aws-sdk-kms 1.52.0 → 1.72.0

data/lib/aws-sdk-kms/types.rb

@@ -61,13 +61,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CancelKeyDeletionRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the KMS key whose deletion is being canceled.
     #
@@ -110,14 +103,14 @@ module Aws::KMS
     end
 
     # The request was rejected because the specified CloudHSM cluster is
-    # already associated with a custom key store or it shares a backup
-    # history with a cluster that is associated with a custom key store.
-    # Each custom key store must be associated with a different CloudHSM
-    # cluster.
+    # already associated with an CloudHSM key store in the account, or it
+    # shares a backup history with an CloudHSM key store in the account.
+    # Each CloudHSM key store in the account must be associated with a
+    # different CloudHSM cluster.
     #
-    # Clusters that share a backup history have the same cluster
-    # certificate. To view the cluster certificate of a cluster, use the
-    # [DescribeClusters][1] operation.
+    # CloudHSM clusters that share a backup history have the same cluster
+    # certificate. To view the cluster certificate of an CloudHSM cluster,
+    # use the [DescribeClusters][1] operation.
     #
     #
     #
@@ -135,22 +128,23 @@ module Aws::KMS
     end
 
     # The request was rejected because the associated CloudHSM cluster did
-    # not meet the configuration requirements for a custom key store.
+    # not meet the configuration requirements for an CloudHSM key store.
     #
-    # * The cluster must be configured with private subnets in at least two
-    #   different Availability Zones in the Region.
+    # * The CloudHSM cluster must be configured with private subnets in at
+    #   least two different Availability Zones in the Region.
     #
     # * The [security group for the cluster][1]
     #   (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
     #   rules and outbound rules that allow TCP traffic on ports 2223-2225.
     #   The **Source** in the inbound rules and the **Destination** in the
     #   outbound rules must match the security group ID. These rules are set
-    #   by default when you create the cluster. Do not delete or change
-    #   them. To get information about a particular security group, use the
-    #   [DescribeSecurityGroups][2] operation.
+    #   by default when you create the CloudHSM cluster. Do not delete or
+    #   change them. To get information about a particular security group,
+    #   use the [DescribeSecurityGroups][2] operation.
     #
-    # * The cluster must contain at least as many HSMs as the operation
-    #   requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
+    # * The CloudHSM cluster must contain at least as many HSMs as the
+    #   operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
+    #   operation.
     #
     #   For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
     #   operations, the CloudHSM cluster must have at least two active HSMs,
@@ -158,7 +152,7 @@ module Aws::KMS
     #   operation, the CloudHSM must contain at least one active HSM.
     #
     # For information about the requirements for an CloudHSM cluster that is
-    # associated with a custom key store, see [Assemble the
+    # associated with an CloudHSM key store, see [Assemble the
     # Prerequisites][4] in the *Key Management Service Developer Guide*. For
     # information about creating a private subnet for an CloudHSM cluster,
     # see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
@@ -184,10 +178,10 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because the CloudHSM cluster that is
-    # associated with the custom key store is not active. Initialize and
-    # activate the cluster and try the command again. For detailed
-    # instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
+    # The request was rejected because the CloudHSM cluster associated with
+    # the CloudHSM key store is not active. Initialize and activate the
+    # cluster and try the command again. For detailed instructions, see
+    # [Getting Started][1] in the *CloudHSM User Guide*.
     #
     #
     #
@@ -221,16 +215,17 @@ module Aws::KMS
 
     # The request was rejected because the specified CloudHSM cluster has a
     # different cluster certificate than the original cluster. You cannot
-    # use the operation to specify an unrelated cluster.
+    # use the operation to specify an unrelated cluster for an CloudHSM key
+    # store.
     #
-    # Specify a cluster that shares a backup history with the original
-    # cluster. This includes clusters that were created from a backup of the
-    # current cluster, and clusters that were created from the same backup
-    # that produced the current cluster.
+    # Specify an CloudHSM cluster that shares a backup history with the
+    # original cluster. This includes clusters that were created from a
+    # backup of the current cluster, and clusters that were created from the
+    # same backup that produced the current cluster.
     #
-    # Clusters that share a backup history have the same cluster
-    # certificate. To view the cluster certificate of a cluster, use the
-    # [DescribeClusters][1] operation.
+    # CloudHSM clusters that share a backup history have the same cluster
+    # certificate. To view the cluster certificate of an CloudHSM cluster,
+    # use the [DescribeClusters][1] operation.
     #
     #
     #
@@ -247,13 +242,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ConnectCustomKeyStoreRequest
-    #   data as a hash:
-    #
-    #       {
-    #         custom_key_store_id: "CustomKeyStoreIdType", # required
-    #       }
-    #
     # @!attribute [rw] custom_key_store_id
     #   Enter the key store ID of the custom key store that you want to
     #   connect. To find the ID of a custom key store, use the
@@ -272,18 +260,14 @@ module Aws::KMS
     #
     class ConnectCustomKeyStoreResponse < Aws::EmptyStructure; end
 
-    # @note When making an API call, you may pass CreateAliasRequest
-    #   data as a hash:
-    #
-    #       {
-    #         alias_name: "AliasNameType", # required
-    #         target_key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] alias_name
     #   Specifies the alias name. This value must begin with `alias/`
     #   followed by a name, such as `alias/ExampleAlias`.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   The `AliasName` value must be string of 1-256 characters. It can
     #   contain only alphanumeric characters, forward slashes (/),
     #   underscores (\_), and dashes (-). The alias name cannot begin with
@@ -333,26 +317,24 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CreateCustomKeyStoreRequest
-    #   data as a hash:
-    #
-    #       {
-    #         custom_key_store_name: "CustomKeyStoreNameType", # required
-    #         cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
-    #         trust_anchor_certificate: "TrustAnchorCertificateType", # required
-    #         key_store_password: "KeyStorePasswordType", # required
-    #       }
-    #
     # @!attribute [rw] custom_key_store_name
     #   Specifies a friendly name for the custom key store. The name must be
-    #   unique in your Amazon Web Services account.
+    #   unique in your Amazon Web Services account and Region. This
+    #   parameter is required for all custom key stores.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
-    #   Identifies the CloudHSM cluster for the custom key store. Enter the
-    #   cluster ID of any active CloudHSM cluster that is not already
-    #   associated with a custom key store. To find the cluster ID, use the
-    #   [DescribeClusters][1] operation.
+    #   Identifies the CloudHSM cluster for an CloudHSM key store. This
+    #   parameter is required for custom key stores with
+    #   `CustomKeyStoreType` of `AWS_CLOUDHSM`.
+    #
+    #   Enter the cluster ID of any active CloudHSM cluster that is not
+    #   already associated with a custom key store. To find the cluster ID,
+    #   use the [DescribeClusters][1] operation.
     #
     #
     #
@@ -360,9 +342,13 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] trust_anchor_certificate
-    #   Enter the content of the trust anchor certificate for the cluster.
-    #   This is the content of the `customerCA.crt` file that you created
-    #   when you [initialized the cluster][1].
+    #   Specifies the certificate for an CloudHSM key store. This parameter
+    #   is required for custom key stores with a `CustomKeyStoreType` of
+    #   `AWS_CLOUDHSM`.
+    #
+    #   Enter the content of the trust anchor certificate for the CloudHSM
+    #   cluster. This is the content of the `customerCA.crt` file that you
+    #   created when you [initialized the cluster][1].
     #
     #
     #
@@ -370,6 +356,10 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_store_password
+    #   Specifies the `kmsuser` password for an CloudHSM key store. This
+    #   parameter is required for custom key stores with a
+    #   `CustomKeyStoreType` of `AWS_CLOUDHSM`.
+    #
     #   Enter the password of the [ `kmsuser` crypto user (CU) account][1]
     #   in the specified CloudHSM cluster. KMS logs into the cluster as this
     #   user to manage key material on your behalf.
@@ -385,13 +375,167 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
     #   @return [String]
     #
+    # @!attribute [rw] custom_key_store_type
+    #   Specifies the type of custom key store. The default value is
+    #   `AWS_CLOUDHSM`.
+    #
+    #   For a custom key store backed by an CloudHSM cluster, omit the
+    #   parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
+    #   an external key manager outside of Amazon Web Services, enter
+    #   `EXTERNAL_KEY_STORE`. You cannot change this property after the key
+    #   store is created.
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_uri_endpoint
+    #   Specifies the endpoint that KMS uses to send requests to the
+    #   external key store proxy (XKS proxy). This parameter is required for
+    #   custom key stores with a `CustomKeyStoreType` of
+    #   `EXTERNAL_KEY_STORE`.
+    #
+    #   The protocol must be HTTPS. KMS communicates on port 443. Do not
+    #   specify the port in the `XksProxyUriEndpoint` value.
+    #
+    #   For external key stores with `XksProxyConnectivity` value of
+    #   `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
+    #   DNS name of the VPC endpoint service.
+    #
+    #   For external key stores with `PUBLIC_ENDPOINT` connectivity, this
+    #   endpoint must be reachable before you create the custom key store.
+    #   KMS connects to the external key store proxy while creating the
+    #   custom key store. For external key stores with
+    #   `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
+    #   ConnectCustomKeyStore operation.
+    #
+    #   The value of this parameter must begin with `https://`. The
+    #   remainder can contain upper and lower case letters (A-Z and a-z),
+    #   numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
+    #   (`/` and ``) are not permitted.
+    #
+    #   <b>Uniqueness requirements: </b>
+    #
+    #   * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
+    #     must be unique in the Amazon Web Services account and Region.
+    #
+    #   * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
+    #     use the same `XksProxyUriEndpoint` value as an external key store
+    #     with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
+    #     Services Region.
+    #
+    #   * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
+    #     must have its own private DNS name. The `XksProxyUriEndpoint`
+    #     value for external key stores with `VPC_ENDPOINT_SERVICE`
+    #     connectivity (private DNS name) must be unique in the Amazon Web
+    #     Services account and Region.
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_uri_path
+    #   Specifies the base path to the proxy APIs for this external key
+    #   store. To find this value, see the documentation for your external
+    #   key store proxy. This parameter is required for all custom key
+    #   stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
+    #
+    #   The value must start with `/` and must end with `/kms/xks/v1` where
+    #   `v1` represents the version of the KMS external key store proxy API.
+    #   This path can include an optional prefix between the required
+    #   elements such as `/prefix/kms/xks/v1`.
+    #
+    #   <b>Uniqueness requirements: </b>
+    #
+    #   * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
+    #     must be unique in the Amazon Web Services account and Region.
+    #
+    #   ^
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
+    #   Specifies the name of the Amazon VPC endpoint service for interface
+    #   endpoints that is used to communicate with your external key store
+    #   proxy (XKS proxy). This parameter is required when the value of
+    #   `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
+    #   `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
+    #
+    #   The Amazon VPC endpoint service must [fulfill all requirements][1]
+    #   for use with an external key store.
+    #
+    #   **Uniqueness requirements:**
+    #
+    #   * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
+    #     share an Amazon VPC, but each external key store must have its own
+    #     VPC endpoint service and private DNS name.
+    #
+    #   ^
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_authentication_credential
+    #   Specifies an authentication credential for the external key store
+    #   proxy (XKS proxy). This parameter is required for all custom key
+    #   stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
+    #
+    #   The `XksProxyAuthenticationCredential` has two required elements:
+    #   `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
+    #   identifier for the `RawSecretAccessKey`. For character requirements,
+    #   see
+    #   [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
+    #
+    #   KMS uses this authentication credential to sign requests to the
+    #   external key store proxy on your behalf. This credential is
+    #   unrelated to Identity and Access Management (IAM) and Amazon Web
+    #   Services credentials.
+    #
+    #   This parameter doesn't set or change the authentication credentials
+    #   on the XKS proxy. It just tells KMS the credential that you
+    #   established on your external key store proxy. If you rotate your
+    #   proxy authentication credential, use the UpdateCustomKeyStore
+    #   operation to provide the new credential to KMS.
+    #   @return [Types::XksProxyAuthenticationCredentialType]
+    #
+    # @!attribute [rw] xks_proxy_connectivity
+    #   Indicates how KMS communicates with the external key store proxy.
+    #   This parameter is required for custom key stores with a
+    #   `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
+    #
+    #   If the external key store proxy uses a public endpoint, specify
+    #   `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
+    #   endpoint service for communication with KMS, specify
+    #   `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
+    #   connectivity option][1] in the *Key Management Service Developer
+    #   Guide*.
+    #
+    #   An Amazon VPC endpoint service keeps your communication with KMS in
+    #   a private address space entirely within Amazon Web Services, but it
+    #   requires more configuration, including establishing a Amazon VPC
+    #   with multiple subnets, a VPC endpoint service, a network load
+    #   balancer, and a verified private DNS name. A public endpoint is
+    #   simpler to set up, but it might be slower and might not fulfill your
+    #   security requirements. You might consider testing with a public
+    #   endpoint, and then establishing a VPC endpoint service for
+    #   production tasks. Note that this choice does not determine the
+    #   location of the external key store proxy. Even if you choose a VPC
+    #   endpoint service, the proxy can be hosted within the VPC or outside
+    #   of Amazon Web Services such as in your corporate data center.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
     #
     class CreateCustomKeyStoreRequest < Struct.new(
       :custom_key_store_name,
       :cloud_hsm_cluster_id,
       :trust_anchor_certificate,
-      :key_store_password)
+      :key_store_password,
+      :custom_key_store_type,
+      :xks_proxy_uri_endpoint,
+      :xks_proxy_uri_path,
+      :xks_proxy_vpc_endpoint_service_name,
+      :xks_proxy_authentication_credential,
+      :xks_proxy_connectivity)
       SENSITIVE = [:key_store_password]
       include Aws::Structure
     end
@@ -408,26 +552,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CreateGrantRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         grantee_principal: "PrincipalIdType", # required
-    #         retiring_principal: "PrincipalIdType",
-    #         operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
-    #         constraints: {
-    #           encryption_context_subset: {
-    #             "EncryptionContextKey" => "EncryptionContextValue",
-    #           },
-    #           encryption_context_equals: {
-    #             "EncryptionContextKey" => "EncryptionContextValue",
-    #           },
-    #         },
-    #         grant_tokens: ["GrantTokenType"],
-    #         name: "GrantNameType",
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the KMS key for the grant. The grant gives principals
     #   permission to use this KMS key.
@@ -450,18 +574,16 @@ module Aws::KMS
     # @!attribute [rw] grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
-    #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services
-    #   principals include Amazon Web Services accounts (root), IAM users,
-    #   IAM roles, federated users, and assumed role users. For examples of
-    #   the ARN syntax to use for specifying a principal, see [Amazon Web
-    #   Services Identity and Access Management (IAM)][2] in the Example
-    #   ARNs section of the *Amazon Web Services General Reference*.
