aws-sdk-kms 1.43.0 → 1.47.0

data/lib/aws-sdk-kms/client_api.rb

@@ -130,6 +130,7 @@ module Aws::KMS
     KeyListEntry = Shapes::StructureShape.new(name: 'KeyListEntry')
     KeyManagerType = Shapes::StringShape.new(name: 'KeyManagerType')
     KeyMetadata = Shapes::StructureShape.new(name: 'KeyMetadata')
+    KeySpec = Shapes::StringShape.new(name: 'KeySpec')
     KeyState = Shapes::StringShape.new(name: 'KeyState')
     KeyStorePasswordType = Shapes::StringShape.new(name: 'KeyStorePasswordType')
     KeyUnavailableException = Shapes::StructureShape.new(name: 'KeyUnavailableException')
@@ -150,7 +151,12 @@ module Aws::KMS
     MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
     MarkerType = Shapes::StringShape.new(name: 'MarkerType')
     MessageType = Shapes::StringShape.new(name: 'MessageType')
+    MultiRegionConfiguration = Shapes::StructureShape.new(name: 'MultiRegionConfiguration')
+    MultiRegionKey = Shapes::StructureShape.new(name: 'MultiRegionKey')
+    MultiRegionKeyList = Shapes::ListShape.new(name: 'MultiRegionKeyList')
+    MultiRegionKeyType = Shapes::StringShape.new(name: 'MultiRegionKeyType')
     NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
+    NullableBooleanType = Shapes::BooleanShape.new(name: 'NullableBooleanType')
     NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
     OriginType = Shapes::StringShape.new(name: 'OriginType')
     PendingWindowInDaysType = Shapes::IntegerShape.new(name: 'PendingWindowInDaysType')
@@ -163,6 +169,9 @@ module Aws::KMS
     PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
     ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
     ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
+    RegionType = Shapes::StringShape.new(name: 'RegionType')
+    ReplicateKeyRequest = Shapes::StructureShape.new(name: 'ReplicateKeyRequest')
+    ReplicateKeyResponse = Shapes::StructureShape.new(name: 'ReplicateKeyResponse')
     RetireGrantRequest = Shapes::StructureShape.new(name: 'RetireGrantRequest')
     RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
     ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
@@ -185,6 +194,7 @@ module Aws::KMS
     UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
     UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
     UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
+    UpdatePrimaryRegionRequest = Shapes::StructureShape.new(name: 'UpdatePrimaryRegionRequest')
     VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
     VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
     WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
@@ -256,11 +266,13 @@ module Aws::KMS
     CreateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
     CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
     CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
-    CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
+    CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This parameter has been deprecated. Instead, use the KeySpec parameter."}))
+    CreateKeyRequest.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
     CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
     CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
     CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
     CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
+    CreateKeyRequest.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
     CreateKeyRequest.struct_class = Types::CreateKeyRequest
 
     CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
@@ -458,7 +470,8 @@ module Aws::KMS
 
     GetPublicKeyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
     GetPublicKeyResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
-    GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
+    GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This field has been deprecated. Instead, use the KeySpec field."}))
+    GetPublicKeyResponse.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
     GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
     GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
     GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
@@ -557,9 +570,13 @@ module Aws::KMS
     KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
     KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
     KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
-    KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
+    KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This field has been deprecated. Instead, use the KeySpec field."}))
+    KeyMetadata.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
     KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
     KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
+    KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
+    KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
+    KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
     KeyMetadata.struct_class = Types::KeyMetadata
 
     KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -627,6 +644,17 @@ module Aws::KMS
     MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
 
+    MultiRegionConfiguration.add_member(:multi_region_key_type, Shapes::ShapeRef.new(shape: MultiRegionKeyType, location_name: "MultiRegionKeyType"))
+    MultiRegionConfiguration.add_member(:primary_key, Shapes::ShapeRef.new(shape: MultiRegionKey, location_name: "PrimaryKey"))
+    MultiRegionConfiguration.add_member(:replica_keys, Shapes::ShapeRef.new(shape: MultiRegionKeyList, location_name: "ReplicaKeys"))
+    MultiRegionConfiguration.struct_class = Types::MultiRegionConfiguration
+
+    MultiRegionKey.add_member(:arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "Arn"))
+    MultiRegionKey.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
+    MultiRegionKey.struct_class = Types::MultiRegionKey
+
+    MultiRegionKeyList.member = Shapes::ShapeRef.new(shape: MultiRegionKey)
+
     NotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
     NotFoundException.struct_class = Types::NotFoundException
 
@@ -655,6 +683,19 @@ module Aws::KMS
     ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
     ReEncryptResponse.struct_class = Types::ReEncryptResponse
 
+    ReplicateKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    ReplicateKeyRequest.add_member(:replica_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "ReplicaRegion"))
+    ReplicateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
+    ReplicateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
+    ReplicateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
+    ReplicateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
+    ReplicateKeyRequest.struct_class = Types::ReplicateKeyRequest
+
+    ReplicateKeyResponse.add_member(:replica_key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "ReplicaKeyMetadata"))
+    ReplicateKeyResponse.add_member(:replica_policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "ReplicaPolicy"))
+    ReplicateKeyResponse.add_member(:replica_tags, Shapes::ShapeRef.new(shape: TagList, location_name: "ReplicaTags"))
+    ReplicateKeyResponse.struct_class = Types::ReplicateKeyResponse
+
     RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
     RetireGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
     RetireGrantRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
@@ -670,6 +711,8 @@ module Aws::KMS
 
     ScheduleKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
     ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
+    ScheduleKeyDeletionResponse.add_member(:key_state, Shapes::ShapeRef.new(shape: KeyState, location_name: "KeyState"))
+    ScheduleKeyDeletionResponse.add_member(:pending_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingWindowInDays"))
     ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
 
     SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
@@ -724,6 +767,10 @@ module Aws::KMS
     UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
     UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
 
+    UpdatePrimaryRegionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+    UpdatePrimaryRegionRequest.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "PrimaryRegion"))
+    UpdatePrimaryRegionRequest.struct_class = Types::UpdatePrimaryRegionRequest
+
     VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
     VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
     VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
@@ -909,6 +956,7 @@ module Aws::KMS
         o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
         o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
         o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
       end)
 
@@ -1302,6 +1350,24 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
+      api.add_operation(:replicate_key, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "ReplicateKey"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: ReplicateKeyRequest)
+        o.output = Shapes::ShapeRef.new(shape: ReplicateKeyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: AlreadyExistsException)
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
+        o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: TagException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+      end)
+
       api.add_operation(:retire_grant, Seahorse::Model::Operation.new.tap do |o|
         o.name = "RetireGrant"
         o.http_method = "POST"
@@ -1429,6 +1495,20 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 
+      api.add_operation(:update_primary_region, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "UpdatePrimaryRegion"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: UpdatePrimaryRegionRequest)
+        o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
+        o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+      end)
+
       api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
         o.name = "Verify"
         o.http_method = "POST"

