2] permission
809
840
  # in an IAM policy.
810
841
  #
842
+ # Each tag consists of a tag key and a tag value. Both the tag key and
843
+ # the tag value are required, but the tag value can be an empty (null)
844
+ # string. You cannot have more than one tag on a CMK with the same tag
845
+ # key. If you specify an existing tag key with a different tag value,
846
+ # AWS KMS replaces the current tag value with the specified one.
847
+ #
848
+ # When you assign tags to an AWS resource, AWS generates a cost
849
+ # allocation report with usage and costs aggregated by tags. Tags can
850
+ # also be used to control access to a CMK. For details, see [Tagging
851
+ # Keys][3].
811
852
  #
812
853
  #
813
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
854
+ #
855
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
814
856
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
857
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
815
858
  # @return [Array<Types::Tag>]
816
859
  #
860
+ # @!attribute [rw] multi_region
861
+ # Creates a multi-Region primary key that you can replicate into other
862
+ # AWS Regions. You cannot change this value after you create the CMK.
863
+ #
864
+ # For a multi-Region key, set this parameter to `True`. For a
865
+ # single-Region CMK, omit this parameter or set it to `False`. The
866
+ # default value is `False`.
867
+ #
868
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
869
+ # lets you create multiple interoperable CMKs in different AWS
870
+ # Regions. Because these CMKs have the same key ID, key material, and
871
+ # other metadata, you can use them to encrypt data in one AWS Region
872
+ # and decrypt it in a different AWS Region without making a
873
+ # cross-Region call or exposing the plaintext data. For more
874
+ # information about multi-Region keys, see [Using multi-Region
875
+ # keys][1] in the *AWS Key Management Service Developer Guide*.
876
+ #
877
+ # This value creates a *primary key*, not a replica. To create a
878
+ # *replica key*, use the ReplicateKey operation.
879
+ #
880
+ # You can create a symmetric or asymmetric multi-Region CMK, and you
881
+ # can create a multi-Region CMK with imported key material. However,
882
+ # you cannot create a multi-Region CMK in a custom key store.
883
+ #
884
+ #
885
+ #
886
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
887
+ # @return [Boolean]
888
+ #
817
889
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
818
890
  #
819
891
  class CreateKeyRequest < Struct.new(
@@ -824,7 +896,8 @@ module Aws::KMS
824
896
  :origin,
825
897
  :custom_key_store_id,
826
898
  :bypass_policy_lockout_safety_check,
827
- :tags)
899
+ :tags,
900
+ :multi_region)
828
901
  SENSITIVE = []
829
902
  include Aws::Structure
830
903
  end
@@ -1094,8 +1167,12 @@ module Aws::KMS
1094
1167
  # @!attribute [rw] grant_tokens
1095
1168
  # A list of grant tokens.
1096
1169
  #
1097
- # For more information, see [Grant Tokens][1] in the *AWS Key
1098
- # Management Service Developer Guide*.
1170
+ # Use a grant token when your permission to call this operation comes
1171
+ # from a newly created grant that has not yet achieved eventual
1172
+ # consistency. Use a grant token when your permission to call this
1173
+ # operation comes from a new grant that has not yet achieved *eventual
1174
+ # consistency*. For more information, see [Grant token][1] in the *AWS
1175
+ # Key Management Service Developer Guide*.
1099
1176
  #
1100
1177
  #
1101
1178
  #
@@ -1113,10 +1190,10 @@ module Aws::KMS
1113
1190
  # blob. However, it is always recommended as a best practice. This
1114
1191
  # practice ensures that you use the CMK that you intend.
1115
1192
  #
1116
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1117
- # name, or alias ARN. When using an alias name, prefix it with
1118
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1119
- # use the key ARN or alias ARN.
1193
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1194
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1195
+ # CMK in a different AWS account, you must use the key ARN or alias
1196
+ # ARN.
1120
1197
  #
1121
1198
  # For example:
1122
1199
  #
@@ -1240,7 +1317,7 @@ module Aws::KMS
1240
1317
  # Identifies the CMK from which you are deleting imported key
1241
1318
  # material. The `Origin` of the CMK must be `EXTERNAL`.
1242
1319
  #
1243
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1320
+ # Specify the key ID or key ARN of the CMK.
1244
1321
  #
1245
1322
  # For example:
1246
1323
  #
@@ -1290,7 +1367,7 @@ module Aws::KMS
1290
1367
  # the key store ID.
1291
1368
  #
1292
1369
  # By default, this operation gets information about all custom key
1293
- # stores in the account and region. To limit the output to a
1370
+ # stores in the account and Region. To limit the output to a
1294
1371
  # particular custom key store, you can use either the
1295
1372
  # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1296
1373
  # @return [String]
@@ -1300,7 +1377,7 @@ module Aws::KMS
1300
1377
  # the friendly name of the custom key store.
1301
1378
  #
1302
1379
  # By default, this operation gets information about all custom key
1303
- # stores in the account and region. To limit the output to a
1380
+ # stores in the account and Region. To limit the output to a
1304
1381
  # particular custom key store, you can use either the
1305
1382
  # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1306
1383
  # @return [String]
@@ -1369,10 +1446,10 @@ module Aws::KMS
1369
1446
  # KMS associates the alias with an [AWS managed CMK][1] and returns
1370
1447
  # its `KeyId` and `Arn` in the response.
1371
1448
  #
1372
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1373
- # name, or alias ARN. When using an alias name, prefix it with
1374
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1375
- # use the key ARN or alias ARN.
1449
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1450
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1451
+ # CMK in a different AWS account, you must use the key ARN or alias
1452
+ # ARN.
1376
1453
  #
1377
1454
  # For example:
1378
1455
  #
@@ -1396,7 +1473,9 @@ module Aws::KMS
1396
1473
  # @!attribute [rw] grant_tokens
1397
1474
  # A list of grant tokens.
1398
1475
  #
1399
- # For more information, see [Grant Tokens][1] in the *AWS Key
1476
+ # Use a grant token when your permission to call this operation comes
1477
+ # from a new grant that has not yet achieved *eventual consistency*.
1478
+ # For more information, see [Grant token][1] in the *AWS Key
1400
1479
  # Management Service Developer Guide*.
1401
1480
  #
1402
1481
  #
@@ -1433,9 +1512,9 @@ module Aws::KMS
1433
1512
  # }
1434
1513
  #
1435
1514
  # @!attribute [rw] key_id
1436
- # A unique identifier for the customer master key (CMK).
1515
+ # Identifies the customer master key (CMK) to disable.
1437
1516
  #
1438
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1517
+ # Specify the key ID or key ARN of the CMK.
1439
1518
  #
1440
1519
  # For example:
1441
1520
  #
@@ -1468,7 +1547,7 @@ module Aws::KMS
1468
1547
  # or disable automatic rotation of [asymmetric CMKs][1], CMKs with
1469
1548
  # [imported key material][2], or CMKs in a [custom key store][3].
1470
1549
  #
1471
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1550
+ # Specify the key ID or key ARN of the CMK.
1472
1551
  #
1473
1552
  # For example:
1474
1553
  #
@@ -1541,9 +1620,9 @@ module Aws::KMS
1541
1620
  # }
1542
1621
  #
1543
1622
  # @!attribute [rw] key_id
1544
- # A unique identifier for the customer master key (CMK).
1623
+ # Identifies the customer master key (CMK) to enable.
1545
1624
  #
1546
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1625
+ # Specify the key ID or key ARN of the CMK.
1547
1626
  #
1548
1627
  # For example:
1549
1628
  #
@@ -1573,10 +1652,12 @@ module Aws::KMS
1573
1652
  #
1574
1653
  # @!attribute [rw] key_id
1575
1654
  # Identifies a symmetric customer master key (CMK). You cannot enable
1576
- # automatic rotation of asymmetric CMKs, CMKs with imported key
1577
- # material, or CMKs in a [custom key store][1].
1655
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
1656
+ # material][2], or CMKs in a [custom key store][3]. To enable or
1657
+ # disable automatic rotation of a set of related [multi-Region
1658
+ # keys][4], set the property on the primary key.
1578
1659
  #
1579
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1660
+ # Specify the key ID or key ARN of the CMK.
1580
1661
  #
1581
1662
  # For example:
1582
1663
  #
@@ -1590,7 +1671,10 @@ module Aws::KMS
1590
1671
  #
1591
1672
  #
1592
1673
  #
1593
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1674
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
1675
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1676
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1677
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
1594
1678
  # @return [String]
1595
1679
  #
1596
1680
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1615,12 +1699,13 @@ module Aws::KMS
1615
1699
  # }
1616
1700
  #
1617
1701
  # @!attribute [rw] key_id
1618
- # A unique identifier for the customer master key (CMK).
1702
+ # Identifies the customer master key (CMK) to use in the encryption
1703
+ # operation.
1619
1704
  #
1620
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1621
- # name, or alias ARN. When using an alias name, prefix it with
1622
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1623
- # use the key ARN or alias ARN.
1705
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1706
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1707
+ # CMK in a different AWS account, you must use the key ARN or alias
1708
+ # ARN.
1624
1709
  #
1625
1710
  # For example:
1626
1711
  #
@@ -1667,7 +1752,9 @@ module Aws::KMS
1667
1752
  # @!attribute [rw] grant_tokens
1668
1753
  # A list of grant tokens.
1669
1754
  #
1670
- # For more information, see [Grant Tokens][1] in the *AWS Key
1755
+ # Use a grant token when your permission to call this operation comes
1756
+ # from a new grant that has not yet achieved *eventual consistency*.
1757
+ # For more information, see [Grant token][1] in the *AWS Key
1671
1758
  # Management Service Developer Guide*.
1672
1759
  #
1673
1760
  #
@@ -1779,10 +1866,10 @@ module Aws::KMS
1779
1866
  # custom key store. To get the type and origin of your CMK, use the
1780
1867
  # DescribeKey operation.
1781
1868
  #
1782
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1783
- # name, or alias ARN. When using an alias name, prefix it with
1784
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1785
- # use the key ARN or alias ARN.
1869
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1870
+ # When using an alias name, prefix it with `"alias/"`. To specify a
1871
+ # CMK in a different AWS account, you must use the key ARN or alias
1872
+ # ARN.
1786
1873
  #
1787
1874
  # For example:
1788
1875
  #
@@ -1811,7 +1898,9 @@ module Aws::KMS
1811
1898
  # @!attribute [rw] grant_tokens
1812
1899
  # A list of grant tokens.
1813
1900
  #
1814
- # For more information, see [Grant Tokens][1] in the *AWS Key
1901
+ # Use a grant token when your permission to call this operation comes
1902
+ # from a new grant that has not yet achieved *eventual consistency*.
1903
+ # For more information, see [Grant token][1] in the *AWS Key
1815
1904
  # Management Service Developer Guide*.
1816
1905
  #
1817
1906
  #
@@ -1908,10 +1997,10 @@ module Aws::KMS
1908
1997
  # CMK or a CMK in a custom key store. To get the type and origin of
1909
1998
  # your CMK, use the DescribeKey operation.
1910
1999
  #
1911
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1912
- # name, or alias ARN. When using an alias name, prefix it with
1913
- # `"alias/"`. To specify a CMK in a different AWS account, you must
1914
- # use the key ARN or alias ARN.
2000
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2001
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2002
+ # CMK in a different AWS account, you must use the key ARN or alias
2003
+ # ARN.
1915
2004
  #
1916
2005
  # For example:
1917
2006
  #
@@ -1940,7 +2029,9 @@ module Aws::KMS
1940
2029
  # @!attribute [rw] grant_tokens
1941
2030
  # A list of grant tokens.
1942
2031
  #
1943
- # For more information, see [Grant Tokens][1] in the *AWS Key
2032
+ # Use a grant token when your permission to call this operation comes
2033
+ # from a new grant that has not yet achieved *eventual consistency*.
2034
+ # For more information, see [Grant token][1] in the *AWS Key
1944
2035
  # Management Service Developer Guide*.
1945
2036
  #
1946
2037
  #
@@ -2009,10 +2100,10 @@ module Aws::KMS
2009
2100
  # @!attribute [rw] key_id
2010
2101
  # Identifies the symmetric CMK that encrypts the data key.
2011
2102
  #
2012
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2013
- # name, or alias ARN. When using an alias name, prefix it with
2014
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2015
- # use the key ARN or alias ARN.
2103
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2104
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2105
+ # CMK in a different AWS account, you must use the key ARN or alias
2106
+ # ARN.
2016
2107
  #
2017
2108
  # For example:
2018
2109
  #
@@ -2070,7 +2161,9 @@ module Aws::KMS
2070
2161
  # @!attribute [rw] grant_tokens
2071
2162
  # A list of grant tokens.
2072
2163
  #
2073
- # For more information, see [Grant Tokens][1] in the *AWS Key
2164
+ # Use a grant token when your permission to call this operation comes
2165
+ # from a new grant that has not yet achieved *eventual consistency*.
2166
+ # For more information, see [Grant token][1] in the *AWS Key
2074
2167
  # Management Service Developer Guide*.
2075
2168
  #
2076
2169
  #
@@ -2139,10 +2232,10 @@ module Aws::KMS
2139
2232
  # The identifier of the symmetric customer master key (CMK) that
2140
2233
  # encrypts the data key.
2141
2234
  #
2142
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2143
- # name, or alias ARN. When using an alias name, prefix it with
2144
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2145
- # use the key ARN or alias ARN.
2235
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2236
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2237
+ # CMK in a different AWS account, you must use the key ARN or alias
2238
+ # ARN.
2146
2239
  #
2147
2240
  # For example:
2148
2241
  #
@@ -2193,7 +2286,9 @@ module Aws::KMS
2193
2286
  # @!attribute [rw] grant_tokens
2194
2287
  # A list of grant tokens.
2195
2288
  #
2196
- # For more information, see [Grant Tokens][1] in the *AWS Key
2289
+ # Use a grant token when your permission to call this operation comes
2290
+ # from a new grant that has not yet achieved *eventual consistency*.
2291
+ # For more information, see [Grant token][1] in the *AWS Key
2197
2292
  # Management Service Developer Guide*.
2198
2293
  #
2199
2294
  #
@@ -2289,9 +2384,9 @@ module Aws::KMS
2289
2384
  # }
2290
2385
  #
2291
2386
  # @!attribute [rw] key_id
2292
- # A unique identifier for the customer master key (CMK).
2387
+ # Gets the key policy for the specified customer master key (CMK).
2293
2388
  #
2294
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2389
+ # Specify the key ID or key ARN of the CMK.
2295
2390
  #
2296
2391
  # For example:
2297
2392
  #
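Review bot: The new first line of this `key_id` description, `Gets the key policy for the specified customer master key (CMK).`, describes the operation rather than the attribute. Elsewhere in this diff the same attribute uses the form `Identifies the customer master key (CMK) to disable.` I would reword it as `# Identifies the customer master key (CMK) whose key policy is returned.` The same applies to the `key_id` lines added in the later hunks that begin `Gets the rotation status`, `Gets the names of key policies`, `Gets tags on` and `Sets the key policy on`. The comment block being edited starts and ends outside this hunk.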
@@ -2338,10 +2433,11 @@ module Aws::KMS
2338
2433
  # }
2339
2434
  #
2340
2435
  # @!attribute [rw] key_id
2341
- # A unique identifier for the customer master key (CMK).
2436
+ # Gets the rotation status for the specified customer master key
2437
+ # (CMK).
2342
2438
  #
2343
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
2344
- # specify a CMK in a different AWS account, you must use the key ARN.
2439
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
2440
+ # different AWS account, you must use the key ARN.
2345
2441
  #
2346
2442
  # For example:
2347
2443
  #
@@ -2387,7 +2483,7 @@ module Aws::KMS
2387
2483
  # The identifier of the symmetric CMK into which you will import key
2388
2484
  # material. The `Origin` of the CMK must be `EXTERNAL`.
2389
2485
  #
2390
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2486
+ # Specify the key ID or key ARN of the CMK.
2391
2487
  #
2392
2488
  # For example:
2393
2489
  #
@@ -2474,10 +2570,10 @@ module Aws::KMS
2474
2570
  # @!attribute [rw] key_id
2475
2571
  # Identifies the asymmetric CMK that includes the public key.
2476
2572
  #
2477
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2478
- # name, or alias ARN. When using an alias name, prefix it with
2479
- # `"alias/"`. To specify a CMK in a different AWS account, you must
2480
- # use the key ARN or alias ARN.
2573
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2574
+ # When using an alias name, prefix it with `"alias/"`. To specify a
2575
+ # CMK in a different AWS account, you must use the key ARN or alias
2576
+ # ARN.
2481
2577
  #
2482
2578
  # For example:
2483
2579
  #
@@ -2497,7 +2593,9 @@ module Aws::KMS
2497
2593
  # @!attribute [rw] grant_tokens
2498
2594
  # A list of grant tokens.
2499
2595
  #
2500
- # For more information, see [Grant Tokens][1] in the *AWS Key
2596
+ # Use a grant token when your permission to call this operation comes
2597
+ # from a new grant that has not yet achieved *eventual consistency*.
2598
+ # For more information, see [Grant token][1] in the *AWS Key
2501
2599
  # Management Service Developer Guide*.
2502
2600
  #
2503
2601
  #
@@ -2745,7 +2843,7 @@ module Aws::KMS
2745
2843
  # same CMK specified in the `KeyID` parameter of the corresponding
2746
2844
  # GetParametersForImport request.
2747
2845
  #
2748
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2846
+ # Specify the key ID or key ARN of the CMK.
2749
2847
  #
2750
2848
  # For example:
2751
2849
  #
@@ -3115,8 +3213,14 @@ module Aws::KMS
3115
3213
  # @return [String]
3116
3214
  #
3117
3215
  # @!attribute [rw] deletion_date
3118
- # The date and time after which AWS KMS deletes the CMK. This value is
3119
- # present only when `KeyState` is `PendingDeletion`.
3216
+ # The date and time after which AWS KMS deletes this CMK. This value
3217
+ # is present only when the CMK is scheduled for deletion, that is,
3218
+ # when its `KeyState` is `PendingDeletion`.
3219
+ #
3220
+ # When the primary key in a multi-Region key is scheduled for deletion
3221
+ # but still has replica keys, its key state is
3222
+ # `PendingReplicaDeletion` and the length of its waiting period is
3223
+ # displayed in the `PendingDeletionWindowInDays` field.
3120
3224
  # @return [Time]
3121
3225
  #
3122
3226
  # @!attribute [rw] valid_to
@@ -3183,7 +3287,7 @@ module Aws::KMS
3183
3287
  # The encryption algorithms that the CMK supports. You cannot use the
3184
3288
  # CMK with other encryption algorithms within AWS KMS.
3185
3289
  #
3186
- # This field appears only when the `KeyUsage` of the CMK is
3290
+ # This value is present only when the `KeyUsage` of the CMK is
3187
3291
  # `ENCRYPT_DECRYPT`.
3188
3292
  # @return [Array<String>]
3189
3293
  #
@@ -3195,6 +3299,57 @@ module Aws::KMS
3195
3299
  # `SIGN_VERIFY`.
3196
3300
  # @return [Array<String>]
3197
3301
  #
3302
+ # @!attribute [rw] multi_region
3303
+ # Indicates whether the CMK is a multi-Region (`True`) or regional
3304
+ # (`False`) key. This value is `True` for multi-Region primary and
3305
+ # replica CMKs and `False` for regional CMKs.
3306
+ #
3307
+ # For more information about multi-Region keys, see [Using
3308
+ # multi-Region keys][1] in the *AWS Key Management Service Developer
3309
+ # Guide*.
3310
+ #
3311
+ #
3312
+ #
3313
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
3314
+ # @return [Boolean]
3315
+ #
3316
+ # @!attribute [rw] multi_region_configuration
3317
+ # Lists the primary and replica CMKs in same multi-Region CMK. This
3318
+ # field is present only when the value of the `MultiRegion` field is
3319
+ # `True`.
3320
+ #
3321
+ # For more information about any listed CMK, use the DescribeKey
3322
+ # operation.
3323
+ #
3324
+ # * `MultiRegionKeyType` indicates whether the CMK is a `PRIMARY` or
3325
+ # `REPLICA` key.
3326
+ #
3327
+ # * `PrimaryKey` displays the key ARN and Region of the primary key.
3328
+ # This field displays the current CMK if it is the primary key.
3329
+ #
3330
+ # * `ReplicaKeys` displays the key ARNs and Regions of all replica
3331
+ # keys. This field includes the current CMK if it is a replica key.
3332
+ # @return [Types::MultiRegionConfiguration]
3333
+ #
3334
+ # @!attribute [rw] pending_deletion_window_in_days
3335
+ # The waiting period before the primary key in a multi-Region key is
3336
+ # deleted. This waiting period begins when the last of its replica
3337
+ # keys is deleted. This value is present only when the `KeyState` of
3338
+ # the CMK is `PendingReplicaDeletion`. That indicates that the CMK is
3339
+ # the primary key in a multi-Region key, it is scheduled for deletion,
3340
+ # and it still has existing replica keys.
3341
+ #
3342
+ # When a regional CMK or a replica key in a multi-Region key is
3343
+ # scheduled for deletion, its deletion date is displayed in the
3344
+ # `DeletionDate` field. However, when the primary key in a
3345
+ # multi-Region key is scheduled for deletion, its waiting period
3346
+ # doesn't begin until all of its replica keys are deleted. This value
3347
+ # displays that waiting period. When the last replica key in the
3348
+ # multi-Region key is deleted, the `KeyState` of the scheduled primary
3349
+ # key changes from `PendingReplicaDeletion` to `PendingDeletion` and
3350
+ # the deletion date appears in the `DeletionDate` field.
3351
+ # @return [Integer]
3352
+ #
3198
3353
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
3199
3354
  #
3200
3355
  class KeyMetadata < Struct.new(
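Review bot: The first sentence of the `multi_region_configuration` description is missing an article, which makes it harder to see that the list is scoped to one set of related keys. It should read `# Lists the primary and replica CMKs in the same multi-Region CMK. This`. The `replica_keys` description in the later hunk that adds `MultiRegionConfiguration` also starts with a lowercase `displays`. `class KeyMetadata` continues outside this hunk.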
@@ -3215,7 +3370,10 @@ module Aws::KMS
3215
3370
  :key_manager,
3216
3371
  :customer_master_key_spec,
3217
3372
  :encryption_algorithms,
3218
- :signing_algorithms)
3373
+ :signing_algorithms,
3374
+ :multi_region,
3375
+ :multi_region_configuration,
3376
+ :pending_deletion_window_in_days)
3219
3377
  SENSITIVE = []
3220
3378
  include Aws::Structure
3221
3379
  end
@@ -3269,7 +3427,7 @@ module Aws::KMS
3269
3427
  # This parameter is optional. If you omit it, `ListAliases` returns
3270
3428
  # all aliases in the account and Region.
3271
3429
  #
3272
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3430
+ # Specify the key ID or key ARN of the CMK.
3273
3431
  #
3274
3432
  # For example:
3275
3433
  #
@@ -3365,8 +3523,8 @@ module Aws::KMS
3365
3523
  # Returns only grants for the specified customer master key (CMK).
3366
3524
  # This parameter is required.
3367
3525
  #
3368
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
3369
- # specify a CMK in a different AWS account, you must use the key ARN.
3526
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
3527
+ # different AWS account, you must use the key ARN.
3370
3528
  #
3371
3529
  # For example:
3372
3530
  #
@@ -3437,9 +3595,10 @@ module Aws::KMS
3437
3595
  # }
3438
3596
  #
3439
3597
  # @!attribute [rw] key_id
3440
- # A unique identifier for the customer master key (CMK).
3598
+ # Gets the names of key policies for the specified customer master key
3599
+ # (CMK).
3441
3600
  #
3442
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3601
+ # Specify the key ID or key ARN of the CMK.
3443
3602
  #
3444
3603
  # For example:
3445
3604
  #
@@ -3575,9 +3734,9 @@ module Aws::KMS
3575
3734
  # }
3576
3735
  #
3577
3736
  # @!attribute [rw] key_id
3578
- # A unique identifier for the customer master key (CMK).
3737
+ # Gets tags on the specified customer master key (CMK).
3579
3738
  #
3580
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3739
+ # Specify the key ID or key ARN of the CMK.
3581
3740
  #
3582
3741
  # For example:
3583
3742
  #
@@ -3620,6 +3779,16 @@ module Aws::KMS
3620
3779
 
3621
3780
  # @!attribute [rw] tags
3622
3781
  # A list of tags. Each tag consists of a tag key and a tag value.
3782
+ #
3783
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
3784
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
3785
+ # Management Service Developer Guide*.
3786
+ #
3787
+ # </note>
3788
+ #
3789
+ #
3790
+ #
3791
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
3623
3792
  # @return [Array<Types::Tag>]
3624
3793
  #
3625
3794
  # @!attribute [rw] next_marker
@@ -3712,6 +3881,58 @@ module Aws::KMS
3712
3881
  include Aws::Structure
3713
3882
  end
3714
3883
 
3884
+ # Describes the configuration of this multi-Region CMK. This field
3885
+ # appears only when the CMK is a primary or replica of a multi-Region
3886
+ # CMK.
3887
+ #
3888
+ # For more information about any listed CMK, use the DescribeKey
3889
+ # operation.
3890
+ #
3891
+ # @!attribute [rw] multi_region_key_type
3892
+ # Indicates whether the CMK is a `PRIMARY` or `REPLICA` key.
3893
+ # @return [String]
3894
+ #
3895
+ # @!attribute [rw] primary_key
3896
+ # Displays the key ARN and Region of the primary key. This field
3897
+ # includes the current CMK if it is the primary key.
3898
+ # @return [Types::MultiRegionKey]
3899
+ #
3900
+ # @!attribute [rw] replica_keys
3901
+ # displays the key ARNs and Regions of all replica keys. This field
3902
+ # includes the current CMK if it is a replica key.
3903
+ # @return [Array<Types::MultiRegionKey>]
3904
+ #
3905
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
3906
+ #
3907
+ class MultiRegionConfiguration < Struct.new(
3908
+ :multi_region_key_type,
3909
+ :primary_key,
3910
+ :replica_keys)
3911
+ SENSITIVE = []
3912
+ include Aws::Structure
3913
+ end
3914
+
3915
+ # Describes the primary or replica key in a multi-Region key.
3916
+ #
3917
+ # @!attribute [rw] arn
3918
+ # Displays the key ARN of a primary or replica key of a multi-Region
3919
+ # key.
3920
+ # @return [String]
3921
+ #
3922
+ # @!attribute [rw] region
3923
+ # Displays the AWS Region of a primary or replica key in a
3924
+ # multi-Region key.
3925
+ # @return [String]
3926
+ #
3927
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
3928
+ #
3929
+ class MultiRegionKey < Struct.new(
3930
+ :arn,
3931
+ :region)
3932
+ SENSITIVE = []
3933
+ include Aws::Structure
3934
+ end
3935
+
3715
3936
  # The request was rejected because the specified entity or resource
3716
3937
  # could not be found.
3717
3938
  #
@@ -3737,9 +3958,9 @@ module Aws::KMS
3737
3958
  # }
3738
3959
  #
3739
3960
  # @!attribute [rw] key_id
3740
- # A unique identifier for the customer master key (CMK).
3961
+ # Sets the key policy on the specified customer master key (CMK).
3741
3962
  #
3742
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3963
+ # Specify the key ID or key ARN of the CMK.
3743
3964
  #
3744
3965
  # For example:
3745
3966
  #
@@ -3876,10 +4097,10 @@ module Aws::KMS
3876
4097
  # blob. However, it is always recommended as a best practice. This
3877
4098
  # practice ensures that you use the CMK that you intend.
3878
4099
  #
3879
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3880
- # name, or alias ARN. When using an alias name, prefix it with
3881
- # `"alias/"`. To specify a CMK in a different AWS account, you must
3882
- # use the key ARN or alias ARN.
4100
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
4101
+ # When using an alias name, prefix it with `"alias/"`. To specify a
4102
+ # CMK in a different AWS account, you must use the key ARN or alias
4103
+ # ARN.
3883
4104
  #
3884
4105
  # For example:
3885
4106
  #
@@ -3902,10 +4123,10 @@ module Aws::KMS
3902
4123
  # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
3903
4124
  # DescribeKey operation.
3904
4125
  #
3905
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3906
- # name, or alias ARN. When using an alias name, prefix it with
3907
- # `"alias/"`. To specify a CMK in a different AWS account, you must
3908
- # use the key ARN or alias ARN.
4126
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
4127
+ # When using an alias name, prefix it with `"alias/"`. To specify a
4128
+ # CMK in a different AWS account, you must use the key ARN or alias
4129
+ # ARN.
3909
4130
  #
3910
4131
  # For example:
3911
4132
  #
@@ -3971,7 +4192,9 @@ module Aws::KMS
3971
4192
  # @!attribute [rw] grant_tokens
3972
4193
  # A list of grant tokens.
3973
4194
  #
3974
- # For more information, see [Grant Tokens][1] in the *AWS Key
4195
+ # Use a grant token when your permission to call this operation comes
4196
+ # from a new grant that has not yet achieved *eventual consistency*.
4197
+ # For more information, see [Grant token][1] in the *AWS Key
3975
4198
  # Management Service Developer Guide*.
3976
4199
  #
3977
4200
  #
@@ -4033,6 +4256,221 @@ module Aws::KMS
4033
4256
  include Aws::Structure
4034
4257
  end
4035
4258
 
4259
+ # @note When making an API call, you may pass ReplicateKeyRequest
4260
+ # data as a hash:
4261
+ #
4262
+ # {
4263
+ # key_id: "KeyIdType", # required
4264
+ # replica_region: "RegionType", # required
4265
+ # policy: "PolicyType",
4266
+ # bypass_policy_lockout_safety_check: false,
4267
+ # description: "DescriptionType",
4268
+ # tags: [
4269
+ # {
4270
+ # tag_key: "TagKeyType", # required
4271
+ # tag_value: "TagValueType", # required
4272
+ # },
4273
+ # ],
4274
+ # }
4275
+ #
4276
+ # @!attribute [rw] key_id
4277
+ # Identifies the multi-Region primary key that is being replicated. To
4278
+ # determine whether a CMK is a multi-Region primary key, use the
4279
+ # DescribeKey operation to check the value of the `MultiRegionKeyType`
4280
+ # property.
4281
+ #
4282
+ # Specify the key ID or key ARN of a multi-Region primary key.
4283
+ #
4284
+ # For example:
4285
+ #
4286
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
4287
+ #
4288
+ # * Key ARN:
4289
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
4290
+ #
4291
+ # To get the key ID and key ARN for a CMK, use ListKeys or
4292
+ # DescribeKey.
4293
+ # @return [String]
4294
+ #
4295
+ # @!attribute [rw] replica_region
4296
+ # The Region ID of the AWS Region for this replica key.
4297
+ #
4298
+ # Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
4299
+ # list of AWS Regions in which AWS KMS is supported, see [AWS KMS
4300
+ # service endpoints][1] in the *Amazon Web Services General
4301
+ # Reference*.
4302
+ #
4303
+ # The replica must be in a different AWS Region than its primary key
4304
+ # and other replicas of that primary key, but in the same AWS
4305
+ # partition. AWS KMS must be available in the replica Region. If the
4306
+ # Region is not enabled by default, the AWS account must be enabled in
4307
+ # the Region.
4308
+ #
4309
+ # For information about AWS partitions, see [Amazon Resource Names
4310
+ # (ARNs) in the *Amazon Web Services General Reference*.][2] For
4311
+ # information about enabling and disabling Regions, see [Enabling a
4312
+ # Region][3] and [Disabling a Region][4] in the *Amazon Web Services
4313
+ # General Reference*.
4314
+ #
4315
+ #
4316
+ #
4317
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
4318
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
4319
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
4320
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
4321
+ # @return [String]
4322
+ #
4323
+ # @!attribute [rw] policy
4324
+ # The key policy to attach to the CMK. This parameter is optional. If
4325
+ # you do not provide a key policy, AWS KMS attaches the [default key
4326
+ # policy][1] to the CMK.
4327
+ #
4328
+ # The key policy is not a shared property of multi-Region keys. You
4329
+ # can specify the same key policy or a different key policy for each
4330
+ # key in a set of related multi-Region keys. AWS KMS does not
4331
+ # synchronize this property.
4332
+ #
4333
+ # If you provide a key policy, it must meet the following criteria:
4334
+ #
4335
+ # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
4336
+ # key policy must give the caller `kms:PutKeyPolicy` permission on
4337
+ # the replica CMK. This reduces the risk that the CMK becomes
4338
+ # unmanageable. For more information, refer to the scenario in the
4339
+ # [Default Key Policy][2] section of the <i> <i>AWS Key Management
4340
+ # Service Developer Guide</i> </i>.
4341
+ #
4342
+ # * Each statement in the key policy must contain one or more
4343
+ # principals. The principals in the key policy must exist and be
4344
+ # visible to AWS KMS. When you create a new AWS principal (for
4345
+ # example, an IAM user or role), you might need to enforce a delay
4346
+ # before including the new principal in a key policy because the new
4347
+ # principal might not be immediately visible to AWS KMS. For more
4348
+ # information, see [Changes that I make are not always immediately
4349
+ # visible][3] in the *AWS Identity and Access Management User
4350
+ # Guide*.
4351
+ #
4352
+ # * The key policy size quota is 32 kilobytes (32768 bytes).
4353
+ #
4354
+ #
4355
+ #
4356
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
4357
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
4358
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
4359
+ # @return [String]
4360
+ #
4361
+ # @!attribute [rw] bypass_policy_lockout_safety_check
4362
+ # A flag to indicate whether to bypass the key policy lockout safety
4363
+ # check.
4364
+ #
4365
+ # Setting this value to true increases the risk that the CMK becomes
4366
+ # unmanageable. Do not set this value to true indiscriminately.
4367
+ #
4368
+ # For more information, refer to the scenario in the [Default Key
4369
+ # Policy][1] section in the *AWS Key Management Service Developer
4370
+ # Guide*.
4371
+ #
4372
+ # Use this parameter only when you intend to prevent the principal
4373
+ # that is making the request from making a subsequent `PutKeyPolicy`
4374
+ # request on the CMK.
4375
+ #
4376
+ # The default value is false.
4377
+ #
4378
+ #
4379
+ #
4380
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
4381
+ # @return [Boolean]
4382
+ #
4383
+ # @!attribute [rw] description
4384
+ # A description of the CMK. Use a description that helps you decide
4385
+ # whether the CMK is appropriate for a task. The default value is an
4386
+ # empty string (no description).
4387
+ #
4388
+ # The description is not a shared property of multi-Region keys. You
4389
+ # can specify the same description or a different description for each
4390
+ # key in a set of related multi-Region keys. AWS KMS does not
4391
+ # synchronize this property.
4392
+ # @return [String]
4393
+ #
4394
+ # @!attribute [rw] tags
4395
+ # Assigns one or more tags to the replica key. Use this parameter to
4396
+ # tag the CMK when it is created. To tag an existing CMK, use the
4397
+ # TagResource operation.
4398
+ #
4399
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
4400
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
4401
+ # Management Service Developer Guide*.
4402
+ #
4403
+ # </note>
4404
+ #
4405
+ # To use this parameter, you must have [kms:TagResource][2] permission
4406
+ # in an IAM policy.
4407
+ #
4408
+ # Tags are not a shared property of multi-Region keys. You can specify
4409
+ # the same tags or different tags for each key in a set of related
4410
+ # multi-Region keys. AWS KMS does not synchronize this property.
4411
+ #
4412
+ # Each tag consists of a tag key and a tag value. Both the tag key and
4413
+ # the tag value are required, but the tag value can be an empty (null)
4414
+ # string. You cannot have more than one tag on a CMK with the same tag
4415
+ # key. If you specify an existing tag key with a different tag value,
4416
+ # AWS KMS replaces the current tag value with the specified one.
4417
+ #
4418
+ # When you assign tags to an AWS resource, AWS generates a cost
4419
+ # allocation report with usage and costs aggregated by tags. Tags can
4420
+ # also be used to control access to a CMK. For details, see [Tagging
4421
+ # Keys][3].
4422
+ #
4423
+ #
4424
+ #
4425
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
4426
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4427
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
4428
+ # @return [Array<Types::Tag>]
4429
+ #
4430
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation
4431
+ #
4432
+ class ReplicateKeyRequest < Struct.new(
4433
+ :key_id,
4434
+ :replica_region,
4435
+ :policy,
4436
+ :bypass_policy_lockout_safety_check,
4437
+ :description,
4438
+ :tags)
4439
+ SENSITIVE = []
4440
+ include Aws::Structure
4441
+ end
4442
+
4443
+ # @!attribute [rw] replica_key_metadata
4444
+ # Displays details about the new replica CMK, including its Amazon
4445
+ # Resource Name ([key ARN][1]) and [key state][2]. It also includes
4446
+ # the ARN and AWS Region of its primary key and other replica keys.
4447
+ #
4448
+ #
4449
+ #
4450
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4451
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4452
+ # @return [Types::KeyMetadata]
4453
+ #
4454
+ # @!attribute [rw] replica_policy
4455
+ # The key policy of the new replica key. The value is a key policy
4456
+ # document in JSON format.
4457
+ # @return [String]
4458
+ #
4459
+ # @!attribute [rw] replica_tags
4460
+ # The tags on the new replica key. The value is a list of tag key and
4461
+ # tag value pairs.
4462
+ # @return [Array<Types::Tag>]
4463
+ #
4464
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyResponse AWS API Documentation
4465
+ #
4466
+ class ReplicateKeyResponse < Struct.new(
4467
+ :replica_key_metadata,
4468
+ :replica_policy,
4469
+ :replica_tags)
4470
+ SENSITIVE = []
4471
+ include Aws::Structure
4472
+ end
4473
+
4036
4474
  # @note When making an API call, you may pass RetireGrantRequest
4037
4475
  # data as a hash:
4038
4476
  #
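Review bot: The `policy` description on `ReplicateKeyRequest` never says outright that a replica created without `policy` gets the default key policy rather than the primary key's policy. The reader has to combine two separate paragraphs to see it, and it matters when the primary's policy is more restrictive than the default. I would state it directly after the first paragraph, for example `# The replica does not inherit the key policy of its primary key; pass the policy explicitly if it must match.` The first criterion in the same description also carries doubled markup, `<i> <i>AWS Key Management Service Developer Guide</i> </i>`, where the other descriptions in this diff write `*AWS Key Management Service Developer Guide*`. If this file is generated from the service model, both changes probably belong upstream.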
@@ -4043,19 +4481,31 @@ module Aws::KMS
4043
4481
  # }
4044
4482
  #
4045
4483
  # @!attribute [rw] grant_token
4046
- # Token that identifies the grant to be retired.
4484
+ # Identifies the grant to be retired. You can use a grant token to
4485
+ # identify a new grant even before it has achieved eventual
4486
+ # consistency.
4487
+ #
4488
+ # Only the CreateGrant operation returns a grant token. For details,
4489
+ # see [Grant token][1] and [Eventual consistency][2] in the *AWS Key
4490
+ # Management Service Developer Guide*.
4491
+ #
4492
+ #
4493
+ #
4494
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
4495
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
4047
4496
  # @return [String]
4048
4497
  #
4049
4498
  # @!attribute [rw] key_id
4050
- # The Amazon Resource Name (ARN) of the CMK associated with the grant.
4499
+ # The key ARN CMK associated with the grant. To find the key ARN, use
4500
+ # the ListKeys operation.
4051
4501
  #
4052
4502
  # For example:
4053
4503
  # `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4054
4504
  # @return [String]
4055
4505
  #
4056
4506
  # @!attribute [rw] grant_id
4057
- # Unique identifier of the grant to retire. The grant ID is returned
4058
- # in the response to a `CreateGrant` operation.
4507
+ # Identifies the grant to retire. To get the grant ID, use
4508
+ # CreateGrant, ListGrants, or ListRetirableGrants.
4059
4509
  #
4060
4510
  # * Grant ID Example -
4061
4511
  # 0123456789012345678901234567890123456789012345678901234567890123
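Review bot: The new first sentence for `key_id` reads "The key ARN CMK associated with the grant", which lost its connective when the longer "Amazon Resource Name (ARN) of the CMK" wording was shortened. I would write it as `# The key ARN of the CMK associated with the grant. To find the key ARN, use` so the attribute still says whose ARN is expected. The `grant_token` and `grant_id` texts in the same hunk read fine. The documented struct begins and ends outside the hunk.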
@@ -4082,11 +4532,12 @@ module Aws::KMS
4082
4532
  # }
4083
4533
  #
4084
4534
  # @!attribute [rw] key_id
4085
- # A unique identifier for the customer master key associated with the
4086
- # grant.
4535
+ # A unique identifier for the customer master key (CMK) associated
4536
+ # with the grant. To get the key ID and key ARN for a CMK, use
4537
+ # ListKeys or DescribeKey.
4087
4538
  #
4088
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
4089
- # specify a CMK in a different AWS account, you must use the key ARN.
4539
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
4540
+ # different AWS account, you must use the key ARN.
4090
4541
  #
4091
4542
  # For example:
4092
4543
  #
@@ -4100,7 +4551,8 @@ module Aws::KMS
4100
4551
  # @return [String]
4101
4552
  #
4102
4553
  # @!attribute [rw] grant_id
4103
- # Identifier of the grant to be revoked.
4554
+ # Identifies the grant to revoke. To get the grant ID, use
4555
+ # CreateGrant, ListGrants, or ListRetirableGrants.
4104
4556
  # @return [String]
4105
4557
  #
4106
4558
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
@@ -4123,7 +4575,7 @@ module Aws::KMS
4123
4575
  # @!attribute [rw] key_id
4124
4576
  # The unique identifier of the customer master key (CMK) to delete.
4125
4577
  #
4126
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4578
+ # Specify the key ID or key ARN of the CMK.
4127
4579
  #
4128
4580
  # For example:
4129
4581
  #
@@ -4140,6 +4592,10 @@ module Aws::KMS
4140
4592
  # The waiting period, specified in number of days. After the waiting
4141
4593
  # period ends, AWS KMS deletes the customer master key (CMK).
4142
4594
  #
4595
+ # If the CMK is a multi-Region primary key with replicas, the waiting
4596
+ # period begins when the last of its replica keys is deleted.
4597
+ # Otherwise, the waiting period begins immediately.
4598
+ #
4143
4599
  # This value is optional. If you include a value, it must be between 7
4144
4600
  # and 30, inclusive. If you do not include a value, it defaults to 30.
4145
4601
  # @return [Integer]
@@ -4165,13 +4621,39 @@ module Aws::KMS
4165
4621
  # @!attribute [rw] deletion_date
4166
4622
  # The date and time after which AWS KMS deletes the customer master
4167
4623
  # key (CMK).
4624
+ #
4625
+ # If the CMK is a multi-Region primary key with replica keys, this
4626
+ # field does not appear. The deletion date for the primary key isn't
4627
+ # known until its last replica key is deleted.
4168
4628
  # @return [Time]
4169
4629
  #
4630
+ # @!attribute [rw] key_state
4631
+ # The current status of the CMK.
4632
+ #
4633
+ # For more information about how key state affects the use of a CMK,
4634
+ # see [Key state: Effect on your CMK][1] in the *AWS Key Management
4635
+ # Service Developer Guide*.
4636
+ #
4637
+ #
4638
+ #
4639
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
4640
+ # @return [String]
4641
+ #
4642
+ # @!attribute [rw] pending_window_in_days
4643
+ # The waiting period before the CMK is deleted.
4644
+ #
4645
+ # If the CMK is a multi-Region primary key with replicas, the waiting
4646
+ # period begins when the last of its replica keys is deleted.
4647
+ # Otherwise, the waiting period begins immediately.
4648
+ # @return [Integer]
4649
+ #
4170
4650
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionResponse AWS API Documentation
4171
4651
  #
4172
4652
  class ScheduleKeyDeletionResponse < Struct.new(
4173
4653
  :key_id,
4174
- :deletion_date)
4654
+ :deletion_date,
4655
+ :key_state,
4656
+ :pending_window_in_days)
4175
4657
  SENSITIVE = []
4176
4658
  include Aws::Structure
4177
4659
  end
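Review bot: The text added to `deletion_date` says the field does not appear for a multi-Region primary key that still has replica keys, yet the tag under it still reads `@return [Time]`, so nothing tells a caller the member can be empty. I would change the tag to `# @return [Time, nil]` and add a sentence pointing to `key_state` and `pending_window_in_days` for that case. Code that records or alerts on the scheduled deletion time would otherwise presumably call a method on nil. Appending the two new members at the end of the `Struct.new` list keeps positional construction compatible.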
@@ -4193,10 +4675,10 @@ module Aws::KMS
4193
4675
  # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
4194
4676
  # DescribeKey operation.
4195
4677
  #
4196
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4197
- # name, or alias ARN. When using an alias name, prefix it with
4198
- # `"alias/"`. To specify a CMK in a different AWS account, you must
4199
- # use the key ARN or alias ARN.
4678
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
4679
+ # When using an alias name, prefix it with `"alias/"`. To specify a
4680
+ # CMK in a different AWS account, you must use the key ARN or alias
4681
+ # ARN.
4200
4682
  #
4201
4683
  # For example:
4202
4684
  #
@@ -4230,7 +4712,9 @@ module Aws::KMS
4230
4712
  # @!attribute [rw] grant_tokens
4231
4713
  # A list of grant tokens.
4232
4714
  #
4233
- # For more information, see [Grant Tokens][1] in the *AWS Key
4715
+ # Use a grant token when your permission to call this operation comes
4716
+ # from a new grant that has not yet achieved *eventual consistency*.
4717
+ # For more information, see [Grant token][1] in the *AWS Key
4234
4718
  # Management Service Developer Guide*.
4235
4719
  #
4236
4720
  #
@@ -4367,7 +4851,7 @@ module Aws::KMS
4367
4851
  # @!attribute [rw] key_id
4368
4852
  # Identifies a customer managed CMK in the account and Region.
4369
4853
  #
4370
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4854
+ # Specify the key ID or key ARN of the CMK.
4371
4855
  #
4372
4856
  # For example:
4373
4857
  #
@@ -4425,7 +4909,7 @@ module Aws::KMS
4425
4909
  # @!attribute [rw] key_id
4426
4910
  # Identifies the CMK from which you are removing tags.
4427
4911
  #
4428
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4912
+ # Specify the key ID or key ARN of the CMK.
4429
4913
  #
4430
4914
  # For example:
4431
4915
  #
@@ -4476,7 +4960,7 @@ module Aws::KMS
4476
4960
  # CMK (both symmetric or both asymmetric) and they must have the same
4477
4961
  # key usage.
4478
4962
  #
4479
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4963
+ # Specify the key ID or key ARN of the CMK.
4480
4964
  #
4481
4965
  # For example:
4482
4966
  #
@@ -4579,9 +5063,9 @@ module Aws::KMS
4579
5063
  # }
4580
5064
  #
4581
5065
  # @!attribute [rw] key_id
4582
- # A unique identifier for the customer master key (CMK).
5066
+ # Updates the description of the specified customer master key (CMK).
4583
5067
  #
4584
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
5068
+ # Specify the key ID or key ARN of the CMK.
4585
5069
  #
4586
5070
  # For example:
4587
5071
  #
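Review bot: The replacement line under `@!attribute [rw] key_id` describes an operation ("Updates the description of the specified customer master key (CMK).") rather than the attribute, so the parameter no longer says what value it holds. The removed wording was accurate for a key identifier, and I would keep it: `# A unique identifier for the customer master key (CMK).` The struct this attribute belongs to is declared outside the hunk, so which request type is affected is inferred from the new sentence.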
@@ -4607,6 +5091,49 @@ module Aws::KMS
4607
5091
  include Aws::Structure
4608
5092
  end
4609
5093
 
5094
+ # @note When making an API call, you may pass UpdatePrimaryRegionRequest
5095
+ # data as a hash:
5096
+ #
5097
+ # {
5098
+ # key_id: "KeyIdType", # required
5099
+ # primary_region: "RegionType", # required
5100
+ # }
5101
+ #
5102
+ # @!attribute [rw] key_id
5103
+ # Identifies the current primary key. When the operation completes,
5104
+ # this CMK will be a replica key.
5105
+ #
5106
+ # Specify the key ID or key ARN of a multi-Region primary key.
5107
+ #
5108
+ # For example:
5109
+ #
5110
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
5111
+ #
5112
+ # * Key ARN:
5113
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
5114
+ #
5115
+ # To get the key ID and key ARN for a CMK, use ListKeys or
5116
+ # DescribeKey.
5117
+ # @return [String]
5118
+ #
5119
+ # @!attribute [rw] primary_region
5120
+ # The AWS Region of the new primary key. Enter the Region ID, such as
5121
+ # `us-east-1` or `ap-southeast-2`. There must be an existing replica
5122
+ # key in this Region.
5123
+ #
5124
+ # When the operation completes, the multi-Region key in this Region
5125
+ # will be the primary key.
5126
+ # @return [String]
5127
+ #
5128
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegionRequest AWS API Documentation
5129
+ #
5130
+ class UpdatePrimaryRegionRequest < Struct.new(
5131
+ :key_id,
5132
+ :primary_region)
5133
+ SENSITIVE = []
5134
+ include Aws::Structure
5135
+ end
5136
+
4610
5137
  # @note When making an API call, you may pass VerifyRequest
4611
5138
  # data as a hash:
4612
5139
  #
@@ -4625,10 +5152,10 @@ module Aws::KMS
4625
5152
  # signature. If you specify a different CMK, the signature
4626
5153
  # verification fails.
4627
5154
  #
4628
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
4629
- # name, or alias ARN. When using an alias name, prefix it with
4630
- # `"alias/"`. To specify a CMK in a different AWS account, you must
4631
- # use the key ARN or alias ARN.
5155
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
5156
+ # When using an alias name, prefix it with `"alias/"`. To specify a
5157
+ # CMK in a different AWS account, you must use the key ARN or alias
5158
+ # ARN.
4632
5159
  #
4633
5160
  # For example:
4634
5161
  #
@@ -4678,7 +5205,9 @@ module Aws::KMS
4678
5205
  # @!attribute [rw] grant_tokens
4679
5206
  # A list of grant tokens.
4680
5207
  #
4681
- # For more information, see [Grant Tokens][1] in the *AWS Key
5208
+ # Use a grant token when your permission to call this operation comes
5209
+ # from a new grant that has not yet achieved *eventual consistency*.
5210
+ # For more information, see [Grant token][1] in the *AWS Key
4682
5211
  # Management Service Developer Guide*.
4683
5212
  #
4684
5213
  #