+    #   To specify the grantee principal, use the Amazon Resource Name (ARN)
+    #   of an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal,
+    #   see [IAM ARNs][1] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -469,12 +591,11 @@ module Aws::KMS
     #   to retire the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services
-    #   principals include Amazon Web Services accounts (root), IAM users,
-    #   federated users, and assumed role users. For examples of the ARN
-    #   syntax to use for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal,
+    #   see [IAM ARNs][2] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #   The grant determines the retiring principal. Other principals might
     #   have permission to retire the grant or revoke the grant. For
@@ -484,19 +605,20 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     #   @return [String]
     #
     # @!attribute [rw] operations
     #   A list of operations that the grant permits.
     #
-    #   The operation must be supported on the KMS key. For example, you
-    #   cannot create a grant for a symmetric KMS key that allows the Sign
-    #   operation, or a grant for an asymmetric KMS key that allows the
-    #   GenerateDataKey operation. If you try, KMS returns a
-    #   `ValidationError` exception. For details, see [Grant operations][1]
-    #   in the *Key Management Service Developer Guide*.
+    #   This list must include only operations that are permitted in a
+    #   grant. Also, the operation must be supported on the KMS key. For
+    #   example, you cannot create a grant for a symmetric encryption KMS
+    #   key that allows the Sign operation, or a grant for an asymmetric KMS
+    #   key that allows the GenerateDataKey operation. If you try, KMS
+    #   returns a `ValidationError` exception. For details, see [Grant
+    #   operations][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -506,30 +628,44 @@ module Aws::KMS
     # @!attribute [rw] constraints
     #   Specifies a grant constraint.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   KMS supports the `EncryptionContextEquals` and
-    #   `EncryptionContextSubset` grant constraints. Each constraint value
-    #   can include up to 8 encryption context pairs. The encryption context
-    #   value in each constraint cannot exceed 384 characters.
-    #
-    #   These grant constraints allow the permissions in the grant only when
-    #   the encryption context in the request matches
-    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
-    #   the encryption context specified in this structure. For information
-    #   about grant constraints, see [Using grant constraints][1] in the
-    #   *Key Management Service Developer Guide*. For more information about
-    #   encryption context, see [Encryption Context][2] in the <i> <i>Key
-    #   Management Service Developer Guide</i> </i>.
+    #   `EncryptionContextSubset` grant constraints, which allow the
+    #   permissions in the grant only when the encryption context in the
+    #   request matches (`EncryptionContextEquals`) or includes
+    #   (`EncryptionContextSubset`) the encryption context specified in the
+    #   constraint.
     #
     #   The encryption context grant constraints are supported only on
-    #   operations that include an encryption context. You cannot use an
-    #   encryption context grant constraint for cryptographic operations
-    #   with asymmetric KMS keys or for management operations, such as
-    #   DescribeKey or RetireGrant.
+    #   [grant operations][1] that include an `EncryptionContext` parameter,
+    #   such as cryptographic operations on symmetric encryption KMS keys.
+    #   Grants with grant constraints can include the DescribeKey and
+    #   RetireGrant operations, but the constraint doesn't apply to these
+    #   operations. If a grant with a grant constraint includes the
+    #   `CreateGrant` operation, the constraint requires that any grants
+    #   created with the `CreateGrant` permission have an equally strict or
+    #   stricter encryption context constraint.
     #
+    #   You cannot use an encryption context grant constraint for
+    #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
+    #   Operations with these keys don't support an encryption context.
     #
+    #   Each constraint value can include up to 8 encryption context pairs.
+    #   The encryption context value in each constraint cannot exceed 384
+    #   characters. For information about grant constraints, see [Using
+    #   grant constraints][2] in the *Key Management Service Developer
+    #   Guide*. For more information about encryption context, see
+    #   [Encryption context][3] in the <i> <i>Key Management Service
+    #   Developer Guide</i> </i>.
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -550,6 +686,10 @@ module Aws::KMS
     #   A friendly name for the grant. Use this value to prevent the
     #   unintended creation of duplicate grants when retrying this request.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   When this value is absent, all `CreateGrant` requests result in a
     #   new grant with a unique `GrantId` even if all the supplied
     #   parameters are identical. This can result in unintended duplicates
@@ -563,6 +703,18 @@ module Aws::KMS
     #   the same grant ID can be used interchangeably.
     #   @return [String]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
     #
     class CreateGrantRequest < Struct.new(
@@ -572,7 +724,8 @@ module Aws::KMS
       :operations,
       :constraints,
       :grant_tokens,
-      :name)
+      :name,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -607,53 +760,30 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CreateKeyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         policy: "PolicyType",
-    #         description: "DescriptionType",
-    #         key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
-    #         customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
-    #         key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
-    #         origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
-    #         custom_key_store_id: "CustomKeyStoreIdType",
-    #         bypass_policy_lockout_safety_check: false,
-    #         tags: [
-    #           {
-    #             tag_key: "TagKeyType", # required
-    #             tag_value: "TagValueType", # required
-    #           },
-    #         ],
-    #         multi_region: false,
-    #       }
-    #
     # @!attribute [rw] policy
     #   The key policy to attach to the KMS key.
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must allow the principal that is making the `CreateKey`
-    #     request to make a subsequent PutKeyPolicy request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
-    #     Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][1] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][2] in the *Amazon Web Services Identity and
-    #     Access Management User Guide*.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][2] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   If you do not provide a key policy, KMS attaches a default key
-    #   policy to the KMS key. For more information, see [Default Key
-    #   Policy][3] in the *Key Management Service Developer Guide*.
+    #   policy to the KMS key. For more information, see [Default key
+    #   policy][3] in the *Key Management Service Developer Guide*.
     #
     #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
@@ -663,18 +793,20 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A description of the KMS key.
+    #   A description of the KMS key. Use a description that helps you
+    #   decide whether the KMS key is appropriate for a task. The default
+    #   value is an empty string (no description).
     #
-    #   Use a description that helps you decide whether the KMS key is
-    #   appropriate for a task. The default value is an empty string (no
-    #   description).
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #
     #   To set or change the description after the key is created, use
     #   UpdateKeyDescription.
@@ -683,20 +815,26 @@ module Aws::KMS
     # @!attribute [rw] key_usage
     #   Determines the [cryptographic operations][1] for which you can use
     #   the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
-    #   is required only for asymmetric KMS keys. You can't change the
-    #   `KeyUsage` value after the KMS key is created.
+    #   is optional when you are creating a symmetric encryption KMS key;
+    #   otherwise, it is required. You can't change the `KeyUsage` value
+    #   after the KMS key is created.
     #
     #   Select only one valid value.
     #
-    #   * For symmetric KMS keys, omit the parameter or specify
+    #   * For symmetric encryption KMS keys, omit the parameter or specify
     #     `ENCRYPT_DECRYPT`.
     #
+    #   * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
+    #
     #   * For asymmetric KMS keys with RSA key material, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   * For asymmetric KMS keys with ECC key material, specify
     #     `SIGN_VERIFY`.
     #
+    #   * For asymmetric KMS keys with SM2 key material (China Regions
+    #     only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@@ -707,41 +845,50 @@ module Aws::KMS
     #
     #   The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
     #   way. Only the names differ. We recommend that you use `KeySpec`
-    #   parameter in your code. However, to avoid breaking changes, KMS will
-    #   support both parameters.
+    #   parameter in your code. However, to avoid breaking changes, KMS
+    #   supports both parameters.
     #   @return [String]
     #
     # @!attribute [rw] key_spec
     #   Specifies the type of KMS key to create. The default value,
-    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
-    #   for encryption and decryption. For help choosing a key spec for your
-    #   KMS key, see [How to Choose Your KMS key Configuration][1] in the
-    #   <i> <i>Key Management Service Developer Guide</i> </i>.
+    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
+    #   that is used for encryption and decryption, except in China Regions,
+    #   where it creates a 128-bit symmetric key that uses SM4 encryption.
+    #   For help choosing a key spec for your KMS key, see [Choosing a KMS
+    #   key type][1] in the <i> <i>Key Management Service Developer
+    #   Guide</i> </i>.
     #
     #   The `KeySpec` determines whether the KMS key contains a symmetric
-    #   key or an asymmetric key pair. It also determines the encryption
-    #   algorithms or signing algorithms that the KMS key supports. You
-    #   can't change the `KeySpec` after the KMS key is created. To further
-    #   restrict the algorithms that can be used with the KMS key, use a
-    #   condition key in its key policy or IAM policy. For more information,
-    #   see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in
-    #   the <i> <i>Key Management Service Developer Guide</i> </i>.
-    #
-    #   [Amazon Web Services services that are integrated with KMS][4] use
-    #   symmetric KMS keys to protect your data. These services do not
-    #   support asymmetric KMS keys. For help determining whether a KMS key
-    #   is symmetric or asymmetric, see [Identifying Symmetric and
-    #   Asymmetric KMS keys][5] in the *Key Management Service Developer
-    #   Guide*.
+    #   key or an asymmetric key pair. It also determines the algorithms
+    #   that the KMS key supports. You can't change the `KeySpec` after the
+    #   KMS key is created. To further restrict the algorithms that can be
+    #   used with the KMS key, use a condition key in its key policy or IAM
+    #   policy. For more information, see [kms:EncryptionAlgorithm][2],
+    #   [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
+    #   <i>Key Management Service Developer Guide</i> </i>.
+    #
+    #   [Amazon Web Services services that are integrated with KMS][5] use
+    #   symmetric encryption KMS keys to protect your data. These services
+    #   do not support asymmetric KMS keys or HMAC KMS keys.
     #
     #   KMS supports the following key specs for KMS keys:
     #
-    #   * Symmetric key (default)
+    #   * Symmetric encryption key (default)
     #
-    #     * `SYMMETRIC_DEFAULT` (AES-256-GCM)
+    #     * `SYMMETRIC_DEFAULT`
     #
     #     ^
     #
+    #   * HMAC keys (symmetric)
+    #
+    #     * `HMAC_224`
+    #
+    #     * `HMAC_256`
+    #
+    #     * `HMAC_384`
+    #
+    #     * `HMAC_512`
+    #
     #   * Asymmetric RSA key pairs
     #
     #     * `RSA_2048`
@@ -765,13 +912,19 @@ module Aws::KMS
     #
     #     ^
     #
+    #   * SM2 key pairs (China Regions only)
+    #
+    #     * `SM2`
+    #
+    #     ^
+    #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
-    #   [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
-    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
+    #   [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
     #   @return [String]
     #
     # @!attribute [rw] origin
@@ -779,45 +932,48 @@ module Aws::KMS
     #   the origin after you create the KMS key. The default is `AWS_KMS`,
     #   which means that KMS creates the key material.
     #
-    #   To create a KMS key with no key material (for imported key
-    #   material), set the value to `EXTERNAL`. For more information about
-    #   importing key material into KMS, see [Importing Key Material][1] in
-    #   the *Key Management Service Developer Guide*. This value is valid
-    #   only for symmetric KMS keys.
+    #   To [create a KMS key with no key material][1] (for imported key
+    #   material), set this value to `EXTERNAL`. For more information about
+    #   importing key material into KMS, see [Importing Key Material][2] in
+    #   the *Key Management Service Developer Guide*. The `EXTERNAL` origin
+    #   value is valid only for symmetric KMS keys.
     #
-    #   To create a KMS key in an KMS [custom key store][2] and create its
-    #   key material in the associated CloudHSM cluster, set this value to
+    #   To [create a KMS key in an CloudHSM key store][3] and create its key
+    #   material in the associated CloudHSM cluster, set this value to
     #   `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
-    #   to identify the custom key store. This value is valid only for
-    #   symmetric KMS keys.
+    #   to identify the CloudHSM key store. The `KeySpec` value must be
+    #   `SYMMETRIC_DEFAULT`.
+    #
+    #   To [create a KMS key in an external key store][4], set this value to
+    #   `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
+    #   parameter to identify the external key store and the `XksKeyId`
+    #   parameter to identify the associated external key. The `KeySpec`
+    #   value must be `SYMMETRIC_DEFAULT`.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
     #   @return [String]
     #
     # @!attribute [rw] custom_key_store_id
-    #   Creates the KMS key in the specified [custom key store][1] and the
-    #   key material in its associated CloudHSM cluster. To create a KMS key
-    #   in a custom key store, you must also specify the `Origin` parameter
-    #   with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
-    #   associated with the custom key store must have at least two active
-    #   HSMs, each in a different Availability Zone in the Region.
-    #
-    #   This parameter is valid only for symmetric KMS keys and regional KMS
-    #   keys. You cannot create an asymmetric KMS key or a multi-Region key
-    #   in a custom key store.
-    #
-    #   To find the ID of a custom key store, use the
+    #   Creates the KMS key in the specified [custom key store][1]. The
+    #   `ConnectionState` of the custom key store must be `CONNECTED`. To
+    #   find the CustomKeyStoreID and ConnectionState use the
     #   DescribeCustomKeyStores operation.
     #
-    #   The response includes the custom key store ID and the ID of the
-    #   CloudHSM cluster.
+    #   This parameter is valid only for symmetric encryption KMS keys in a
+    #   single Region. You cannot create any other type of KMS key in a
+    #   custom key store.
     #
-    #   This operation is part of the [Custom Key Store feature][1] feature
-    #   in KMS, which combines the convenience and extensive integration of
-    #   KMS with the isolation and control of a single-tenant key store.