data/lib/aws-sdk-kms/customizations.rb

@@ -2,7 +2,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-kms/types.rb

@@ -21,13 +21,18 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] target_key_id
-    #   String that contains the key identifier referred to by the alias.
+    #   String that contains the key identifier of the KMS key associated
+    #   with the alias.
     #   @return [String]
     #
     # @!attribute [rw] creation_date
+    #   Date and time that the alias was most recently created in the
+    #   account and Region. Formatted as Unix time.
     #   @return [Time]
     #
     # @!attribute [rw] last_updated_date
+    #   Date and time that the alias was most recently associated with a KMS
+    #   key in the account and Region. Formatted as Unix time.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AliasListEntry AWS API Documentation
@@ -64,10 +69,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The unique identifier for the customer master key (CMK) for which to
-    #   cancel deletion.
+    #   Identifies the KMS key whose deletion is being canceled.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -76,7 +80,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -89,8 +93,8 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
-    #   canceled.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key whose
+    #   deletion is canceled.
     #
     #
     #
@@ -105,10 +109,10 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the specified AWS CloudHSM cluster is
+    # The request was rejected because the specified CloudHSM cluster is
     # already associated with a custom key store or it shares a backup
     # history with a cluster that is associated with a custom key store.
-    # Each custom key store must be associated with a different AWS CloudHSM
+    # Each custom key store must be associated with a different CloudHSM
     # cluster.
     #
     # Clusters that share a backup history have the same cluster
@@ -130,8 +134,8 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the associated AWS CloudHSM cluster
-    # did not meet the configuration requirements for a custom key store.
+    # The request was rejected because the associated CloudHSM cluster did
+    # not meet the configuration requirements for a custom key store.
     #
     # * The cluster must be configured with private subnets in at least two
     #   different Availability Zones in the Region.
@@ -146,23 +150,20 @@ module Aws::KMS
     #   [DescribeSecurityGroups][2] operation.
     #
     # * The cluster must contain at least as many HSMs as the operation
-    #   requires. To add HSMs, use the AWS CloudHSM [CreateHsm][3]
-    #   operation.
+    #   requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
     #
     #   For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
-    #   operations, the AWS CloudHSM cluster must have at least two active
-    #   HSMs, each in a different Availability Zone. For the
-    #   ConnectCustomKeyStore operation, the AWS CloudHSM must contain at
-    #   least one active HSM.
+    #   operations, the CloudHSM cluster must have at least two active HSMs,
+    #   each in a different Availability Zone. For the ConnectCustomKeyStore
+    #   operation, the CloudHSM must contain at least one active HSM.
     #
-    # For information about the requirements for an AWS CloudHSM cluster
-    # that is associated with a custom key store, see [Assemble the
-    # Prerequisites][4] in the *AWS Key Management Service Developer Guide*.
-    # For information about creating a private subnet for an AWS CloudHSM
-    # cluster, see [Create a Private Subnet][5] in the *AWS CloudHSM User
-    # Guide*. For information about cluster security groups, see [Configure
-    # a Default Security Group][1] in the <i> <i>AWS CloudHSM User Guide</i>
-    # </i>.
+    # For information about the requirements for an CloudHSM cluster that is
+    # associated with a custom key store, see [Assemble the
+    # Prerequisites][4] in the *Key Management Service Developer Guide*. For
+    # information about creating a private subnet for an CloudHSM cluster,
+    # see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
+    # information about cluster security groups, see [Configure a Default
+    # Security Group][1] in the <i> <i>CloudHSM User Guide</i> </i>.
     #
     #
     #
@@ -183,11 +184,10 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the AWS CloudHSM cluster that is
+    # The request was rejected because the CloudHSM cluster that is
     # associated with the custom key store is not active. Initialize and
     # activate the cluster and try the command again. For detailed
-    # instructions, see [Getting Started][1] in the *AWS CloudHSM User
-    # Guide*.
+    # instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
     #
     #
     #
@@ -204,9 +204,9 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because AWS KMS cannot find the AWS CloudHSM
-    # cluster with the specified cluster ID. Retry the request with a
-    # different cluster ID.
+    # The request was rejected because KMS cannot find the CloudHSM cluster
+    # with the specified cluster ID. Retry the request with a different
+    # cluster ID.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -219,9 +219,9 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the specified AWS CloudHSM cluster
-    # has a different cluster certificate than the original cluster. You
-    # cannot use the operation to specify an unrelated cluster.
+    # The request was rejected because the specified CloudHSM cluster has a
+    # different cluster certificate than the original cluster. You cannot
+    # use the operation to specify an unrelated cluster.
     #
     # Specify a cluster that shares a backup history with the original
     # cluster. This includes clusters that were created from a backup of the
@@ -287,8 +287,8 @@ module Aws::KMS
     #   The `AliasName` value must be string of 1-256 characters. It can
     #   contain only alphanumeric characters, forward slashes (/),
     #   underscores (\_), and dashes (-). The alias name cannot begin with
-    #   `alias/aws/`. The `alias/aws/` prefix is reserved for [AWS managed
-    #   CMKs][1].
+    #   `alias/aws/`. The `alias/aws/` prefix is reserved for [Amazon Web
+    #   Services managed keys][1].
     #
     #
     #
@@ -296,16 +296,17 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] target_key_id
-    #   Associates the alias with the specified [customer managed CMK][1].
-    #   The CMK must be in the same AWS Region.
+    #   Associates the alias with the specified [customer managed key][1].
+    #   The KMS key must be in the same Amazon Web Services Region.
     #
-    #   A valid CMK ID is required. If you supply a null or empty string
+    #   A valid key ID is required. If you supply a null or empty string
     #   value, this operation returns an error.
     #
     #   For help finding the key ID and ARN, see [Finding the Key ID and
-    #   ARN][2] in the *AWS Key Management Service Developer Guide*.
+    #   ARN][2] in the <i> <i>Key Management Service Developer Guide</i>
+    #   </i>.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -314,7 +315,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
     #
@@ -344,14 +345,14 @@ module Aws::KMS
     #
     # @!attribute [rw] custom_key_store_name
     #   Specifies a friendly name for the custom key store. The name must be
-    #   unique in your AWS account.
+    #   unique in your Amazon Web Services account.
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
-    #   Identifies the AWS CloudHSM cluster for the custom key store. Enter
-    #   the cluster ID of any active AWS CloudHSM cluster that is not
-    #   already associated with a custom key store. To find the cluster ID,
-    #   use the [DescribeClusters][1] operation.
+    #   Identifies the CloudHSM cluster for the custom key store. Enter the
+    #   cluster ID of any active CloudHSM cluster that is not already
+    #   associated with a custom key store. To find the cluster ID, use the
+    #   [DescribeClusters][1] operation.
     #
     #
     #
@@ -370,14 +371,14 @@ module Aws::KMS
     #
     # @!attribute [rw] key_store_password
     #   Enter the password of the [ `kmsuser` crypto user (CU) account][1]
-    #   in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster
-    #   as this user to manage key material on your behalf.
+    #   in the specified CloudHSM cluster. KMS logs into the cluster as this
+    #   user to manage key material on your behalf.
     #
     #   The password must be a string of 7 to 32 characters. Its value is
     #   case sensitive.
     #
-    #   This parameter tells AWS KMS the `kmsuser` account password; it does
-    #   not change the password in the AWS CloudHSM cluster.
+    #   This parameter tells KMS the `kmsuser` account password; it does not
+    #   change the password in the CloudHSM cluster.
     #
     #
     #
@@ -428,11 +429,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The unique identifier for the customer master key (CMK) that the
-    #   grant applies to.
+    #   Identifies the KMS key for the grant. The grant gives principals
+    #   permission to use this KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the KMS key. To specify a KMS key
+    #   in a different Amazon Web Services account, you must use the key
+    #   ARN.
     #
     #   For example:
     #
@@ -441,20 +443,20 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] grantee_principal
-    #   The principal that is given permission to perform the operations
-    #   that the grant permits.
+    #   The identity that gets the permissions specified in the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an AWS principal. Valid AWS principals include AWS accounts (root),
-    #   IAM users, IAM roles, federated users, and assumed role users. For
-    #   examples of the ARN syntax to use for specifying a principal, see
-    #   [AWS Identity and Access Management (IAM)][2] in the Example ARNs
-    #   section of the *AWS General Reference*.
+    #   an Amazon Web Services principal. Valid Amazon Web Services
+    #   principals include Amazon Web Services accounts (root), IAM users,
+    #   IAM roles, federated users, and assumed role users. For examples of
+    #   the ARN syntax to use for specifying a principal, see [Amazon Web
+    #   Services Identity and Access Management (IAM)][2] in the Example
+    #   ARNs section of the *Amazon Web Services General Reference*.
     #
     #
     #
@@ -463,53 +465,85 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
-    #   The principal that is given permission to retire the grant by using
-    #   RetireGrant operation.
+    #   The principal that has permission to use the RetireGrant operation
+    #   to retire the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an AWS principal. Valid AWS principals include AWS accounts (root),
-    #   IAM users, federated users, and assumed role users. For examples of
-    #   the ARN syntax to use for specifying a principal, see [AWS Identity
-    #   and Access Management (IAM)][2] in the Example ARNs section of the
-    #   *AWS General Reference*.
+    #   an Amazon Web Services principal. Valid Amazon Web Services
+    #   principals include Amazon Web Services accounts (root), IAM users,
+    #   federated users, and assumed role users. For examples of the ARN
+    #   syntax to use for specifying a principal, see [Amazon Web Services
+    #   Identity and Access Management (IAM)][2] in the Example ARNs section
+    #   of the *Amazon Web Services General Reference*.
+    #
+    #   The grant determines the retiring principal. Other principals might
+    #   have permission to retire the grant or revoke the grant. For
+    #   details, see RevokeGrant and [Retiring and revoking grants][3] in
+    #   the *Key Management Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     #   @return [String]
     #
     # @!attribute [rw] operations
     #   A list of operations that the grant permits.
+    #
+    #   The operation must be supported on the KMS key. For example, you
+    #   cannot create a grant for a symmetric KMS key that allows the Sign
+    #   operation, or a grant for an asymmetric KMS key that allows the
+    #   GenerateDataKey operation. If you try, KMS returns a
+    #   `ValidationError` exception. For details, see [Grant operations][1]
+    #   in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   Allows a [cryptographic operation][1] only when the encryption
-    #   context matches or includes the encryption context specified in this
-    #   structure. For more information about encryption context, see
-    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
-    #   Developer Guide</i> </i>.
+    #   Specifies a grant constraint.
     #
-    #   Grant constraints are not applied to operations that do not support
-    #   an encryption context, such as cryptographic operations with
-    #   asymmetric CMKs and management operations, such as DescribeKey or
-    #   RetireGrant.
+    #   KMS supports the `EncryptionContextEquals` and
+    #   `EncryptionContextSubset` grant constraints. Each constraint value
+    #   can include up to 8 encryption context pairs. The encryption context
+    #   value in each constraint cannot exceed 384 characters.
     #
+    #   These grant constraints allow the permissions in the grant only when
+    #   the encryption context in the request matches
+    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
+    #   the encryption context specified in this structure. For information
+    #   about grant constraints, see [Using grant constraints][1] in the
+    #   *Key Management Service Developer Guide*. For more information about
+    #   encryption context, see [Encryption Context][2] in the <i> <i>Key
+    #   Management Service Developer Guide</i> </i>.
     #
+    #   The encryption context grant constraints are supported only on
+    #   operations that include an encryption context. You cannot use an
+    #   encryption context grant constraint for cryptographic operations
+    #   with asymmetric KMS keys or for management operations, such as
+    #   DescribeKey or RetireGrant.
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @!attribute [rw] name
@@ -546,12 +580,15 @@ module Aws::KMS
     # @!attribute [rw] grant_token
     #   The grant token.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [String]
     #
     # @!attribute [rw] grant_id
@@ -578,6 +615,7 @@ module Aws::KMS
     #         description: "DescriptionType",
     #         key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
     #         customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
+    #         key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
     #         origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
     #         custom_key_store_id: "CustomKeyStoreIdType",
     #         bypass_policy_lockout_safety_check: false,
@@ -587,39 +625,41 @@ module Aws::KMS
     #             tag_value: "TagValueType", # required
     #           },
     #         ],
+    #         multi_region: false,
     #       }
     #
     # @!attribute [rw] policy
-    #   The key policy to attach to the CMK.
+    #   The key policy to attach to the KMS key.
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
     #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
     #     key policy must allow the principal that is making the `CreateKey`
-    #     request to make a subsequent PutKeyPolicy request on the CMK. This
-    #     reduces the risk that the CMK becomes unmanageable. For more
-    #     information, refer to the scenario in the [Default Key Policy][1]
-    #     section of the <i> <i>AWS Key Management Service Developer
+    #     request to make a subsequent PutKeyPolicy request on the KMS key.
+    #     This reduces the risk that the KMS key becomes unmanageable. For
+    #     more information, refer to the scenario in the [Default Key
+    #     Policy][1] section of the <i> <i>Key Management Service Developer
     #     Guide</i> </i>.
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to AWS KMS. When you create a new AWS principal (for
-    #     example, an IAM user or role), you might need to enforce a delay
-    #     before including the new principal in a key policy because the new
-    #     principal might not be immediately visible to AWS KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *AWS Identity and Access Management User
-    #     Guide*.
-    #
-    #   If you do not provide a key policy, AWS KMS attaches a default key
-    #   policy to the CMK. For more information, see [Default Key Policy][3]
-    #   in the *AWS Key Management Service Developer Guide*.
+    #     visible to KMS. When you create a new Amazon Web Services
+    #     principal (for example, an IAM user or role), you might need to
+    #     enforce a delay before including the new principal in a key policy
+    #     because the new principal might not be immediately visible to KMS.
+    #     For more information, see [Changes that I make are not always
+    #     immediately visible][2] in the *Amazon Web Services Identity and
+    #     Access Management User Guide*.
+    #
+    #   If you do not provide a key policy, KMS attaches a default key
+    #   policy to the KMS key. For more information, see [Default Key
+    #   Policy][3] in the *Key Management Service Developer Guide*.
     #
     #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
     #   For help writing and formatting a JSON policy document, see the [IAM
-    #   JSON Policy Reference][4] in the <i> <i>IAM User Guide</i> </i>.
+    #   JSON Policy Reference][4] in the <i> <i>Identity and Access
+    #   Management User Guide</i> </i>.
     #
     #
     #
@@ -630,27 +670,32 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A description of the CMK.
+    #   A description of the KMS key.
+    #
+    #   Use a description that helps you decide whether the KMS key is
+    #   appropriate for a task. The default value is an empty string (no
+    #   description).
     #
-    #   Use a description that helps you decide whether the CMK is
-    #   appropriate for a task.
+    #   To set or change the description after the key is created, use
+    #   UpdateKeyDescription.
     #   @return [String]
     #
     # @!attribute [rw] key_usage
     #   Determines the [cryptographic operations][1] for which you can use
-    #   the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
-    #   required only for asymmetric CMKs. You can't change the `KeyUsage`
-    #   value after the CMK is created.
+    #   the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
+    #   is required only for asymmetric KMS keys. You can't change the
+    #   `KeyUsage` value after the KMS key is created.
     #
     #   Select only one valid value.
     #
-    #   * For symmetric CMKs, omit the parameter or specify
+    #   * For symmetric KMS keys, omit the parameter or specify
     #     `ENCRYPT_DECRYPT`.
     #
-    #   * For asymmetric CMKs with RSA key material, specify
+    #   * For asymmetric KMS keys with RSA key material, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
-    #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
+    #   * For asymmetric KMS keys with ECC key material, specify
+    #     `SIGN_VERIFY`.
     #
     #
     #
@@ -658,28 +703,38 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
-    #   Specifies the type of CMK to create. The default value,
-    #   `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
-    #   encryption and decryption. For help choosing a key spec for your
-    #   CMK, see [How to Choose Your CMK Configuration][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Instead, use the `KeySpec` parameter.
     #
-    #   The `CustomerMasterKeySpec` determines whether the CMK contains a
-    #   symmetric key or an asymmetric key pair. It also determines the
-    #   encryption algorithms or signing algorithms that the CMK supports.
-    #   You can't change the `CustomerMasterKeySpec` after the CMK is
-    #   created. To further restrict the algorithms that can be used with
-    #   the CMK, use a condition key in its key policy or IAM policy. For
-    #   more information, see [kms:EncryptionAlgorithm][2] or [kms:Signing
-    #   Algorithm][3] in the *AWS Key Management Service Developer Guide*.
-    #
-    #   [AWS services that are integrated with AWS KMS][4] use symmetric
-    #   CMKs to protect your data. These services do not support asymmetric
-    #   CMKs. For help determining whether a CMK is symmetric or asymmetric,
-    #   see [Identifying Symmetric and Asymmetric CMKs][5] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
+    #   way. Only the names differ. We recommend that you use `KeySpec`
+    #   parameter in your code. However, to avoid breaking changes, KMS will
+    #   support both parameters.
+    #   @return [String]
     #
-    #   AWS KMS supports the following key specs for CMKs:
+    # @!attribute [rw] key_spec
+    #   Specifies the type of KMS key to create. The default value,
+    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
+    #   for encryption and decryption. For help choosing a key spec for your
+    #   KMS key, see [How to Choose Your KMS key Configuration][1] in the
+    #   <i> <i>Key Management Service Developer Guide</i> </i>.
+    #
+    #   The `KeySpec` determines whether the KMS key contains a symmetric
+    #   key or an asymmetric key pair. It also determines the encryption
+    #   algorithms or signing algorithms that the KMS key supports. You
+    #   can't change the `KeySpec` after the KMS key is created. To further
+    #   restrict the algorithms that can be used with the KMS key, use a
+    #   condition key in its key policy or IAM policy. For more information,
+    #   see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in
+    #   the <i> <i>Key Management Service Developer Guide</i> </i>.
+    #
+    #   [Amazon Web Services services that are integrated with KMS][4] use
+    #   symmetric KMS keys to protect your data. These services do not
+    #   support asymmetric KMS keys. For help determining whether a KMS key
+    #   is symmetric or asymmetric, see [Identifying Symmetric and
+    #   Asymmetric KMS keys][5] in the *Key Management Service Developer
+    #   Guide*.
+    #
+    #   KMS supports the following key specs for KMS keys:
     #
     #   * Symmetric key (default)
     #
@@ -720,22 +775,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] origin
-    #   The source of the key material for the CMK. You cannot change the
-    #   origin after you create the CMK. The default is `AWS_KMS`, which
-    #   means AWS KMS creates the key material.
+    #   The source of the key material for the KMS key. You cannot change
+    #   the origin after you create the KMS key. The default is `AWS_KMS`,
+    #   which means that KMS creates the key material.
     #
-    #   When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
-    #   without key material so that you can import key material from your
-    #   existing key management infrastructure. For more information about
-    #   importing key material into AWS KMS, see [Importing Key Material][1]
-    #   in the *AWS Key Management Service Developer Guide*. This value is
-    #   valid only for symmetric CMKs.
+    #   To create a KMS key with no key material (for imported key
+    #   material), set the value to `EXTERNAL`. For more information about
+    #   importing key material into KMS, see [Importing Key Material][1] in
+    #   the *Key Management Service Developer Guide*. This value is valid
+    #   only for symmetric KMS keys.
     #
-    #   When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
-    #   in an AWS KMS [custom key store][2] and creates its key material in
-    #   the associated AWS CloudHSM cluster. You must also use the
-    #   `CustomKeyStoreId` parameter to identify the custom key store. This
-    #   value is valid only for symmetric CMKs.
+    #   To create a KMS key in an KMS [custom key store][2] and create its
+    #   key material in the associated CloudHSM cluster, set this value to
+    #   `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
+    #   to identify the custom key store. This value is valid only for
+    #   symmetric KMS keys.
     #
     #
     #
@@ -744,26 +798,26 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] custom_key_store_id
-    #   Creates the CMK in the specified [custom key store][1] and the key
-    #   material in its associated AWS CloudHSM cluster. To create a CMK in
-    #   a custom key store, you must also specify the `Origin` parameter
-    #   with a value of `AWS_CLOUDHSM`. The AWS CloudHSM cluster that is
+    #   Creates the KMS key in the specified [custom key store][1] and the
+    #   key material in its associated CloudHSM cluster. To create a KMS key
+    #   in a custom key store, you must also specify the `Origin` parameter
+    #   with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
     #   associated with the custom key store must have at least two active
     #   HSMs, each in a different Availability Zone in the Region.
     #
-    #   This parameter is valid only for symmetric CMKs. You cannot create
-    #   an asymmetric CMK in a custom key store.
+    #   This parameter is valid only for symmetric KMS keys and regional KMS
+    #   keys. You cannot create an asymmetric KMS key or a multi-Region key
+    #   in a custom key store.
     #
     #   To find the ID of a custom key store, use the
     #   DescribeCustomKeyStores operation.
     #
-    #   The response includes the custom key store ID and the ID of the AWS
+    #   The response includes the custom key store ID and the ID of the
     #   CloudHSM cluster.
     #
     #   This operation is part of the [Custom Key Store feature][1] feature
-    #   in AWS KMS, which combines the convenience and extensive integration
-    #   of AWS KMS with the isolation and control of a single-tenant key
-    #   store.
+    #   in KMS, which combines the convenience and extensive integration of
+    #   KMS with the isolation and control of a single-tenant key store.
     #
     #
     #
@@ -774,16 +828,17 @@ module Aws::KMS
     #   A flag to indicate whether to bypass the key policy lockout safety
     #   check.
     #
-    #   Setting this value to true increases the risk that the CMK becomes
-    #   unmanageable. Do not set this value to true indiscriminately.
+    #   Setting this value to true increases the risk that the KMS key
+    #   becomes unmanageable. Do not set this value to true
+    #   indiscriminately.
     #
     #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the <i> <i>AWS Key Management Service
-    #   Developer Guide</i> </i>.
+    #   Policy][1] section in the <i> <i>Key Management Service Developer
+    #   Guide</i> </i>.
     #
     #   Use this parameter only when you include a policy in the request and
     #   you intend to prevent the principal that is making the request from
-    #   making a subsequent PutKeyPolicy request on the CMK.
+    #   making a subsequent PutKeyPolicy request on the KMS key.
     #
     #   The default value is false.
     #
@@ -793,27 +848,68 @@ module Aws::KMS
     #   @return [Boolean]
     #
     # @!attribute [rw] tags
-    #   One or more tags. Each tag consists of a tag key and a tag value.
-    #   Both the tag key and the tag value are required, but the tag value
-    #   can be an empty (null) string.
+    #   Assigns one or more tags to the KMS key. Use this parameter to tag
+    #   the KMS key when it is created. To tag an existing KMS key, use the
+    #   TagResource operation.
     #
-    #   When you add tags to an AWS resource, AWS generates a cost
-    #   allocation report with usage and costs aggregated by tags. For
-    #   information about adding, changing, deleting and listing tags for
-    #   CMKs, see [Tagging Keys][1].
+    #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
+    #   KMS key. For details, see [Using ABAC in KMS][1] in the *Key
+    #   Management Service Developer Guide*.
     #
-    #   Use this parameter to tag the CMK when it is created. To add tags to
-    #   an existing CMK, use the TagResource operation.
+    #    </note>
     #
     #   To use this parameter, you must have [kms:TagResource][2] permission
     #   in an IAM policy.
     #
+    #   Each tag consists of a tag key and a tag value. Both the tag key and
+    #   the tag value are required, but the tag value can be an empty (null)
+    #   string. You cannot have more than one tag on a KMS key with the same
+    #   tag key. If you specify an existing tag key with a different tag
+    #   value, KMS replaces the current tag value with the specified one.
     #
+    #   When you add tags to an Amazon Web Services resource, Amazon Web
+    #   Services generates a cost allocation report with usage and costs
+    #   aggregated by tags. Tags can also be used to control access to a KMS
+    #   key. For details, see [Tagging Keys][3].
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     #   @return [Array<Types::Tag>]
     #
+    # @!attribute [rw] multi_region
+    #   Creates a multi-Region primary key that you can replicate into other
+    #   Amazon Web Services Regions. You cannot change this value after you
+    #   create the KMS key.
+    #
+    #   For a multi-Region key, set this parameter to `True`. For a
+    #   single-Region KMS key, omit this parameter or set it to `False`. The
+    #   default value is `False`.
+    #
+    #   This operation supports *multi-Region keys*, an KMS feature that
+    #   lets you create multiple interoperable KMS keys in different Amazon
+    #   Web Services Regions. Because these KMS keys have the same key ID,
+    #   key material, and other metadata, you can use them interchangeably
+    #   to encrypt data in one Amazon Web Services Region and decrypt it in
+    #   a different Amazon Web Services Region without re-encrypting the
+    #   data or making a cross-Region call. For more information about
+    #   multi-Region keys, see [Using multi-Region keys][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #   This value creates a *primary key*, not a replica. To create a
+    #   *replica key*, use the ReplicateKey operation.
+    #
+    #   You can create a symmetric or asymmetric multi-Region key, and you
+    #   can create a multi-Region key with imported key material. However,
+    #   you cannot create a multi-Region key in a custom key store.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
     #
     class CreateKeyRequest < Struct.new(
@@ -821,16 +917,18 @@ module Aws::KMS
       :description,
       :key_usage,
       :customer_master_key_spec,
+      :key_spec,
       :origin,
       :custom_key_store_id,
       :bypass_policy_lockout_safety_check,
-      :tags)
+      :tags,
+      :multi_region)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] key_metadata
-    #   Metadata associated with the CMK.
+    #   Metadata associated with the KMS key.
     #   @return [Types::KeyMetadata]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyResponse AWS API Documentation
@@ -841,10 +939,10 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the custom key store contains AWS KMS
-    # customer master keys (CMKs). After verifying that you do not need to
-    # use the CMKs, use the ScheduleKeyDeletion operation to delete the
-    # CMKs. After they are deleted, you can delete the custom key store.
+    # The request was rejected because the custom key store contains KMS
+    # keys. After verifying that you do not need to use the KMS keys, use
+    # the ScheduleKeyDeletion operation to delete the KMS keys. After they
+    # are deleted, you can delete the custom key store.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -902,8 +1000,8 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because AWS KMS cannot find a custom key
-    # store with the specified key store name or ID.
+    # The request was rejected because KMS cannot find a custom key store
+    # with the specified key store name or ID.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -928,12 +1026,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
-    #   A unique identifier for the AWS CloudHSM cluster that is associated
-    #   with the custom key store.
+    #   A unique identifier for the CloudHSM cluster that is associated with
+    #   the custom key store.
     #   @return [String]
     #
     # @!attribute [rw] trust_anchor_certificate
-    #   The trust anchor certificate of the associated AWS CloudHSM cluster.
+    #   The trust anchor certificate of the associated CloudHSM cluster.
     #   When you [initialize the cluster][1], you create this certificate
     #   and save it in the `customerCA.crt` file.
     #
@@ -943,22 +1041,22 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] connection_state
-    #   Indicates whether the custom key store is connected to its AWS
-    #   CloudHSM cluster.
+    #   Indicates whether the custom key store is connected to its CloudHSM
+    #   cluster.
     #
-    #   You can create and use CMKs in your custom key stores only when its
-    #   connection state is `CONNECTED`.
+    #   You can create and use KMS keys in your custom key stores only when
+    #   its connection state is `CONNECTED`.
     #
     #   The value is `DISCONNECTED` if the key store has never been
     #   connected or you use the DisconnectCustomKeyStore operation to
     #   disconnect it. If the value is `CONNECTED` but you are having
     #   trouble using the custom key store, make sure that its associated
-    #   AWS CloudHSM cluster is active and contains at least one active HSM.
+    #   CloudHSM cluster is active and contains at least one active HSM.
     #
     #   A value of `FAILED` indicates that an attempt to connect was
     #   unsuccessful. The `ConnectionErrorCode` field in the response
     #   indicates the cause of the failure. For help resolving a connection
-    #   failure, see [Troubleshooting a Custom Key Store][1] in the *AWS Key
+    #   failure, see [Troubleshooting a Custom Key Store][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -969,64 +1067,64 @@ module Aws::KMS
     # @!attribute [rw] connection_error_code
     #   Describes the connection error. This field appears in the response
     #   only when the `ConnectionState` is `FAILED`. For help resolving
-    #   these errors, see [How to Fix a Connection Failure][1] in *AWS Key
+    #   these errors, see [How to Fix a Connection Failure][1] in *Key
     #   Management Service Developer Guide*.
     #
     #   Valid values are:
     #
-    #   * `CLUSTER_NOT_FOUND` - AWS KMS cannot find the AWS CloudHSM cluster
-    #     with the specified cluster ID.
+    #   * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
+    #     the specified cluster ID.
     #
-    #   * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated AWS CloudHSM cluster
+    #   * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
     #     does not contain any active HSMs. To connect a custom key store to
-    #     its AWS CloudHSM cluster, the cluster must contain at least one
-    #     active HSM.
+    #     its CloudHSM cluster, the cluster must contain at least one active
+    #     HSM.
     #
-    #   * `INTERNAL_ERROR` - AWS KMS could not complete the request due to
-    #     an internal error. Retry the request. For `ConnectCustomKeyStore`
+    #   * `INTERNAL_ERROR` - KMS could not complete the request due to an
+    #     internal error. Retry the request. For `ConnectCustomKeyStore`
     #     requests, disconnect the custom key store before trying to connect
     #     again.
     #
-    #   * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
-    #     for the `kmsuser` crypto user in the AWS CloudHSM cluster. Before
-    #     you can connect your custom key store to its AWS CloudHSM cluster,
-    #     you must change the `kmsuser` account password and update the key
-    #     store password value for the custom key store.
+    #   * `INVALID_CREDENTIALS` - KMS does not have the correct password for
+    #     the `kmsuser` crypto user in the CloudHSM cluster. Before you can
+    #     connect your custom key store to its CloudHSM cluster, you must
+    #     change the `kmsuser` account password and update the key store
+    #     password value for the custom key store.
     #
-    #   * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
+    #   * `NETWORK_ERRORS` - Network errors are preventing KMS from
     #     connecting to the custom key store.
     #
-    #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
-    #     configuration was deleted. If AWS KMS cannot find all of the
-    #     subnets in the cluster configuration, attempts to connect the
-    #     custom key store to the AWS CloudHSM cluster fail. To fix this
-    #     error, create a cluster from a recent backup and associate it with
-    #     your custom key store. (This process creates a new cluster
-    #     configuration with a VPC and private subnets.) For details, see
-    #     [How to Fix a Connection Failure][1] in the *AWS Key Management
-    #     Service Developer Guide*.
+    #   * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
+    #     configuration was deleted. If KMS cannot find all of the subnets
+    #     in the cluster configuration, attempts to connect the custom key
+    #     store to the CloudHSM cluster fail. To fix this error, create a
+    #     cluster from a recent backup and associate it with your custom key
+    #     store. (This process creates a new cluster configuration with a
+    #     VPC and private subnets.) For details, see [How to Fix a
+    #     Connection Failure][1] in the *Key Management Service Developer
+    #     Guide*.
     #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
-    #     associated AWS CloudHSM cluster due to too many failed password
-    #     attempts. Before you can connect your custom key store to its AWS
+    #     associated CloudHSM cluster due to too many failed password
+    #     attempts. Before you can connect your custom key store to its
     #     CloudHSM cluster, you must change the `kmsuser` account password
     #     and update the key store password value for the custom key store.
     #
     #   * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
-    #     associated AWS CloudHSM cluster. This prevents AWS KMS from
-    #     rotating the `kmsuser` account password and logging into the
-    #     cluster. Before you can connect your custom key store to its AWS
-    #     CloudHSM cluster, you must log the `kmsuser` CU out of the
-    #     cluster. If you changed the `kmsuser` password to log into the
-    #     cluster, you must also and update the key store password value for
-    #     the custom key store. For help, see [How to Log Out and
-    #     Reconnect][2] in the *AWS Key Management Service Developer Guide*.
-    #
-    #   * `USER_NOT_FOUND` - AWS KMS cannot find a `kmsuser` CU account in
-    #     the associated AWS CloudHSM cluster. Before you can connect your
-    #     custom key store to its AWS CloudHSM cluster, you must create a
-    #     `kmsuser` CU account in the cluster, and then update the key store
-    #     password value for the custom key store.
+    #     associated CloudHSM cluster. This prevents KMS from rotating the
+    #     `kmsuser` account password and logging into the cluster. Before
+    #     you can connect your custom key store to its CloudHSM cluster, you
+    #     must log the `kmsuser` CU out of the cluster. If you changed the
+    #     `kmsuser` password to log into the cluster, you must also and
+    #     update the key store password value for the custom key store. For
+    #     help, see [How to Log Out and Reconnect][2] in the *Key Management
+    #     Service Developer Guide*.
+    #
+    #   * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
+    #     associated CloudHSM cluster. Before you can connect your custom
+    #     key store to its CloudHSM cluster, you must create a `kmsuser` CU
+    #     account in the cluster, and then update the key store password
+    #     value for the custom key store.
     #
     #
     #
@@ -1072,17 +1170,17 @@ module Aws::KMS
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
     #   encryption context is valid only for [cryptographic operations][1]
-    #   with a symmetric CMK. The standard asymmetric encryption algorithms
-    #   that AWS KMS uses do not support an encryption context.
+    #   with a symmetric KMS key. The standard asymmetric encryption
+    #   algorithms that KMS uses do not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1094,29 +1192,32 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @!attribute [rw] key_id
-    #   Specifies the customer master key (CMK) that AWS KMS uses to decrypt
-    #   the ciphertext. Enter a key ID of the CMK that was used to encrypt
-    #   the ciphertext.
+    #   Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter
+    #   a key ID of the KMS key that was used to encrypt the ciphertext.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can
-    #   get the CMK from metadata that it adds to the symmetric ciphertext
-    #   blob. However, it is always recommended as a best practice. This
-    #   practice ensures that you use the CMK that you intend.
+    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS
+    #   can get the KMS key from metadata that it adds to the symmetric
+    #   ciphertext blob. However, it is always recommended as a best
+    #   practice. This practice ensures that you use the KMS key that you
+    #   intend.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -1129,7 +1230,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -1140,9 +1241,9 @@ module Aws::KMS
     #   fails.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
+    #   under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
     #   represents the only supported algorithm that is valid for symmetric
-    #   CMKs.
+    #   KMS keys.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
@@ -1158,8 +1259,8 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
-    #   decrypt the ciphertext.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
+    #   to decrypt the ciphertext.
     #
     #
     #
@@ -1167,8 +1268,9 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] plaintext
-    #   Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   Decrypted plaintext data. When you use the HTTP API or the Amazon
+    #   Web Services CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
@@ -1237,10 +1339,10 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies the CMK from which you are deleting imported key
-    #   material. The `Origin` of the CMK must be `EXTERNAL`.
+    #   Identifies the KMS key from which you are deleting imported key
+    #   material. The `Origin` of the KMS key must be `EXTERNAL`.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -1249,7 +1351,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -1290,7 +1392,7 @@ module Aws::KMS
     #   the key store ID.
     #
     #   By default, this operation gets information about all custom key
-    #   stores in the account and region. To limit the output to a
+    #   stores in the account and Region. To limit the output to a
     #   particular custom key store, you can use either the
     #   `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
     #   @return [String]
@@ -1300,14 +1402,14 @@ module Aws::KMS
     #   the friendly name of the custom key store.
     #
     #   By default, this operation gets information about all custom key
-    #   stores in the account and region. To limit the output to a
+    #   stores in the account and Region. To limit the output to a
     #   particular custom key store, you can use either the
     #   `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
     #   @return [String]
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #   @return [Integer]
     #
@@ -1363,16 +1465,17 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Describes the specified customer master key (CMK).
+    #   Describes the specified KMS key.
     #
-    #   If you specify a predefined AWS alias (an AWS alias with no key ID),
-    #   KMS associates the alias with an [AWS managed CMK][1] and returns
-    #   its `KeyId` and `Arn` in the response.
+    #   If you specify a predefined Amazon Web Services alias (an Amazon Web
+    #   Services alias with no key ID), KMS associates the alias with an
+    #   [Amazon Web Services managed key][1] and returns its `KeyId` and
+    #   `Arn` in the response.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -1385,23 +1488,26 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
@@ -1433,9 +1539,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies the KMS key to disable.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -1444,7 +1550,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -1464,11 +1570,11 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies a symmetric customer master key (CMK). You cannot enable
-    #   or disable automatic rotation of [asymmetric CMKs][1], CMKs with
-    #   [imported key material][2], or CMKs in a [custom key store][3].
+    #   Identifies a symmetric KMS key. You cannot enable or disable
+    #   automatic rotation of [asymmetric KMS keys][1], KMS keys with
+    #   [imported key material][2], or KMS keys in a [custom key store][3].
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -1477,7 +1583,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
     #
@@ -1495,7 +1601,7 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the specified CMK is not enabled.
+    # The request was rejected because the specified KMS key is not enabled.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1541,9 +1647,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies the KMS key to enable.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -1552,7 +1658,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -1572,11 +1678,13 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies a symmetric customer master key (CMK). You cannot enable
-    #   automatic rotation of asymmetric CMKs, CMKs with imported key
-    #   material, or CMKs in a [custom key store][1].
+    #   Identifies a symmetric KMS key. You cannot enable automatic rotation
+    #   of [asymmetric KMS keys][1], KMS keys with [imported key
+    #   material][2], or KMS keys in a [custom key store][3]. To enable or
+    #   disable automatic rotation of a set of related [multi-Region
+    #   keys][4], set the property on the primary key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -1585,12 +1693,15 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1615,12 +1726,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Identifies the KMS key to use in the encryption operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -1633,7 +1744,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -1644,8 +1755,8 @@ module Aws::KMS
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used to encrypt the
     #   data. An encryption context is valid only for [cryptographic
-    #   operations][1] with a symmetric CMK. The standard asymmetric
-    #   encryption algorithms that AWS KMS uses do not support an encryption
+    #   operations][1] with a symmetric KMS key. The standard asymmetric
+    #   encryption algorithms that KMS uses do not support an encryption
     #   context.
     #
     #   An *encryption context* is a collection of non-secret key-value
@@ -1653,9 +1764,9 @@ module Aws::KMS
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1667,22 +1778,25 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @!attribute [rw] encryption_algorithm
-    #   Specifies the encryption algorithm that AWS KMS will use to encrypt
-    #   the plaintext message. The algorithm must be compatible with the CMK
+    #   Specifies the encryption algorithm that KMS will use to encrypt the
+    #   plaintext message. The algorithm must be compatible with the KMS key
     #   that you specify.
     #
-    #   This parameter is required only for asymmetric CMKs. The default
-    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
-    #   CMKs. If you are using an asymmetric CMK, we recommend
+    #   This parameter is required only for asymmetric KMS keys. The default
+    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
+    #   keys. If you are using an asymmetric KMS key, we recommend
     #   RSAES\_OAEP\_SHA\_256.
     #   @return [String]
     #
@@ -1699,13 +1813,14 @@ module Aws::KMS
     end
 