+    #   When you create a KMS key in an CloudHSM key store, KMS generates a
+    #   non-exportable 256-bit symmetric key in its associated CloudHSM
+    #   cluster and associates it with the KMS key. When you create a KMS
+    #   key in an external key store, you must use the `XksKeyId` parameter
+    #   to specify an external key that serves as key material for the KMS
+    #   key.
     #
     #
     #
@@ -825,26 +981,23 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>.
-    #
-    #   Use this parameter only when you include a policy in the request and
-    #   you intend to prevent the principal that is making the request from
-    #   making a subsequent PutKeyPolicy request on the KMS key.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value is false.
+    #   Use this parameter only when you intend to prevent the principal
+    #   that is making the request from making a subsequent PutKeyPolicy
+    #   request on the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @!attribute [rw] tags
@@ -852,9 +1005,13 @@ module Aws::KMS
     #   the KMS key when it is created. To tag an existing KMS key, use the
     #   TagResource operation.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
-    #   KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   KMS key. For details, see [ABAC for KMS][1] in the *Key Management
+    #   Service Developer Guide*.
     #
     #    </note>
     #
@@ -895,7 +1052,7 @@ module Aws::KMS
     #   to encrypt data in one Amazon Web Services Region and decrypt it in
     #   a different Amazon Web Services Region without re-encrypting the
     #   data or making a cross-Region call. For more information about
-    #   multi-Region keys, see [Using multi-Region keys][1] in the *Key
+    #   multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #   This value creates a *primary key*, not a replica. To create a
@@ -910,6 +1067,43 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] xks_key_id
+    #   Identifies the [external key][1] that serves as key material for the
+    #   KMS key in an [external key store][2]. Specify the ID that the
+    #   [external key store proxy][3] uses to refer to the external key. For
+    #   help, see the documentation for your external key store proxy.
+    #
+    #   This parameter is required for a KMS key with an `Origin` value of
+    #   `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
+    #   `Origin` value.
+    #
+    #   The external key must be an existing 256-bit AES symmetric
+    #   encryption key hosted outside of Amazon Web Services in an external
+    #   key manager associated with the external key store specified by the
+    #   `CustomKeyStoreId` parameter. This key must be enabled and
+    #   configured to perform encryption and decryption. Each KMS key in an
+    #   external key store must use a different external key. For details,
+    #   see [Requirements for a KMS key in an external key store][4] in the
+    #   *Key Management Service Developer Guide*.
+    #
+    #   Each KMS key in an external key store is associated two backing
+    #   keys. One is key material that KMS generates. The other is the
+    #   external key specified by this parameter. When you use the KMS key
+    #   in an external key store to encrypt data, the encryption operation
+    #   is performed first by KMS using the KMS key material, and then by
+    #   the external key manager using the specified external key, a process
+    #   known as *double encryption*. For details, see [Double
+    #   encryption][5] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
+    #   [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
     #
     class CreateKeyRequest < Struct.new(
@@ -922,7 +1116,8 @@ module Aws::KMS
       :custom_key_store_id,
       :bypass_policy_lockout_safety_check,
       :tags,
-      :multi_region)
+      :multi_region,
+      :xks_key_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -961,18 +1156,29 @@ module Aws::KMS
     #
     # This exception is thrown under the following conditions:
     #
-    # * You requested the CreateKey or GenerateRandom operation in a custom
-    #   key store that is not connected. These operations are valid only
-    #   when the custom key store `ConnectionState` is `CONNECTED`.
+    # * You requested the ConnectCustomKeyStore operation on a custom key
+    #   store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
+    #   operation is valid for all other `ConnectionState` values. To
+    #   reconnect a custom key store in a `FAILED` state, disconnect it
+    #   (DisconnectCustomKeyStore), then connect it
+    #   (`ConnectCustomKeyStore`).
+    #
+    # * You requested the CreateKey operation in a custom key store that is
+    #   not connected. This operations is valid only when the custom key
+    #   store `ConnectionState` is `CONNECTED`.
+    #
+    # * You requested the DisconnectCustomKeyStore operation on a custom key
+    #   store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
+    #   This operation is valid for all other `ConnectionState` values.
     #
     # * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
     #   operation on a custom key store that is not disconnected. This
     #   operation is valid only when the custom key store `ConnectionState`
     #   is `DISCONNECTED`.
     #
-    # * You requested the ConnectCustomKeyStore operation on a custom key
-    #   store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
-    #   operation is valid for all other `ConnectionState` values.
+    # * You requested the GenerateRandom operation in an CloudHSM key store
+    #   that is not connected. This operation is valid only when the
+    #   CloudHSM key store `ConnectionState` is `CONNECTED`.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1027,13 +1233,17 @@ module Aws::KMS
     #
     # @!attribute [rw] cloud_hsm_cluster_id
     #   A unique identifier for the CloudHSM cluster that is associated with
-    #   the custom key store.
+    #   an CloudHSM key store. This field appears only when the
+    #   `CustomKeyStoreType` is `AWS_CLOUDHSM`.
     #   @return [String]
     #
     # @!attribute [rw] trust_anchor_certificate
-    #   The trust anchor certificate of the associated CloudHSM cluster.
-    #   When you [initialize the cluster][1], you create this certificate
-    #   and save it in the `customerCA.crt` file.
+    #   The trust anchor certificate of the CloudHSM cluster associated with
+    #   an CloudHSM key store. When you [initialize the cluster][1], you
+    #   create this certificate and save it in the `customerCA.crt` file.
+    #
+    #   This field appears only when the `CustomKeyStoreType` is
+    #   `AWS_CLOUDHSM`.
     #
     #
     #
@@ -1041,22 +1251,30 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] connection_state
-    #   Indicates whether the custom key store is connected to its CloudHSM
-    #   cluster.
+    #   Indicates whether the custom key store is connected to its backing
+    #   key store. For an CloudHSM key store, the `ConnectionState`
+    #   indicates whether it is connected to its CloudHSM cluster. For an
+    #   external key store, the `ConnectionState` indicates whether it is
+    #   connected to the external key store proxy that communicates with
+    #   your external key manager.
     #
     #   You can create and use KMS keys in your custom key stores only when
-    #   its connection state is `CONNECTED`.
-    #
-    #   The value is `DISCONNECTED` if the key store has never been
-    #   connected or you use the DisconnectCustomKeyStore operation to
-    #   disconnect it. If the value is `CONNECTED` but you are having
-    #   trouble using the custom key store, make sure that its associated
-    #   CloudHSM cluster is active and contains at least one active HSM.
+    #   its `ConnectionState` is `CONNECTED`.
+    #
+    #   The `ConnectionState` value is `DISCONNECTED` only if the key store
+    #   has never been connected or you use the DisconnectCustomKeyStore
+    #   operation to disconnect it. If the value is `CONNECTED` but you are
+    #   having trouble using the custom key store, make sure that the
+    #   backing key store is reachable and active. For an CloudHSM key
+    #   store, verify that its associated CloudHSM cluster is active and
+    #   contains at least one active HSM. For an external key store, verify
+    #   that the external key store proxy and external key manager are
+    #   connected and enabled.
     #
     #   A value of `FAILED` indicates that an attempt to connect was
     #   unsuccessful. The `ConnectionErrorCode` field in the response
     #   indicates the cause of the failure. For help resolving a connection
-    #   failure, see [Troubleshooting a Custom Key Store][1] in the *Key
+    #   failure, see [Troubleshooting a custom key store][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1066,35 +1284,52 @@ module Aws::KMS
     #
     # @!attribute [rw] connection_error_code
     #   Describes the connection error. This field appears in the response
-    #   only when the `ConnectionState` is `FAILED`. For help resolving
-    #   these errors, see [How to Fix a Connection Failure][1] in *Key
-    #   Management Service Developer Guide*.
+    #   only when the `ConnectionState` is `FAILED`.
+    #
+    #   Many failures can be resolved by updating the properties of the
+    #   custom key store. To update a custom key store, disconnect it
+    #   (DisconnectCustomKeyStore), correct the errors
+    #   (UpdateCustomKeyStore), and try to connect again
+    #   (ConnectCustomKeyStore). For additional help resolving these errors,
+    #   see [How to Fix a Connection Failure][1] in *Key Management Service
+    #   Developer Guide*.
+    #
+    #   **All custom key stores:**
+    #
+    #   * `INTERNAL_ERROR` — KMS could not complete the request due to an
+    #     internal error. Retry the request. For `ConnectCustomKeyStore`
+    #     requests, disconnect the custom key store before trying to connect
+    #     again.
+    #
+    #   * `NETWORK_ERRORS` — Network errors are preventing KMS from
+    #     connecting the custom key store to its backing key store.
     #
-    #   Valid values are:
+    #   **CloudHSM key stores:**
     #
-    #   * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
+    #   * `CLUSTER_NOT_FOUND` — KMS cannot find the CloudHSM cluster with
     #     the specified cluster ID.
     #
-    #   * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
+    #   * `INSUFFICIENT_CLOUDHSM_HSMS` — The associated CloudHSM cluster
     #     does not contain any active HSMs. To connect a custom key store to
     #     its CloudHSM cluster, the cluster must contain at least one active
     #     HSM.
     #
-    #   * `INTERNAL_ERROR` - KMS could not complete the request due to an
-    #     internal error. Retry the request. For `ConnectCustomKeyStore`
-    #     requests, disconnect the custom key store before trying to connect
-    #     again.
-    #
-    #   * `INVALID_CREDENTIALS` - KMS does not have the correct password for
-    #     the `kmsuser` crypto user in the CloudHSM cluster. Before you can
-    #     connect your custom key store to its CloudHSM cluster, you must
-    #     change the `kmsuser` account password and update the key store
-    #     password value for the custom key store.
+    #   * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` — At least one private
+    #     subnet associated with the CloudHSM cluster doesn't have any
+    #     available IP addresses. A CloudHSM key store connection requires
+    #     one free IP address in each of the associated private subnets,
+    #     although two are preferable. For details, see [How to Fix a
+    #     Connection Failure][1] in the *Key Management Service Developer
+    #     Guide*.
     #
-    #   * `NETWORK_ERRORS` - Network errors are preventing KMS from
-    #     connecting to the custom key store.
+    #   * `INVALID_CREDENTIALS` — The `KeyStorePassword` for the custom key
+    #     store doesn't match the current password of the `kmsuser` crypto
+    #     user in the CloudHSM cluster. Before you can connect your custom
+    #     key store to its CloudHSM cluster, you must change the `kmsuser`
+    #     account password and update the `KeyStorePassword` value for the
+    #     custom key store.
     #
-    #   * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
+    #   * `SUBNET_NOT_FOUND` — A subnet in the CloudHSM cluster
     #     configuration was deleted. If KMS cannot find all of the subnets
     #     in the cluster configuration, attempts to connect the custom key
     #     store to the CloudHSM cluster fail. To fix this error, create a
@@ -1104,13 +1339,13 @@ module Aws::KMS
     #     Connection Failure][1] in the *Key Management Service Developer
     #     Guide*.
     #
-    #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
+    #   * `USER_LOCKED_OUT` — The `kmsuser` CU account is locked out of the
     #     associated CloudHSM cluster due to too many failed password
     #     attempts. Before you can connect your custom key store to its
     #     CloudHSM cluster, you must change the `kmsuser` account password
     #     and update the key store password value for the custom key store.
     #
-    #   * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
+    #   * `USER_LOGGED_IN` — The `kmsuser` CU account is logged into the
     #     associated CloudHSM cluster. This prevents KMS from rotating the
     #     `kmsuser` account password and logging into the cluster. Before
     #     you can connect your custom key store to its CloudHSM cluster, you
@@ -1120,22 +1355,119 @@ module Aws::KMS
     #     help, see [How to Log Out and Reconnect][2] in the *Key Management
     #     Service Developer Guide*.
     #
-    #   * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
+    #   * `USER_NOT_FOUND` — KMS cannot find a `kmsuser` CU account in the
     #     associated CloudHSM cluster. Before you can connect your custom
     #     key store to its CloudHSM cluster, you must create a `kmsuser` CU
     #     account in the cluster, and then update the key store password
     #     value for the custom key store.
     #
+    #   **External key stores:**
+    #
+    #   * `INVALID_CREDENTIALS` — One or both of the
+    #     `XksProxyAuthenticationCredential` values is not valid on the
+    #     specified external key store proxy.
+    #
+    #   * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
+    #     external key store proxy. If the external key store proxy has
+    #     authorization rules, verify that they permit KMS to communicate
+    #     with the proxy on your behalf.
+    #
+    #   * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
+    #     preventing the external key store from connecting to its proxy.
+    #     Verify the value of the `XksProxyUriPath`.
+    #
+    #   * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
+    #     from the external key store proxy. If you see this connection
+    #     error code repeatedly, notify your external key store proxy
+    #     vendor.
+    #
+    #   * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
+    #     external key store proxy because the TLS configuration is invalid.
+    #     Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
+    #     that the TLS certificate is not expired, and that it matches the
+    #     hostname in the `XksProxyUriEndpoint` value, and that it is signed
+    #     by a certificate authority included in the [Trusted Certificate
+    #     Authorities][3] list.
+    #
+    #   * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
+    #     external key store proxy. Verify that the `XksProxyUriEndpoint`
+    #     and `XksProxyUriPath` are correct. Use the tools for your external
+    #     key store proxy to verify that the proxy is active and available
+    #     on its network. Also, verify that your external key manager
+    #     instances are operating properly. Connection attempts fail with
+    #     this connection error code if the proxy reports that all external
+    #     key manager instances are unavailable.
+    #
+    #   * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
+    #     proxy, but the proxy does not respond to KMS in the time allotted.
+    #     If you see this connection error code repeatedly, notify your
+    #     external key store proxy vendor.
+    #
+    #   * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
+    #     endpoint service configuration doesn't conform to the
+    #     requirements for an KMS external key store.
+    #
+    #     * The VPC endpoint service must be an endpoint service for
+    #       interface endpoints in the caller's Amazon Web Services
+    #       account.
+    #
+    #     * It must have a network load balancer (NLB) connected to at least
+    #       two subnets, each in a different Availability Zone.
+    #
+    #     * The `Allow principals` list must include the KMS service
+    #       principal for the Region, `cks.kms.<region>.amazonaws.com`, such
+    #       as `cks.kms.us-east-1.amazonaws.com`.