     # @!attribute [rw] ciphertext_blob
-    #   The encrypted plaintext. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   The encrypted plaintext. When you use the HTTP API or the Amazon Web
+    #   Services CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
-    #   encrypt the plaintext.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
+    #   to encrypt the plaintext.
     #
     #
     #
@@ -1763,9 +1878,9 @@ module Aws::KMS
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1774,15 +1889,15 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_id
-    #   Specifies the symmetric CMK that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric CMK or a CMK in a
-    #   custom key store. To get the type and origin of your CMK, use the
-    #   DescribeKey operation.
+    #   Specifies the symmetric KMS key that encrypts the private key in the
+    #   data key pair. You cannot specify an asymmetric KMS key or a KMS key
+    #   in a custom key store. To get the type and origin of your KMS key,
+    #   use the DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -1795,28 +1910,31 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
+    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
     #   encrypt and decrypt or to sign and verify (but not both), and the
-    #   rule that permits you to use ECC CMKs only to sign and verify, are
-    #   not effective outside of AWS KMS.
+    #   rule that permits you to use ECC KMS keys only to sign and verify,
+    #   are not effective on data key pairs, which are used outside of KMS.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
@@ -1832,14 +1950,14 @@ module Aws::KMS
 
     # @!attribute [rw] private_key_ciphertext_blob
     #   The encrypted copy of the private key. When you use the HTTP API or
-    #   the AWS CLI, the value is Base64-encoded. Otherwise, it is not
-    #   Base64-encoded.
+    #   the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
+    #   it is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] private_key_plaintext
     #   The plaintext copy of the private key. When you use the HTTP API or
-    #   the AWS CLI, the value is Base64-encoded. Otherwise, it is not
-    #   Base64-encoded.
+    #   the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
+    #   it is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] public_key
@@ -1847,8 +1965,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
-    #   the private key.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that
+    #   encrypted the private key.
     #
     #
     #
@@ -1892,9 +2010,9 @@ module Aws::KMS
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1903,15 +2021,15 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_id
-    #   Specifies the CMK that encrypts the private key in the data key
-    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK or a CMK in a custom key store. To get the type and origin of
-    #   your CMK, use the DescribeKey operation.
+    #   Specifies the KMS key that encrypts the private key in the data key
+    #   pair. You must specify a symmetric KMS key. You cannot use an
+    #   asymmetric KMS key or a KMS key in a custom key store. To get the
+    #   type and origin of your KMS key, use the DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -1924,28 +2042,31 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
+    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
     #   encrypt and decrypt or to sign and verify (but not both), and the
-    #   rule that permits you to use ECC CMKs only to sign and verify, are
-    #   not effective outside of AWS KMS.
+    #   rule that permits you to use ECC KMS keys only to sign and verify,
+    #   are not effective on data key pairs, which are used outside of KMS.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
@@ -1961,8 +2082,8 @@ module Aws::KMS
 
     # @!attribute [rw] private_key_ciphertext_blob
     #   The encrypted copy of the private key. When you use the HTTP API or
-    #   the AWS CLI, the value is Base64-encoded. Otherwise, it is not
-    #   Base64-encoded.
+    #   the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
+    #   it is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] public_key
@@ -1970,8 +2091,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
-    #   the private key.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that
+    #   encrypted the private key.
     #
     #
     #
@@ -2007,12 +2128,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies the symmetric CMK that encrypts the data key.
+    #   Identifies the symmetric KMS key that encrypts the data key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -2025,7 +2146,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -2038,9 +2159,9 @@ module Aws::KMS
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2070,12 +2191,15 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
@@ -2092,20 +2216,20 @@ module Aws::KMS
 
     # @!attribute [rw] ciphertext_blob
     #   The encrypted copy of the data key. When you use the HTTP API or the
-    #   AWS CLI, the value is Base64-encoded. Otherwise, it is not
-    #   Base64-encoded.
+    #   Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
+    #   is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] plaintext
-    #   The plaintext data key. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
-    #   Use this data key to encrypt your data outside of KMS. Then, remove
-    #   it from memory as soon as possible.
+    #   The plaintext data key. When you use the HTTP API or the Amazon Web
+    #   Services CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded. Use this data key to encrypt your data outside of
+    #   KMS. Then, remove it from memory as soon as possible.
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
-    #   the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that
+    #   encrypted the data key.
     #
     #
     #
@@ -2136,13 +2260,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The identifier of the symmetric customer master key (CMK) that
-    #   encrypts the data key.
+    #   The identifier of the symmetric KMS key that encrypts the data key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -2155,7 +2278,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -2168,9 +2291,9 @@ module Aws::KMS
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2193,12 +2316,15 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
@@ -2214,13 +2340,14 @@ module Aws::KMS
     end
 
     # @!attribute [rw] ciphertext_blob
-    #   The encrypted data key. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   The encrypted data key. When you use the HTTP API or the Amazon Web
+    #   Services CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
-    #   the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that
+    #   encrypted the data key.
     #
     #
     #
@@ -2249,7 +2376,7 @@ module Aws::KMS
     #   @return [Integer]
     #
     # @!attribute [rw] custom_key_store_id
-    #   Generates the random byte string in the AWS CloudHSM cluster that is
+    #   Generates the random byte string in the CloudHSM cluster that is
     #   associated with the specified [custom key store][1]. To find the ID
     #   of a custom key store, use the DescribeCustomKeyStores operation.
     #
@@ -2268,8 +2395,9 @@ module Aws::KMS
     end
 
     # @!attribute [rw] plaintext
-    #   The random byte string. When you use the HTTP API or the AWS CLI,
-    #   the value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   The random byte string. When you use the HTTP API or the Amazon Web
+    #   Services CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -2289,9 +2417,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets the key policy for the specified KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -2300,7 +2428,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -2338,10 +2466,11 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets the rotation status for the specified KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the KMS key. To specify a KMS key
+    #   in a different Amazon Web Services account, you must use the key
+    #   ARN.
     #
     #   For example:
     #
@@ -2350,7 +2479,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -2384,10 +2513,10 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The identifier of the symmetric CMK into which you will import key
-    #   material. The `Origin` of the CMK must be `EXTERNAL`.
+    #   The identifier of the symmetric KMS key into which you will import
+    #   key material. The `Origin` of the KMS key must be `EXTERNAL`.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -2396,14 +2525,14 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] wrapping_algorithm
     #   The algorithm you will use to encrypt the key material before
     #   importing it with ImportKeyMaterial. For more information, see
-    #   [Encrypt the Key Material][1] in the *AWS Key Management Service
+    #   [Encrypt the Key Material][1] in the *Key Management Service
     #   Developer Guide*.
     #
     #
@@ -2427,9 +2556,9 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
-    #   subsequent ImportKeyMaterial request. This is the same CMK specified
-    #   in the `GetParametersForImport` request.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key to use in a
+    #   subsequent ImportKeyMaterial request. This is the same KMS key
+    #   specified in the `GetParametersForImport` request.
     #
     #
     #
@@ -2472,12 +2601,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies the asymmetric CMK that includes the public key.
+    #   Identifies the asymmetric KMS key that includes the public key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -2490,19 +2619,22 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
@@ -2515,8 +2647,8 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
-    #   which the public key was downloaded.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
+    #   from which the public key was downloaded.
     #
     #
     #
@@ -2528,8 +2660,8 @@ module Aws::KMS
     #
     #   The value is a DER-encoded X.509 public key, also known as
     #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
-    #   use the HTTP API or the AWS CLI, the value is Base64-encoded.
-    #   Otherwise, it is not Base64-encoded.
+    #   use the HTTP API or the Amazon Web Services CLI, the value is
+    #   Base64-encoded. Otherwise, it is not Base64-encoded.
     #
     #
     #
@@ -2539,6 +2671,14 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
+    #   Instead, use the `KeySpec` field in the `GetPublicKey` response.
+    #
+    #   The `KeySpec` and `CustomerMasterKeySpec` fields have the same
+    #   value. We recommend that you use the `KeySpec` field in your code.
+    #   However, to avoid breaking changes, KMS will support both fields.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_spec
     #   The type of the of the public key that was downloaded.
     #   @return [String]
     #
@@ -2547,23 +2687,23 @@ module Aws::KMS
     #   `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   This information is critical. If a public key with `SIGN_VERIFY` key
-    #   usage encrypts data outside of AWS KMS, the ciphertext cannot be
+    #   usage encrypts data outside of KMS, the ciphertext cannot be
     #   decrypted.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
-    #   The encryption algorithms that AWS KMS supports for this key.
+    #   The encryption algorithms that KMS supports for this key.
     #
     #   This information is critical. If a public key encrypts data outside
-    #   of AWS KMS by using an unsupported encryption algorithm, the
-    #   ciphertext cannot be decrypted.
+    #   of KMS by using an unsupported encryption algorithm, the ciphertext
+    #   cannot be decrypted.
     #
     #   This field appears in the response only when the `KeyUsage` of the
     #   public key is `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithms
-    #   The signing algorithms that AWS KMS supports for this key.
+    #   The signing algorithms that KMS supports for this key.
     #
     #   This field appears in the response only when the `KeyUsage` of the
     #   public key is `SIGN_VERIFY`.
@@ -2575,6 +2715,7 @@ module Aws::KMS
       :key_id,
       :public_key,
       :customer_master_key_spec,
+      :key_spec,
       :key_usage,
       :encryption_algorithms,
       :signing_algorithms)
@@ -2586,11 +2727,11 @@ module Aws::KMS
     # only when the operation request includes the specified [encryption
     # context][2].
     #
-    # AWS KMS applies the grant constraints only to cryptographic operations
+    # KMS applies the grant constraints only to cryptographic operations
     # that support an encryption context, that is, all cryptographic
-    # operations with a [symmetric CMK][3]. Grant constraints are not
+    # operations with a [symmetric KMS key][3]. Grant constraints are not
     # applied to operations that do not support an encryption context, such
-    # as cryptographic operations with asymmetric CMKs and management
+    # as cryptographic operations with asymmetric KMS keys and management
     # operations, such as DescribeKey or RetireGrant.
     #
     # In a cryptographic operation, the encryption context in the decryption
@@ -2605,8 +2746,8 @@ module Aws::KMS
     # differ only by case. To require a fully case-sensitive encryption
     # context, use the `kms:EncryptionContext:` and
     # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
-    # Management Service Developer Guide</i> </i>.
+    # details, see [kms:EncryptionContext:][4] in the <i> <i>Key Management
+    # Service Developer Guide</i> </i>.
     #
     #
     #
@@ -2662,8 +2803,7 @@ module Aws::KMS
     # Contains information about a grant.
     #
     # @!attribute [rw] key_id
-    #   The unique identifier for the customer master key (CMK) to which the
-    #   grant applies.
+    #   The unique identifier for the KMS key to which the grant applies.
     #   @return [String]
     #
     # @!attribute [rw] grant_id
@@ -2685,10 +2825,10 @@ module Aws::KMS
     #
     #   The `GranteePrincipal` field in the `ListGrants` response usually
     #   contains the user or role designated as the grantee principal in the
-    #   grant. However, when the grantee principal in the grant is an AWS
-    #   service, the `GranteePrincipal` field contains the [service
-    #   principal][1], which might represent several different grantee
-    #   principals.
+    #   grant. However, when the grantee principal in the grant is an Amazon
+    #   Web Services service, the `GranteePrincipal` field contains the
+    #   [service principal][1], which might represent several different
+    #   grantee principals.
     #
     #
     #
@@ -2700,7 +2840,7 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] issuing_account
-    #   The AWS account under which the grant was issued.
+    #   The Amazon Web Services account under which the grant was issued.
     #   @return [String]
     #
     # @!attribute [rw] operations
@@ -2740,12 +2880,12 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The identifier of the symmetric CMK that receives the imported key
-    #   material. The CMK's `Origin` must be `EXTERNAL`. This must be the
-    #   same CMK specified in the `KeyID` parameter of the corresponding
-    #   GetParametersForImport request.
+    #   The identifier of the symmetric KMS key that receives the imported
+    #   key material. The KMS key's `Origin` must be `EXTERNAL`. This must
+    #   be the same KMS key specified in the `KeyID` parameter of the
+    #   corresponding GetParametersForImport request.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -2754,7 +2894,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -2774,7 +2914,7 @@ module Aws::KMS
     #
     # @!attribute [rw] valid_to
     #   The time at which the imported key material expires. When the key
-    #   material expires, AWS KMS deletes the key material and the CMK
+    #   material expires, KMS deletes the key material and the KMS key
     #   becomes unusable. You must omit this parameter when the
     #   `ExpirationModel` parameter is set to
     #   `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
@@ -2804,10 +2944,10 @@ module Aws::KMS
     #
     class ImportKeyMaterialResponse < Aws::EmptyStructure; end
 
-    # The request was rejected because the specified CMK cannot decrypt the
-    # data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
-    # ReEncrypt request must identify the same CMK that was used to encrypt
-    # the ciphertext.
+    # The request was rejected because the specified KMS key cannot decrypt
+    # the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
+    # ReEncrypt request must identify the same KMS key that was used to
+    # encrypt the ciphertext.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2822,7 +2962,7 @@ module Aws::KMS
 
     # The request was rejected because the key material in the request is,
     # expired, invalid, or is not the same key material that was previously
-    # imported into this customer master key (CMK).
+    # imported into this KMS key.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2836,8 +2976,8 @@ module Aws::KMS
     end
 
     # The request was rejected because the trust anchor certificate in the
-    # request is not the trust anchor certificate for the specified AWS
-    # CloudHSM cluster.
+    # request is not the trust anchor certificate for the specified CloudHSM
+    # cluster.
     #
     # When you [initialize the cluster][1], you create the trust anchor
     # certificate and save it in the `customerCA.crt` file.
@@ -2891,7 +3031,7 @@ module Aws::KMS
     # corrupted, missing, or otherwise invalid.
     #
     # From the ImportKeyMaterial operation, the request was rejected because
-    # AWS KMS could not decrypt the encrypted (wrapped) key material.
+    # KMS could not decrypt the encrypted (wrapped) key material.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2932,7 +3072,7 @@ module Aws::KMS
     end
 
     # The request was rejected because the provided import token is invalid
-    # or is associated with a different customer master key (CMK).
+    # or is associated with a different KMS key.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -2947,20 +3087,20 @@ module Aws::KMS
 
     # The request was rejected for one of the following reasons:
     #
-    # * The `KeyUsage` value of the CMK is incompatible with the API
+    # * The `KeyUsage` value of the KMS key is incompatible with the API
     #   operation.
     #
     # * The encryption algorithm or signing algorithm specified for the
-    #   operation is incompatible with the type of key material in the CMK
-    #   `(CustomerMasterKeySpec`).
+    #   operation is incompatible with the type of key material in the KMS
+    #   key `(KeySpec`).
     #
     # For encrypting, decrypting, re-encrypting, and generating data keys,
     # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
-    # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK,
-    # use the DescribeKey operation.
+    # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS
+    # key, use the DescribeKey operation.
     #
     # To find the encryption or signing algorithms supported for a
-    # particular CMK, use the DescribeKey operation.
+    # particular KMS key, use the DescribeKey operation.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -3003,8 +3143,8 @@ module Aws::KMS
 