+    #
+    #     * It must *not* require [acceptance][4] of connection requests.
+    #
+    #     * It must have a private DNS name. The private DNS name for an
+    #       external key store with `VPC_ENDPOINT_SERVICE` connectivity must
+    #       be unique in its Amazon Web Services Region.
+    #
+    #     * The domain of the private DNS name must have a [verification
+    #       status][5] of `verified`.
+    #
+    #     * The [TLS certificate][6] specifies the private DNS hostname at
+    #       which the endpoint is reachable.
+    #
+    #   * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
+    #     endpoint service that it uses to communicate with the external key
+    #     store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
+    #     correct and the KMS service principal has service consumer
+    #     permissions on the Amazon VPC endpoint service.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
+    #   [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
+    #   [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
+    #   [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
+    #   [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
     #   @return [String]
     #
     # @!attribute [rw] creation_date
     #   The date and time when the custom key store was created.
     #   @return [Time]
     #
+    # @!attribute [rw] custom_key_store_type
+    #   Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
+    #   a custom key store backed by an CloudHSM cluster.
+    #   `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
+    #   external key store proxy and external key manager outside of Amazon
+    #   Web Services.
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_configuration
+    #   Configuration settings for the external key store proxy (XKS proxy).
+    #   The external key store proxy translates KMS requests into a format
+    #   that your external key manager can understand. The proxy
+    #   configuration includes connection information that KMS requires.
+    #
+    #   This field appears only when the `CustomKeyStoreType` is
+    #   `EXTERNAL_KEY_STORE`.
+    #   @return [Types::XksProxyConfigurationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
     #
     class CustomKeyStoresListEntry < Struct.new(
@@ -1145,24 +1477,13 @@ module Aws::KMS
       :trust_anchor_certificate,
       :connection_state,
       :connection_error_code,
-      :creation_date)
+      :creation_date,
+      :custom_key_store_type,
+      :xks_proxy_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DecryptRequest
-    #   data as a hash:
-    #
-    #       {
-    #         ciphertext_blob: "data", # required
-    #         encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         grant_tokens: ["GrantTokenType"],
-    #         key_id: "KeyIdType",
-    #         encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #       }
-    #
     # @!attribute [rw] ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
     #   @return [String]
@@ -1170,17 +1491,20 @@ module Aws::KMS
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
     #   encryption context is valid only for [cryptographic operations][1]
-    #   with a symmetric KMS key. The standard asymmetric encryption
-    #   algorithms that KMS uses do not support an encryption context.
+    #   with a symmetric encryption KMS key. The standard asymmetric
+    #   encryption algorithms and HMAC algorithms that KMS uses do not
+    #   support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *Key
+    #   For more information, see [Encryption context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1204,15 +1528,18 @@ module Aws::KMS
     #   @return [Array<String>]
     #
     # @!attribute [rw] key_id
-    #   Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter
-    #   a key ID of the KMS key that was used to encrypt the ciphertext.
+    #   Specifies the KMS key that KMS uses to decrypt the ciphertext.
+    #
+    #   Enter a key ID of the KMS key that was used to encrypt the
+    #   ciphertext. If you identify a different KMS key, the `Decrypt`
+    #   operation throws an `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS
-    #   can get the KMS key from metadata that it adds to the symmetric
-    #   ciphertext blob. However, it is always recommended as a best
-    #   practice. This practice ensures that you use the KMS key that you
-    #   intend.
+    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
+    #   key, KMS can get the KMS key from metadata that it adds to the
+    #   symmetric ciphertext blob. However, it is always recommended as a
+    #   best practice. This practice ensures that you use the KMS key that
+    #   you intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1243,9 +1570,49 @@ module Aws::KMS
     #   This parameter is required only when the ciphertext was encrypted
     #   under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
     #   represents the only supported algorithm that is valid for symmetric
-    #   KMS keys.
+    #   encryption KMS keys.
     #   @return [String]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning the plaintext
+    #   data, KMS encrypts the plaintext data with the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can
+    #   be decrypted only with the private key in the enclave. The
+    #   `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
     #
     class DecryptRequest < Struct.new(
@@ -1253,7 +1620,9 @@ module Aws::KMS
       :encryption_context,
       :grant_tokens,
       :key_id,
-      :encryption_algorithm)
+      :encryption_algorithm,
+      :recipient,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1271,29 +1640,42 @@ module Aws::KMS
     #   Decrypted plaintext data. When you use the HTTP API or the Amazon
     #   Web Services CLI, the value is Base64-encoded. Otherwise, it is not
     #   Base64-encoded.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `Plaintext` field is null or empty.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
     #   The encryption algorithm that was used to decrypt the ciphertext.
     #   @return [String]
     #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext data encrypted with the public key in the attestation
+    #   document.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
     #
     class DecryptResponse < Struct.new(
       :key_id,
       :plaintext,
-      :encryption_algorithm)
+      :encryption_algorithm,
+      :ciphertext_for_recipient)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteAliasRequest
-    #   data as a hash:
-    #
-    #       {
-    #         alias_name: "AliasNameType", # required
-    #       }
-    #
     # @!attribute [rw] alias_name
     #   The alias to be deleted. The alias name must begin with `alias/`
     #   followed by the alias name, such as `alias/ExampleAlias`.
@@ -1307,13 +1689,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteCustomKeyStoreRequest
-    #   data as a hash:
-    #
-    #       {
-    #         custom_key_store_id: "CustomKeyStoreIdType", # required
-    #       }
-    #
     # @!attribute [rw] custom_key_store_id
     #   Enter the ID of the custom key store you want to delete. To find the
     #   ID of a custom key store, use the DescribeCustomKeyStores operation.
@@ -1331,13 +1706,6 @@ module Aws::KMS
     #
     class DeleteCustomKeyStoreResponse < Aws::EmptyStructure; end
 
-    # @note When making an API call, you may pass DeleteImportedKeyMaterialRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the KMS key from which you are deleting imported key
     #   material. The `Origin` of the KMS key must be `EXTERNAL`.
@@ -1363,8 +1731,8 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The system timed out while trying to fulfill the request. The request
-    # can be retried.
+    # The system timed out while trying to fulfill the request. You can
+    # retry the request.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1377,24 +1745,14 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DescribeCustomKeyStoresRequest
-    #   data as a hash:
-    #
-    #       {
-    #         custom_key_store_id: "CustomKeyStoreIdType",
-    #         custom_key_store_name: "CustomKeyStoreNameType",
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #       }
-    #
     # @!attribute [rw] custom_key_store_id
     #   Gets only information about the specified custom key store. Enter
     #   the key store ID.
     #
     #   By default, this operation gets information about all custom key
     #   stores in the account and Region. To limit the output to a
-    #   particular custom key store, you can use either the
-    #   `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
+    #   particular custom key store, provide either the `CustomKeyStoreId`
+    #   or `CustomKeyStoreName` parameter, but not both.
     #   @return [String]
     #
     # @!attribute [rw] custom_key_store_name
@@ -1403,8 +1761,8 @@ module Aws::KMS
     #
     #   By default, this operation gets information about all custom key
     #   stores in the account and Region. To limit the output to a
-    #   particular custom key store, you can use either the
-    #   `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
+    #   particular custom key store, provide either the `CustomKeyStoreId`
+    #   or `CustomKeyStoreName` parameter, but not both.
     #   @return [String]
     #
     # @!attribute [rw] limit
@@ -1456,14 +1814,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DescribeKeyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Describes the specified KMS key.
     #
@@ -1531,13 +1881,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DisableKeyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the KMS key to disable.
     #
@@ -1562,17 +1905,11 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DisableKeyRotationRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   Identifies a symmetric KMS key. You cannot enable or disable
-    #   automatic rotation of [asymmetric KMS keys][1], KMS keys with
-    #   [imported key material][2], or KMS keys in a [custom key store][3].
+    #   Identifies a symmetric encryption KMS key. You cannot enable or
+    #   disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
+    #   keys][2], KMS keys with [imported key material][3], or KMS keys in a
+    #   [custom key store][4].
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -1589,8 +1926,9 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -1614,13 +1952,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
-    #   data as a hash:
-    #
-    #       {
-    #         custom_key_store_id: "CustomKeyStoreIdType", # required
-    #       }
-    #
     # @!attribute [rw] custom_key_store_id
     #   Enter the ID of the custom key store you want to disconnect. To find
     #   the ID of a custom key store, use the DescribeCustomKeyStores
@@ -1639,13 +1970,19 @@ module Aws::KMS
     #
     class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
 
-    # @note When making an API call, you may pass EnableKeyRequest
-    #   data as a hash:
+    # The request was rejected because the DryRun parameter was specified.
     #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
+    # @!attribute [rw] message
+    #   @return [String]
     #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DryRunOperationException AWS API Documentation
+    #
+    class DryRunOperationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] key_id
     #   Identifies the KMS key to enable.
     #
@@ -1670,19 +2007,12 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass EnableKeyRotationRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   Identifies a symmetric KMS key. You cannot enable automatic rotation
-    #   of [asymmetric KMS keys][1], KMS keys with [imported key
-    #   material][2], or KMS keys in a [custom key store][3]. To enable or
-    #   disable automatic rotation of a set of related [multi-Region
-    #   keys][4], set the property on the primary key.
+    #   Identifies a symmetric encryption KMS key. You cannot enable
+    #   automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
+    #   KMS keys with [imported key material][3], or KMS keys in a [custom
+    #   key store][4]. To enable or disable automatic rotation of a set of
+    #   related [multi-Region keys][5], set the property on the primary key.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -1698,10 +2028,11 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1712,21 +2043,10 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass EncryptRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         plaintext: "data", # required
-    #         encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         grant_tokens: ["GrantTokenType"],
-    #         encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   Identifies the KMS key to use in the encryption operation.
+    #   Identifies the KMS key to use in the encryption operation. The KMS
+    #   key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
+    #   `KeyUsage` of a KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1755,18 +2075,24 @@ module Aws::KMS
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used to encrypt the
     #   data. An encryption context is valid only for [cryptographic
-    #   operations][1] with a symmetric KMS key. The standard asymmetric
-    #   encryption algorithms that KMS uses do not support an encryption
-    #   context.
+    #   operations][1] with a symmetric encryption KMS key. The standard
+    #   asymmetric encryption algorithms and HMAC algorithms that KMS uses
+    #   do not support an encryption context.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *Key
+    #   For more information, see [Encryption context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1795,11 +2121,25 @@ module Aws::KMS
     #   that you specify.
     #
     #   This parameter is required only for asymmetric KMS keys. The default
-    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
-    #   keys. If you are using an asymmetric KMS key, we recommend
-    #   RSAES\_OAEP\_SHA\_256.
+    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
+    #   encryption KMS keys. If you are using an asymmetric KMS key, we
+    #   recommend RSAES\_OAEP\_SHA\_256.
+    #
+    #   The SM2PKE algorithm is only available in China Regions.
     #   @return [String]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
     #
     class EncryptRequest < Struct.new(
@@ -1807,7 +2147,8 @@ module Aws::KMS
       :plaintext,
       :encryption_context,
       :grant_tokens,
-      :encryption_algorithm)
+      :encryption_algorithm,
+      :dry_run)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -1857,30 +2198,24 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GenerateDataKeyPairRequest
-    #   data as a hash:
-    #
-    #       {
-    #         encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         key_id: "KeyIdType", # required
-    #         key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used when encrypting
     #   the private key in the data key pair.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1889,10 +2224,10 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_id
-    #   Specifies the symmetric KMS key that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric KMS key or a KMS key
-    #   in a custom key store. To get the type and origin of your KMS key,
-    #   use the DescribeKey operation.
+    #   Specifies the symmetric encryption KMS key that encrypts the private
+    #   key in the data key pair. You cannot specify an asymmetric KMS key
+    #   or a KMS key in a custom key store. To get the type and origin of
+    #   your KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1917,10 +2252,11 @@ module Aws::KMS
     # @!attribute [rw] key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
-    #   encrypt and decrypt or to sign and verify (but not both), and the
-    #   rule that permits you to use ECC KMS keys only to sign and verify,
-    #   are not effective on data key pairs, which are used outside of KMS.
+    #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
+    #   keys to encrypt and decrypt or to sign and verify (but not both),
+    #   and the rule that permits you to use ECC KMS keys only to sign and
+    #   verify, are not effective on data key pairs, which are used outside
+    #   of KMS. The SM2 key spec is only available in China Regions.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -1937,13 +2273,58 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning a plaintext copy
+    #   of the private data key, KMS encrypts the plaintext private data key
+    #   under the public key in the attestation document, and returns the
+    #   resulting ciphertext in the `CiphertextForRecipient` field in the
+    #   response. This ciphertext can be decrypted only with the private key
+    #   in the enclave. The `CiphertextBlob` field in the response contains
+    #   a copy of the private data key encrypted under the KMS key specified
+    #   by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
+    #   response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
     #
     class GenerateDataKeyPairRequest < Struct.new(
       :encryption_context,
       :key_id,
       :key_pair_spec,
-      :grant_tokens)
+      :grant_tokens,
+      :recipient,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1958,10 +2339,15 @@ module Aws::KMS
     #   The plaintext copy of the private key. When you use the HTTP API or
     #   the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
     #   it is not Base64-encoded.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `PrivateKeyPlaintext` field is null or empty.
     #   @return [String]
     #
     # @!attribute [rw] public_key
-    #   The public key (in plaintext).
+    #   The public key (in plaintext). When you use the HTTP API or the
+    #   Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
+    #   is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] key_id
@@ -1977,6 +2363,23 @@ module Aws::KMS
     #   The type of data key pair that was generated.
     #   @return [String]
     #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext private data key encrypted with the public key from
+    #   the Nitro enclave. This ciphertext can be decrypted only by using a
+    #   private key in the Nitro enclave.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
     #
     class GenerateDataKeyPairResponse < Struct.new(
@@ -1984,35 +2387,30 @@ module Aws::KMS
       :private_key_plaintext,
       :public_key,
       :key_id,
-      :key_pair_spec)
+      :key_pair_spec,
+      :ciphertext_for_recipient)
       SENSITIVE = [:private_key_plaintext]
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
-    #   data as a hash:
-    #
-    #       {
-    #         encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         key_id: "KeyIdType", # required
-    #         key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used when encrypting
     #   the private key in the data key pair.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2021,10 +2419,10 @@ module Aws::KMS
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] key_id
-    #   Specifies the KMS key that encrypts the private key in the data key
-    #   pair. You must specify a symmetric KMS key. You cannot use an
-    #   asymmetric KMS key or a KMS key in a custom key store. To get the
-    #   type and origin of your KMS key, use the DescribeKey operation.
+    #   Specifies the symmetric encryption KMS key that encrypts the private
+    #   key in the data key pair. You cannot specify an asymmetric KMS key
+    #   or a KMS key in a custom key store. To get the type and origin of
+    #   your KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2049,10 +2447,11 @@ module Aws::KMS
     # @!attribute [rw] key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
-    #   encrypt and decrypt or to sign and verify (but not both), and the
-    #   rule that permits you to use ECC KMS keys only to sign and verify,
-    #   are not effective on data key pairs, which are used outside of KMS.
+    #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
+    #   keys to encrypt and decrypt or to sign and verify (but not both),
+    #   and the rule that permits you to use ECC KMS keys only to sign and
+    #   verify, are not effective on data key pairs, which are used outside
+    #   of KMS. The SM2 key spec is only available in China Regions.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -2069,13 +2468,26 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
     #
     class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
       :encryption_context,
       :key_id,
       :key_pair_spec,
-      :grant_tokens)
+      :grant_tokens,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2087,7 +2499,9 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] public_key
-    #   The public key (in plaintext).
+    #   The public key (in plaintext). When you use the HTTP API or the
+    #   Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
+    #   is not Base64-encoded.
     #   @return [String]
     #
     # @!attribute [rw] key_id
@@ -2114,21 +2528,11 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GenerateDataKeyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         number_of_bytes: 1,
-    #         key_spec: "AES_256", # accepts AES_256, AES_128
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   Identifies the symmetric KMS key that encrypts the data key.
+    #   Specifies the symmetric encryption KMS key that encrypts the data
+    #   key. You cannot specify an asymmetric KMS key or a KMS key in a
+    #   custom key store. To get the type and origin of your KMS key, use
+    #   the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2154,14 +2558,20 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting
     #   the data key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2202,6 +2612,48 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning the plaintext data
+    #   key, KMS encrypts the plaintext data key under the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can
+    #   be decrypted only with the private key in the enclave. The
+    #   `CiphertextBlob` field in the response contains a copy of the data
+    #   key encrypted under the KMS key specified by the `KeyId` parameter.
+    #   The `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
     #
     class GenerateDataKeyRequest < Struct.new(
@@ -2209,7 +2661,9 @@ module Aws::KMS
       :encryption_context,
       :number_of_bytes,
       :key_spec,
-      :grant_tokens)
+      :grant_tokens,
+      :recipient,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2225,6 +2679,9 @@ module Aws::KMS
     #   Services CLI, the value is Base64-encoded. Otherwise, it is not
     #   Base64-encoded. Use this data key to encrypt your data outside of
     #   KMS. Then, remove it from memory as soon as possible.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `Plaintext` field is null or empty.
     #   @return [String]
     #
     # @!attribute [rw] key_id
@@ -2236,31 +2693,39 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext data key encrypted with the public key from the Nitro
+    #   enclave. This ciphertext can be decrypted only by using a private
+    #   key in the Nitro enclave.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
     #
     class GenerateDataKeyResponse < Struct.new(
       :ciphertext_blob,
       :plaintext,
-      :key_id)
+      :key_id,
+      :ciphertext_for_recipient)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GenerateDataKeyWithoutPlaintextRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         key_spec: "AES_256", # accepts AES_256, AES_128
-    #         number_of_bytes: 1,
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   The identifier of the symmetric KMS key that encrypts the data key.
+    #   Specifies the symmetric encryption KMS key that encrypts the data
+    #   key. You cannot specify an asymmetric KMS key or a KMS key in a
+    #   custom key store. To get the type and origin of your KMS key, use
+    #   the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2286,14 +2751,20 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting
     #   the data key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -2327,6 +2798,18 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
     #
     class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
@@ -2334,7 +2817,8 @@ module Aws::KMS
       :encryption_context,
       :key_spec,
       :number_of_bytes,
-      :grant_tokens)
+      :grant_tokens,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2363,33 +2847,150 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GenerateRandomRequest
-    #   data as a hash:
+    # @!attribute [rw] message
+    #   The message to be hashed. Specify a message of up to 4,096 bytes.
+    #
+    #   `GenerateMac` and VerifyMac do not provide special handling for
+    #   message digests. If you generate an HMAC for a hash digest of a
+    #   message, you must verify the HMAC of the same hash digest.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_id
+    #   The HMAC KMS key to use in the operation. The MAC algorithm computes
+    #   the HMAC for the message and the key as described in [RFC 2104][1].
+    #
+    #   To identify an HMAC KMS key, use the DescribeKey operation and see
+    #   the `KeySpec` field in the response.
+    #
+    #
+    #
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc2104
+    #   @return [String]
+    #
+    # @!attribute [rw] mac_algorithm
+    #   The MAC algorithm used in the operation.
+    #
+    #   The algorithm must be compatible with the HMAC KMS key that you
+    #   specify. To find the MAC algorithms that your HMAC KMS key supports,
+    #   use the DescribeKey operation and see the `MacAlgorithms` field in
+    #   the `DescribeKey` response.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
+    #
+    class GenerateMacRequest < Struct.new(
+      :message,
+      :key_id,
+      :mac_algorithm,
+      :grant_tokens,
+      :dry_run)
+      SENSITIVE = [:message]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] mac
+    #   The hash-based message authentication code (HMAC) that was generated
+    #   for the specified message, HMAC KMS key, and MAC algorithm.
+    #
+    #   This is the standard, raw HMAC defined in [RFC 2104][1].
+    #
+    #
+    #
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc2104
+    #   @return [String]
+    #
+    # @!attribute [rw] mac_algorithm
+    #   The MAC algorithm that was used to generate the HMAC.
+    #   @return [String]
     #
-    #       {
-    #         number_of_bytes: 1,
-    #         custom_key_store_id: "CustomKeyStoreIdType",
-    #       }
+    # @!attribute [rw] key_id
+    #   The HMAC KMS key used in the operation.
+    #   @return [String]
     #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
+    #
+    class GenerateMacResponse < Struct.new(
+      :mac,
+      :mac_algorithm,
+      :key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] number_of_bytes
-    #   The length of the byte string.
+    #   The length of the random byte string. This parameter is required.
     #   @return [Integer]
     #
     # @!attribute [rw] custom_key_store_id
     #   Generates the random byte string in the CloudHSM cluster that is
-    #   associated with the specified [custom key store][1]. To find the ID
-    #   of a custom key store, use the DescribeCustomKeyStores operation.
+    #   associated with the specified CloudHSM key store. To find the ID of
+    #   a custom key store, use the DescribeCustomKeyStores operation.
     #
+    #   External key store IDs are not valid for this parameter. If you
+    #   specify the ID of an external key store, `GenerateRandom` throws an
+    #   `UnsupportedOperationException`.
+    #   @return [String]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    #   @return [String]
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning plaintext bytes,
+    #   KMS encrypts the plaintext bytes under the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can
+    #   be decrypted only with the private key in the enclave. The
+    #   `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
     #
     class GenerateRandomRequest < Struct.new(
       :number_of_bytes,
-      :custom_key_store_id)
+      :custom_key_store_id,
+      :recipient)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2398,24 +2999,37 @@ module Aws::KMS
     #   The random byte string. When you use the HTTP API or the Amazon Web
     #   Services CLI, the value is Base64-encoded. Otherwise, it is not
     #   Base64-encoded.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `Plaintext` field is null or empty.
+    #   @return [String]
+    #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext random bytes encrypted with the public key from the
+    #   Nitro enclave. This ciphertext can be decrypted only by using a
+    #   private key in the Nitro enclave.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
     #
     class GenerateRandomResponse < Struct.new(
-      :plaintext)
+      :plaintext,
+      :ciphertext_for_recipient)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetKeyPolicyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         policy_name: "PolicyNameType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Gets the key policy for the specified KMS key.
     #
@@ -2458,13 +3072,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetKeyRotationStatusRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Gets the rotation status for the specified KMS key.
     #
@@ -2503,18 +3110,14 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetParametersForImportRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #         wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   The identifier of the symmetric KMS key into which you will import
-    #   key material. The `Origin` of the KMS key must be `EXTERNAL`.
+    #   The identifier of the KMS key that will be associated with the
+    #   imported key material. The `Origin` of the KMS key must be
+    #   `EXTERNAL`.
+    #
+    #   All KMS key types are supported, including multi-Region keys.
+    #   However, you cannot import key material into a KMS key in a custom
+    #   key store.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -2530,19 +3133,54 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] wrapping_algorithm
-    #   The algorithm you will use to encrypt the key material before
-    #   importing it with ImportKeyMaterial. For more information, see
-    #   [Encrypt the Key Material][1] in the *Key Management Service
-    #   Developer Guide*.
+    #   The algorithm you will use with the RSA public key (`PublicKey`) in
+    #   the response to protect your key material during import. For more
+    #   information, see [Select a wrapping
+    #   algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
+    #   in the *Key Management Service Developer Guide*.
+    #
+    #   For RSA\_AES wrapping algorithms, you encrypt your key material with
+    #   an AES key that you generate, then encrypt your AES key with the RSA
+    #   public key from KMS. For RSAES wrapping algorithms, you encrypt your
+    #   key material directly with the RSA public key from KMS.
+    #
+    #   The wrapping algorithms that you can use depend on the type of key
+    #   material that you are importing. To import an RSA private key, you
+    #   must use an RSA\_AES wrapping algorithm.
+    #
+    #   * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
+    #     ECC key material.
+    #
+    #   * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and
+    #     ECC key material.
     #
+    #   * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
+    #     material, except RSA key material (private key).
     #
+    #     You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
+    #     the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
+    #     material.
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
+    #   * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
+    #     except RSA key material (private key).
+    #
+    #     You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
+    #     RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
+    #
+    #   * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
+    #     symmetric encryption key material (and only in legacy mode).
     #   @return [String]
     #
     # @!attribute [rw] wrapping_key_spec
-    #   The type of wrapping key (public key) to return in the response.
-    #   Only 2048-bit RSA public keys are supported.
+    #   The type of RSA public key to return in the response. You will use
+    #   this wrapping key with the specified wrapping algorithm to protect
+    #   your key material during import.
+    #
+    #   Use the longest RSA wrapping key that is practical.
+    #
+    #   You cannot use an RSA\_2048 public key to directly wrap an
+    #   ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
+    #   algorithm or choose a longer RSA public key.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
@@ -2592,14 +3230,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetPublicKeyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the asymmetric KMS key that includes the public key.
     #
@@ -2675,7 +3305,7 @@ module Aws::KMS
     #
     #   The `KeySpec` and `CustomerMasterKeySpec` fields have the same
     #   value. We recommend that you use the `KeySpec` field in your code.
-    #   However, to avoid breaking changes, KMS will support both fields.
+    #   However, to avoid breaking changes, KMS supports both fields.
     #   @return [String]
     #
     # @!attribute [rw] key_spec
@@ -2756,18 +3386,6 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
     #
-    # @note When making an API call, you may pass GrantConstraints
-    #   data as a hash:
-    #
-    #       {
-    #         encryption_context_subset: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         encryption_context_equals: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #       }
-    #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
     #   context of the [cryptographic operation][1] request. The grant
@@ -2868,22 +3486,20 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ImportKeyMaterialRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         import_token: "data", # required
-    #         encrypted_key_material: "data", # required
-    #         valid_to: Time.now,
-    #         expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
-    #       }
-    #
     # @!attribute [rw] key_id
-    #   The identifier of the symmetric KMS key that receives the imported
-    #   key material. The KMS key's `Origin` must be `EXTERNAL`. This must
-    #   be the same KMS key specified in the `KeyID` parameter of the
-    #   corresponding GetParametersForImport request.
+    #   The identifier of the KMS key that will be associated with the
+    #   imported key material. This must be the same KMS key specified in
+    #   the `KeyID` parameter of the corresponding GetParametersForImport
+    #   request. The `Origin` of the KMS key must be `EXTERNAL` and its
+    #   `KeyState` must be `PendingImport`.
+    #
+    #   The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
+    #   asymmetric encryption KMS key, or asymmetric signing KMS key,
+    #   including a [multi-Region
+    #   key](kms/latest/developerguide/multi-region-keys-overview.html) of
+    #   any supported type. You cannot perform this operation on a KMS key
+    #   in a custom key store, or on a KMS key in a different Amazon Web
+    #   Services account.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -2907,25 +3523,47 @@ module Aws::KMS
     #
     # @!attribute [rw] encrypted_key_material
     #   The encrypted key material to import. The key material must be
-    #   encrypted with the public wrapping key that GetParametersForImport
+    #   encrypted under the public wrapping key that GetParametersForImport
     #   returned, using the wrapping algorithm that you specified in the
     #   same `GetParametersForImport` request.
     #   @return [String]
     #
     # @!attribute [rw] valid_to
-    #   The time at which the imported key material expires. When the key
-    #   material expires, KMS deletes the key material and the KMS key
-    #   becomes unusable. You must omit this parameter when the
-    #   `ExpirationModel` parameter is set to
-    #   `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
+    #   The date and time when the imported key material expires. This
+    #   parameter is required when the value of the `ExpirationModel`
+    #   parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
+    #
+    #   The value of this parameter must be a future date and time. The
+    #   maximum value is 365 days from the request date.
+    #
+    #   When the key material expires, KMS deletes the key material from the
+    #   KMS key. Without its key material, the KMS key is unusable. To use
+    #   the KMS key in cryptographic operations, you must reimport the same
+    #   key material.
+    #
+    #   You cannot change the `ExpirationModel` or `ValidTo` values for the
+    #   current import after the request completes. To change either value,
+    #   you must delete (DeleteImportedKeyMaterial) and reimport the key
+    #   material.