     # The request was rejected because the signature verification failed.
     # Signature verification fails when it cannot confirm that signature was
-    # produced by signing the specified message with the specified CMK and
-    # signing algorithm.
+    # produced by signing the specified message with the specified KMS key
+    # and signing algorithm.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -3020,9 +3160,9 @@ module Aws::KMS
     # The request was rejected because the state of the specified resource
     # is not valid for this request.
     #
-    # For more information about how key state affects the use of a CMK, see
-    # [How Key State Affects Use of a Customer Master Key][1] in the <i>
-    # <i>AWS Key Management Service Developer Guide</i> </i>.
+    # For more information about how key state affects the use of a KMS key,
+    # see [Key state: Effect on your KMS key][1] in the <i> <i>Key
+    # Management Service Developer Guide</i> </i>.
     #
     #
     #
@@ -3058,23 +3198,24 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # Contains metadata about a customer master key (CMK).
+    # Contains metadata about a KMS key.
     #
     # This data type is used as a response element for the CreateKey and
     # DescribeKey operations.
     #
     # @!attribute [rw] aws_account_id
-    #   The twelve-digit account ID of the AWS account that owns the CMK.
+    #   The twelve-digit account ID of the Amazon Web Services account that
+    #   owns the KMS key.
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The globally unique identifier for the CMK.
+    #   The globally unique identifier for the KMS key.
     #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The Amazon Resource Name (ARN) of the CMK. For examples, see [AWS
-    #   Key Management Service (AWS KMS)][1] in the Example ARNs section of
-    #   the *AWS General Reference*.
+    #   The Amazon Resource Name (ARN) of the KMS key. For examples, see
+    #   [Key Management Service (KMS)][1] in the Example ARNs section of the
+    #   *Amazon Web Services General Reference*.
     #
     #
     #
@@ -3082,20 +3223,20 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] creation_date
-    #   The date and time when the CMK was created.
+    #   The date and time when the KMS key was created.
     #   @return [Time]
     #
     # @!attribute [rw] enabled
-    #   Specifies whether the CMK is enabled. When `KeyState` is `Enabled`
-    #   this value is true, otherwise it is false.
+    #   Specifies whether the KMS key is enabled. When `KeyState` is
+    #   `Enabled` this value is true, otherwise it is false.
     #   @return [Boolean]
     #
     # @!attribute [rw] description
-    #   The description of the CMK.
+    #   The description of the KMS key.
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The [cryptographic operations][1] for which you can use the CMK.
+    #   The [cryptographic operations][1] for which you can use the KMS key.
     #
     #
     #
@@ -3103,11 +3244,11 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_state
-    #   The current status of the CMK.
+    #   The current status of the KMS key.
     #
-    #   For more information about how key state affects the use of a CMK,
-    #   see [Key state: Effect on your CMK][1] in the *AWS Key Management
-    #   Service Developer Guide*.
+    #   For more information about how key state affects the use of a KMS
+    #   key, see [Key state: Effect on your KMS key][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #
     #
@@ -3115,31 +3256,37 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
-    #   The date and time after which AWS KMS deletes the CMK. This value is
-    #   present only when `KeyState` is `PendingDeletion`.
+    #   The date and time after which KMS deletes this KMS key. This value
+    #   is present only when the KMS key is scheduled for deletion, that is,
+    #   when its `KeyState` is `PendingDeletion`.
+    #
+    #   When the primary key in a multi-Region key is scheduled for deletion
+    #   but still has replica keys, its key state is
+    #   `PendingReplicaDeletion` and the length of its waiting period is
+    #   displayed in the `PendingDeletionWindowInDays` field.
     #   @return [Time]
     #
     # @!attribute [rw] valid_to
     #   The time at which the imported key material expires. When the key
-    #   material expires, AWS KMS deletes the key material and the CMK
-    #   becomes unusable. This value is present only for CMKs whose `Origin`
-    #   is `EXTERNAL` and whose `ExpirationModel` is `KEY_MATERIAL_EXPIRES`,
-    #   otherwise this value is omitted.
+    #   material expires, KMS deletes the key material and the KMS key
+    #   becomes unusable. This value is present only for KMS keys whose
+    #   `Origin` is `EXTERNAL` and whose `ExpirationModel` is
+    #   `KEY_MATERIAL_EXPIRES`, otherwise this value is omitted.
     #   @return [Time]
     #
     # @!attribute [rw] origin
-    #   The source of the CMK's key material. When this value is `AWS_KMS`,
-    #   AWS KMS created the key material. When this value is `EXTERNAL`, the
-    #   key material was imported from your existing key management
-    #   infrastructure or the CMK lacks key material. When this value is
-    #   `AWS_CLOUDHSM`, the key material was created in the AWS CloudHSM
-    #   cluster associated with a custom key store.
+    #   The source of the key material for the KMS key. When this value is
+    #   `AWS_KMS`, KMS created the key material. When this value is
+    #   `EXTERNAL`, the key material was imported or the KMS key doesn't
+    #   have any key material. When this value is `AWS_CLOUDHSM`, the key
+    #   material was created in the CloudHSM cluster associated with a
+    #   custom key store.
     #   @return [String]
     #
     # @!attribute [rw] custom_key_store_id
     #   A unique identifier for the [custom key store][1] that contains the
-    #   CMK. This value is present only when the CMK is created in a custom
-    #   key store.
+    #   KMS key. This value is present only when the KMS key is created in a
+    #   custom key store.
     #
     #
     #
@@ -3147,11 +3294,11 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
-    #   The cluster ID of the AWS CloudHSM cluster that contains the key
-    #   material for the CMK. When you create a CMK in a [custom key
-    #   store][1], AWS KMS creates the key material for the CMK in the
-    #   associated AWS CloudHSM cluster. This value is present only when the
-    #   CMK is created in a custom key store.
+    #   The cluster ID of the CloudHSM cluster that contains the key
+    #   material for the KMS key. When you create a KMS key in a [custom key
+    #   store][1], KMS creates the key material for the KMS key in the
+    #   associated CloudHSM cluster. This value is present only when the KMS
+    #   key is created in a custom key store.
     #
     #
     #
@@ -3159,42 +3306,102 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] expiration_model
-    #   Specifies whether the CMK's key material expires. This value is
+    #   Specifies whether the KMS key's key material expires. This value is
     #   present only when `Origin` is `EXTERNAL`, otherwise this value is
     #   omitted.
     #   @return [String]
     #
     # @!attribute [rw] key_manager
-    #   The manager of the CMK. CMKs in your AWS account are either customer
-    #   managed or AWS managed. For more information about the difference,
-    #   see [Customer Master Keys][1] in the *AWS Key Management Service
-    #   Developer Guide*.
+    #   The manager of the KMS key. KMS keys in your Amazon Web Services
+    #   account are either customer managed or Amazon Web Services managed.
+    #   For more information about the difference, see [KMS keys][1] in the
+    #   *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
-    #   Describes the type of key material in the CMK.
+    #   Instead, use the `KeySpec` field.
+    #
+    #   The `KeySpec` and `CustomerMasterKeySpec` fields have the same
+    #   value. We recommend that you use the `KeySpec` field in your code.
+    #   However, to avoid breaking changes, KMS will support both fields.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_spec
+    #   Describes the type of key material in the KMS key.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
-    #   The encryption algorithms that the CMK supports. You cannot use the
-    #   CMK with other encryption algorithms within AWS KMS.
+    #   The encryption algorithms that the KMS key supports. You cannot use
+    #   the KMS key with other encryption algorithms within KMS.
     #
-    #   This field appears only when the `KeyUsage` of the CMK is
+    #   This value is present only when the `KeyUsage` of the KMS key is
     #   `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithms
-    #   The signing algorithms that the CMK supports. You cannot use the CMK
-    #   with other signing algorithms within AWS KMS.
+    #   The signing algorithms that the KMS key supports. You cannot use the
+    #   KMS key with other signing algorithms within KMS.
     #
-    #   This field appears only when the `KeyUsage` of the CMK is
+    #   This field appears only when the `KeyUsage` of the KMS key is
     #   `SIGN_VERIFY`.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] multi_region
+    #   Indicates whether the KMS key is a multi-Region (`True`) or regional
+    #   (`False`) key. This value is `True` for multi-Region primary and
+    #   replica keys and `False` for regional KMS keys.
+    #
+    #   For more information about multi-Region keys, see [Using
+    #   multi-Region keys][1] in the *Key Management Service Developer
+    #   Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] multi_region_configuration
+    #   Lists the primary and replica keys in same multi-Region key. This
+    #   field is present only when the value of the `MultiRegion` field is
+    #   `True`.
+    #
+    #   For more information about any listed KMS key, use the DescribeKey
+    #   operation.
+    #
+    #   * `MultiRegionKeyType` indicates whether the KMS key is a `PRIMARY`
+    #     or `REPLICA` key.
+    #
+    #   * `PrimaryKey` displays the key ARN and Region of the primary key.
+    #     This field displays the current KMS key if it is the primary key.
+    #
+    #   * `ReplicaKeys` displays the key ARNs and Regions of all replica
+    #     keys. This field includes the current KMS key if it is a replica
+    #     key.
+    #   @return [Types::MultiRegionConfiguration]
+    #
+    # @!attribute [rw] pending_deletion_window_in_days
+    #   The waiting period before the primary key in a multi-Region key is
+    #   deleted. This waiting period begins when the last of its replica
+    #   keys is deleted. This value is present only when the `KeyState` of
+    #   the KMS key is `PendingReplicaDeletion`. That indicates that the KMS
+    #   key is the primary key in a multi-Region key, it is scheduled for
+    #   deletion, and it still has existing replica keys.
+    #
+    #   When a single-Region KMS key or a multi-Region replica key is
+    #   scheduled for deletion, its deletion date is displayed in the
+    #   `DeletionDate` field. However, when the primary key in a
+    #   multi-Region key is scheduled for deletion, its waiting period
+    #   doesn't begin until all of its replica keys are deleted. This value
+    #   displays that waiting period. When the last replica key in the
+    #   multi-Region key is deleted, the `KeyState` of the scheduled primary
+    #   key changes from `PendingReplicaDeletion` to `PendingDeletion` and
+    #   the deletion date appears in the `DeletionDate` field.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
     #
     class KeyMetadata < Struct.new(
@@ -3214,14 +3421,18 @@ module Aws::KMS
       :expiration_model,
       :key_manager,
       :customer_master_key_spec,
+      :key_spec,
       :encryption_algorithms,
-      :signing_algorithms)
+      :signing_algorithms,
+      :multi_region,
+      :multi_region_configuration,
+      :pending_deletion_window_in_days)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The request was rejected because the specified CMK was not available.
-    # You can retry the request.
+    # The request was rejected because the specified KMS key was not
+    # available. You can retry the request.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -3235,8 +3446,8 @@ module Aws::KMS
     end
 
     # The request was rejected because a quota was exceeded. For more
-    # information, see [Quotas][1] in the *AWS Key Management Service
-    # Developer Guide*.
+    # information, see [Quotas][1] in the *Key Management Service Developer
+    # Guide*.
     #
     #
     #
@@ -3263,13 +3474,13 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Lists only aliases that are associated with the specified CMK. Enter
-    #   a CMK in your AWS account.
+    #   Lists only aliases that are associated with the specified KMS key.
+    #   Enter a KMS key in your Amazon Web Services account.
     #
     #   This parameter is optional. If you omit it, `ListAliases` returns
     #   all aliases in the account and Region.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -3278,13 +3489,13 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #
     #   This value is optional. If you include a value, it must be between 1
@@ -3347,7 +3558,7 @@ module Aws::KMS
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #
     #   This value is optional. If you include a value, it must be between 1
@@ -3362,11 +3573,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Returns only grants for the specified customer master key (CMK).
-    #   This parameter is required.
+    #   Returns only grants for the specified KMS key. This parameter is
+    #   required.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the KMS key. To specify a KMS key
+    #   in a different Amazon Web Services account, you must use the key
+    #   ARN.
     #
     #   For example:
     #
@@ -3375,7 +3587,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -3437,9 +3649,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets the names of key policies for the specified KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -3448,13 +3660,13 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #
     #   This value is optional. If you include a value, it must be between 1
@@ -3516,7 +3728,7 @@ module Aws::KMS
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #
     #   This value is optional. If you include a value, it must be between 1
@@ -3540,7 +3752,7 @@ module Aws::KMS
     end
 
     # @!attribute [rw] keys
-    #   A list of customer master keys (CMKs).
+    #   A list of KMS keys.
     #   @return [Array<Types::KeyListEntry>]
     #
     # @!attribute [rw] next_marker
@@ -3575,9 +3787,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Gets tags on the specified KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -3586,13 +3798,13 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #
     #   This value is optional. If you include a value, it must be between 1
@@ -3620,6 +3832,16 @@ module Aws::KMS
 
     # @!attribute [rw] tags
     #   A list of tags. Each tag consists of a tag key and a tag value.
+    #
+    #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
+    #   KMS key. For details, see [Using ABAC in KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] next_marker
@@ -3657,7 +3879,7 @@ module Aws::KMS
     #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
-    #   When this value is present, AWS KMS does not return more than the
+    #   When this value is present, KMS does not return more than the
     #   specified number of items, but it might return fewer.
     #
     #   This value is optional. If you include a value, it must be between 1
@@ -3673,12 +3895,13 @@ module Aws::KMS
     #
     # @!attribute [rw] retiring_principal
     #   The retiring principal for which to list grants. Enter a principal
-    #   in your AWS account.
+    #   in your Amazon Web Services account.
     #
     #   To specify the retiring principal, use the [Amazon Resource Name
-    #   (ARN)][1] of an AWS principal. Valid AWS principals include AWS
-    #   accounts (root), IAM users, federated users, and assumed role users.
-    #   For examples of the ARN syntax for specifying a principal, see [AWS
+    #   (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
+    #   Services principals include Amazon Web Services accounts (root), IAM
+    #   users, federated users, and assumed role users. For examples of the
+    #   ARN syntax for specifying a principal, see [Amazon Web Services
     #   Identity and Access Management (IAM)][2] in the Example ARNs section
     #   of the *Amazon Web Services General Reference*.
     #
@@ -3712,6 +3935,58 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # Describes the configuration of this multi-Region key. This field
+    # appears only when the KMS key is a primary or replica of a
+    # multi-Region key.
+    #
+    # For more information about any listed KMS key, use the DescribeKey
+    # operation.
+    #
+    # @!attribute [rw] multi_region_key_type
+    #   Indicates whether the KMS key is a `PRIMARY` or `REPLICA` key.
+    #   @return [String]
+    #
+    # @!attribute [rw] primary_key
+    #   Displays the key ARN and Region of the primary key. This field
+    #   includes the current KMS key if it is the primary key.
+    #   @return [Types::MultiRegionKey]
+    #
+    # @!attribute [rw] replica_keys
+    #   displays the key ARNs and Regions of all replica keys. This field
+    #   includes the current KMS key if it is a replica key.
+    #   @return [Array<Types::MultiRegionKey>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
+    #
+    class MultiRegionConfiguration < Struct.new(
+      :multi_region_key_type,
+      :primary_key,
+      :replica_keys)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Describes the primary or replica key in a multi-Region key.
+    #
+    # @!attribute [rw] arn
+    #   Displays the key ARN of a primary or replica key of a multi-Region
+    #   key.
+    #   @return [String]
+    #
+    # @!attribute [rw] region
+    #   Displays the Amazon Web Services Region of a primary or replica key
+    #   in a multi-Region key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
+    #
+    class MultiRegionKey < Struct.new(
+      :arn,
+      :region)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The request was rejected because the specified entity or resource
     # could not be found.
     #
@@ -3737,9 +4012,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Sets the key policy on the specified KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -3748,7 +4023,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -3757,31 +4032,31 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] policy
-    #   The key policy to attach to the CMK.
+    #   The key policy to attach to the KMS key.
     #
     #   The key policy must meet the following criteria:
     #
     #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
     #     key policy must allow the principal that is making the
     #     `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
-    #     on the CMK. This reduces the risk that the CMK becomes
+    #     on the KMS key. This reduces the risk that the KMS key becomes
     #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][1] section of the *AWS Key Management Service
+    #     [Default Key Policy][1] section of the *Key Management Service
     #     Developer Guide*.
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to AWS KMS. When you create a new AWS principal (for
-    #     example, an IAM user or role), you might need to enforce a delay
-    #     before including the new principal in a key policy because the new
-    #     principal might not be immediately visible to AWS KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *AWS Identity and Access Management User
-    #     Guide*.
+    #     visible to KMS. When you create a new Amazon Web Services
+    #     principal (for example, an IAM user or role), you might need to
+    #     enforce a delay before including the new principal in a key policy
+    #     because the new principal might not be immediately visible to KMS.
+    #     For more information, see [Changes that I make are not always
+    #     immediately visible][2] in the *Amazon Web Services Identity and
+    #     Access Management User Guide*.
     #
     #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
-    #   information, see [Resource Quotas][3] in the *AWS Key Management
-    #   Service Developer Guide*.
+    #   information, see [Resource Quotas][3] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
@@ -3794,16 +4069,16 @@ module Aws::KMS
     #   A flag to indicate whether to bypass the key policy lockout safety
     #   check.
     #
-    #   Setting this value to true increases the risk that the CMK becomes
-    #   unmanageable. Do not set this value to true indiscriminately.
+    #   Setting this value to true increases the risk that the KMS key
+    #   becomes unmanageable. Do not set this value to true
+    #   indiscriminately.
     #
     #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *AWS Key Management Service Developer
-    #   Guide*.
+    #   Policy][1] section in the *Key Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
     #   that is making the request from making a subsequent `PutKeyPolicy`
-    #   request on the CMK.
+    #   request on the KMS key.
     #
     #   The default value is false.
     #
@@ -3855,9 +4130,9 @@ module Aws::KMS
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3866,20 +4141,21 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] source_key_id
-    #   Specifies the customer master key (CMK) that AWS KMS will use to
-    #   decrypt the ciphertext before it is re-encrypted. Enter a key ID of
-    #   the CMK that was used to encrypt the ciphertext.
+    #   Specifies the KMS key that KMS will use to decrypt the ciphertext
+    #   before it is re-encrypted. Enter a key ID of the KMS key that was
+    #   used to encrypt the ciphertext.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can
-    #   get the CMK from metadata that it adds to the symmetric ciphertext
-    #   blob. However, it is always recommended as a best practice. This
-    #   practice ensures that you use the CMK that you intend.
+    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS
+    #   can get the KMS key from metadata that it adds to the symmetric
+    #   ciphertext blob. However, it is always recommended as a best
+    #   practice. This practice ensures that you use the KMS key that you
+    #   intend.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -3892,20 +4168,20 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
     # @!attribute [rw] destination_key_id
-    #   A unique identifier for the CMK that is used to reencrypt the data.
-    #   Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
-    #   `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
-    #   DescribeKey operation.
+    #   A unique identifier for the KMS key that is used to reencrypt the
+    #   data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
+    #   value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS
+    #   key, use the DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -3918,7 +4194,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -3927,17 +4203,17 @@ module Aws::KMS
     #   data.
     #
     #   A destination encryption context is valid only when the destination
-    #   CMK is a symmetric CMK. The standard ciphertext format for
-    #   asymmetric CMKs does not include fields for metadata.
+    #   KMS key is a symmetric KMS key. The standard ciphertext format for
+    #   asymmetric KMS keys does not include fields for metadata.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
     #   An encryption context is optional when encrypting with a symmetric
-    #   CMK, but it is highly recommended.
+    #   KMS key, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3946,37 +4222,40 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] source_encryption_algorithm
-    #   Specifies the encryption algorithm that AWS KMS will use to decrypt
-    #   the ciphertext before it is reencrypted. The default value,
-    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
-    #   CMKs.
+    #   Specifies the encryption algorithm that KMS will use to decrypt the
+    #   ciphertext before it is reencrypted. The default value,
+    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
+    #   keys.
     #
     #   Specify the same algorithm that was used to encrypt the ciphertext.
     #   If you specify a different algorithm, the decrypt attempt fails.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric CMK.
+    #   under an asymmetric KMS key.
     #   @return [String]
     #
     # @!attribute [rw] destination_encryption_algorithm
-    #   Specifies the encryption algorithm that AWS KMS will use to reecrypt
-    #   the data after it has decrypted it. The default value,
+    #   Specifies the encryption algorithm that KMS will use to reecrypt the
+    #   data after it has decrypted it. The default value,
     #   `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
-    #   symmetric CMKs.
+    #   symmetric KMS keys.
     #
-    #   This parameter is required only when the destination CMK is an
-    #   asymmetric CMK.
+    #   This parameter is required only when the destination KMS key is an
+    #   asymmetric KMS key.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
@@ -3995,17 +4274,19 @@ module Aws::KMS
     end
 