     #   @return [Time]
     #
     # @!attribute [rw] expiration_model
     #   Specifies whether the key material expires. The default is
-    #   `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
-    #   parameter. When this parameter is set to
+    #   `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
+    #   expiration time][1] in the *Key Management Service Developer Guide*.
+    #
+    #   When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
+    #   must specify a value for the `ValidTo` parameter. When value is
     #   `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
     #   parameter.
+    #
+    #   You cannot change the `ExpirationModel` or `ValidTo` values for the
+    #   current import after the request completes. To change either value,
+    #   you must reimport the key material.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -2976,11 +3614,11 @@ module Aws::KMS
     end
 
     # The request was rejected because the trust anchor certificate in the
-    # request is not the trust anchor certificate for the specified CloudHSM
-    # cluster.
+    # request to create an CloudHSM key store is not the trust anchor
+    # certificate for the specified CloudHSM cluster.
     #
-    # When you [initialize the cluster][1], you create the trust anchor
-    # certificate and save it in the `customerCA.crt` file.
+    # When you [initialize the CloudHSM cluster][1], you create the trust
+    # anchor certificate and save it in the `customerCA.crt` file.
     #
     #
     #
@@ -3095,9 +3733,11 @@ module Aws::KMS
     #   key `(KeySpec`).
     #
     # For encrypting, decrypting, re-encrypting, and generating data keys,
-    # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
-    # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS
-    # key, use the DescribeKey operation.
+    # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
+    # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
+    # verifying message authentication codes (MACs), the `KeyUsage` must be
+    # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
+    # DescribeKey operation.
     #
     # To find the encryption or signing algorithms supported for a
     # particular KMS key, use the DescribeKey operation.
@@ -3141,6 +3781,22 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # The request was rejected because the HMAC verification failed. HMAC
+    # verification fails when the HMAC computed by using the specified
+    # message, HMAC KMS key, and MAC algorithm does not match the HMAC
+    # specified in the request.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
+    #
+    class KMSInvalidMacException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The request was rejected because the signature verification failed.
     # Signature verification fails when it cannot confirm that signature was
     # produced by signing the specified message with the specified KMS key
@@ -3160,9 +3816,19 @@ module Aws::KMS
     # The request was rejected because the state of the specified resource
     # is not valid for this request.
     #
-    # For more information about how key state affects the use of a KMS key,
-    # see [Key state: Effect on your KMS key][1] in the <i> <i>Key
-    # Management Service Developer Guide</i> </i>.
+    # This exceptions means one of the following:
+    #
+    # * The key state of the KMS key is not compatible with the operation.
+    #
+    #   To find the key state, use the DescribeKey operation. For more
+    #   information about which key states are compatible with each KMS
+    #   operation, see [Key states of KMS keys][1] in the <i> <i>Key
+    #   Management Service Developer Guide</i> </i>.
+    #
+    # * For cryptographic operations on KMS keys in custom key stores, this
+    #   exception represents a general failure with many possible causes. To
+    #   identify the cause, see the error message that accompanies the
+    #   exception.
     #
     #
     #
@@ -3200,8 +3866,8 @@ module Aws::KMS
 
     # Contains metadata about a KMS key.
     #
-    # This data type is used as a response element for the CreateKey and
-    # DescribeKey operations.
+    # This data type is used as a response element for the CreateKey,
+    # DescribeKey, and ReplicateKey operations.
     #
     # @!attribute [rw] aws_account_id
     #   The twelve-digit account ID of the Amazon Web Services account that
@@ -3247,8 +3913,8 @@ module Aws::KMS
     #   The current status of the KMS key.
     #
     #   For more information about how key state affects the use of a KMS
-    #   key, see [Key state: Effect on your KMS key][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   key, see [Key states of KMS keys][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
@@ -3285,7 +3951,7 @@ module Aws::KMS
     #
     # @!attribute [rw] custom_key_store_id
     #   A unique identifier for the [custom key store][1] that contains the
-    #   KMS key. This value is present only when the KMS key is created in a
+    #   KMS key. This field is present only when the KMS key is created in a
     #   custom key store.
     #
     #
@@ -3295,10 +3961,10 @@ module Aws::KMS
     #
     # @!attribute [rw] cloud_hsm_cluster_id
     #   The cluster ID of the CloudHSM cluster that contains the key
-    #   material for the KMS key. When you create a KMS key in a [custom key
-    #   store][1], KMS creates the key material for the KMS key in the
-    #   associated CloudHSM cluster. This value is present only when the KMS
-    #   key is created in a custom key store.
+    #   material for the KMS key. When you create a KMS key in an CloudHSM
+    #   [custom key store][1], KMS creates the key material for the KMS key
+    #   in the associated CloudHSM cluster. This field is present only when
+    #   the KMS key is created in an CloudHSM key store.
     #
     #
     #
@@ -3327,7 +3993,7 @@ module Aws::KMS
     #
     #   The `KeySpec` and `CustomerMasterKeySpec` fields have the same
     #   value. We recommend that you use the `KeySpec` field in your code.
-    #   However, to avoid breaking changes, KMS will support both fields.
+    #   However, to avoid breaking changes, KMS supports both fields.
     #   @return [String]
     #
     # @!attribute [rw] key_spec
@@ -3355,9 +4021,8 @@ module Aws::KMS
     #   (`False`) key. This value is `True` for multi-Region primary and
     #   replica keys and `False` for regional KMS keys.
     #
-    #   For more information about multi-Region keys, see [Using
-    #   multi-Region keys][1] in the *Key Management Service Developer
-    #   Guide*.
+    #   For more information about multi-Region keys, see [Multi-Region keys
+    #   in KMS][1] in the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -3402,6 +4067,26 @@ module Aws::KMS
     #   the deletion date appears in the `DeletionDate` field.
     #   @return [Integer]
     #
+    # @!attribute [rw] mac_algorithms
+    #   The message authentication code (MAC) algorithm that the HMAC KMS
+    #   key supports.
+    #
+    #   This value is present only when the `KeyUsage` of the KMS key is
+    #   `GENERATE_VERIFY_MAC`.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] xks_key_configuration
+    #   Information about the external key that is associated with a KMS key
+    #   in an external key store.
+    #
+    #   For more information, see [External key][1] in the *Key Management
+    #   Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
+    #   @return [Types::XksKeyConfigurationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
     #
     class KeyMetadata < Struct.new(
@@ -3426,7 +4111,9 @@ module Aws::KMS
       :signing_algorithms,
       :multi_region,
       :multi_region_configuration,
-      :pending_deletion_window_in_days)
+      :pending_deletion_window_in_days,
+      :mac_algorithms,
+      :xks_key_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3464,15 +4151,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListAliasesRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType",
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Lists only aliases that are associated with the specified KMS key.
     #   Enter a KMS key in your Amazon Web Services account.
@@ -3545,17 +4223,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListGrantsRequest
-    #   data as a hash:
-    #
-    #       {
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #         key_id: "KeyIdType", # required
-    #         grant_id: "GrantIdType",
-    #         grantee_principal: "PrincipalIdType",
-    #       }
-    #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, KMS does not return more than the
@@ -3639,15 +4306,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListKeyPoliciesRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Gets the names of key policies for the specified KMS key.
     #
@@ -3718,14 +4376,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListKeysRequest
-    #   data as a hash:
-    #
-    #       {
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #       }
-    #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, KMS does not return more than the
@@ -3777,15 +4427,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListResourceTagsRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Gets tags on the specified KMS key.
     #
@@ -3834,8 +4475,8 @@ module Aws::KMS
     #   A list of tags. Each tag consists of a tag key and a tag value.
     #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
-    #   KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   KMS key. For details, see [ABAC for KMS][1] in the *Key Management
+    #   Service Developer Guide*.
     #
     #    </note>
     #
@@ -3868,15 +4509,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListRetirableGrantsRequest
-    #   data as a hash:
-    #
-    #       {
-    #         limit: 1,
-    #         marker: "MarkerType",
-    #         retiring_principal: "PrincipalIdType", # required
-    #       }
-    #
     # @!attribute [rw] limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, KMS does not return more than the
@@ -3898,17 +4530,16 @@ module Aws::KMS
     #   in your Amazon Web Services account.
     #
     #   To specify the retiring principal, use the [Amazon Resource Name
-    #   (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
-    #   Services principals include Amazon Web Services accounts (root), IAM
-    #   users, federated users, and assumed role users. For examples of the
-    #   ARN syntax for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   (ARN)][1] of an Amazon Web Services principal. Valid principals
+    #   include Amazon Web Services accounts, IAM users, IAM roles,
+    #   federated users, and assumed role users. For help with the ARN
+    #   syntax for a principal, see [IAM ARNs][2] in the <i> <i>Identity and
+    #   Access Management User Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
@@ -4001,16 +4632,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass PutKeyPolicyRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         policy_name: "PolicyNameType", # required
-    #         policy: "PolicyType", # required
-    #         bypass_policy_lockout_safety_check: false,
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Sets the key policy on the specified KMS key.
     #
@@ -4036,55 +4657,65 @@ module Aws::KMS
     #
     #   The key policy must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must allow the principal that is making the
-    #     `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
-    #     on the KMS key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][1] section of the *Key Management Service
-    #     Developer Guide*.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][1] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][2] in the *Amazon Web Services Identity and
-    #     Access Management User Guide*.
-    #
-    #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
-    #   information, see [Resource Quotas][3] in the *Key Management Service
-    #   Developer Guide*.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][2] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
+    #
+    #   A key policy document can include only the following characters:
     #
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
     #
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
+    #
+    #   For information about key policies, see [Key policies in KMS][3] in
+    #   the *Key Management Service Developer Guide*.For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][4] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
-    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   that is making the request from making a subsequent PutKeyPolicy
     #   request on the KMS key.
     #
-    #   The default value is false.
-    #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -4098,24 +4729,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ReEncryptRequest
-    #   data as a hash:
-    #
-    #       {
-    #         ciphertext_blob: "data", # required
-    #         source_encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         source_key_id: "KeyIdType",
-    #         destination_key_id: "KeyIdType", # required
-    #         destination_encryption_context: {
-    #           "EncryptionContextKey" => "EncryptionContextValue",
-    #         },
-    #         source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #         destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
-    #
     # @!attribute [rw] ciphertext_blob
     #   Ciphertext of the data to reencrypt.
     #   @return [String]
@@ -4126,13 +4739,15 @@ module Aws::KMS
     #   ciphertext.
     #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -4142,15 +4757,18 @@ module Aws::KMS
     #
     # @!attribute [rw] source_key_id
     #   Specifies the KMS key that KMS will use to decrypt the ciphertext
-    #   before it is re-encrypted. Enter a key ID of the KMS key that was
-    #   used to encrypt the ciphertext.
+    #   before it is re-encrypted.
+    #
+    #   Enter a key ID of the KMS key that was used to encrypt the
+    #   ciphertext. If you identify a different KMS key, the `ReEncrypt`
+    #   operation throws an `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS
-    #   can get the KMS key from metadata that it adds to the symmetric
-    #   ciphertext blob. However, it is always recommended as a best
-    #   practice. This practice ensures that you use the KMS key that you
-    #   intend.
+    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
+    #   key, KMS can get the KMS key from metadata that it adds to the
+    #   symmetric ciphertext blob. However, it is always recommended as a
+    #   best practice. This practice ensures that you use the KMS key that
+    #   you intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4174,9 +4792,9 @@ module Aws::KMS
     #
     # @!attribute [rw] destination_key_id
     #   A unique identifier for the KMS key that is used to reencrypt the
-    #   data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
-    #   value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS
-    #   key, use the DescribeKey operation.
+    #   data. Specify a symmetric encryption KMS key or an asymmetric KMS
+    #   key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
+    #   `KeyUsage` value of a KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4202,18 +4820,24 @@ module Aws::KMS
     #   Specifies that encryption context to use when the reencrypting the
     #   data.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   A destination encryption context is valid only when the destination
-    #   KMS key is a symmetric KMS key. The standard ciphertext format for
-    #   asymmetric KMS keys does not include fields for metadata.
+    #   KMS key is a symmetric encryption KMS key. The standard ciphertext
+    #   format for asymmetric KMS keys does not include fields for metadata.
     #
     #   An *encryption context* is a collection of non-secret key-value
-    #   pairs that represents additional authenticated data. When you use an
+    #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data.
-    #   An encryption context is optional when encrypting with a symmetric
-    #   KMS key, but it is highly recommended.
+    #   An encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS
+    #   keys, an encryption context is optional, but it is strongly
+    #   recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -4224,8 +4848,8 @@ module Aws::KMS
     # @!attribute [rw] source_encryption_algorithm
     #   Specifies the encryption algorithm that KMS will use to decrypt the
     #   ciphertext before it is reencrypted. The default value,
-    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
-    #   keys.
+    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
+    #   encryption KMS keys.
     #
     #   Specify the same algorithm that was used to encrypt the ciphertext.
     #   If you specify a different algorithm, the decrypt attempt fails.
@@ -4238,7 +4862,7 @@ module Aws::KMS
     #   Specifies the encryption algorithm that KMS will use to reecrypt the
     #   data after it has decrypted it. The default value,
     #   `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
-    #   symmetric KMS keys.
+    #   symmetric encryption KMS keys.
     #
     #   This parameter is required only when the destination KMS key is an
     #   asymmetric KMS key.
@@ -4258,6 +4882,18 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
     #
     class ReEncryptRequest < Struct.new(
@@ -4268,7 +4904,8 @@ module Aws::KMS
       :destination_encryption_context,
       :source_encryption_algorithm,
       :destination_encryption_algorithm,
-      :grant_tokens)
+      :grant_tokens,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4314,23 +4951,39 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ReplicateKeyRequest
-    #   data as a hash:
+    # Contains information about the party that receives the response from
+    # the API operation.
+    #
+    # This data type is designed to support Amazon Web Services Nitro
+    # Enclaves, which lets you create an isolated compute environment in
+    # Amazon EC2. For information about the interaction between KMS and
+    # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
+    # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
+    #
+    #
     #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         replica_region: "RegionType", # required
-    #         policy: "PolicyType",
-    #         bypass_policy_lockout_safety_check: false,
-    #         description: "DescriptionType",
-    #         tags: [
-    #           {
-    #             tag_key: "TagKeyType", # required
-    #             tag_value: "TagValueType", # required
-    #           },
-    #         ],
-    #       }
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #
+    # @!attribute [rw] key_encryption_algorithm
+    #   The encryption algorithm that KMS should use with the public key for
+    #   an Amazon Web Services Nitro Enclave to encrypt plaintext values for
+    #   the response. The only valid value is `RSAES_OAEP_SHA_256`.
+    #   @return [String]
+    #
+    # @!attribute [rw] attestation_document
+    #   The attestation document for an Amazon Web Services Nitro Enclave.
+    #   This document includes the enclave's public key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
+    #
+    class RecipientInfo < Struct.new(
+      :key_encryption_algorithm,
+      :attestation_document)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] key_id
     #   Identifies the multi-Region primary key that is being replicated. To
     #   determine whether a KMS key is a multi-Region primary key, use the
@@ -4359,24 +5012,33 @@ module Aws::KMS
     #   [KMS service endpoints][1] in the *Amazon Web Services General
     #   Reference*.
     #
+    #   <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
+    #   If you try to replicate an HMAC KMS key in an Amazon Web Services
+    #   Region in which HMAC keys are not supported, the `ReplicateKey`
+    #   operation returns an `UnsupportedOperationException`. For a list of
+    #   Regions in which HMAC KMS keys are supported, see [HMAC keys in
+    #   KMS][2] in the *Key Management Service Developer Guide*.
+    #
+    #    </note>
+    #
     #   The replica must be in a different Amazon Web Services Region than
     #   its primary key and other replicas of that primary key, but in the
     #   same Amazon Web Services partition. KMS must be available in the
     #   replica Region. If the Region is not enabled by default, the Amazon
-    #   Web Services account must be enabled in the Region.
-    #
-    #   For information about Amazon Web Services partitions, see [Amazon
-    #   Resource Names (ARNs) in the *Amazon Web Services General
-    #   Reference*.][2] For information about enabling and disabling
-    #   Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
-    #   the *Amazon Web Services General Reference*.
+    #   Web Services account must be enabled in the Region. For information
+    #   about Amazon Web Services partitions, see [Amazon Resource Names
+    #   (ARNs)][3] in the *Amazon Web Services General Reference*. For
+    #   information about enabling and disabling Regions, see [Enabling a
+    #   Region][4] and [Disabling a Region][5] in the *Amazon Web Services
+    #   General Reference*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
-    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
+    #   [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
     #   @return [String]
     #
     # @!attribute [rw] policy
@@ -4391,58 +5053,76 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must give the caller `kms:PutKeyPolicy` permission on
-    #     the replica key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][2] section of the <i> <i>Key Management
-    #     Service Developer Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][2] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][3] in the <i> <i>Identity and Access
-    #     Management User Guide</i> </i>.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][3] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
+    #
+    #   A key policy document can include only the following characters:
+    #
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
+    #
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
     #
-    #   * The key policy size quota is 32 kilobytes (32768 bytes).
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
+    #
+    #   For information about key policies, see [Key policies in KMS][4] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][5] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
-    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   that is making the request from making a subsequent PutKeyPolicy
     #   request on the KMS key.
     #
-    #   The default value is false.
-    #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @!attribute [rw] description
     #   A description of the KMS key. The default value is an empty string
     #   (no description).
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   The description is not a shared property of multi-Region keys. You
     #   can specify the same description or a different description for each
     #   key in a set of related multi-Region keys. KMS does not synchronize
@@ -4454,9 +5134,13 @@ module Aws::KMS
     #   tag the KMS key when it is created. To tag an existing KMS key, use
     #   the TagResource operation.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
-    #   KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   KMS key. For details, see [ABAC for KMS][1] in the *Key Management
+    #   Service Developer Guide*.
     #
     #    </note>
     #
@@ -4500,9 +5184,9 @@ module Aws::KMS
 
     # @!attribute [rw] replica_key_metadata
     #   Displays details about the new replica key, including its Amazon
-    #   Resource Name ([key ARN][1]) and [key state][2]. It also includes
-    #   the ARN and Amazon Web Services Region of its primary key and other
-    #   replica keys.
+    #   Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
+    #   also includes the ARN and Amazon Web Services Region of its primary
+    #   key and other replica keys.
     #
     #
     #
@@ -4530,15 +5214,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass RetireGrantRequest
-    #   data as a hash:
-    #
-    #       {
-    #         grant_token: "GrantTokenType",
-    #         key_id: "KeyIdType",
-    #         grant_id: "GrantIdType",
-    #       }
-    #
     # @!attribute [rw] grant_token
     #   Identifies the grant to be retired. You can use a grant token to
     #   identify a new grant even before it has achieved eventual
@@ -4572,24 +5247,29 @@ module Aws::KMS
     #   ^
     #   @return [String]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
     #
     class RetireGrantRequest < Struct.new(
       :grant_token,
       :key_id,
-      :grant_id)
+      :grant_id,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass RevokeGrantRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         grant_id: "GrantIdType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   A unique identifier for the KMS key associated with the grant. To
     #   get the key ID and key ARN for a KMS key, use ListKeys or
@@ -4615,23 +5295,28 @@ module Aws::KMS
     #   CreateGrant, ListGrants, or ListRetirableGrants.
     #   @return [String]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
     #
     class RevokeGrantRequest < Struct.new(
       :key_id,
-      :grant_id)
+      :grant_id,
+      :dry_run)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ScheduleKeyDeletionRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         pending_window_in_days: 1,
-    #       }
-    #
     # @!attribute [rw] key_id
     #   The unique identifier of the KMS key to delete.
     #
@@ -4652,12 +5337,19 @@ module Aws::KMS
     #   The waiting period, specified in number of days. After the waiting
     #   period ends, KMS deletes the KMS key.
     #
-    #   If the KMS key is a multi-Region primary key with replicas, the
+    #   If the KMS key is a multi-Region primary key with replica keys, the
     #   waiting period begins when the last of its replica keys is deleted.
     #   Otherwise, the waiting period begins immediately.
     #
     #   This value is optional. If you include a value, it must be between 7
     #   and 30, inclusive. If you do not include a value, it defaults to 30.
+    #   You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
+    #   condition key to further constrain the values that principals can
+    #   specify in the `PendingWindowInDays` parameter.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
@@ -4690,8 +5382,8 @@ module Aws::KMS
     #   The current status of the KMS key.
     #
     #   For more information about how key state affects the use of a KMS
-    #   key, see [Key state: Effect on your KMS key][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   key, see [Key states of KMS keys][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
@@ -4717,17 +5409,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass SignRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         message: "data", # required
-    #         message_type: "RAW", # accepts RAW, DIGEST
-    #         grant_tokens: ["GrantTokenType"],
-    #         signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies an asymmetric KMS key. KMS uses the private key in the
     #   asymmetric KMS key to sign the message. The `KeyUsage` type of the
@@ -4756,16 +5437,55 @@ module Aws::KMS
     #
     # @!attribute [rw] message
     #   Specifies the message or message digest to sign. Messages can be
-    #   0-4096 bytes. To sign a larger message, provide the message digest.
+    #   0-4096 bytes. To sign a larger message, provide a message digest.
     #
-    #   If you provide a message, KMS generates a hash digest of the message
-    #   and then signs it.
+    #   If you provide a message digest, use the `DIGEST` value of
+    #   `MessageType` to prevent the digest from being hashed again while
+    #   signing.
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message
-    #   or message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already
+    #   hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message`
+    #   parameter is a message digest. If you use the `DIGEST` value with an
+    #   unhashed message, the security of the signing operation can be
+    #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or
+    #   specify `RAW` so the digest is hashed again while signing. However,
+    #   this can cause verification failures when verifying with a system
+    #   that assumes a single hash.
+    #
+    #   The hashing algorithm in that `Sign` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -4786,9 +5506,23 @@ module Aws::KMS
     #   Specifies the signing algorithm to use when signing the message.
     #
     #   Choose an algorithm that is compatible with the type and size of the
-    #   specified asymmetric KMS key.
+    #   specified asymmetric KMS key. When signing with RSA key pairs,
+    #   RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
+    #   algorithms for compatibility with existing applications.
     #   @return [String]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
     #
     class SignRequest < Struct.new(
@@ -4796,7 +5530,8 @@ module Aws::KMS
       :message,
       :message_type,
       :grant_tokens,
-      :signing_algorithm)
+      :signing_algorithm,
+      :dry_run)
       SENSITIVE = [:message]
       include Aws::Structure
     end
@@ -4818,7 +5553,7 @@ module Aws::KMS
     #
     #   * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
     #     `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
-    #     object as defined by ANS X9.62–2005 and [RFC 3279 Section
+    #     object as defined by ANSI X9.62–2005 and [RFC 3279 Section
     #     2.2.3][2]. This is the most commonly used signature format and is
     #     appropriate for most uses.
     #
@@ -4849,6 +5584,10 @@ module Aws::KMS
     # keys and tag values are both required, but tag values can be empty
     # (null) strings.
     #
+    # Do not include confidential or sensitive information in this field.
+    # This field may be displayed in plaintext in CloudTrail logs and other
+    # output.
+    #
     # For information about the rules that apply to tag keys and tag values,
     # see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
     # Billing and Cost Management User Guide*.
@@ -4857,14 +5596,6 @@ module Aws::KMS
     #
     # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
     #
-    # @note When making an API call, you may pass Tag
-    #   data as a hash:
-    #
-    #       {
-    #         tag_key: "TagKeyType", # required
-    #         tag_value: "TagValueType", # required
-    #       }
-    #
     # @!attribute [rw] tag_key
     #   The key of the tag.
     #   @return [String]
@@ -4895,19 +5626,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass TagResourceRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         tags: [ # required
-    #           {
-    #             tag_key: "TagKeyType", # required
-    #             tag_value: "TagValueType", # required
-    #           },
-    #         ],
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies a customer managed key in the account and Region.
     #
@@ -4925,10 +5643,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] tags
-    #   One or more tags.
+    #   One or more tags. Each tag consists of a tag key and a tag value.
+    #   The tag value can be an empty (null) string.
     #
-    #   Each tag consists of a tag key and a tag value. The tag value can be
-    #   an empty (null) string.
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #
     #   You cannot have more than one tag on a KMS key with the same tag
     #   key. If you specify an existing tag key with a different tag value,
@@ -4958,14 +5678,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UntagResourceRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         tag_keys: ["TagKeyType"], # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the KMS key from which you are removing tags.
     #
@@ -4995,19 +5707,15 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UpdateAliasRequest
-    #   data as a hash:
-    #
-    #       {
-    #         alias_name: "AliasNameType", # required
-    #         target_key_id: "KeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] alias_name
     #   Identifies the alias that is changing its KMS key. This value must
     #   begin with `alias/` followed by the alias name, such as
-    #   `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
-    #   name.
+    #   `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
+    #   alias name.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #   @return [String]
     #
     # @!attribute [rw] target_key_id
@@ -5018,7 +5726,7 @@ module Aws::KMS
     #   The KMS key must be in the same Amazon Web Services account and
     #   Region as the alias. Also, the new target KMS key must be the same
     #   type as the current target KMS key (both symmetric or both
-    #   asymmetric) and they must have the same key usage.
+    #   asymmetric or both HMAC) and they must have the same key usage.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -5050,16 +5758,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UpdateCustomKeyStoreRequest
-    #   data as a hash:
-    #
-    #       {
-    #         custom_key_store_id: "CustomKeyStoreIdType", # required
-    #         new_custom_key_store_name: "CustomKeyStoreNameType",
-    #         key_store_password: "KeyStorePasswordType",
-    #         cloud_hsm_cluster_id: "CloudHsmClusterIdType",
-    #       }
-    #
     # @!attribute [rw] custom_key_store_id
     #   Identifies the custom key store that you want to update. Enter the
     #   ID of the custom key store. To find the ID of a custom key store,
@@ -5070,19 +5768,32 @@ module Aws::KMS
     #   Changes the friendly name of the custom key store to the value that
     #   you specify. The custom key store name must be unique in the Amazon
     #   Web Services account.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
+    #   To change this value, an CloudHSM key store must be disconnected. An
+    #   external key store can be connected or disconnected.
     #   @return [String]
     #
     # @!attribute [rw] key_store_password
     #   Enter the current password of the `kmsuser` crypto user (CU) in the
-    #   CloudHSM cluster that is associated with the custom key store.
+    #   CloudHSM cluster that is associated with the custom key store. This
+    #   parameter is valid only for custom key stores with a
+    #   `CustomKeyStoreType` of `AWS_CLOUDHSM`.
     #
     #   This parameter tells KMS the current password of the `kmsuser`
     #   crypto user (CU). It does not set or change the password of any
     #   users in the CloudHSM cluster.
+    #
+    #   To change this value, the CloudHSM key store must be disconnected.
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
     #   Associates the custom key store with a related CloudHSM cluster.
+    #   This parameter is valid only for custom key stores with a
+    #   `CustomKeyStoreType` of `AWS_CLOUDHSM`.
     #
     #   Enter the cluster ID of the cluster that you used to create the
     #   custom key store or a cluster that shares a backup history and has
@@ -5093,19 +5804,111 @@ module Aws::KMS
     #   To view the cluster certificate of a cluster, use the
     #   [DescribeClusters][2] operation.
     #
+    #   To change this value, the CloudHSM key store must be disconnected.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
     #   [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
     #   @return [String]
     #
+    # @!attribute [rw] xks_proxy_uri_endpoint
+    #   Changes the URI endpoint that KMS uses to connect to your external
+    #   key store proxy (XKS proxy). This parameter is valid only for custom
+    #   key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
+    #
+    #   For external key stores with an `XksProxyConnectivity` value of
+    #   `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
+    #
+    #   For external key stores with an `XksProxyConnectivity` value of
+    #   `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
+    #   DNS name associated with the VPC endpoint service. Each external key
+    #   store must use a different private DNS name.
+    #
+    #   The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
+    #   be unique in the Amazon Web Services account and Region.
+    #
+    #   To change this value, the external key store must be disconnected.