     # @!attribute [rw] ciphertext_blob
-    #   The reencrypted data. When you use the HTTP API or the AWS CLI, the
-    #   value is Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   The reencrypted data. When you use the HTTP API or the Amazon Web
+    #   Services CLI, the value is Base64-encoded. Otherwise, it is not
+    #   Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] source_key_id
-    #   Unique identifier of the CMK used to originally encrypt the data.
+    #   Unique identifier of the KMS key used to originally encrypt the
+    #   data.
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
-    #   reencrypt the data.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
+    #   to reencrypt the data.
     #
     #
     #
@@ -4033,6 +4314,222 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass ReplicateKeyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         replica_region: "RegionType", # required
+    #         policy: "PolicyType",
+    #         bypass_policy_lockout_safety_check: false,
+    #         description: "DescriptionType",
+    #         tags: [
+    #           {
+    #             tag_key: "TagKeyType", # required
+    #             tag_value: "TagValueType", # required
+    #           },
+    #         ],
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies the multi-Region primary key that is being replicated. To
+    #   determine whether a KMS key is a multi-Region primary key, use the
+    #   DescribeKey operation to check the value of the `MultiRegionKeyType`
+    #   property.
+    #
+    #   Specify the key ID or key ARN of a multi-Region primary key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #   @return [String]
+    #
+    # @!attribute [rw] replica_region
+    #   The Region ID of the Amazon Web Services Region for this replica
+    #   key.
+    #
+    #   Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
+    #   list of Amazon Web Services Regions in which KMS is supported, see
+    #   [KMS service endpoints][1] in the *Amazon Web Services General
+    #   Reference*.
+    #
+    #   The replica must be in a different Amazon Web Services Region than
+    #   its primary key and other replicas of that primary key, but in the
+    #   same Amazon Web Services partition. KMS must be available in the
+    #   replica Region. If the Region is not enabled by default, the Amazon
+    #   Web Services account must be enabled in the Region.
+    #
+    #   For information about Amazon Web Services partitions, see [Amazon
+    #   Resource Names (ARNs) in the *Amazon Web Services General
+    #   Reference*.][2] For information about enabling and disabling
+    #   Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
+    #   the *Amazon Web Services General Reference*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
+    #   @return [String]
+    #
+    # @!attribute [rw] policy
+    #   The key policy to attach to the KMS key. This parameter is optional.
+    #   If you do not provide a key policy, KMS attaches the [default key
+    #   policy][1] to the KMS key.
+    #
+    #   The key policy is not a shared property of multi-Region keys. You
+    #   can specify the same key policy or a different key policy for each
+    #   key in a set of related multi-Region keys. KMS does not synchronize
+    #   this property.
+    #
+    #   If you provide a key policy, it must meet the following criteria:
+    #
+    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
+    #     key policy must give the caller `kms:PutKeyPolicy` permission on
+    #     the replica key. This reduces the risk that the KMS key becomes
+    #     unmanageable. For more information, refer to the scenario in the
+    #     [Default Key Policy][2] section of the <i> <i>Key Management
+    #     Service Developer Guide</i> </i>.
+    #
+    #   * Each statement in the key policy must contain one or more
+    #     principals. The principals in the key policy must exist and be
+    #     visible to KMS. When you create a new Amazon Web Services
+    #     principal (for example, an IAM user or role), you might need to
+    #     enforce a delay before including the new principal in a key policy
+    #     because the new principal might not be immediately visible to KMS.
+    #     For more information, see [Changes that I make are not always
+    #     immediately visible][3] in the <i> <i>Identity and Access
+    #     Management User Guide</i> </i>.
+    #
+    #   * The key policy size quota is 32 kilobytes (32768 bytes).
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   @return [String]
+    #
+    # @!attribute [rw] bypass_policy_lockout_safety_check
+    #   A flag to indicate whether to bypass the key policy lockout safety
+    #   check.
+    #
+    #   Setting this value to true increases the risk that the KMS key
+    #   becomes unmanageable. Do not set this value to true
+    #   indiscriminately.
+    #
+    #    For more information, refer to the scenario in the [Default Key
+    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #
+    #   Use this parameter only when you intend to prevent the principal
+    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   request on the KMS key.
+    #
+    #   The default value is false.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] description
+    #   A description of the KMS key. The default value is an empty string
+    #   (no description).
+    #
+    #   The description is not a shared property of multi-Region keys. You
+    #   can specify the same description or a different description for each
+    #   key in a set of related multi-Region keys. KMS does not synchronize
+    #   this property.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   Assigns one or more tags to the replica key. Use this parameter to
+    #   tag the KMS key when it is created. To tag an existing KMS key, use
+    #   the TagResource operation.
+    #
+    #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
+    #   KMS key. For details, see [Using ABAC in KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #    </note>
+    #
+    #   To use this parameter, you must have [kms:TagResource][2] permission
+    #   in an IAM policy.
+    #
+    #   Tags are not a shared property of multi-Region keys. You can specify
+    #   the same tags or different tags for each key in a set of related
+    #   multi-Region keys. KMS does not synchronize this property.
+    #
+    #   Each tag consists of a tag key and a tag value. Both the tag key and
+    #   the tag value are required, but the tag value can be an empty (null)
+    #   string. You cannot have more than one tag on a KMS key with the same
+    #   tag key. If you specify an existing tag key with a different tag
+    #   value, KMS replaces the current tag value with the specified one.
+    #
+    #   When you add tags to an Amazon Web Services resource, Amazon Web
+    #   Services generates a cost allocation report with usage and costs
+    #   aggregated by tags. Tags can also be used to control access to a KMS
+    #   key. For details, see [Tagging Keys][3].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation
+    #
+    class ReplicateKeyRequest < Struct.new(
+      :key_id,
+      :replica_region,
+      :policy,
+      :bypass_policy_lockout_safety_check,
+      :description,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] replica_key_metadata
+    #   Displays details about the new replica key, including its Amazon
+    #   Resource Name ([key ARN][1]) and [key state][2]. It also includes
+    #   the ARN and Amazon Web Services Region of its primary key and other
+    #   replica keys.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    #   @return [Types::KeyMetadata]
+    #
+    # @!attribute [rw] replica_policy
+    #   The key policy of the new replica key. The value is a key policy
+    #   document in JSON format.
+    #   @return [String]
+    #
+    # @!attribute [rw] replica_tags
+    #   The tags on the new replica key. The value is a list of tag key and
+    #   tag value pairs.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyResponse AWS API Documentation
+    #
+    class ReplicateKeyResponse < Struct.new(
+      :replica_key_metadata,
+      :replica_policy,
+      :replica_tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass RetireGrantRequest
     #   data as a hash:
     #
@@ -4043,19 +4540,31 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] grant_token
-    #   Token that identifies the grant to be retired.
+    #   Identifies the grant to be retired. You can use a grant token to
+    #   identify a new grant even before it has achieved eventual
+    #   consistency.
+    #
+    #   Only the CreateGrant operation returns a grant token. For details,
+    #   see [Grant token][1] and [Eventual consistency][2] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name (ARN) of the CMK associated with the grant.
+    #   The key ARN KMS key associated with the grant. To find the key ARN,
+    #   use the ListKeys operation.
     #
     #   For example:
     #   `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #   @return [String]
     #
     # @!attribute [rw] grant_id
-    #   Unique identifier of the grant to retire. The grant ID is returned
-    #   in the response to a `CreateGrant` operation.
+    #   Identifies the grant to retire. To get the grant ID, use
+    #   CreateGrant, ListGrants, or ListRetirableGrants.
     #
     #   * Grant ID Example -
     #     0123456789012345678901234567890123456789012345678901234567890123
@@ -4082,11 +4591,13 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key associated with the
-    #   grant.
+    #   A unique identifier for the KMS key associated with the grant. To
+    #   get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
-    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #   Specify the key ID or key ARN of the KMS key. To specify a KMS key
+    #   in a different Amazon Web Services account, you must use the key
+    #   ARN.
     #
     #   For example:
     #
@@ -4095,12 +4606,13 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] grant_id
-    #   Identifier of the grant to be revoked.
+    #   Identifies the grant to revoke. To get the grant ID, use
+    #   CreateGrant, ListGrants, or ListRetirableGrants.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
@@ -4121,9 +4633,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   The unique identifier of the customer master key (CMK) to delete.
+    #   The unique identifier of the KMS key to delete.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -4132,13 +4644,17 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] pending_window_in_days
     #   The waiting period, specified in number of days. After the waiting
-    #   period ends, AWS KMS deletes the customer master key (CMK).
+    #   period ends, KMS deletes the KMS key.
+    #
+    #   If the KMS key is a multi-Region primary key with replicas, the
+    #   waiting period begins when the last of its replica keys is deleted.
+    #   Otherwise, the waiting period begins immediately.
     #
     #   This value is optional. If you include a value, it must be between 7
     #   and 30, inclusive. If you do not include a value, it defaults to 30.
@@ -4154,8 +4670,8 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
-    #   scheduled.
+    #   The Amazon Resource Name ([key ARN][1]) of the KMS key whose
+    #   deletion is scheduled.
     #
     #
     #
@@ -4163,15 +4679,40 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
-    #   The date and time after which AWS KMS deletes the customer master
-    #   key (CMK).
+    #   The date and time after which KMS deletes the KMS key.
+    #
+    #   If the KMS key is a multi-Region primary key with replica keys, this
+    #   field does not appear. The deletion date for the primary key isn't
+    #   known until its last replica key is deleted.
     #   @return [Time]
     #
+    # @!attribute [rw] key_state
+    #   The current status of the KMS key.
+    #
+    #   For more information about how key state affects the use of a KMS
+    #   key, see [Key state: Effect on your KMS key][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    #   @return [String]
+    #
+    # @!attribute [rw] pending_window_in_days
+    #   The waiting period before the KMS key is deleted.
+    #
+    #   If the KMS key is a multi-Region primary key with replicas, the
+    #   waiting period begins when the last of its replica keys is deleted.
+    #   Otherwise, the waiting period begins immediately.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionResponse AWS API Documentation
     #
     class ScheduleKeyDeletionResponse < Struct.new(
       :key_id,
-      :deletion_date)
+      :deletion_date,
+      :key_state,
+      :pending_window_in_days)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4188,15 +4729,15 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies an asymmetric CMK. AWS KMS uses the private key in the
-    #   asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
-    #   must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
-    #   DescribeKey operation.
+    #   Identifies an asymmetric KMS key. KMS uses the private key in the
+    #   asymmetric KMS key to sign the message. The `KeyUsage` type of the
+    #   KMS key must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS key,
+    #   use the DescribeKey operation.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -4209,7 +4750,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -4217,32 +4758,35 @@ module Aws::KMS
     #   Specifies the message or message digest to sign. Messages can be
     #   0-4096 bytes. To sign a larger message, provide the message digest.
     #
-    #   If you provide a message, AWS KMS generates a hash digest of the
-    #   message and then signs it.
+    #   If you provide a message, KMS generates a hash digest of the message
+    #   and then signs it.
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. The default value, RAW, indicates a
-    #   message. To indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter is a message
+    #   or message digest. The default value, RAW, indicates a message. To
+    #   indicate a message digest, enter `DIGEST`.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithm
     #   Specifies the signing algorithm to use when signing the message.
     #
     #   Choose an algorithm that is compatible with the type and size of the
-    #   specified asymmetric CMK.
+    #   specified asymmetric KMS key.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
@@ -4258,8 +4802,8 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
-    #   was used to sign the message.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
+    #   that was used to sign the message.
     #
     #
     #
@@ -4278,8 +4822,8 @@ module Aws::KMS
     #     2.2.3][2]. This is the most commonly used signature format and is
     #     appropriate for most uses.
     #
-    #   When you use the HTTP API or the AWS CLI, the value is
-    #   Base64-encoded. Otherwise, it is not Base64-encoded.
+    #   When you use the HTTP API or the Amazon Web Services CLI, the value
+    #   is Base64-encoded. Otherwise, it is not Base64-encoded.
     #
     #
     #
@@ -4306,8 +4850,8 @@ module Aws::KMS
     # (null) strings.
     #
     # For information about the rules that apply to tag keys and tag values,
-    # see [User-Defined Tag Restrictions][1] in the *AWS Billing and Cost
-    # Management User Guide*.
+    # see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
+    # Billing and Cost Management User Guide*.
     #
     #
     #
@@ -4365,9 +4909,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies a customer managed CMK in the account and Region.
+    #   Identifies a customer managed key in the account and Region.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -4376,7 +4920,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -4386,9 +4930,9 @@ module Aws::KMS
     #   Each tag consists of a tag key and a tag value. The tag value can be
     #   an empty (null) string.
     #
-    #   You cannot have more than one tag on a CMK with the same tag key. If
-    #   you specify an existing tag key with a different tag value, AWS KMS
-    #   replaces the current tag value with the specified one.
+    #   You cannot have more than one tag on a KMS key with the same tag
+    #   key. If you specify an existing tag key with a different tag value,
+    #   KMS replaces the current tag value with the specified one.
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResourceRequest AWS API Documentation
@@ -4423,9 +4967,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies the CMK from which you are removing tags.
+    #   Identifies the KMS key from which you are removing tags.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -4434,7 +4978,7 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
@@ -4460,23 +5004,23 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] alias_name
-    #   Identifies the alias that is changing its CMK. This value must begin
-    #   with `alias/` followed by the alias name, such as
+    #   Identifies the alias that is changing its KMS key. This value must
+    #   begin with `alias/` followed by the alias name, such as
     #   `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
     #   name.
     #   @return [String]
     #
     # @!attribute [rw] target_key_id
-    #   Identifies the [customer managed CMK][1] to associate with the
-    #   alias. You don't have permission to associate an alias with an [AWS
-    #   managed CMK][2].
+    #   Identifies the [customer managed key][1] to associate with the
+    #   alias. You don't have permission to associate an alias with an
+    #   [Amazon Web Services managed key][2].
     #
-    #   The CMK must be in the same AWS account and Region as the alias.
-    #   Also, the new target CMK must be the same type as the current target
-    #   CMK (both symmetric or both asymmetric) and they must have the same
-    #   key usage.
+    #   The KMS key must be in the same Amazon Web Services account and
+    #   Region as the alias. Also, the new target KMS key must be the same
+    #   type as the current target KMS key (both symmetric or both
+    #   asymmetric) and they must have the same key usage.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -4485,10 +5029,10 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
-    #   To verify that the alias is mapped to the correct CMK, use
+    #   To verify that the alias is mapped to the correct KMS key, use
     #   ListAliases.
     #
     #
@@ -4524,21 +5068,21 @@ module Aws::KMS
     #
     # @!attribute [rw] new_custom_key_store_name
     #   Changes the friendly name of the custom key store to the value that
-    #   you specify. The custom key store name must be unique in the AWS
-    #   account.
+    #   you specify. The custom key store name must be unique in the Amazon
+    #   Web Services account.
     #   @return [String]
     #
     # @!attribute [rw] key_store_password
     #   Enter the current password of the `kmsuser` crypto user (CU) in the
-    #   AWS CloudHSM cluster that is associated with the custom key store.
+    #   CloudHSM cluster that is associated with the custom key store.
     #
-    #   This parameter tells AWS KMS the current password of the `kmsuser`
+    #   This parameter tells KMS the current password of the `kmsuser`
     #   crypto user (CU). It does not set or change the password of any
-    #   users in the AWS CloudHSM cluster.
+    #   users in the CloudHSM cluster.
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
-    #   Associates the custom key store with a related AWS CloudHSM cluster.
+    #   Associates the custom key store with a related CloudHSM cluster.
     #
     #   Enter the cluster ID of the cluster that you used to create the
     #   custom key store or a cluster that shares a backup history and has
@@ -4579,9 +5123,9 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   A unique identifier for the customer master key (CMK).
+    #   Updates the description of the specified KMS key.
     #
-    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #   Specify the key ID or key ARN of the KMS key.
     #
     #   For example:
     #
@@ -4590,12 +5134,12 @@ module Aws::KMS
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   New description for the CMK.
+    #   New description for the KMS key.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
@@ -4607,6 +5151,49 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass UpdatePrimaryRegionRequest
+    #   data as a hash:
+    #
+    #       {
+    #         key_id: "KeyIdType", # required
+    #         primary_region: "RegionType", # required
+    #       }
+    #
+    # @!attribute [rw] key_id
+    #   Identifies the current primary key. When the operation completes,
+    #   this KMS key will be a replica key.
+    #
+    #   Specify the key ID or key ARN of a multi-Region primary key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #   @return [String]
+    #
+    # @!attribute [rw] primary_region
+    #   The Amazon Web Services Region of the new primary key. Enter the
+    #   Region ID, such as `us-east-1` or `ap-southeast-2`. There must be an
+    #   existing replica key in this Region.
+    #
+    #   When the operation completes, the multi-Region key in this Region
+    #   will be the primary key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegionRequest AWS API Documentation
+    #
+    class UpdatePrimaryRegionRequest < Struct.new(
+      :key_id,
+      :primary_region)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass VerifyRequest
     #   data as a hash:
     #
@@ -4620,15 +5207,15 @@ module Aws::KMS
     #       }
     #
     # @!attribute [rw] key_id
-    #   Identifies the asymmetric CMK that will be used to verify the
-    #   signature. This must be the same CMK that was used to generate the
-    #   signature. If you specify a different CMK, the signature
+    #   Identifies the asymmetric KMS key that will be used to verify the
+    #   signature. This must be the same KMS key that was used to generate
+    #   the signature. If you specify a different KMS key, the signature
     #   verification fails.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`. To specify a CMK in a different AWS account, you must
-    #   use the key ARN or alias ARN.
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
     #
     #   For example:
     #
@@ -4641,7 +5228,7 @@ module Aws::KMS
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
     #   @return [String]
     #
@@ -4656,9 +5243,9 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. The default value, RAW, indicates a
-    #   message. To indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter is a message
+    #   or message digest. The default value, RAW, indicates a message. To
+    #   indicate a message digest, enter `DIGEST`.
     #
     #   Use the `DIGEST` value only when the value of the `Message`
     #   parameter is a message digest. If you use the `DIGEST` value with a
@@ -4678,12 +5265,15 @@ module Aws::KMS
     # @!attribute [rw] grant_tokens
     #   A list of grant tokens.
     #
-    #   For more information, see [Grant Tokens][1] in the *AWS Key
-    #   Management Service Developer Guide*.
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
@@ -4700,8 +5290,8 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
-    #   was used to verify the signature.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
+    #   that was used to verify the signature.
     #
     #
     #