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_uri_path
+    #   Changes the base path to the proxy APIs for this external key store.
+    #   To find this value, see the documentation for your external key
+    #   manager and external key store proxy (XKS proxy). This parameter is
+    #   valid only for custom key stores with a `CustomKeyStoreType` of
+    #   `EXTERNAL_KEY_STORE`.
+    #
+    #   The value must start with `/` and must end with `/kms/xks/v1`, where
+    #   `v1` represents the version of the KMS external key store proxy API.
+    #   You can include an optional prefix between the required elements
+    #   such as `/example/kms/xks/v1`.
+    #
+    #   The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
+    #   be unique in the Amazon Web Services account and Region.
+    #
+    #   You can change this value when the external key store is connected
+    #   or disconnected.
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
+    #   Changes the name that KMS uses to identify the Amazon VPC endpoint
+    #   service for your external key store proxy (XKS proxy). This
+    #   parameter is valid when the `CustomKeyStoreType` is
+    #   `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
+    #   `VPC_ENDPOINT_SERVICE`.
+    #
+    #   To change this value, the external key store must be disconnected.
+    #   @return [String]
+    #
+    # @!attribute [rw] xks_proxy_authentication_credential
+    #   Changes the credentials that KMS uses to sign requests to the
+    #   external key store proxy (XKS proxy). This parameter is valid only
+    #   for custom key stores with a `CustomKeyStoreType` of
+    #   `EXTERNAL_KEY_STORE`.
+    #
+    #   You must specify both the `AccessKeyId` and `SecretAccessKey` value
+    #   in the authentication credential, even if you are only updating one
+    #   value.
+    #
+    #   This parameter doesn't establish or change your authentication
+    #   credentials on the proxy. It just tells KMS the credential that you
+    #   established with your external key store proxy. For example, if you
+    #   rotate the credential on your external key store proxy, you can use
+    #   this parameter to update the credential in KMS.
+    #
+    #   You can change this value when the external key store is connected
+    #   or disconnected.
+    #   @return [Types::XksProxyAuthenticationCredentialType]
+    #
+    # @!attribute [rw] xks_proxy_connectivity
+    #   Changes the connectivity setting for the external key store. To
+    #   indicate that the external key store proxy uses a Amazon VPC
+    #   endpoint service to communicate with KMS, specify
+    #   `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
+    #
+    #   If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
+    #   you must also change the `XksProxyUriEndpoint` and add an
+    #   `XksProxyVpcEndpointServiceName` value.
+    #
+    #   If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
+    #   must also change the `XksProxyUriEndpoint` and specify a null or
+    #   empty string for the `XksProxyVpcEndpointServiceName` value.
+    #
+    #   To change this value, the external key store must be disconnected.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
     #
     class UpdateCustomKeyStoreRequest < Struct.new(
       :custom_key_store_id,
       :new_custom_key_store_name,
       :key_store_password,
-      :cloud_hsm_cluster_id)
+      :cloud_hsm_cluster_id,
+      :xks_proxy_uri_endpoint,
+      :xks_proxy_uri_path,
+      :xks_proxy_vpc_endpoint_service_name,
+      :xks_proxy_authentication_credential,
+      :xks_proxy_connectivity)
       SENSITIVE = [:key_store_password]
       include Aws::Structure
     end
@@ -5114,14 +5917,6 @@ module Aws::KMS
     #
     class UpdateCustomKeyStoreResponse < Aws::EmptyStructure; end
 
-    # @note When making an API call, you may pass UpdateKeyDescriptionRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         description: "DescriptionType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Updates the description of the specified KMS key.
     #
@@ -5140,6 +5935,10 @@ module Aws::KMS
     #
     # @!attribute [rw] description
     #   New description for the KMS key.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
@@ -5151,14 +5950,6 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UpdatePrimaryRegionRequest
-    #   data as a hash:
-    #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         primary_region: "RegionType", # required
-    #       }
-    #
     # @!attribute [rw] key_id
     #   Identifies the current primary key. When the operation completes,
     #   this KMS key will be a replica key.
@@ -5194,18 +5985,102 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass VerifyRequest
-    #   data as a hash:
+    # @!attribute [rw] message
+    #   The message that will be used in the verification. Enter the same
+    #   message that was used to generate the HMAC.
     #
-    #       {
-    #         key_id: "KeyIdType", # required
-    #         message: "data", # required
-    #         message_type: "RAW", # accepts RAW, DIGEST
-    #         signature: "data", # required
-    #         signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
-    #         grant_tokens: ["GrantTokenType"],
-    #       }
+    #   GenerateMac and `VerifyMac` do not provide special handling for
+    #   message digests. If you generated an HMAC for a hash digest of a
+    #   message, you must verify the HMAC for the same hash digest.
+    #   @return [String]
     #
+    # @!attribute [rw] key_id
+    #   The KMS key that will be used in the verification.
+    #
+    #   Enter a key ID of the KMS key that was used to generate the HMAC. If
+    #   you identify a different KMS key, the `VerifyMac` operation fails.
+    #   @return [String]
+    #
+    # @!attribute [rw] mac_algorithm
+    #   The MAC algorithm that will be used in the verification. Enter the
+    #   same MAC algorithm that was used to compute the HMAC. This algorithm
+    #   must be supported by the HMAC KMS key identified by the `KeyId`
+    #   parameter.
+    #   @return [String]
+    #
+    # @!attribute [rw] mac
+    #   The HMAC to verify. Enter the HMAC that was generated by the
+    #   GenerateMac operation when you specified the same message, HMAC KMS
+    #   key, and MAC algorithm as the values specified in this request.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
+    #
+    class VerifyMacRequest < Struct.new(
+      :message,
+      :key_id,
+      :mac_algorithm,
+      :mac,
+      :grant_tokens,
+      :dry_run)
+      SENSITIVE = [:message]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   The HMAC KMS key used in the verification.
+    #   @return [String]
+    #
+    # @!attribute [rw] mac_valid
+    #   A Boolean value that indicates whether the HMAC was verified. A
+    #   value of `True` indicates that the HMAC (`Mac`) was generated with
+    #   the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
+    #
+    #   If the HMAC is not verified, the `VerifyMac` operation fails with a
+    #   `KMSInvalidMacException` exception. This exception indicates that
+    #   one or more of the inputs changed since the HMAC was computed.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] mac_algorithm
+    #   The MAC algorithm used in the verification.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
+    #
+    class VerifyMacResponse < Struct.new(
+      :key_id,
+      :mac_valid,
+      :mac_algorithm)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] key_id
     #   Identifies the asymmetric KMS key that will be used to verify the
     #   signature. This must be the same KMS key that was used to generate
@@ -5243,14 +6118,48 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message
-    #   or message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already
+    #   hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
     #
     #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with a
-    #   raw message, the security of the verification operation can be
+    #   parameter is a message digest. If you use the `DIGEST` value with an
+    #   unhashed message, the security of the verification operation can be
     #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or
+    #   specify `RAW` so the digest is hashed again while signing. However,
+    #   if the signed message is hashed once while signing, but twice while
+    #   verifying, verification fails, even when the message hasn't
+    #   changed.
+    #
+    #   The hashing algorithm in that `Verify` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] signature
@@ -5276,6 +6185,18 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
     #
     class VerifyRequest < Struct.new(
@@ -5284,7 +6205,8 @@ module Aws::KMS
       :message_type,
       :signature,
       :signing_algorithm,
-      :grant_tokens)
+      :grant_tokens,
+      :dry_run)
       SENSITIVE = [:message]
       include Aws::Structure
     end
@@ -5320,5 +6242,324 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # The request was rejected because the (`XksKeyId`) is already
+    # associated with a KMS key in this external key store. Each KMS key in
+    # an external key store must be associated with a different external
+    # key.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
+    #
+    class XksKeyAlreadyInUseException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Information about the [external key ][1]that is associated with a KMS
+    # key in an external key store.
+    #
+    # This element appears in a CreateKey or DescribeKey response only for a
+    # KMS key in an external key store.
+    #
+    # The *external key* is a symmetric encryption key that is hosted by an
+    # external key manager outside of Amazon Web Services. When you use the
+    # KMS key in an external key store in a cryptographic operation, the
+    # cryptographic operation is performed in the external key manager using
+    # the specified external key. For more information, see [External
+    # key][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
+    #
+    # @!attribute [rw] id
+    #   The ID of the external key in its external key manager. This is the
+    #   ID that the external key store proxy uses to identify the external
+    #   key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
+    #
+    class XksKeyConfigurationType < Struct.new(
+      :id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the external key specified by the
+    # `XksKeyId` parameter did not meet the configuration requirements for
+    # an external key store.
+    #
+    # The external key must be an AES-256 symmetric key that is enabled and
+    # performs encryption and decryption.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
+    #
+    class XksKeyInvalidConfigurationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the external key store proxy could
+    # not find the external key. This exception is thrown when the value of
+    # the `XksKeyId` parameter doesn't identify a key in the external key
+    # manager associated with the external key proxy.
+    #
+    # Verify that the `XksKeyId` represents an existing key in the external
+    # key manager. Use the key identifier that the external key store proxy
+    # uses to identify the key. For details, see the documentation provided
+    # with your external key store proxy or key manager.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
+    #
+    class XksKeyNotFoundException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # KMS uses the authentication credential to sign requests that it sends
+    # to the external key store proxy (XKS proxy) on your behalf. You
+    # establish these credentials on your external key store proxy and
+    # report them to KMS.
+    #
+    # The `XksProxyAuthenticationCredential` includes two required elements.
+    #
+    # @!attribute [rw] access_key_id
+    #   A unique identifier for the raw secret access key.
+    #   @return [String]
+    #
+    # @!attribute [rw] raw_secret_access_key
+    #   A secret string of 43-64 characters. Valid characters are a-z, A-Z,
+    #   0-9, /, +, and =.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
+    #
+    class XksProxyAuthenticationCredentialType < Struct.new(
+      :access_key_id,
+      :raw_secret_access_key)
+      SENSITIVE = [:access_key_id, :raw_secret_access_key]
+      include Aws::Structure
+    end
+
+    # Detailed information about the external key store proxy (XKS proxy).
+    # Your external key store proxy translates KMS requests into a format
+    # that your external key manager can understand. These fields appear in
+    # a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
+    # is `EXTERNAL_KEY_STORE`.
+    #
+    # @!attribute [rw] connectivity
+    #   Indicates whether the external key store proxy uses a public
+    #   endpoint or an Amazon VPC endpoint service to communicate with KMS.
+    #   @return [String]
+    #
+    # @!attribute [rw] access_key_id
+    #   The part of the external key store [proxy authentication
+    #   credential][1] that uniquely identifies the secret access key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
+    #   @return [String]
+    #
+    # @!attribute [rw] uri_endpoint
+    #   The URI endpoint for the external key store proxy.
+    #
+    #   If the external key store proxy has a public endpoint, it is
+    #   displayed here.
+    #
+    #   If the external key store proxy uses an Amazon VPC endpoint service
+    #   name, this field displays the private DNS name associated with the
+    #   VPC endpoint service.
+    #   @return [String]
+    #
+    # @!attribute [rw] uri_path
+    #   The path to the external key store proxy APIs.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_endpoint_service_name
+    #   The Amazon VPC endpoint service used to communicate with the
+    #   external key store proxy. This field appears only when the external
+    #   key store proxy uses an Amazon VPC endpoint service to communicate
+    #   with KMS.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
+    #
+    class XksProxyConfigurationType < Struct.new(
+      :connectivity,
+      :access_key_id,
+      :uri_endpoint,
+      :uri_path,
+      :vpc_endpoint_service_name)
+      SENSITIVE = [:access_key_id]
+      include Aws::Structure
+    end
+
+    # The request was rejected because the proxy credentials failed to
+    # authenticate to the specified external key store proxy. The specified
+    # external key store proxy rejected a status request from KMS due to
+    # invalid credentials. This can indicate an error in the credentials or
+    # in the identification of the external key store proxy.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
+    #
+    class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the Amazon VPC endpoint service
+    # configuration does not fulfill the requirements for an external key
+    # store proxy. For details, see the exception message.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
+    #
+    class XksProxyInvalidConfigurationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # KMS cannot interpret the response it received from the external key
+    # store proxy. The problem might be a poorly constructed response, but
+    # it could also be a transient network issue. If you see this error
+    # repeatedly, report it to the proxy vendor.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
+    #
+    class XksProxyInvalidResponseException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the concatenation of the
+    # `XksProxyUriEndpoint` is already associated with an external key store
+    # in the Amazon Web Services account and Region. Each external key store
+    # in an account and Region must use a unique external key store proxy
+    # address.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
+    #
+    class XksProxyUriEndpointInUseException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the concatenation of the
+    # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
+    # an external key store in the Amazon Web Services account and Region.
+    # Each external key store in an account and Region must use a unique
+    # external key store proxy API address.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
+    #
+    class XksProxyUriInUseException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # KMS was unable to reach the specified `XksProxyUriPath`. The path must
+    # be reachable before you create the external key store or update its
+    # settings.
+    #
+    # This exception is also thrown when the external key store proxy
+    # response to a `GetHealthStatus` request indicates that all external
+    # key manager instances are unavailable.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
+    #
+    class XksProxyUriUnreachableException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the specified Amazon VPC endpoint
+    # service is already associated with an external key store in the Amazon
+    # Web Services account and Region. Each external key store in an Amazon
+    # Web Services account and Region must use a different Amazon VPC
+    # endpoint service.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
+    #
+    class XksProxyVpcEndpointServiceInUseException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because the Amazon VPC endpoint service
+    # configuration does not fulfill the requirements for an external key
+    # store proxy. For details, see the exception message and [review the
+    # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
+    # for Amazon VPC endpoint service connectivity for an external key
+    # store.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
+    #
+    class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request was rejected because KMS could not find the specified VPC
+    # endpoint service. Use DescribeCustomKeyStores to verify the VPC
+    # endpoint service name for the external key store. Also, confirm that
+    # the `Allow principals` list for the VPC endpoint service includes the
+    # KMS service principal for the Region, such as
+    # `cks.kms.us-east-1.amazonaws.com`.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
+    #
+    class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
   end
 end