aws-sdk-kms 1.52.0 → 1.72.0

@@ -61,13 +61,6 @@ module Aws::KMS
61
61
  include Aws::Structure
62
62
  end
63
63
 
64
- # @note When making an API call, you may pass CancelKeyDeletionRequest
65
- # data as a hash:
66
- #
67
- # {
68
- # key_id: "KeyIdType", # required
69
- # }
70
- #
71
64
  # @!attribute [rw] key_id
72
65
  # Identifies the KMS key whose deletion is being canceled.
73
66
  #
@@ -110,14 +103,14 @@ module Aws::KMS
110
103
  end
111
104
 
112
105
  # The request was rejected because the specified CloudHSM cluster is
113
- # already associated with a custom key store or it shares a backup
114
- # history with a cluster that is associated with a custom key store.
115
- # Each custom key store must be associated with a different CloudHSM
116
- # cluster.
106
+ # already associated with an CloudHSM key store in the account, or it
107
+ # shares a backup history with an CloudHSM key store in the account.
108
+ # Each CloudHSM key store in the account must be associated with a
109
+ # different CloudHSM cluster.
117
110
  #
118
- # Clusters that share a backup history have the same cluster
119
- # certificate. To view the cluster certificate of a cluster, use the
120
- # [DescribeClusters][1] operation.
111
+ # CloudHSM clusters that share a backup history have the same cluster
112
+ # certificate. To view the cluster certificate of an CloudHSM cluster,
113
+ # use the [DescribeClusters][1] operation.
121
114
  #
122
115
  #
123
116
  #
@@ -135,22 +128,23 @@ module Aws::KMS
135
128
  end
136
129
 
137
130
  # The request was rejected because the associated CloudHSM cluster did
138
- # not meet the configuration requirements for a custom key store.
131
+ # not meet the configuration requirements for an CloudHSM key store.
139
132
  #
140
- # * The cluster must be configured with private subnets in at least two
141
- # different Availability Zones in the Region.
133
+ # * The CloudHSM cluster must be configured with private subnets in at
134
+ # least two different Availability Zones in the Region.
142
135
  #
143
136
  # * The [security group for the cluster][1]
144
137
  # (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
145
138
  # rules and outbound rules that allow TCP traffic on ports 2223-2225.
146
139
  # The **Source** in the inbound rules and the **Destination** in the
147
140
  # outbound rules must match the security group ID. These rules are set
148
- # by default when you create the cluster. Do not delete or change
149
- # them. To get information about a particular security group, use the
150
- # [DescribeSecurityGroups][2] operation.
141
+ # by default when you create the CloudHSM cluster. Do not delete or
142
+ # change them. To get information about a particular security group,
143
+ # use the [DescribeSecurityGroups][2] operation.
151
144
  #
152
- # * The cluster must contain at least as many HSMs as the operation
153
- # requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
145
+ # * The CloudHSM cluster must contain at least as many HSMs as the
146
+ # operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
147
+ # operation.
154
148
  #
155
149
  # For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
156
150
  # operations, the CloudHSM cluster must have at least two active HSMs,
@@ -158,7 +152,7 @@ module Aws::KMS
158
152
  # operation, the CloudHSM must contain at least one active HSM.
159
153
  #
160
154
  # For information about the requirements for an CloudHSM cluster that is
161
- # associated with a custom key store, see [Assemble the
155
+ # associated with an CloudHSM key store, see [Assemble the
162
156
  # Prerequisites][4] in the *Key Management Service Developer Guide*. For
163
157
  # information about creating a private subnet for an CloudHSM cluster,
164
158
  # see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
@@ -184,10 +178,10 @@ module Aws::KMS
184
178
  include Aws::Structure
185
179
  end
186
180
 
187
- # The request was rejected because the CloudHSM cluster that is
188
- # associated with the custom key store is not active. Initialize and
189
- # activate the cluster and try the command again. For detailed
190
- # instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
181
+ # The request was rejected because the CloudHSM cluster associated with
182
+ # the CloudHSM key store is not active. Initialize and activate the
183
+ # cluster and try the command again. For detailed instructions, see
184
+ # [Getting Started][1] in the *CloudHSM User Guide*.
191
185
  #
192
186
  #
193
187
  #
@@ -221,16 +215,17 @@ module Aws::KMS
221
215
 
222
216
  # The request was rejected because the specified CloudHSM cluster has a
223
217
  # different cluster certificate than the original cluster. You cannot
224
- # use the operation to specify an unrelated cluster.
218
+ # use the operation to specify an unrelated cluster for an CloudHSM key
219
+ # store.
225
220
  #
226
- # Specify a cluster that shares a backup history with the original
227
- # cluster. This includes clusters that were created from a backup of the
228
- # current cluster, and clusters that were created from the same backup
229
- # that produced the current cluster.
221
+ # Specify an CloudHSM cluster that shares a backup history with the
222
+ # original cluster. This includes clusters that were created from a
223
+ # backup of the current cluster, and clusters that were created from the
224
+ # same backup that produced the current cluster.
230
225
  #
231
- # Clusters that share a backup history have the same cluster
232
- # certificate. To view the cluster certificate of a cluster, use the
233
- # [DescribeClusters][1] operation.
226
+ # CloudHSM clusters that share a backup history have the same cluster
227
+ # certificate. To view the cluster certificate of an CloudHSM cluster,
228
+ # use the [DescribeClusters][1] operation.
234
229
  #
235
230
  #
236
231
  #
@@ -247,13 +242,6 @@ module Aws::KMS
247
242
  include Aws::Structure
248
243
  end
249
244
 
250
- # @note When making an API call, you may pass ConnectCustomKeyStoreRequest
251
- # data as a hash:
252
- #
253
- # {
254
- # custom_key_store_id: "CustomKeyStoreIdType", # required
255
- # }
256
- #
257
245
  # @!attribute [rw] custom_key_store_id
258
246
  # Enter the key store ID of the custom key store that you want to
259
247
  # connect. To find the ID of a custom key store, use the
@@ -272,18 +260,14 @@ module Aws::KMS
272
260
  #
273
261
  class ConnectCustomKeyStoreResponse < Aws::EmptyStructure; end
274
262
 
275
- # @note When making an API call, you may pass CreateAliasRequest
276
- # data as a hash:
277
- #
278
- # {
279
- # alias_name: "AliasNameType", # required
280
- # target_key_id: "KeyIdType", # required
281
- # }
282
- #
283
263
  # @!attribute [rw] alias_name
284
264
  # Specifies the alias name. This value must begin with `alias/`
285
265
  # followed by a name, such as `alias/ExampleAlias`.
286
266
  #
267
+ # Do not include confidential or sensitive information in this field.
268
+ # This field may be displayed in plaintext in CloudTrail logs and
269
+ # other output.
270
+ #
287
271
  # The `AliasName` value must be string of 1-256 characters. It can
288
272
  # contain only alphanumeric characters, forward slashes (/),
289
273
  # underscores (\_), and dashes (-). The alias name cannot begin with
@@ -333,26 +317,24 @@ module Aws::KMS
333
317
  include Aws::Structure
334
318
  end
335
319
 
336
- # @note When making an API call, you may pass CreateCustomKeyStoreRequest
337
- # data as a hash:
338
- #
339
- # {
340
- # custom_key_store_name: "CustomKeyStoreNameType", # required
341
- # cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
342
- # trust_anchor_certificate: "TrustAnchorCertificateType", # required
343
- # key_store_password: "KeyStorePasswordType", # required
344
- # }
345
- #
346
320
  # @!attribute [rw] custom_key_store_name
347
321
  # Specifies a friendly name for the custom key store. The name must be
348
- # unique in your Amazon Web Services account.
322
+ # unique in your Amazon Web Services account and Region. This
323
+ # parameter is required for all custom key stores.
324
+ #
325
+ # Do not include confidential or sensitive information in this field.
326
+ # This field may be displayed in plaintext in CloudTrail logs and
327
+ # other output.
349
328
  # @return [String]
350
329
  #
351
330
  # @!attribute [rw] cloud_hsm_cluster_id
352
- # Identifies the CloudHSM cluster for the custom key store. Enter the
353
- # cluster ID of any active CloudHSM cluster that is not already
354
- # associated with a custom key store. To find the cluster ID, use the
355
- # [DescribeClusters][1] operation.
331
+ # Identifies the CloudHSM cluster for an CloudHSM key store. This
332
+ # parameter is required for custom key stores with
333
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
334
+ #
335
+ # Enter the cluster ID of any active CloudHSM cluster that is not
336
+ # already associated with a custom key store. To find the cluster ID,
337
+ # use the [DescribeClusters][1] operation.
356
338
  #
357
339
  #
358
340
  #
@@ -360,9 +342,13 @@ module Aws::KMS
360
342
  # @return [String]
361
343
  #
362
344
  # @!attribute [rw] trust_anchor_certificate
363
- # Enter the content of the trust anchor certificate for the cluster.
364
- # This is the content of the `customerCA.crt` file that you created
365
- # when you [initialized the cluster][1].
345
+ # Specifies the certificate for an CloudHSM key store. This parameter
346
+ # is required for custom key stores with a `CustomKeyStoreType` of
347
+ # `AWS_CLOUDHSM`.
348
+ #
349
+ # Enter the content of the trust anchor certificate for the CloudHSM
350
+ # cluster. This is the content of the `customerCA.crt` file that you
351
+ # created when you [initialized the cluster][1].
366
352
  #
367
353
  #
368
354
  #
@@ -370,6 +356,10 @@ module Aws::KMS
370
356
  # @return [String]
371
357
  #
372
358
  # @!attribute [rw] key_store_password
359
+ # Specifies the `kmsuser` password for an CloudHSM key store. This
360
+ # parameter is required for custom key stores with a
361
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
362
+ #
373
363
  # Enter the password of the [ `kmsuser` crypto user (CU) account][1]
374
364
  # in the specified CloudHSM cluster. KMS logs into the cluster as this
375
365
  # user to manage key material on your behalf.
@@ -385,13 +375,167 @@ module Aws::KMS
385
375
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
386
376
  # @return [String]
387
377
  #
378
+ # @!attribute [rw] custom_key_store_type
379
+ # Specifies the type of custom key store. The default value is
380
+ # `AWS_CLOUDHSM`.
381
+ #
382
+ # For a custom key store backed by an CloudHSM cluster, omit the
383
+ # parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
384
+ # an external key manager outside of Amazon Web Services, enter
385
+ # `EXTERNAL_KEY_STORE`. You cannot change this property after the key
386
+ # store is created.
387
+ # @return [String]
388
+ #
389
+ # @!attribute [rw] xks_proxy_uri_endpoint
390
+ # Specifies the endpoint that KMS uses to send requests to the
391
+ # external key store proxy (XKS proxy). This parameter is required for
392
+ # custom key stores with a `CustomKeyStoreType` of
393
+ # `EXTERNAL_KEY_STORE`.
394
+ #
395
+ # The protocol must be HTTPS. KMS communicates on port 443. Do not
396
+ # specify the port in the `XksProxyUriEndpoint` value.
397
+ #
398
+ # For external key stores with `XksProxyConnectivity` value of
399
+ # `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
400
+ # DNS name of the VPC endpoint service.
401
+ #
402
+ # For external key stores with `PUBLIC_ENDPOINT` connectivity, this
403
+ # endpoint must be reachable before you create the custom key store.
404
+ # KMS connects to the external key store proxy while creating the
405
+ # custom key store. For external key stores with
406
+ # `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
407
+ # ConnectCustomKeyStore operation.
408
+ #
409
+ # The value of this parameter must begin with `https://`. The
410
+ # remainder can contain upper and lower case letters (A-Z and a-z),
411
+ # numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
412
+ # (`/` and ``) are not permitted.
413
+ #
414
+ # <b>Uniqueness requirements: </b>
415
+ #
416
+ # * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
417
+ # must be unique in the Amazon Web Services account and Region.
418
+ #
419
+ # * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
420
+ # use the same `XksProxyUriEndpoint` value as an external key store
421
+ # with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
422
+ # Services Region.
423
+ #
424
+ # * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
425
+ # must have its own private DNS name. The `XksProxyUriEndpoint`
426
+ # value for external key stores with `VPC_ENDPOINT_SERVICE`
427
+ # connectivity (private DNS name) must be unique in the Amazon Web
428
+ # Services account and Region.
429
+ # @return [String]
430
+ #
431
+ # @!attribute [rw] xks_proxy_uri_path
432
+ # Specifies the base path to the proxy APIs for this external key
433
+ # store. To find this value, see the documentation for your external
434
+ # key store proxy. This parameter is required for all custom key
435
+ # stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
436
+ #
437
+ # The value must start with `/` and must end with `/kms/xks/v1` where
438
+ # `v1` represents the version of the KMS external key store proxy API.
439
+ # This path can include an optional prefix between the required
440
+ # elements such as `/prefix/kms/xks/v1`.
441
+ #
442
+ # <b>Uniqueness requirements: </b>
443
+ #
444
+ # * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
445
+ # must be unique in the Amazon Web Services account and Region.
446
+ #
447
+ # ^
448
+ # @return [String]
449
+ #
450
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
451
+ # Specifies the name of the Amazon VPC endpoint service for interface
452
+ # endpoints that is used to communicate with your external key store
453
+ # proxy (XKS proxy). This parameter is required when the value of
454
+ # `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
455
+ # `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
456
+ #
457
+ # The Amazon VPC endpoint service must [fulfill all requirements][1]
458
+ # for use with an external key store.
459
+ #
460
+ # **Uniqueness requirements:**
461
+ #
462
+ # * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
463
+ # share an Amazon VPC, but each external key store must have its own
464
+ # VPC endpoint service and private DNS name.
465
+ #
466
+ # ^
467
+ #
468
+ #
469
+ #
470
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
471
+ # @return [String]
472
+ #
473
+ # @!attribute [rw] xks_proxy_authentication_credential
474
+ # Specifies an authentication credential for the external key store
475
+ # proxy (XKS proxy). This parameter is required for all custom key
476
+ # stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
477
+ #
478
+ # The `XksProxyAuthenticationCredential` has two required elements:
479
+ # `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
480
+ # identifier for the `RawSecretAccessKey`. For character requirements,
481
+ # see
482
+ # [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
483
+ #
484
+ # KMS uses this authentication credential to sign requests to the
485
+ # external key store proxy on your behalf. This credential is
486
+ # unrelated to Identity and Access Management (IAM) and Amazon Web
487
+ # Services credentials.
488
+ #
489
+ # This parameter doesn't set or change the authentication credentials
490
+ # on the XKS proxy. It just tells KMS the credential that you
491
+ # established on your external key store proxy. If you rotate your
492
+ # proxy authentication credential, use the UpdateCustomKeyStore
493
+ # operation to provide the new credential to KMS.
494
+ # @return [Types::XksProxyAuthenticationCredentialType]
495
+ #
496
+ # @!attribute [rw] xks_proxy_connectivity
497
+ # Indicates how KMS communicates with the external key store proxy.
498
+ # This parameter is required for custom key stores with a
499
+ # `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
500
+ #
501
+ # If the external key store proxy uses a public endpoint, specify
502
+ # `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
503
+ # endpoint service for communication with KMS, specify
504
+ # `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
505
+ # connectivity option][1] in the *Key Management Service Developer
506
+ # Guide*.
507
+ #
508
+ # An Amazon VPC endpoint service keeps your communication with KMS in
509
+ # a private address space entirely within Amazon Web Services, but it
510
+ # requires more configuration, including establishing a Amazon VPC
511
+ # with multiple subnets, a VPC endpoint service, a network load
512
+ # balancer, and a verified private DNS name. A public endpoint is
513
+ # simpler to set up, but it might be slower and might not fulfill your
514
+ # security requirements. You might consider testing with a public
515
+ # endpoint, and then establishing a VPC endpoint service for
516
+ # production tasks. Note that this choice does not determine the
517
+ # location of the external key store proxy. Even if you choose a VPC
518
+ # endpoint service, the proxy can be hosted within the VPC or outside
519
+ # of Amazon Web Services such as in your corporate data center.
520
+ #
521
+ #
522
+ #
523
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
524
+ # @return [String]
525
+ #
388
526
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
389
527
  #
390
528
  class CreateCustomKeyStoreRequest < Struct.new(
391
529
  :custom_key_store_name,
392
530
  :cloud_hsm_cluster_id,
393
531
  :trust_anchor_certificate,
394
- :key_store_password)
532
+ :key_store_password,
533
+ :custom_key_store_type,
534
+ :xks_proxy_uri_endpoint,
535
+ :xks_proxy_uri_path,
536
+ :xks_proxy_vpc_endpoint_service_name,
537
+ :xks_proxy_authentication_credential,
538
+ :xks_proxy_connectivity)
395
539
  SENSITIVE = [:key_store_password]
396
540
  include Aws::Structure
397
541
  end
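Review bot: `SENSITIVE = [:key_store_password]` is left unchanged while the struct gains `:xks_proxy_authentication_credential`, whose value per the attribute doc above carries a `RawSecretAccessKey` secret; unless the nested `Types::XksProxyAuthenticationCredentialType` marks its own members sensitive (that struct is outside this hunk, so confirm it), the secret would be printed by `inspect` and any logging of this request. If the nested type does not redact it, the line should read `SENSITIVE = [:key_store_password, :xks_proxy_authentication_credential]`; since this file appears to be generated from the service model, the lasting fix is presumably the model's sensitive trait rather than a hand edit. Separately, the `xks_proxy_uri_endpoint` doc line "Additional slashes (`/` and ``) are not permitted." has lost the backslash inside the second pair of backticks, so the rendered YARD text is incomplete.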
@@ -408,26 +552,6 @@ module Aws::KMS
408
552
  include Aws::Structure
409
553
  end
410
554
 
411
- # @note When making an API call, you may pass CreateGrantRequest
412
- # data as a hash:
413
- #
414
- # {
415
- # key_id: "KeyIdType", # required
416
- # grantee_principal: "PrincipalIdType", # required
417
- # retiring_principal: "PrincipalIdType",
418
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
419
- # constraints: {
420
- # encryption_context_subset: {
421
- # "EncryptionContextKey" => "EncryptionContextValue",
422
- # },
423
- # encryption_context_equals: {
424
- # "EncryptionContextKey" => "EncryptionContextValue",
425
- # },
426
- # },
427
- # grant_tokens: ["GrantTokenType"],
428
- # name: "GrantNameType",
429
- # }
430
- #
431
555
  # @!attribute [rw] key_id
432
556
  # Identifies the KMS key for the grant. The grant gives principals
433
557
  # permission to use this KMS key.
@@ -450,18 +574,16 @@ module Aws::KMS
450
574
  # @!attribute [rw] grantee_principal
451
575
  # The identity that gets the permissions specified in the grant.
452
576
  #
453
- # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
454
- # an Amazon Web Services principal. Valid Amazon Web Services
455
- # principals include Amazon Web Services accounts (root), IAM users,
456
- # IAM roles, federated users, and assumed role users. For examples of
457
- # the ARN syntax to use for specifying a principal, see [Amazon Web
458
- # Services Identity and Access Management (IAM)][2] in the Example
459
- # ARNs section of the *Amazon Web Services General Reference*.
577
+ # To specify the grantee principal, use the Amazon Resource Name (ARN)
578
+ # of an Amazon Web Services principal. Valid principals include Amazon
579
+ # Web Services accounts, IAM users, IAM roles, federated users, and
580
+ # assumed role users. For help with the ARN syntax for a principal,
581
+ # see [IAM ARNs][1] in the <i> <i>Identity and Access Management User
582
+ # Guide</i> </i>.
460
583
  #
461
584
  #
462
585
  #
463
- # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
464
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
586
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
465
587
  # @return [String]
466
588
  #
467
589
  # @!attribute [rw] retiring_principal
@@ -469,12 +591,11 @@ module Aws::KMS
469
591
  # to retire the grant.
470
592
  #
471
593
  # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
472
- # an Amazon Web Services principal. Valid Amazon Web Services
473
- # principals include Amazon Web Services accounts (root), IAM users,
474
- # federated users, and assumed role users. For examples of the ARN
475
- # syntax to use for specifying a principal, see [Amazon Web Services
476
- # Identity and Access Management (IAM)][2] in the Example ARNs section
477
- # of the *Amazon Web Services General Reference*.
594
+ # an Amazon Web Services principal. Valid principals include Amazon
595
+ # Web Services accounts, IAM users, IAM roles, federated users, and
596
+ # assumed role users. For help with the ARN syntax for a principal,
597
+ # see [IAM ARNs][2] in the <i> <i>Identity and Access Management User
598
+ # Guide</i> </i>.
478
599
  #
479
600
  # The grant determines the retiring principal. Other principals might
480
601
  # have permission to retire the grant or revoke the grant. For
@@ -484,19 +605,20 @@ module Aws::KMS
484
605
  #
485
606
  #
486
607
  # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
487
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
608
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
488
609
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
489
610
  # @return [String]
490
611
  #
491
612
  # @!attribute [rw] operations
492
613
  # A list of operations that the grant permits.
493
614
  #
494
- # The operation must be supported on the KMS key. For example, you
495
- # cannot create a grant for a symmetric KMS key that allows the Sign
496
- # operation, or a grant for an asymmetric KMS key that allows the
497
- # GenerateDataKey operation. If you try, KMS returns a
498
- # `ValidationError` exception. For details, see [Grant operations][1]
499
- # in the *Key Management Service Developer Guide*.
615
+ # This list must include only operations that are permitted in a
616
+ # grant. Also, the operation must be supported on the KMS key. For
617
+ # example, you cannot create a grant for a symmetric encryption KMS
618
+ # key that allows the Sign operation, or a grant for an asymmetric KMS
619
+ # key that allows the GenerateDataKey operation. If you try, KMS
620
+ # returns a `ValidationError` exception. For details, see [Grant
621
+ # operations][1] in the *Key Management Service Developer Guide*.
500
622
  #
501
623
  #
502
624
  #
@@ -506,30 +628,44 @@ module Aws::KMS
506
628
  # @!attribute [rw] constraints
507
629
  # Specifies a grant constraint.
508
630
  #
631
+ # Do not include confidential or sensitive information in this field.
632
+ # This field may be displayed in plaintext in CloudTrail logs and
633
+ # other output.
634
+ #
509
635
  # KMS supports the `EncryptionContextEquals` and
510
- # `EncryptionContextSubset` grant constraints. Each constraint value
511
- # can include up to 8 encryption context pairs. The encryption context
512
- # value in each constraint cannot exceed 384 characters.
513
- #
514
- # These grant constraints allow the permissions in the grant only when
515
- # the encryption context in the request matches
516
- # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
517
- # the encryption context specified in this structure. For information
518
- # about grant constraints, see [Using grant constraints][1] in the
519
- # *Key Management Service Developer Guide*. For more information about
520
- # encryption context, see [Encryption Context][2] in the <i> <i>Key
521
- # Management Service Developer Guide</i> </i>.
636
+ # `EncryptionContextSubset` grant constraints, which allow the
637
+ # permissions in the grant only when the encryption context in the
638
+ # request matches (`EncryptionContextEquals`) or includes
639
+ # (`EncryptionContextSubset`) the encryption context specified in the
640
+ # constraint.
522
641
  #
523
642
  # The encryption context grant constraints are supported only on
524
- # operations that include an encryption context. You cannot use an
525
- # encryption context grant constraint for cryptographic operations
526
- # with asymmetric KMS keys or for management operations, such as
527
- # DescribeKey or RetireGrant.
643
+ # [grant operations][1] that include an `EncryptionContext` parameter,
644
+ # such as cryptographic operations on symmetric encryption KMS keys.
645
+ # Grants with grant constraints can include the DescribeKey and
646
+ # RetireGrant operations, but the constraint doesn't apply to these
647
+ # operations. If a grant with a grant constraint includes the
648
+ # `CreateGrant` operation, the constraint requires that any grants
649
+ # created with the `CreateGrant` permission have an equally strict or
650
+ # stricter encryption context constraint.
528
651
  #
652
+ # You cannot use an encryption context grant constraint for
653
+ # cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
654
+ # Operations with these keys don't support an encryption context.
529
655
  #
656
+ # Each constraint value can include up to 8 encryption context pairs.
657
+ # The encryption context value in each constraint cannot exceed 384
658
+ # characters. For information about grant constraints, see [Using
659
+ # grant constraints][2] in the *Key Management Service Developer
660
+ # Guide*. For more information about encryption context, see
661
+ # [Encryption context][3] in the <i> <i>Key Management Service
662
+ # Developer Guide</i> </i>.
530
663
  #
531
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
532
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
664
+ #
665
+ #
666
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
667
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
668
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
533
669
  # @return [Types::GrantConstraints]
534
670
  #
535
671
  # @!attribute [rw] grant_tokens
@@ -550,6 +686,10 @@ module Aws::KMS
550
686
  # A friendly name for the grant. Use this value to prevent the
551
687
  # unintended creation of duplicate grants when retrying this request.
552
688
  #
689
+ # Do not include confidential or sensitive information in this field.
690
+ # This field may be displayed in plaintext in CloudTrail logs and
691
+ # other output.
692
+ #
553
693
  # When this value is absent, all `CreateGrant` requests result in a
554
694
  # new grant with a unique `GrantId` even if all the supplied
555
695
  # parameters are identical. This can result in unintended duplicates
@@ -563,6 +703,18 @@ module Aws::KMS
563
703
  # the same grant ID can be used interchangeably.
564
704
  # @return [String]
565
705
  #
706
+ # @!attribute [rw] dry_run
707
+ # Checks if your request will succeed. `DryRun` is an optional
708
+ # parameter.
709
+ #
710
+ # To learn more about how to use this parameter, see [Testing your KMS
711
+ # API calls][1] in the *Key Management Service Developer Guide*.
712
+ #
713
+ #
714
+ #
715
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
716
+ # @return [Boolean]
717
+ #
566
718
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
567
719
  #
568
720
  class CreateGrantRequest < Struct.new(
@@ -572,7 +724,8 @@ module Aws::KMS
572
724
  :operations,
573
725
  :constraints,
574
726
  :grant_tokens,
575
- :name)
727
+ :name,
728
+ :dry_run)
576
729
  SENSITIVE = []
577
730
  include Aws::Structure
578
731
  end
@@ -607,53 +760,30 @@ module Aws::KMS
607
760
  include Aws::Structure
608
761
  end
609
762
 
610
- # @note When making an API call, you may pass CreateKeyRequest
611
- # data as a hash:
612
- #
613
- # {
614
- # policy: "PolicyType",
615
- # description: "DescriptionType",
616
- # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
617
- # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
618
- # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
619
- # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
620
- # custom_key_store_id: "CustomKeyStoreIdType",
621
- # bypass_policy_lockout_safety_check: false,
622
- # tags: [
623
- # {
624
- # tag_key: "TagKeyType", # required
625
- # tag_value: "TagValueType", # required
626
- # },
627
- # ],
628
- # multi_region: false,
629
- # }
630
- #
631
763
  # @!attribute [rw] policy
632
764
  # The key policy to attach to the KMS key.
633
765
  #
634
766
  # If you provide a key policy, it must meet the following criteria:
635
767
  #
636
- # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
637
- # key policy must allow the principal that is making the `CreateKey`
638
- # request to make a subsequent PutKeyPolicy request on the KMS key.
639
- # This reduces the risk that the KMS key becomes unmanageable. For
640
- # more information, refer to the scenario in the [Default Key
641
- # Policy][1] section of the <i> <i>Key Management Service Developer
642
- # Guide</i> </i>.
768
+ # * The key policy must allow the calling principal to make a
769
+ # subsequent `PutKeyPolicy` request on the KMS key. This reduces the
770
+ # risk that the KMS key becomes unmanageable. For more information,
771
+ # see [Default key policy][1] in the *Key Management Service
772
+ # Developer Guide*. (To omit this condition, set
773
+ # `BypassPolicyLockoutSafetyCheck` to true.)
643
774
  #
644
775
  # * Each statement in the key policy must contain one or more
645
776
  # principals. The principals in the key policy must exist and be
646
777
  # visible to KMS. When you create a new Amazon Web Services
647
- # principal (for example, an IAM user or role), you might need to
648
- # enforce a delay before including the new principal in a key policy
649
- # because the new principal might not be immediately visible to KMS.
650
- # For more information, see [Changes that I make are not always
651
- # immediately visible][2] in the *Amazon Web Services Identity and
652
- # Access Management User Guide*.
778
+ # principal, you might need to enforce a delay before including the
779
+ # new principal in a key policy because the new principal might not
780
+ # be immediately visible to KMS. For more information, see [Changes
781
+ # that I make are not always immediately visible][2] in the *Amazon
782
+ # Web Services Identity and Access Management User Guide*.
653
783
  #
654
784
  # If you do not provide a key policy, KMS attaches a default key
655
- # policy to the KMS key. For more information, see [Default Key
656
- # Policy][3] in the *Key Management Service Developer Guide*.
785
+ # policy to the KMS key. For more information, see [Default key
786
+ # policy][3] in the *Key Management Service Developer Guide*.
657
787
  #
658
788
  # The key policy size quota is 32 kilobytes (32768 bytes).
659
789
  #
@@ -663,18 +793,20 @@ module Aws::KMS
663
793
  #
664
794
  #
665
795
  #
666
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
796
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
667
797
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
668
798
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
669
799
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
670
800
  # @return [String]
671
801
  #
672
802
  # @!attribute [rw] description
673
- # A description of the KMS key.
803
+ # A description of the KMS key. Use a description that helps you
804
+ # decide whether the KMS key is appropriate for a task. The default
805
+ # value is an empty string (no description).
674
806
  #
675
- # Use a description that helps you decide whether the KMS key is
676
- # appropriate for a task. The default value is an empty string (no
677
- # description).
807
+ # Do not include confidential or sensitive information in this field.
808
+ # This field may be displayed in plaintext in CloudTrail logs and
809
+ # other output.
678
810
  #
679
811
  # To set or change the description after the key is created, use
680
812
  # UpdateKeyDescription.
@@ -683,20 +815,26 @@ module Aws::KMS
683
815
  # @!attribute [rw] key_usage
684
816
  # Determines the [cryptographic operations][1] for which you can use
685
817
  # the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
686
- # is required only for asymmetric KMS keys. You can't change the
687
- # `KeyUsage` value after the KMS key is created.
818
+ # is optional when you are creating a symmetric encryption KMS key;
819
+ # otherwise, it is required. You can't change the `KeyUsage` value
820
+ # after the KMS key is created.
688
821
  #
689
822
  # Select only one valid value.
690
823
  #
691
- # * For symmetric KMS keys, omit the parameter or specify
824
+ # * For symmetric encryption KMS keys, omit the parameter or specify
692
825
  # `ENCRYPT_DECRYPT`.
693
826
  #
827
+ # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
828
+ #
694
829
  # * For asymmetric KMS keys with RSA key material, specify
695
830
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
696
831
  #
697
832
  # * For asymmetric KMS keys with ECC key material, specify
698
833
  # `SIGN_VERIFY`.
699
834
  #
835
+ # * For asymmetric KMS keys with SM2 key material (China Regions
836
+ # only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
837
+ #
700
838
  #
701
839
  #
702
840
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@@ -707,41 +845,50 @@ module Aws::KMS
707
845
  #
708
846
  # The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
709
847
  # way. Only the names differ. We recommend that you use `KeySpec`
710
- # parameter in your code. However, to avoid breaking changes, KMS will
711
- # support both parameters.
848
+ # parameter in your code. However, to avoid breaking changes, KMS
849
+ # supports both parameters.
712
850
  # @return [String]
713
851
  #
714
852
  # @!attribute [rw] key_spec
715
853
  # Specifies the type of KMS key to create. The default value,
716
- # `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
717
- # for encryption and decryption. For help choosing a key spec for your
718
- # KMS key, see [How to Choose Your KMS key Configuration][1] in the
719
- # <i> <i>Key Management Service Developer Guide</i> </i>.
854
+ # `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
855
+ # that is used for encryption and decryption, except in China Regions,
856
+ # where it creates a 128-bit symmetric key that uses SM4 encryption.
857
+ # For help choosing a key spec for your KMS key, see [Choosing a KMS
858
+ # key type][1] in the <i> <i>Key Management Service Developer
859
+ # Guide</i> </i>.
720
860
  #
721
861
  # The `KeySpec` determines whether the KMS key contains a symmetric
722
- # key or an asymmetric key pair. It also determines the encryption
723
- # algorithms or signing algorithms that the KMS key supports. You
724
- # can't change the `KeySpec` after the KMS key is created. To further
725
- # restrict the algorithms that can be used with the KMS key, use a
726
- # condition key in its key policy or IAM policy. For more information,
727
- # see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in
728
- # the <i> <i>Key Management Service Developer Guide</i> </i>.
729
- #
730
- # [Amazon Web Services services that are integrated with KMS][4] use
731
- # symmetric KMS keys to protect your data. These services do not
732
- # support asymmetric KMS keys. For help determining whether a KMS key
733
- # is symmetric or asymmetric, see [Identifying Symmetric and
734
- # Asymmetric KMS keys][5] in the *Key Management Service Developer
735
- # Guide*.
862
+ # key or an asymmetric key pair. It also determines the algorithms
863
+ # that the KMS key supports. You can't change the `KeySpec` after the
864
+ # KMS key is created. To further restrict the algorithms that can be
865
+ # used with the KMS key, use a condition key in its key policy or IAM
866
+ # policy. For more information, see [kms:EncryptionAlgorithm][2],
867
+ # [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
868
+ # <i>Key Management Service Developer Guide</i> </i>.
869
+ #
870
+ # [Amazon Web Services services that are integrated with KMS][5] use
871
+ # symmetric encryption KMS keys to protect your data. These services
872
+ # do not support asymmetric KMS keys or HMAC KMS keys.
736
873
  #
737
874
  # KMS supports the following key specs for KMS keys:
738
875
  #
739
- # * Symmetric key (default)
876
+ # * Symmetric encryption key (default)
740
877
  #
741
- # * `SYMMETRIC_DEFAULT` (AES-256-GCM)
878
+ # * `SYMMETRIC_DEFAULT`
742
879
  #
743
880
  # ^
744
881
  #
882
+ # * HMAC keys (symmetric)
883
+ #
884
+ # * `HMAC_224`
885
+ #
886
+ # * `HMAC_256`
887
+ #
888
+ # * `HMAC_384`
889
+ #
890
+ # * `HMAC_512`
891
+ #
745
892
  # * Asymmetric RSA key pairs
746
893
  #
747
894
  # * `RSA_2048`
@@ -765,13 +912,19 @@ module Aws::KMS
765
912
  #
766
913
  # ^
767
914
  #
915
+ # * SM2 key pairs (China Regions only)
916
+ #
917
+ # * `SM2`
918
+ #
919
+ # ^
920
+ #
768
921
  #
769
922
  #
770
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
923
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
771
924
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
772
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
773
- # [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
774
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
925
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
926
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
927
+ # [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
775
928
  # @return [String]
776
929
  #
777
930
  # @!attribute [rw] origin
@@ -779,45 +932,48 @@ module Aws::KMS
779
932
  # the origin after you create the KMS key. The default is `AWS_KMS`,
780
933
  # which means that KMS creates the key material.
781
934
  #
782
- # To create a KMS key with no key material (for imported key
783
- # material), set the value to `EXTERNAL`. For more information about
784
- # importing key material into KMS, see [Importing Key Material][1] in
785
- # the *Key Management Service Developer Guide*. This value is valid
786
- # only for symmetric KMS keys.
935
+ # To [create a KMS key with no key material][1] (for imported key
936
+ # material), set this value to `EXTERNAL`. For more information about
937
+ # importing key material into KMS, see [Importing Key Material][2] in
938
+ # the *Key Management Service Developer Guide*. The `EXTERNAL` origin
939
+ # value is valid only for symmetric KMS keys.
787
940
  #
788
- # To create a KMS key in an KMS [custom key store][2] and create its
789
- # key material in the associated CloudHSM cluster, set this value to
941
+ # To [create a KMS key in an CloudHSM key store][3] and create its key
942
+ # material in the associated CloudHSM cluster, set this value to
790
943
  # `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
791
- # to identify the custom key store. This value is valid only for
792
- # symmetric KMS keys.
944
+ # to identify the CloudHSM key store. The `KeySpec` value must be
945
+ # `SYMMETRIC_DEFAULT`.
946
+ #
947
+ # To [create a KMS key in an external key store][4], set this value to
948
+ # `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
949
+ # parameter to identify the external key store and the `XksKeyId`
950
+ # parameter to identify the associated external key. The `KeySpec`
951
+ # value must be `SYMMETRIC_DEFAULT`.
793
952
  #
794
953
  #
795
954
  #
796
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
797
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
955
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
956
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
957
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
958
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
798
959
  # @return [String]
799
960
  #
800
961
  # @!attribute [rw] custom_key_store_id
801
- # Creates the KMS key in the specified [custom key store][1] and the
802
- # key material in its associated CloudHSM cluster. To create a KMS key
803
- # in a custom key store, you must also specify the `Origin` parameter
804
- # with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
805
- # associated with the custom key store must have at least two active
806
- # HSMs, each in a different Availability Zone in the Region.
807
- #
808
- # This parameter is valid only for symmetric KMS keys and regional KMS
809
- # keys. You cannot create an asymmetric KMS key or a multi-Region key
810
- # in a custom key store.
811
- #
812
- # To find the ID of a custom key store, use the
962
+ # Creates the KMS key in the specified [custom key store][1]. The
963
+ # `ConnectionState` of the custom key store must be `CONNECTED`. To
964
+ # find the CustomKeyStoreID and ConnectionState use the
813
965
  # DescribeCustomKeyStores operation.
814
966
  #
815
- # The response includes the custom key store ID and the ID of the
816
- # CloudHSM cluster.
967
+ # This parameter is valid only for symmetric encryption KMS keys in a
968
+ # single Region. You cannot create any other type of KMS key in a
969
+ # custom key store.
817
970
  #
818
- # This operation is part of the [Custom Key Store feature][1] feature
819
- # in KMS, which combines the convenience and extensive integration of
820
- # KMS with the isolation and control of a single-tenant key store.
971
+ # When you create a KMS key in an CloudHSM key store, KMS generates a
972
+ # non-exportable 256-bit symmetric key in its associated CloudHSM
973
+ # cluster and associates it with the KMS key. When you create a KMS
974
+ # key in an external key store, you must use the `XksKeyId` parameter
975
+ # to specify an external key that serves as key material for the KMS
976
+ # key.
821
977
  #
822
978
  #
823
979
  #
@@ -825,26 +981,23 @@ module Aws::KMS
825
981
  # @return [String]
826
982
  #
827
983
  # @!attribute [rw] bypass_policy_lockout_safety_check
828
- # A flag to indicate whether to bypass the key policy lockout safety
829
- # check.
984
+ # Skips ("bypasses") the key policy lockout safety check. The
985
+ # default value is false.
830
986
  #
831
987
  # Setting this value to true increases the risk that the KMS key
832
988
  # becomes unmanageable. Do not set this value to true
833
989
  # indiscriminately.
834
990
  #
835
- # For more information, refer to the scenario in the [Default Key
836
- # Policy][1] section in the <i> <i>Key Management Service Developer
837
- # Guide</i> </i>.
838
- #
839
- # Use this parameter only when you include a policy in the request and
840
- # you intend to prevent the principal that is making the request from
841
- # making a subsequent PutKeyPolicy request on the KMS key.
991
+ # For more information, see [Default key policy][1] in the *Key
992
+ # Management Service Developer Guide*.
842
993
  #
843
- # The default value is false.
994
+ # Use this parameter only when you intend to prevent the principal
995
+ # that is making the request from making a subsequent PutKeyPolicy
996
+ # request on the KMS key.
844
997
  #
845
998
  #
846
999
  #
847
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1000
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
848
1001
  # @return [Boolean]
849
1002
  #
850
1003
  # @!attribute [rw] tags
@@ -852,9 +1005,13 @@ module Aws::KMS
852
1005
  # the KMS key when it is created. To tag an existing KMS key, use the
853
1006
  # TagResource operation.
854
1007
  #
1008
+ # Do not include confidential or sensitive information in this field.
1009
+ # This field may be displayed in plaintext in CloudTrail logs and
1010
+ # other output.
1011
+ #
855
1012
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
856
- # KMS key. For details, see [Using ABAC in KMS][1] in the *Key
857
- # Management Service Developer Guide*.
1013
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
1014
+ # Service Developer Guide*.
858
1015
  #
859
1016
  # </note>
860
1017
  #
@@ -895,7 +1052,7 @@ module Aws::KMS
895
1052
  # to encrypt data in one Amazon Web Services Region and decrypt it in
896
1053
  # a different Amazon Web Services Region without re-encrypting the
897
1054
  # data or making a cross-Region call. For more information about
898
- # multi-Region keys, see [Using multi-Region keys][1] in the *Key
1055
+ # multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
899
1056
  # Management Service Developer Guide*.
900
1057
  #
901
1058
  # This value creates a *primary key*, not a replica. To create a
@@ -910,6 +1067,43 @@ module Aws::KMS
910
1067
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
911
1068
  # @return [Boolean]
912
1069
  #
1070
+ # @!attribute [rw] xks_key_id
1071
+ # Identifies the [external key][1] that serves as key material for the
1072
+ # KMS key in an [external key store][2]. Specify the ID that the
1073
+ # [external key store proxy][3] uses to refer to the external key. For
1074
+ # help, see the documentation for your external key store proxy.
1075
+ #
1076
+ # This parameter is required for a KMS key with an `Origin` value of
1077
+ # `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
1078
+ # `Origin` value.
1079
+ #
1080
+ # The external key must be an existing 256-bit AES symmetric
1081
+ # encryption key hosted outside of Amazon Web Services in an external
1082
+ # key manager associated with the external key store specified by the
1083
+ # `CustomKeyStoreId` parameter. This key must be enabled and
1084
+ # configured to perform encryption and decryption. Each KMS key in an
1085
+ # external key store must use a different external key. For details,
1086
+ # see [Requirements for a KMS key in an external key store][4] in the
1087
+ # *Key Management Service Developer Guide*.
1088
+ #
1089
+ # Each KMS key in an external key store is associated two backing
1090
+ # keys. One is key material that KMS generates. The other is the
1091
+ # external key specified by this parameter. When you use the KMS key
1092
+ # in an external key store to encrypt data, the encryption operation
1093
+ # is performed first by KMS using the KMS key material, and then by
1094
+ # the external key manager using the specified external key, a process
1095
+ # known as *double encryption*. For details, see [Double
1096
+ # encryption][5] in the *Key Management Service Developer Guide*.
1097
+ #
1098
+ #
1099
+ #
1100
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
1101
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
1102
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
1103
+ # [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
1104
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
1105
+ # @return [String]
1106
+ #
913
1107
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
914
1108
  #
915
1109
  class CreateKeyRequest < Struct.new(
@@ -922,7 +1116,8 @@ module Aws::KMS
922
1116
  :custom_key_store_id,
923
1117
  :bypass_policy_lockout_safety_check,
924
1118
  :tags,
925
- :multi_region)
1119
+ :multi_region,
1120
+ :xks_key_id)
926
1121
  SENSITIVE = []
927
1122
  include Aws::Structure
928
1123
  end
@@ -961,18 +1156,29 @@ module Aws::KMS
961
1156
  #
962
1157
  # This exception is thrown under the following conditions:
963
1158
  #
964
- # * You requested the CreateKey or GenerateRandom operation in a custom
965
- # key store that is not connected. These operations are valid only
966
- # when the custom key store `ConnectionState` is `CONNECTED`.
1159
+ # * You requested the ConnectCustomKeyStore operation on a custom key
1160
+ # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
1161
+ # operation is valid for all other `ConnectionState` values. To
1162
+ # reconnect a custom key store in a `FAILED` state, disconnect it
1163
+ # (DisconnectCustomKeyStore), then connect it
1164
+ # (`ConnectCustomKeyStore`).
1165
+ #
1166
+ # * You requested the CreateKey operation in a custom key store that is
1167
+ # not connected. This operations is valid only when the custom key
1168
+ # store `ConnectionState` is `CONNECTED`.
1169
+ #
1170
+ # * You requested the DisconnectCustomKeyStore operation on a custom key
1171
+ # store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
1172
+ # This operation is valid for all other `ConnectionState` values.
967
1173
  #
968
1174
  # * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
969
1175
  # operation on a custom key store that is not disconnected. This
970
1176
  # operation is valid only when the custom key store `ConnectionState`
971
1177
  # is `DISCONNECTED`.
972
1178
  #
973
- # * You requested the ConnectCustomKeyStore operation on a custom key
974
- # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
975
- # operation is valid for all other `ConnectionState` values.
1179
+ # * You requested the GenerateRandom operation in an CloudHSM key store
1180
+ # that is not connected. This operation is valid only when the
1181
+ # CloudHSM key store `ConnectionState` is `CONNECTED`.
976
1182
  #
977
1183
  # @!attribute [rw] message
978
1184
  # @return [String]
@@ -1027,13 +1233,17 @@ module Aws::KMS
1027
1233
  #
1028
1234
  # @!attribute [rw] cloud_hsm_cluster_id
1029
1235
  # A unique identifier for the CloudHSM cluster that is associated with
1030
- # the custom key store.
1236
+ # an CloudHSM key store. This field appears only when the
1237
+ # `CustomKeyStoreType` is `AWS_CLOUDHSM`.
1031
1238
  # @return [String]
1032
1239
  #
1033
1240
  # @!attribute [rw] trust_anchor_certificate
1034
- # The trust anchor certificate of the associated CloudHSM cluster.
1035
- # When you [initialize the cluster][1], you create this certificate
1036
- # and save it in the `customerCA.crt` file.
1241
+ # The trust anchor certificate of the CloudHSM cluster associated with
1242
+ # an CloudHSM key store. When you [initialize the cluster][1], you
1243
+ # create this certificate and save it in the `customerCA.crt` file.
1244
+ #
1245
+ # This field appears only when the `CustomKeyStoreType` is
1246
+ # `AWS_CLOUDHSM`.
1037
1247
  #
1038
1248
  #
1039
1249
  #
@@ -1041,22 +1251,30 @@ module Aws::KMS
1041
1251
  # @return [String]
1042
1252
  #
1043
1253
  # @!attribute [rw] connection_state
1044
- # Indicates whether the custom key store is connected to its CloudHSM
1045
- # cluster.
1254
+ # Indicates whether the custom key store is connected to its backing
1255
+ # key store. For an CloudHSM key store, the `ConnectionState`
1256
+ # indicates whether it is connected to its CloudHSM cluster. For an
1257
+ # external key store, the `ConnectionState` indicates whether it is
1258
+ # connected to the external key store proxy that communicates with
1259
+ # your external key manager.
1046
1260
  #
1047
1261
  # You can create and use KMS keys in your custom key stores only when
1048
- # its connection state is `CONNECTED`.
1049
- #
1050
- # The value is `DISCONNECTED` if the key store has never been
1051
- # connected or you use the DisconnectCustomKeyStore operation to
1052
- # disconnect it. If the value is `CONNECTED` but you are having
1053
- # trouble using the custom key store, make sure that its associated
1054
- # CloudHSM cluster is active and contains at least one active HSM.
1262
+ # its `ConnectionState` is `CONNECTED`.
1263
+ #
1264
+ # The `ConnectionState` value is `DISCONNECTED` only if the key store
1265
+ # has never been connected or you use the DisconnectCustomKeyStore
1266
+ # operation to disconnect it. If the value is `CONNECTED` but you are
1267
+ # having trouble using the custom key store, make sure that the
1268
+ # backing key store is reachable and active. For an CloudHSM key
1269
+ # store, verify that its associated CloudHSM cluster is active and
1270
+ # contains at least one active HSM. For an external key store, verify
1271
+ # that the external key store proxy and external key manager are
1272
+ # connected and enabled.
1055
1273
  #
1056
1274
  # A value of `FAILED` indicates that an attempt to connect was
1057
1275
  # unsuccessful. The `ConnectionErrorCode` field in the response
1058
1276
  # indicates the cause of the failure. For help resolving a connection
1059
- # failure, see [Troubleshooting a Custom Key Store][1] in the *Key
1277
+ # failure, see [Troubleshooting a custom key store][1] in the *Key
1060
1278
  # Management Service Developer Guide*.
1061
1279
  #
1062
1280
  #
@@ -1066,35 +1284,52 @@ module Aws::KMS
1066
1284
  #
1067
1285
  # @!attribute [rw] connection_error_code
1068
1286
  # Describes the connection error. This field appears in the response
1069
- # only when the `ConnectionState` is `FAILED`. For help resolving
1070
- # these errors, see [How to Fix a Connection Failure][1] in *Key
1071
- # Management Service Developer Guide*.
1287
+ # only when the `ConnectionState` is `FAILED`.
1288
+ #
1289
+ # Many failures can be resolved by updating the properties of the
1290
+ # custom key store. To update a custom key store, disconnect it
1291
+ # (DisconnectCustomKeyStore), correct the errors
1292
+ # (UpdateCustomKeyStore), and try to connect again
1293
+ # (ConnectCustomKeyStore). For additional help resolving these errors,
1294
+ # see [How to Fix a Connection Failure][1] in *Key Management Service
1295
+ # Developer Guide*.
1296
+ #
1297
+ # **All custom key stores:**
1298
+ #
1299
+ # * `INTERNAL_ERROR` — KMS could not complete the request due to an
1300
+ # internal error. Retry the request. For `ConnectCustomKeyStore`
1301
+ # requests, disconnect the custom key store before trying to connect
1302
+ # again.
1303
+ #
1304
+ # * `NETWORK_ERRORS` — Network errors are preventing KMS from
1305
+ # connecting the custom key store to its backing key store.
1072
1306
  #
1073
- # Valid values are:
1307
+ # **CloudHSM key stores:**
1074
1308
  #
1075
- # * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
1309
+ # * `CLUSTER_NOT_FOUND` KMS cannot find the CloudHSM cluster with
1076
1310
  # the specified cluster ID.
1077
1311
  #
1078
- # * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
1312
+ # * `INSUFFICIENT_CLOUDHSM_HSMS` The associated CloudHSM cluster
1079
1313
  # does not contain any active HSMs. To connect a custom key store to
1080
1314
  # its CloudHSM cluster, the cluster must contain at least one active
1081
1315
  # HSM.
1082
1316
  #
1083
- # * `INTERNAL_ERROR` - KMS could not complete the request due to an
1084
- # internal error. Retry the request. For `ConnectCustomKeyStore`
1085
- # requests, disconnect the custom key store before trying to connect
1086
- # again.
1087
- #
1088
- # * `INVALID_CREDENTIALS` - KMS does not have the correct password for
1089
- # the `kmsuser` crypto user in the CloudHSM cluster. Before you can
1090
- # connect your custom key store to its CloudHSM cluster, you must
1091
- # change the `kmsuser` account password and update the key store
1092
- # password value for the custom key store.
1317
+ # * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` At least one private
1318
+ # subnet associated with the CloudHSM cluster doesn't have any
1319
+ # available IP addresses. A CloudHSM key store connection requires
1320
+ # one free IP address in each of the associated private subnets,
1321
+ # although two are preferable. For details, see [How to Fix a
1322
+ # Connection Failure][1] in the *Key Management Service Developer
1323
+ # Guide*.
1093
1324
  #
1094
- # * `NETWORK_ERRORS` - Network errors are preventing KMS from
1095
- # connecting to the custom key store.
1325
+ # * `INVALID_CREDENTIALS` The `KeyStorePassword` for the custom key
1326
+ # store doesn't match the current password of the `kmsuser` crypto
1327
+ # user in the CloudHSM cluster. Before you can connect your custom
1328
+ # key store to its CloudHSM cluster, you must change the `kmsuser`
1329
+ # account password and update the `KeyStorePassword` value for the
1330
+ # custom key store.
1096
1331
  #
1097
- # * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
1332
+ # * `SUBNET_NOT_FOUND` A subnet in the CloudHSM cluster
1098
1333
  # configuration was deleted. If KMS cannot find all of the subnets
1099
1334
  # in the cluster configuration, attempts to connect the custom key
1100
1335
  # store to the CloudHSM cluster fail. To fix this error, create a
@@ -1104,13 +1339,13 @@ module Aws::KMS
1104
1339
  # Connection Failure][1] in the *Key Management Service Developer
1105
1340
  # Guide*.
1106
1341
  #
1107
- # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
1342
+ # * `USER_LOCKED_OUT` The `kmsuser` CU account is locked out of the
1108
1343
  # associated CloudHSM cluster due to too many failed password
1109
1344
  # attempts. Before you can connect your custom key store to its
1110
1345
  # CloudHSM cluster, you must change the `kmsuser` account password
1111
1346
  # and update the key store password value for the custom key store.
1112
1347
  #
1113
- # * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
1348
+ # * `USER_LOGGED_IN` The `kmsuser` CU account is logged into the
1114
1349
  # associated CloudHSM cluster. This prevents KMS from rotating the
1115
1350
  # `kmsuser` account password and logging into the cluster. Before
1116
1351
  # you can connect your custom key store to its CloudHSM cluster, you
@@ -1120,22 +1355,119 @@ module Aws::KMS
1120
1355
  # help, see [How to Log Out and Reconnect][2] in the *Key Management
1121
1356
  # Service Developer Guide*.
1122
1357
  #
1123
- # * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
1358
+ # * `USER_NOT_FOUND` KMS cannot find a `kmsuser` CU account in the
1124
1359
  # associated CloudHSM cluster. Before you can connect your custom
1125
1360
  # key store to its CloudHSM cluster, you must create a `kmsuser` CU
1126
1361
  # account in the cluster, and then update the key store password
1127
1362
  # value for the custom key store.
1128
1363
  #
1364
+ # **External key stores:**
1365
+ #
1366
+ # * `INVALID_CREDENTIALS` — One or both of the
1367
+ # `XksProxyAuthenticationCredential` values is not valid on the
1368
+ # specified external key store proxy.
1369
+ #
1370
+ # * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
1371
+ # external key store proxy. If the external key store proxy has
1372
+ # authorization rules, verify that they permit KMS to communicate
1373
+ # with the proxy on your behalf.
1374
+ #
1375
+ # * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
1376
+ # preventing the external key store from connecting to its proxy.
1377
+ # Verify the value of the `XksProxyUriPath`.
1378
+ #
1379
+ # * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
1380
+ # from the external key store proxy. If you see this connection
1381
+ # error code repeatedly, notify your external key store proxy
1382
+ # vendor.
1383
+ #
1384
+ # * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
1385
+ # external key store proxy because the TLS configuration is invalid.
1386
+ # Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
1387
+ # that the TLS certificate is not expired, and that it matches the
1388
+ # hostname in the `XksProxyUriEndpoint` value, and that it is signed
1389
+ # by a certificate authority included in the [Trusted Certificate
1390
+ # Authorities][3] list.
1391
+ #
1392
+ # * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
1393
+ # external key store proxy. Verify that the `XksProxyUriEndpoint`
1394
+ # and `XksProxyUriPath` are correct. Use the tools for your external
1395
+ # key store proxy to verify that the proxy is active and available
1396
+ # on its network. Also, verify that your external key manager
1397
+ # instances are operating properly. Connection attempts fail with
1398
+ # this connection error code if the proxy reports that all external
1399
+ # key manager instances are unavailable.
1400
+ #
1401
+ # * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
1402
+ # proxy, but the proxy does not respond to KMS in the time allotted.
1403
+ # If you see this connection error code repeatedly, notify your
1404
+ # external key store proxy vendor.
1405
+ #
1406
+ # * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
1407
+ # endpoint service configuration doesn't conform to the
1408
+ # requirements for an KMS external key store.
1409
+ #
1410
+ # * The VPC endpoint service must be an endpoint service for
1411
+ # interface endpoints in the caller's Amazon Web Services
1412
+ # account.
1413
+ #
1414
+ # * It must have a network load balancer (NLB) connected to at least
1415
+ # two subnets, each in a different Availability Zone.
1416
+ #
1417
+ # * The `Allow principals` list must include the KMS service
1418
+ # principal for the Region, `cks.kms.<region>.amazonaws.com`, such
1419
+ # as `cks.kms.us-east-1.amazonaws.com`.
1420
+ #
1421
+ # * It must *not* require [acceptance][4] of connection requests.
1422
+ #
1423
+ # * It must have a private DNS name. The private DNS name for an
1424
+ # external key store with `VPC_ENDPOINT_SERVICE` connectivity must
1425
+ # be unique in its Amazon Web Services Region.
1426
+ #
1427
+ # * The domain of the private DNS name must have a [verification
1428
+ # status][5] of `verified`.
1429
+ #
1430
+ # * The [TLS certificate][6] specifies the private DNS hostname at
1431
+ # which the endpoint is reachable.
1432
+ #
1433
+ # * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
1434
+ # endpoint service that it uses to communicate with the external key
1435
+ # store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
1436
+ # correct and the KMS service principal has service consumer
1437
+ # permissions on the Amazon VPC endpoint service.
1438
+ #
1129
1439
  #
1130
1440
  #
1131
1441
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
1132
1442
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
1443
+ # [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
1444
+ # [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
1445
+ # [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
1446
+ # [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
1133
1447
  # @return [String]
1134
1448
  #
1135
1449
  # @!attribute [rw] creation_date
1136
1450
  # The date and time when the custom key store was created.
1137
1451
  # @return [Time]
1138
1452
  #
1453
+ # @!attribute [rw] custom_key_store_type
1454
+ # Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
1455
+ # a custom key store backed by an CloudHSM cluster.
1456
+ # `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
1457
+ # external key store proxy and external key manager outside of Amazon
1458
+ # Web Services.
1459
+ # @return [String]
1460
+ #
1461
+ # @!attribute [rw] xks_proxy_configuration
1462
+ # Configuration settings for the external key store proxy (XKS proxy).
1463
+ # The external key store proxy translates KMS requests into a format
1464
+ # that your external key manager can understand. The proxy
1465
+ # configuration includes connection information that KMS requires.
1466
+ #
1467
+ # This field appears only when the `CustomKeyStoreType` is
1468
+ # `EXTERNAL_KEY_STORE`.
1469
+ # @return [Types::XksProxyConfigurationType]
1470
+ #
1139
1471
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
1140
1472
  #
1141
1473
  class CustomKeyStoresListEntry < Struct.new(
@@ -1145,24 +1477,13 @@ module Aws::KMS
1145
1477
  :trust_anchor_certificate,
1146
1478
  :connection_state,
1147
1479
  :connection_error_code,
1148
- :creation_date)
1480
+ :creation_date,
1481
+ :custom_key_store_type,
1482
+ :xks_proxy_configuration)
1149
1483
  SENSITIVE = []
1150
1484
  include Aws::Structure
1151
1485
  end
1152
1486
 
1153
- # @note When making an API call, you may pass DecryptRequest
1154
- # data as a hash:
1155
- #
1156
- # {
1157
- # ciphertext_blob: "data", # required
1158
- # encryption_context: {
1159
- # "EncryptionContextKey" => "EncryptionContextValue",
1160
- # },
1161
- # grant_tokens: ["GrantTokenType"],
1162
- # key_id: "KeyIdType",
1163
- # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1164
- # }
1165
- #
1166
1487
  # @!attribute [rw] ciphertext_blob
1167
1488
  # Ciphertext to be decrypted. The blob includes metadata.
1168
1489
  # @return [String]
@@ -1170,17 +1491,20 @@ module Aws::KMS
1170
1491
  # @!attribute [rw] encryption_context
1171
1492
  # Specifies the encryption context to use when decrypting the data. An
1172
1493
  # encryption context is valid only for [cryptographic operations][1]
1173
- # with a symmetric KMS key. The standard asymmetric encryption
1174
- # algorithms that KMS uses do not support an encryption context.
1494
+ # with a symmetric encryption KMS key. The standard asymmetric
1495
+ # encryption algorithms and HMAC algorithms that KMS uses do not
1496
+ # support an encryption context.
1175
1497
  #
1176
1498
  # An *encryption context* is a collection of non-secret key-value
1177
- # pairs that represents additional authenticated data. When you use an
1499
+ # pairs that represent additional authenticated data. When you use an
1178
1500
  # encryption context to encrypt data, you must specify the same (an
1179
1501
  # exact case-sensitive match) encryption context to decrypt the data.
1180
- # An encryption context is optional when encrypting with a symmetric
1181
- # KMS key, but it is highly recommended.
1502
+ # An encryption context is supported only on operations with symmetric
1503
+ # encryption KMS keys. On operations with symmetric encryption KMS
1504
+ # keys, an encryption context is optional, but it is strongly
1505
+ # recommended.
1182
1506
  #
1183
- # For more information, see [Encryption Context][2] in the *Key
1507
+ # For more information, see [Encryption context][2] in the *Key
1184
1508
  # Management Service Developer Guide*.
1185
1509
  #
1186
1510
  #
@@ -1204,15 +1528,18 @@ module Aws::KMS
1204
1528
  # @return [Array<String>]
1205
1529
  #
1206
1530
  # @!attribute [rw] key_id
1207
- # Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter
1208
- # a key ID of the KMS key that was used to encrypt the ciphertext.
1531
+ # Specifies the KMS key that KMS uses to decrypt the ciphertext.
1532
+ #
1533
+ # Enter a key ID of the KMS key that was used to encrypt the
1534
+ # ciphertext. If you identify a different KMS key, the `Decrypt`
1535
+ # operation throws an `IncorrectKeyException`.
1209
1536
  #
1210
1537
  # This parameter is required only when the ciphertext was encrypted
1211
- # under an asymmetric KMS key. If you used a symmetric KMS key, KMS
1212
- # can get the KMS key from metadata that it adds to the symmetric
1213
- # ciphertext blob. However, it is always recommended as a best
1214
- # practice. This practice ensures that you use the KMS key that you
1215
- # intend.
1538
+ # under an asymmetric KMS key. If you used a symmetric encryption KMS
1539
+ # key, KMS can get the KMS key from metadata that it adds to the
1540
+ # symmetric ciphertext blob. However, it is always recommended as a
1541
+ # best practice. This practice ensures that you use the KMS key that
1542
+ # you intend.
1216
1543
  #
1217
1544
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1218
1545
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1243,9 +1570,49 @@ module Aws::KMS
1243
1570
  # This parameter is required only when the ciphertext was encrypted
1244
1571
  # under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
1245
1572
  # represents the only supported algorithm that is valid for symmetric
1246
- # KMS keys.
1573
+ # encryption KMS keys.
1247
1574
  # @return [String]
1248
1575
  #
1576
+ # @!attribute [rw] recipient
1577
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
1578
+ # enclave and the encryption algorithm to use with the enclave's
1579
+ # public key. The only valid encryption algorithm is
1580
+ # `RSAES_OAEP_SHA_256`.
1581
+ #
1582
+ # This parameter only supports attestation documents for Amazon Web
1583
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
1584
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
1585
+ #
1586
+ # When you use this parameter, instead of returning the plaintext
1587
+ # data, KMS encrypts the plaintext data with the public key in the
1588
+ # attestation document, and returns the resulting ciphertext in the
1589
+ # `CiphertextForRecipient` field in the response. This ciphertext can
1590
+ # be decrypted only with the private key in the enclave. The
1591
+ # `Plaintext` field in the response is null or empty.
1592
+ #
1593
+ # For information about the interaction between KMS and Amazon Web
1594
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
1595
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
1596
+ #
1597
+ #
1598
+ #
1599
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1600
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1601
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1602
+ # @return [Types::RecipientInfo]
1603
+ #
1604
+ # @!attribute [rw] dry_run
1605
+ # Checks if your request will succeed. `DryRun` is an optional
1606
+ # parameter.
1607
+ #
1608
+ # To learn more about how to use this parameter, see [Testing your KMS
1609
+ # API calls][1] in the *Key Management Service Developer Guide*.
1610
+ #
1611
+ #
1612
+ #
1613
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1614
+ # @return [Boolean]
1615
+ #
1249
1616
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
1250
1617
  #
1251
1618
  class DecryptRequest < Struct.new(
@@ -1253,7 +1620,9 @@ module Aws::KMS
1253
1620
  :encryption_context,
1254
1621
  :grant_tokens,
1255
1622
  :key_id,
1256
- :encryption_algorithm)
1623
+ :encryption_algorithm,
1624
+ :recipient,
1625
+ :dry_run)
1257
1626
  SENSITIVE = []
1258
1627
  include Aws::Structure
1259
1628
  end
@@ -1271,29 +1640,42 @@ module Aws::KMS
1271
1640
  # Decrypted plaintext data. When you use the HTTP API or the Amazon
1272
1641
  # Web Services CLI, the value is Base64-encoded. Otherwise, it is not
1273
1642
  # Base64-encoded.
1643
+ #
1644
+ # If the response includes the `CiphertextForRecipient` field, the
1645
+ # `Plaintext` field is null or empty.
1274
1646
  # @return [String]
1275
1647
  #
1276
1648
  # @!attribute [rw] encryption_algorithm
1277
1649
  # The encryption algorithm that was used to decrypt the ciphertext.
1278
1650
  # @return [String]
1279
1651
  #
1652
+ # @!attribute [rw] ciphertext_for_recipient
1653
+ # The plaintext data encrypted with the public key in the attestation
1654
+ # document.
1655
+ #
1656
+ # This field is included in the response only when the `Recipient`
1657
+ # parameter in the request includes a valid attestation document from
1658
+ # an Amazon Web Services Nitro enclave. For information about the
1659
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
1660
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
1661
+ # Management Service Developer Guide*.
1662
+ #
1663
+ #
1664
+ #
1665
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1666
+ # @return [String]
1667
+ #
1280
1668
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
1281
1669
  #
1282
1670
  class DecryptResponse < Struct.new(
1283
1671
  :key_id,
1284
1672
  :plaintext,
1285
- :encryption_algorithm)
1673
+ :encryption_algorithm,
1674
+ :ciphertext_for_recipient)
1286
1675
  SENSITIVE = [:plaintext]
1287
1676
  include Aws::Structure
1288
1677
  end
1289
1678
 
1290
- # @note When making an API call, you may pass DeleteAliasRequest
1291
- # data as a hash:
1292
- #
1293
- # {
1294
- # alias_name: "AliasNameType", # required
1295
- # }
1296
- #
1297
1679
  # @!attribute [rw] alias_name
1298
1680
  # The alias to be deleted. The alias name must begin with `alias/`
1299
1681
  # followed by the alias name, such as `alias/ExampleAlias`.
@@ -1307,13 +1689,6 @@ module Aws::KMS
1307
1689
  include Aws::Structure
1308
1690
  end
1309
1691
 
1310
- # @note When making an API call, you may pass DeleteCustomKeyStoreRequest
1311
- # data as a hash:
1312
- #
1313
- # {
1314
- # custom_key_store_id: "CustomKeyStoreIdType", # required
1315
- # }
1316
- #
1317
1692
  # @!attribute [rw] custom_key_store_id
1318
1693
  # Enter the ID of the custom key store you want to delete. To find the
1319
1694
  # ID of a custom key store, use the DescribeCustomKeyStores operation.
@@ -1331,13 +1706,6 @@ module Aws::KMS
1331
1706
  #
1332
1707
  class DeleteCustomKeyStoreResponse < Aws::EmptyStructure; end
1333
1708
 
1334
- # @note When making an API call, you may pass DeleteImportedKeyMaterialRequest
1335
- # data as a hash:
1336
- #
1337
- # {
1338
- # key_id: "KeyIdType", # required
1339
- # }
1340
- #
1341
1709
  # @!attribute [rw] key_id
1342
1710
  # Identifies the KMS key from which you are deleting imported key
1343
1711
  # material. The `Origin` of the KMS key must be `EXTERNAL`.
@@ -1363,8 +1731,8 @@ module Aws::KMS
1363
1731
  include Aws::Structure
1364
1732
  end
1365
1733
 
1366
- # The system timed out while trying to fulfill the request. The request
1367
- # can be retried.
1734
+ # The system timed out while trying to fulfill the request. You can
1735
+ # retry the request.
1368
1736
  #
1369
1737
  # @!attribute [rw] message
1370
1738
  # @return [String]
@@ -1377,24 +1745,14 @@ module Aws::KMS
1377
1745
  include Aws::Structure
1378
1746
  end
1379
1747
 
1380
- # @note When making an API call, you may pass DescribeCustomKeyStoresRequest
1381
- # data as a hash:
1382
- #
1383
- # {
1384
- # custom_key_store_id: "CustomKeyStoreIdType",
1385
- # custom_key_store_name: "CustomKeyStoreNameType",
1386
- # limit: 1,
1387
- # marker: "MarkerType",
1388
- # }
1389
- #
1390
1748
  # @!attribute [rw] custom_key_store_id
1391
1749
  # Gets only information about the specified custom key store. Enter
1392
1750
  # the key store ID.
1393
1751
  #
1394
1752
  # By default, this operation gets information about all custom key
1395
1753
  # stores in the account and Region. To limit the output to a
1396
- # particular custom key store, you can use either the
1397
- # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1754
+ # particular custom key store, provide either the `CustomKeyStoreId`
1755
+ # or `CustomKeyStoreName` parameter, but not both.
1398
1756
  # @return [String]
1399
1757
  #
1400
1758
  # @!attribute [rw] custom_key_store_name
@@ -1403,8 +1761,8 @@ module Aws::KMS
1403
1761
  #
1404
1762
  # By default, this operation gets information about all custom key
1405
1763
  # stores in the account and Region. To limit the output to a
1406
- # particular custom key store, you can use either the
1407
- # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1764
+ # particular custom key store, provide either the `CustomKeyStoreId`
1765
+ # or `CustomKeyStoreName` parameter, but not both.
1408
1766
  # @return [String]
1409
1767
  #
1410
1768
  # @!attribute [rw] limit
@@ -1456,14 +1814,6 @@ module Aws::KMS
1456
1814
  include Aws::Structure
1457
1815
  end
1458
1816
 
1459
- # @note When making an API call, you may pass DescribeKeyRequest
1460
- # data as a hash:
1461
- #
1462
- # {
1463
- # key_id: "KeyIdType", # required
1464
- # grant_tokens: ["GrantTokenType"],
1465
- # }
1466
- #
1467
1817
  # @!attribute [rw] key_id
1468
1818
  # Describes the specified KMS key.
1469
1819
  #
@@ -1531,13 +1881,6 @@ module Aws::KMS
1531
1881
  include Aws::Structure
1532
1882
  end
1533
1883
 
1534
- # @note When making an API call, you may pass DisableKeyRequest
1535
- # data as a hash:
1536
- #
1537
- # {
1538
- # key_id: "KeyIdType", # required
1539
- # }
1540
- #
1541
1884
  # @!attribute [rw] key_id
1542
1885
  # Identifies the KMS key to disable.
1543
1886
  #
@@ -1562,17 +1905,11 @@ module Aws::KMS
1562
1905
  include Aws::Structure
1563
1906
  end
1564
1907
 
1565
- # @note When making an API call, you may pass DisableKeyRotationRequest
1566
- # data as a hash:
1567
- #
1568
- # {
1569
- # key_id: "KeyIdType", # required
1570
- # }
1571
- #
1572
1908
  # @!attribute [rw] key_id
1573
- # Identifies a symmetric KMS key. You cannot enable or disable
1574
- # automatic rotation of [asymmetric KMS keys][1], KMS keys with
1575
- # [imported key material][2], or KMS keys in a [custom key store][3].
1909
+ # Identifies a symmetric encryption KMS key. You cannot enable or
1910
+ # disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
1911
+ # keys][2], KMS keys with [imported key material][3], or KMS keys in a
1912
+ # [custom key store][4].
1576
1913
  #
1577
1914
  # Specify the key ID or key ARN of the KMS key.
1578
1915
  #
@@ -1589,8 +1926,9 @@ module Aws::KMS
1589
1926
  #
1590
1927
  #
1591
1928
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
1592
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1593
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1929
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
1930
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1931
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1594
1932
  # @return [String]
1595
1933
  #
1596
1934
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -1614,13 +1952,6 @@ module Aws::KMS
1614
1952
  include Aws::Structure
1615
1953
  end
1616
1954
 
1617
- # @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
1618
- # data as a hash:
1619
- #
1620
- # {
1621
- # custom_key_store_id: "CustomKeyStoreIdType", # required
1622
- # }
1623
- #
1624
1955
  # @!attribute [rw] custom_key_store_id
1625
1956
  # Enter the ID of the custom key store you want to disconnect. To find
1626
1957
  # the ID of a custom key store, use the DescribeCustomKeyStores
@@ -1639,13 +1970,19 @@ module Aws::KMS
1639
1970
  #
1640
1971
  class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
1641
1972
 
1642
- # @note When making an API call, you may pass EnableKeyRequest
1643
- # data as a hash:
1973
+ # The request was rejected because the DryRun parameter was specified.
1644
1974
  #
1645
- # {
1646
- # key_id: "KeyIdType", # required
1647
- # }
1975
+ # @!attribute [rw] message
1976
+ # @return [String]
1648
1977
  #
1978
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DryRunOperationException AWS API Documentation
1979
+ #
1980
+ class DryRunOperationException < Struct.new(
1981
+ :message)
1982
+ SENSITIVE = []
1983
+ include Aws::Structure
1984
+ end
1985
+
1649
1986
  # @!attribute [rw] key_id
1650
1987
  # Identifies the KMS key to enable.
1651
1988
  #
@@ -1670,19 +2007,12 @@ module Aws::KMS
1670
2007
  include Aws::Structure
1671
2008
  end
1672
2009
 
1673
- # @note When making an API call, you may pass EnableKeyRotationRequest
1674
- # data as a hash:
1675
- #
1676
- # {
1677
- # key_id: "KeyIdType", # required
1678
- # }
1679
- #
1680
2010
  # @!attribute [rw] key_id
1681
- # Identifies a symmetric KMS key. You cannot enable automatic rotation
1682
- # of [asymmetric KMS keys][1], KMS keys with [imported key
1683
- # material][2], or KMS keys in a [custom key store][3]. To enable or
1684
- # disable automatic rotation of a set of related [multi-Region
1685
- # keys][4], set the property on the primary key.
2011
+ # Identifies a symmetric encryption KMS key. You cannot enable
2012
+ # automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
2013
+ # KMS keys with [imported key material][3], or KMS keys in a [custom
2014
+ # key store][4]. To enable or disable automatic rotation of a set of
2015
+ # related [multi-Region keys][5], set the property on the primary key.
1686
2016
  #
1687
2017
  # Specify the key ID or key ARN of the KMS key.
1688
2018
  #
@@ -1698,10 +2028,11 @@ module Aws::KMS
1698
2028
  #
1699
2029
  #
1700
2030
  #
1701
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
1702
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1703
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1704
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2031
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
2032
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
2033
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2034
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2035
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
1705
2036
  # @return [String]
1706
2037
  #
1707
2038
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1712,21 +2043,10 @@ module Aws::KMS
1712
2043
  include Aws::Structure
1713
2044
  end
1714
2045
 
1715
- # @note When making an API call, you may pass EncryptRequest
1716
- # data as a hash:
1717
- #
1718
- # {
1719
- # key_id: "KeyIdType", # required
1720
- # plaintext: "data", # required
1721
- # encryption_context: {
1722
- # "EncryptionContextKey" => "EncryptionContextValue",
1723
- # },
1724
- # grant_tokens: ["GrantTokenType"],
1725
- # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1726
- # }
1727
- #
1728
2046
  # @!attribute [rw] key_id
1729
- # Identifies the KMS key to use in the encryption operation.
2047
+ # Identifies the KMS key to use in the encryption operation. The KMS
2048
+ # key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
2049
+ # `KeyUsage` of a KMS key, use the DescribeKey operation.
1730
2050
  #
1731
2051
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1732
2052
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1755,18 +2075,24 @@ module Aws::KMS
1755
2075
  # @!attribute [rw] encryption_context
1756
2076
  # Specifies the encryption context that will be used to encrypt the
1757
2077
  # data. An encryption context is valid only for [cryptographic
1758
- # operations][1] with a symmetric KMS key. The standard asymmetric
1759
- # encryption algorithms that KMS uses do not support an encryption
1760
- # context.
2078
+ # operations][1] with a symmetric encryption KMS key. The standard
2079
+ # asymmetric encryption algorithms and HMAC algorithms that KMS uses
2080
+ # do not support an encryption context.
2081
+ #
2082
+ # Do not include confidential or sensitive information in this field.
2083
+ # This field may be displayed in plaintext in CloudTrail logs and
2084
+ # other output.
1761
2085
  #
1762
2086
  # An *encryption context* is a collection of non-secret key-value
1763
- # pairs that represents additional authenticated data. When you use an
2087
+ # pairs that represent additional authenticated data. When you use an
1764
2088
  # encryption context to encrypt data, you must specify the same (an
1765
2089
  # exact case-sensitive match) encryption context to decrypt the data.
1766
- # An encryption context is optional when encrypting with a symmetric
1767
- # KMS key, but it is highly recommended.
2090
+ # An encryption context is supported only on operations with symmetric
2091
+ # encryption KMS keys. On operations with symmetric encryption KMS
2092
+ # keys, an encryption context is optional, but it is strongly
2093
+ # recommended.
1768
2094
  #
1769
- # For more information, see [Encryption Context][2] in the *Key
2095
+ # For more information, see [Encryption context][2] in the *Key
1770
2096
  # Management Service Developer Guide*.
1771
2097
  #
1772
2098
  #
@@ -1795,11 +2121,25 @@ module Aws::KMS
1795
2121
  # that you specify.
1796
2122
  #
1797
2123
  # This parameter is required only for asymmetric KMS keys. The default
1798
- # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
1799
- # keys. If you are using an asymmetric KMS key, we recommend
1800
- # RSAES\_OAEP\_SHA\_256.
2124
+ # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
2125
+ # encryption KMS keys. If you are using an asymmetric KMS key, we
2126
+ # recommend RSAES\_OAEP\_SHA\_256.
2127
+ #
2128
+ # The SM2PKE algorithm is only available in China Regions.
1801
2129
  # @return [String]
1802
2130
  #
2131
+ # @!attribute [rw] dry_run
2132
+ # Checks if your request will succeed. `DryRun` is an optional
2133
+ # parameter.
2134
+ #
2135
+ # To learn more about how to use this parameter, see [Testing your KMS
2136
+ # API calls][1] in the *Key Management Service Developer Guide*.
2137
+ #
2138
+ #
2139
+ #
2140
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2141
+ # @return [Boolean]
2142
+ #
1803
2143
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
1804
2144
  #
1805
2145
  class EncryptRequest < Struct.new(
@@ -1807,7 +2147,8 @@ module Aws::KMS
1807
2147
  :plaintext,
1808
2148
  :encryption_context,
1809
2149
  :grant_tokens,
1810
- :encryption_algorithm)
2150
+ :encryption_algorithm,
2151
+ :dry_run)
1811
2152
  SENSITIVE = [:plaintext]
1812
2153
  include Aws::Structure
1813
2154
  end
@@ -1857,30 +2198,24 @@ module Aws::KMS
1857
2198
  include Aws::Structure
1858
2199
  end
1859
2200
 
1860
- # @note When making an API call, you may pass GenerateDataKeyPairRequest
1861
- # data as a hash:
1862
- #
1863
- # {
1864
- # encryption_context: {
1865
- # "EncryptionContextKey" => "EncryptionContextValue",
1866
- # },
1867
- # key_id: "KeyIdType", # required
1868
- # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
1869
- # grant_tokens: ["GrantTokenType"],
1870
- # }
1871
- #
1872
2201
  # @!attribute [rw] encryption_context
1873
2202
  # Specifies the encryption context that will be used when encrypting
1874
2203
  # the private key in the data key pair.
1875
2204
  #
2205
+ # Do not include confidential or sensitive information in this field.
2206
+ # This field may be displayed in plaintext in CloudTrail logs and
2207
+ # other output.
2208
+ #
1876
2209
  # An *encryption context* is a collection of non-secret key-value
1877
- # pairs that represents additional authenticated data. When you use an
2210
+ # pairs that represent additional authenticated data. When you use an
1878
2211
  # encryption context to encrypt data, you must specify the same (an
1879
2212
  # exact case-sensitive match) encryption context to decrypt the data.
1880
- # An encryption context is optional when encrypting with a symmetric
1881
- # KMS key, but it is highly recommended.
2213
+ # An encryption context is supported only on operations with symmetric
2214
+ # encryption KMS keys. On operations with symmetric encryption KMS
2215
+ # keys, an encryption context is optional, but it is strongly
2216
+ # recommended.
1882
2217
  #
1883
- # For more information, see [Encryption Context][1] in the *Key
2218
+ # For more information, see [Encryption context][1] in the *Key
1884
2219
  # Management Service Developer Guide*.
1885
2220
  #
1886
2221
  #
@@ -1889,10 +2224,10 @@ module Aws::KMS
1889
2224
  # @return [Hash<String,String>]
1890
2225
  #
1891
2226
  # @!attribute [rw] key_id
1892
- # Specifies the symmetric KMS key that encrypts the private key in the
1893
- # data key pair. You cannot specify an asymmetric KMS key or a KMS key
1894
- # in a custom key store. To get the type and origin of your KMS key,
1895
- # use the DescribeKey operation.
2227
+ # Specifies the symmetric encryption KMS key that encrypts the private
2228
+ # key in the data key pair. You cannot specify an asymmetric KMS key
2229
+ # or a KMS key in a custom key store. To get the type and origin of
2230
+ # your KMS key, use the DescribeKey operation.
1896
2231
  #
1897
2232
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1898
2233
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1917,10 +2252,11 @@ module Aws::KMS
1917
2252
  # @!attribute [rw] key_pair_spec
1918
2253
  # Determines the type of data key pair that is generated.
1919
2254
  #
1920
- # The KMS rule that restricts the use of asymmetric RSA KMS keys to
1921
- # encrypt and decrypt or to sign and verify (but not both), and the
1922
- # rule that permits you to use ECC KMS keys only to sign and verify,
1923
- # are not effective on data key pairs, which are used outside of KMS.
2255
+ # The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
2256
+ # keys to encrypt and decrypt or to sign and verify (but not both),
2257
+ # and the rule that permits you to use ECC KMS keys only to sign and
2258
+ # verify, are not effective on data key pairs, which are used outside
2259
+ # of KMS. The SM2 key spec is only available in China Regions.
1924
2260
  # @return [String]
1925
2261
  #
1926
2262
  # @!attribute [rw] grant_tokens
@@ -1937,13 +2273,58 @@ module Aws::KMS
1937
2273
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
1938
2274
  # @return [Array<String>]
1939
2275
  #
2276
+ # @!attribute [rw] recipient
2277
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
2278
+ # enclave and the encryption algorithm to use with the enclave's
2279
+ # public key. The only valid encryption algorithm is
2280
+ # `RSAES_OAEP_SHA_256`.
2281
+ #
2282
+ # This parameter only supports attestation documents for Amazon Web
2283
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
2284
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2285
+ #
2286
+ # When you use this parameter, instead of returning a plaintext copy
2287
+ # of the private data key, KMS encrypts the plaintext private data key
2288
+ # under the public key in the attestation document, and returns the
2289
+ # resulting ciphertext in the `CiphertextForRecipient` field in the
2290
+ # response. This ciphertext can be decrypted only with the private key
2291
+ # in the enclave. The `CiphertextBlob` field in the response contains
2292
+ # a copy of the private data key encrypted under the KMS key specified
2293
+ # by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
2294
+ # response is null or empty.
2295
+ #
2296
+ # For information about the interaction between KMS and Amazon Web
2297
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2298
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
2299
+ #
2300
+ #
2301
+ #
2302
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2303
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2304
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2305
+ # @return [Types::RecipientInfo]
2306
+ #
2307
+ # @!attribute [rw] dry_run
2308
+ # Checks if your request will succeed. `DryRun` is an optional
2309
+ # parameter.
2310
+ #
2311
+ # To learn more about how to use this parameter, see [Testing your KMS
2312
+ # API calls][1] in the *Key Management Service Developer Guide*.
2313
+ #
2314
+ #
2315
+ #
2316
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2317
+ # @return [Boolean]
2318
+ #
1940
2319
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
1941
2320
  #
1942
2321
  class GenerateDataKeyPairRequest < Struct.new(
1943
2322
  :encryption_context,
1944
2323
  :key_id,
1945
2324
  :key_pair_spec,
1946
- :grant_tokens)
2325
+ :grant_tokens,
2326
+ :recipient,
2327
+ :dry_run)
1947
2328
  SENSITIVE = []
1948
2329
  include Aws::Structure
1949
2330
  end
@@ -1958,10 +2339,15 @@ module Aws::KMS
1958
2339
  # The plaintext copy of the private key. When you use the HTTP API or
1959
2340
  # the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
1960
2341
  # it is not Base64-encoded.
2342
+ #
2343
+ # If the response includes the `CiphertextForRecipient` field, the
2344
+ # `PrivateKeyPlaintext` field is null or empty.
1961
2345
  # @return [String]
1962
2346
  #
1963
2347
  # @!attribute [rw] public_key
1964
- # The public key (in plaintext).
2348
+ # The public key (in plaintext). When you use the HTTP API or the
2349
+ # Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
2350
+ # is not Base64-encoded.
1965
2351
  # @return [String]
1966
2352
  #
1967
2353
  # @!attribute [rw] key_id
@@ -1977,6 +2363,23 @@ module Aws::KMS
1977
2363
  # The type of data key pair that was generated.
1978
2364
  # @return [String]
1979
2365
  #
2366
+ # @!attribute [rw] ciphertext_for_recipient
2367
+ # The plaintext private data key encrypted with the public key from
2368
+ # the Nitro enclave. This ciphertext can be decrypted only by using a
2369
+ # private key in the Nitro enclave.
2370
+ #
2371
+ # This field is included in the response only when the `Recipient`
2372
+ # parameter in the request includes a valid attestation document from
2373
+ # an Amazon Web Services Nitro enclave. For information about the
2374
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
2375
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
2376
+ # Management Service Developer Guide*.
2377
+ #
2378
+ #
2379
+ #
2380
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2381
+ # @return [String]
2382
+ #
1980
2383
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
1981
2384
  #
1982
2385
  class GenerateDataKeyPairResponse < Struct.new(
@@ -1984,35 +2387,30 @@ module Aws::KMS
1984
2387
  :private_key_plaintext,
1985
2388
  :public_key,
1986
2389
  :key_id,
1987
- :key_pair_spec)
2390
+ :key_pair_spec,
2391
+ :ciphertext_for_recipient)
1988
2392
  SENSITIVE = [:private_key_plaintext]
1989
2393
  include Aws::Structure
1990
2394
  end
1991
2395
 
1992
- # @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
1993
- # data as a hash:
1994
- #
1995
- # {
1996
- # encryption_context: {
1997
- # "EncryptionContextKey" => "EncryptionContextValue",
1998
- # },
1999
- # key_id: "KeyIdType", # required
2000
- # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
2001
- # grant_tokens: ["GrantTokenType"],
2002
- # }
2003
- #
2004
2396
  # @!attribute [rw] encryption_context
2005
2397
  # Specifies the encryption context that will be used when encrypting
2006
2398
  # the private key in the data key pair.
2007
2399
  #
2400
+ # Do not include confidential or sensitive information in this field.
2401
+ # This field may be displayed in plaintext in CloudTrail logs and
2402
+ # other output.
2403
+ #
2008
2404
  # An *encryption context* is a collection of non-secret key-value
2009
- # pairs that represents additional authenticated data. When you use an
2405
+ # pairs that represent additional authenticated data. When you use an
2010
2406
  # encryption context to encrypt data, you must specify the same (an
2011
2407
  # exact case-sensitive match) encryption context to decrypt the data.
2012
- # An encryption context is optional when encrypting with a symmetric
2013
- # KMS key, but it is highly recommended.
2408
+ # An encryption context is supported only on operations with symmetric
2409
+ # encryption KMS keys. On operations with symmetric encryption KMS
2410
+ # keys, an encryption context is optional, but it is strongly
2411
+ # recommended.
2014
2412
  #
2015
- # For more information, see [Encryption Context][1] in the *Key
2413
+ # For more information, see [Encryption context][1] in the *Key
2016
2414
  # Management Service Developer Guide*.
2017
2415
  #
2018
2416
  #
@@ -2021,10 +2419,10 @@ module Aws::KMS
2021
2419
  # @return [Hash<String,String>]
2022
2420
  #
2023
2421
  # @!attribute [rw] key_id
2024
- # Specifies the KMS key that encrypts the private key in the data key
2025
- # pair. You must specify a symmetric KMS key. You cannot use an
2026
- # asymmetric KMS key or a KMS key in a custom key store. To get the
2027
- # type and origin of your KMS key, use the DescribeKey operation.
2422
+ # Specifies the symmetric encryption KMS key that encrypts the private
2423
+ # key in the data key pair. You cannot specify an asymmetric KMS key
2424
+ # or a KMS key in a custom key store. To get the type and origin of
2425
+ # your KMS key, use the DescribeKey operation.
2028
2426
  #
2029
2427
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
2030
2428
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2049,10 +2447,11 @@ module Aws::KMS
2049
2447
  # @!attribute [rw] key_pair_spec
2050
2448
  # Determines the type of data key pair that is generated.
2051
2449
  #
2052
- # The KMS rule that restricts the use of asymmetric RSA KMS keys to
2053
- # encrypt and decrypt or to sign and verify (but not both), and the
2054
- # rule that permits you to use ECC KMS keys only to sign and verify,
2055
- # are not effective on data key pairs, which are used outside of KMS.
2450
+ # The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
2451
+ # keys to encrypt and decrypt or to sign and verify (but not both),
2452
+ # and the rule that permits you to use ECC KMS keys only to sign and
2453
+ # verify, are not effective on data key pairs, which are used outside
2454
+ # of KMS. The SM2 key spec is only available in China Regions.
2056
2455
  # @return [String]
2057
2456
  #
2058
2457
  # @!attribute [rw] grant_tokens
@@ -2069,13 +2468,26 @@ module Aws::KMS
2069
2468
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2070
2469
  # @return [Array<String>]
2071
2470
  #
2471
+ # @!attribute [rw] dry_run
2472
+ # Checks if your request will succeed. `DryRun` is an optional
2473
+ # parameter.
2474
+ #
2475
+ # To learn more about how to use this parameter, see [Testing your KMS
2476
+ # API calls][1] in the *Key Management Service Developer Guide*.
2477
+ #
2478
+ #
2479
+ #
2480
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2481
+ # @return [Boolean]
2482
+ #
2072
2483
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
2073
2484
  #
2074
2485
  class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
2075
2486
  :encryption_context,
2076
2487
  :key_id,
2077
2488
  :key_pair_spec,
2078
- :grant_tokens)
2489
+ :grant_tokens,
2490
+ :dry_run)
2079
2491
  SENSITIVE = []
2080
2492
  include Aws::Structure
2081
2493
  end
@@ -2087,7 +2499,9 @@ module Aws::KMS
2087
2499
  # @return [String]
2088
2500
  #
2089
2501
  # @!attribute [rw] public_key
2090
- # The public key (in plaintext).
2502
+ # The public key (in plaintext). When you use the HTTP API or the
2503
+ # Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
2504
+ # is not Base64-encoded.
2091
2505
  # @return [String]
2092
2506
  #
2093
2507
  # @!attribute [rw] key_id
@@ -2114,21 +2528,11 @@ module Aws::KMS
2114
2528
  include Aws::Structure
2115
2529
  end
2116
2530
 
2117
- # @note When making an API call, you may pass GenerateDataKeyRequest
2118
- # data as a hash:
2119
- #
2120
- # {
2121
- # key_id: "KeyIdType", # required
2122
- # encryption_context: {
2123
- # "EncryptionContextKey" => "EncryptionContextValue",
2124
- # },
2125
- # number_of_bytes: 1,
2126
- # key_spec: "AES_256", # accepts AES_256, AES_128
2127
- # grant_tokens: ["GrantTokenType"],
2128
- # }
2129
- #
2130
2531
  # @!attribute [rw] key_id
2131
- # Identifies the symmetric KMS key that encrypts the data key.
2532
+ # Specifies the symmetric encryption KMS key that encrypts the data
2533
+ # key. You cannot specify an asymmetric KMS key or a KMS key in a
2534
+ # custom key store. To get the type and origin of your KMS key, use
2535
+ # the DescribeKey operation.
2132
2536
  #
2133
2537
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
2134
2538
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2154,14 +2558,20 @@ module Aws::KMS
2154
2558
  # Specifies the encryption context that will be used when encrypting
2155
2559
  # the data key.
2156
2560
  #
2561
+ # Do not include confidential or sensitive information in this field.
2562
+ # This field may be displayed in plaintext in CloudTrail logs and
2563
+ # other output.
2564
+ #
2157
2565
  # An *encryption context* is a collection of non-secret key-value
2158
- # pairs that represents additional authenticated data. When you use an
2566
+ # pairs that represent additional authenticated data. When you use an
2159
2567
  # encryption context to encrypt data, you must specify the same (an
2160
2568
  # exact case-sensitive match) encryption context to decrypt the data.
2161
- # An encryption context is optional when encrypting with a symmetric
2162
- # KMS key, but it is highly recommended.
2569
+ # An encryption context is supported only on operations with symmetric
2570
+ # encryption KMS keys. On operations with symmetric encryption KMS
2571
+ # keys, an encryption context is optional, but it is strongly
2572
+ # recommended.
2163
2573
  #
2164
- # For more information, see [Encryption Context][1] in the *Key
2574
+ # For more information, see [Encryption context][1] in the *Key
2165
2575
  # Management Service Developer Guide*.
2166
2576
  #
2167
2577
  #
@@ -2202,6 +2612,48 @@ module Aws::KMS
2202
2612
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2203
2613
  # @return [Array<String>]
2204
2614
  #
2615
+ # @!attribute [rw] recipient
2616
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
2617
+ # enclave and the encryption algorithm to use with the enclave's
2618
+ # public key. The only valid encryption algorithm is
2619
+ # `RSAES_OAEP_SHA_256`.
2620
+ #
2621
+ # This parameter only supports attestation documents for Amazon Web
2622
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
2623
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2624
+ #
2625
+ # When you use this parameter, instead of returning the plaintext data
2626
+ # key, KMS encrypts the plaintext data key under the public key in the
2627
+ # attestation document, and returns the resulting ciphertext in the
2628
+ # `CiphertextForRecipient` field in the response. This ciphertext can
2629
+ # be decrypted only with the private key in the enclave. The
2630
+ # `CiphertextBlob` field in the response contains a copy of the data
2631
+ # key encrypted under the KMS key specified by the `KeyId` parameter.
2632
+ # The `Plaintext` field in the response is null or empty.
2633
+ #
2634
+ # For information about the interaction between KMS and Amazon Web
2635
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2636
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
2637
+ #
2638
+ #
2639
+ #
2640
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2641
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2642
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2643
+ # @return [Types::RecipientInfo]
2644
+ #
2645
+ # @!attribute [rw] dry_run
2646
+ # Checks if your request will succeed. `DryRun` is an optional
2647
+ # parameter.
2648
+ #
2649
+ # To learn more about how to use this parameter, see [Testing your KMS
2650
+ # API calls][1] in the *Key Management Service Developer Guide*.
2651
+ #
2652
+ #
2653
+ #
2654
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2655
+ # @return [Boolean]
2656
+ #
2205
2657
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
2206
2658
  #
2207
2659
  class GenerateDataKeyRequest < Struct.new(
@@ -2209,7 +2661,9 @@ module Aws::KMS
2209
2661
  :encryption_context,
2210
2662
  :number_of_bytes,
2211
2663
  :key_spec,
2212
- :grant_tokens)
2664
+ :grant_tokens,
2665
+ :recipient,
2666
+ :dry_run)
2213
2667
  SENSITIVE = []
2214
2668
  include Aws::Structure
2215
2669
  end
@@ -2225,6 +2679,9 @@ module Aws::KMS
2225
2679
  # Services CLI, the value is Base64-encoded. Otherwise, it is not
2226
2680
  # Base64-encoded. Use this data key to encrypt your data outside of
2227
2681
  # KMS. Then, remove it from memory as soon as possible.
2682
+ #
2683
+ # If the response includes the `CiphertextForRecipient` field, the
2684
+ # `Plaintext` field is null or empty.
2228
2685
  # @return [String]
2229
2686
  #
2230
2687
  # @!attribute [rw] key_id
@@ -2236,31 +2693,39 @@ module Aws::KMS
2236
2693
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2237
2694
  # @return [String]
2238
2695
  #
2696
+ # @!attribute [rw] ciphertext_for_recipient
2697
+ # The plaintext data key encrypted with the public key from the Nitro
2698
+ # enclave. This ciphertext can be decrypted only by using a private
2699
+ # key in the Nitro enclave.
2700
+ #
2701
+ # This field is included in the response only when the `Recipient`
2702
+ # parameter in the request includes a valid attestation document from
2703
+ # an Amazon Web Services Nitro enclave. For information about the
2704
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
2705
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
2706
+ # Management Service Developer Guide*.
2707
+ #
2708
+ #
2709
+ #
2710
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2711
+ # @return [String]
2712
+ #
2239
2713
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
2240
2714
  #
2241
2715
  class GenerateDataKeyResponse < Struct.new(
2242
2716
  :ciphertext_blob,
2243
2717
  :plaintext,
2244
- :key_id)
2718
+ :key_id,
2719
+ :ciphertext_for_recipient)
2245
2720
  SENSITIVE = [:plaintext]
2246
2721
  include Aws::Structure
2247
2722
  end
2248
2723
 
2249
- # @note When making an API call, you may pass GenerateDataKeyWithoutPlaintextRequest
2250
- # data as a hash:
2251
- #
2252
- # {
2253
- # key_id: "KeyIdType", # required
2254
- # encryption_context: {
2255
- # "EncryptionContextKey" => "EncryptionContextValue",
2256
- # },
2257
- # key_spec: "AES_256", # accepts AES_256, AES_128
2258
- # number_of_bytes: 1,
2259
- # grant_tokens: ["GrantTokenType"],
2260
- # }
2261
- #
2262
2724
  # @!attribute [rw] key_id
2263
- # The identifier of the symmetric KMS key that encrypts the data key.
2725
+ # Specifies the symmetric encryption KMS key that encrypts the data
2726
+ # key. You cannot specify an asymmetric KMS key or a KMS key in a
2727
+ # custom key store. To get the type and origin of your KMS key, use
2728
+ # the DescribeKey operation.
2264
2729
  #
2265
2730
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
2266
2731
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2286,14 +2751,20 @@ module Aws::KMS
2286
2751
  # Specifies the encryption context that will be used when encrypting
2287
2752
  # the data key.
2288
2753
  #
2754
+ # Do not include confidential or sensitive information in this field.
2755
+ # This field may be displayed in plaintext in CloudTrail logs and
2756
+ # other output.
2757
+ #
2289
2758
  # An *encryption context* is a collection of non-secret key-value
2290
- # pairs that represents additional authenticated data. When you use an
2759
+ # pairs that represent additional authenticated data. When you use an
2291
2760
  # encryption context to encrypt data, you must specify the same (an
2292
2761
  # exact case-sensitive match) encryption context to decrypt the data.
2293
- # An encryption context is optional when encrypting with a symmetric
2294
- # KMS key, but it is highly recommended.
2762
+ # An encryption context is supported only on operations with symmetric
2763
+ # encryption KMS keys. On operations with symmetric encryption KMS
2764
+ # keys, an encryption context is optional, but it is strongly
2765
+ # recommended.
2295
2766
  #
2296
- # For more information, see [Encryption Context][1] in the *Key
2767
+ # For more information, see [Encryption context][1] in the *Key
2297
2768
  # Management Service Developer Guide*.
2298
2769
  #
2299
2770
  #
@@ -2327,6 +2798,18 @@ module Aws::KMS
2327
2798
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2328
2799
  # @return [Array<String>]
2329
2800
  #
2801
+ # @!attribute [rw] dry_run
2802
+ # Checks if your request will succeed. `DryRun` is an optional
2803
+ # parameter.
2804
+ #
2805
+ # To learn more about how to use this parameter, see [Testing your KMS
2806
+ # API calls][1] in the *Key Management Service Developer Guide*.
2807
+ #
2808
+ #
2809
+ #
2810
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2811
+ # @return [Boolean]
2812
+ #
2330
2813
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
2331
2814
  #
2332
2815
  class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
@@ -2334,7 +2817,8 @@ module Aws::KMS
2334
2817
  :encryption_context,
2335
2818
  :key_spec,
2336
2819
  :number_of_bytes,
2337
- :grant_tokens)
2820
+ :grant_tokens,
2821
+ :dry_run)
2338
2822
  SENSITIVE = []
2339
2823
  include Aws::Structure
2340
2824
  end
@@ -2363,33 +2847,150 @@ module Aws::KMS
2363
2847
  include Aws::Structure
2364
2848
  end
2365
2849
 
2366
- # @note When making an API call, you may pass GenerateRandomRequest
2367
- # data as a hash:
2850
+ # @!attribute [rw] message
2851
+ # The message to be hashed. Specify a message of up to 4,096 bytes.
2852
+ #
2853
+ # `GenerateMac` and VerifyMac do not provide special handling for
2854
+ # message digests. If you generate an HMAC for a hash digest of a
2855
+ # message, you must verify the HMAC of the same hash digest.
2856
+ # @return [String]
2857
+ #
2858
+ # @!attribute [rw] key_id
2859
+ # The HMAC KMS key to use in the operation. The MAC algorithm computes
2860
+ # the HMAC for the message and the key as described in [RFC 2104][1].
2861
+ #
2862
+ # To identify an HMAC KMS key, use the DescribeKey operation and see
2863
+ # the `KeySpec` field in the response.
2864
+ #
2865
+ #
2866
+ #
2867
+ # [1]: https://datatracker.ietf.org/doc/html/rfc2104
2868
+ # @return [String]
2869
+ #
2870
+ # @!attribute [rw] mac_algorithm
2871
+ # The MAC algorithm used in the operation.
2872
+ #
2873
+ # The algorithm must be compatible with the HMAC KMS key that you
2874
+ # specify. To find the MAC algorithms that your HMAC KMS key supports,
2875
+ # use the DescribeKey operation and see the `MacAlgorithms` field in
2876
+ # the `DescribeKey` response.
2877
+ # @return [String]
2878
+ #
2879
+ # @!attribute [rw] grant_tokens
2880
+ # A list of grant tokens.
2881
+ #
2882
+ # Use a grant token when your permission to call this operation comes
2883
+ # from a new grant that has not yet achieved *eventual consistency*.
2884
+ # For more information, see [Grant token][1] and [Using a grant
2885
+ # token][2] in the *Key Management Service Developer Guide*.
2886
+ #
2887
+ #
2888
+ #
2889
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2890
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2891
+ # @return [Array<String>]
2892
+ #
2893
+ # @!attribute [rw] dry_run
2894
+ # Checks if your request will succeed. `DryRun` is an optional
2895
+ # parameter.
2896
+ #
2897
+ # To learn more about how to use this parameter, see [Testing your KMS
2898
+ # API calls][1] in the *Key Management Service Developer Guide*.
2899
+ #
2900
+ #
2901
+ #
2902
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2903
+ # @return [Boolean]
2904
+ #
2905
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
2906
+ #
2907
+ class GenerateMacRequest < Struct.new(
2908
+ :message,
2909
+ :key_id,
2910
+ :mac_algorithm,
2911
+ :grant_tokens,
2912
+ :dry_run)
2913
+ SENSITIVE = [:message]
2914
+ include Aws::Structure
2915
+ end
2916
+
2917
+ # @!attribute [rw] mac
2918
+ # The hash-based message authentication code (HMAC) that was generated
2919
+ # for the specified message, HMAC KMS key, and MAC algorithm.
2920
+ #
2921
+ # This is the standard, raw HMAC defined in [RFC 2104][1].
2922
+ #
2923
+ #
2924
+ #
2925
+ # [1]: https://datatracker.ietf.org/doc/html/rfc2104
2926
+ # @return [String]
2927
+ #
2928
+ # @!attribute [rw] mac_algorithm
2929
+ # The MAC algorithm that was used to generate the HMAC.
2930
+ # @return [String]
2368
2931
  #
2369
- # {
2370
- # number_of_bytes: 1,
2371
- # custom_key_store_id: "CustomKeyStoreIdType",
2372
- # }
2932
+ # @!attribute [rw] key_id
2933
+ # The HMAC KMS key used in the operation.
2934
+ # @return [String]
2373
2935
  #
2936
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
2937
+ #
2938
+ class GenerateMacResponse < Struct.new(
2939
+ :mac,
2940
+ :mac_algorithm,
2941
+ :key_id)
2942
+ SENSITIVE = []
2943
+ include Aws::Structure
2944
+ end
2945
+
2374
2946
  # @!attribute [rw] number_of_bytes
2375
- # The length of the byte string.
2947
+ # The length of the random byte string. This parameter is required.
2376
2948
  # @return [Integer]
2377
2949
  #
2378
2950
  # @!attribute [rw] custom_key_store_id
2379
2951
  # Generates the random byte string in the CloudHSM cluster that is
2380
- # associated with the specified [custom key store][1]. To find the ID
2381
- # of a custom key store, use the DescribeCustomKeyStores operation.
2952
+ # associated with the specified CloudHSM key store. To find the ID of
2953
+ # a custom key store, use the DescribeCustomKeyStores operation.
2382
2954
  #
2955
+ # External key store IDs are not valid for this parameter. If you
2956
+ # specify the ID of an external key store, `GenerateRandom` throws an
2957
+ # `UnsupportedOperationException`.
2958
+ # @return [String]
2383
2959
  #
2960
+ # @!attribute [rw] recipient
2961
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
2962
+ # enclave and the encryption algorithm to use with the enclave's
2963
+ # public key. The only valid encryption algorithm is
2964
+ # `RSAES_OAEP_SHA_256`.
2384
2965
  #
2385
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2386
- # @return [String]
2966
+ # This parameter only supports attestation documents for Amazon Web
2967
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
2968
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2969
+ #
2970
+ # When you use this parameter, instead of returning plaintext bytes,
2971
+ # KMS encrypts the plaintext bytes under the public key in the
2972
+ # attestation document, and returns the resulting ciphertext in the
2973
+ # `CiphertextForRecipient` field in the response. This ciphertext can
2974
+ # be decrypted only with the private key in the enclave. The
2975
+ # `Plaintext` field in the response is null or empty.
2976
+ #
2977
+ # For information about the interaction between KMS and Amazon Web
2978
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2979
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
2980
+ #
2981
+ #
2982
+ #
2983
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2984
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2985
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2986
+ # @return [Types::RecipientInfo]
2387
2987
  #
2388
2988
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
2389
2989
  #
2390
2990
  class GenerateRandomRequest < Struct.new(
2391
2991
  :number_of_bytes,
2392
- :custom_key_store_id)
2992
+ :custom_key_store_id,
2993
+ :recipient)
2393
2994
  SENSITIVE = []
2394
2995
  include Aws::Structure
2395
2996
  end
@@ -2398,24 +2999,37 @@ module Aws::KMS
2398
2999
  # The random byte string. When you use the HTTP API or the Amazon Web
2399
3000
  # Services CLI, the value is Base64-encoded. Otherwise, it is not
2400
3001
  # Base64-encoded.
3002
+ #
3003
+ # If the response includes the `CiphertextForRecipient` field, the
3004
+ # `Plaintext` field is null or empty.
3005
+ # @return [String]
3006
+ #
3007
+ # @!attribute [rw] ciphertext_for_recipient
3008
+ # The plaintext random bytes encrypted with the public key from the
3009
+ # Nitro enclave. This ciphertext can be decrypted only by using a
3010
+ # private key in the Nitro enclave.
3011
+ #
3012
+ # This field is included in the response only when the `Recipient`
3013
+ # parameter in the request includes a valid attestation document from
3014
+ # an Amazon Web Services Nitro enclave. For information about the
3015
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
3016
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
3017
+ # Management Service Developer Guide*.
3018
+ #
3019
+ #
3020
+ #
3021
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2401
3022
  # @return [String]
2402
3023
  #
2403
3024
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
2404
3025
  #
2405
3026
  class GenerateRandomResponse < Struct.new(
2406
- :plaintext)
3027
+ :plaintext,
3028
+ :ciphertext_for_recipient)
2407
3029
  SENSITIVE = [:plaintext]
2408
3030
  include Aws::Structure
2409
3031
  end
2410
3032
 
2411
- # @note When making an API call, you may pass GetKeyPolicyRequest
2412
- # data as a hash:
2413
- #
2414
- # {
2415
- # key_id: "KeyIdType", # required
2416
- # policy_name: "PolicyNameType", # required
2417
- # }
2418
- #
2419
3033
  # @!attribute [rw] key_id
2420
3034
  # Gets the key policy for the specified KMS key.
2421
3035
  #
@@ -2458,13 +3072,6 @@ module Aws::KMS
2458
3072
  include Aws::Structure
2459
3073
  end
2460
3074
 
2461
- # @note When making an API call, you may pass GetKeyRotationStatusRequest
2462
- # data as a hash:
2463
- #
2464
- # {
2465
- # key_id: "KeyIdType", # required
2466
- # }
2467
- #
2468
3075
  # @!attribute [rw] key_id
2469
3076
  # Gets the rotation status for the specified KMS key.
2470
3077
  #
@@ -2503,18 +3110,14 @@ module Aws::KMS
2503
3110
  include Aws::Structure
2504
3111
  end
2505
3112
 
2506
- # @note When making an API call, you may pass GetParametersForImportRequest
2507
- # data as a hash:
2508
- #
2509
- # {
2510
- # key_id: "KeyIdType", # required
2511
- # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
2512
- # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
2513
- # }
2514
- #
2515
3113
  # @!attribute [rw] key_id
2516
- # The identifier of the symmetric KMS key into which you will import
2517
- # key material. The `Origin` of the KMS key must be `EXTERNAL`.
3114
+ # The identifier of the KMS key that will be associated with the
3115
+ # imported key material. The `Origin` of the KMS key must be
3116
+ # `EXTERNAL`.
3117
+ #
3118
+ # All KMS key types are supported, including multi-Region keys.
3119
+ # However, you cannot import key material into a KMS key in a custom
3120
+ # key store.
2518
3121
  #
2519
3122
  # Specify the key ID or key ARN of the KMS key.
2520
3123
  #
@@ -2530,19 +3133,54 @@ module Aws::KMS
2530
3133
  # @return [String]
2531
3134
  #
2532
3135
  # @!attribute [rw] wrapping_algorithm
2533
- # The algorithm you will use to encrypt the key material before
2534
- # importing it with ImportKeyMaterial. For more information, see
2535
- # [Encrypt the Key Material][1] in the *Key Management Service
2536
- # Developer Guide*.
3136
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
3137
+ # the response to protect your key material during import. For more
3138
+ # information, see [Select a wrapping
3139
+ # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
3140
+ # in the *Key Management Service Developer Guide*.
3141
+ #
3142
+ # For RSA\_AES wrapping algorithms, you encrypt your key material with
3143
+ # an AES key that you generate, then encrypt your AES key with the RSA
3144
+ # public key from KMS. For RSAES wrapping algorithms, you encrypt your
3145
+ # key material directly with the RSA public key from KMS.
3146
+ #
3147
+ # The wrapping algorithms that you can use depend on the type of key
3148
+ # material that you are importing. To import an RSA private key, you
3149
+ # must use an RSA\_AES wrapping algorithm.
3150
+ #
3151
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
3152
+ # ECC key material.
3153
+ #
3154
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and
3155
+ # ECC key material.
2537
3156
  #
3157
+ # * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
3158
+ # material, except RSA key material (private key).
2538
3159
  #
3160
+ # You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
3161
+ # the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
3162
+ # material.
2539
3163
  #
2540
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
3164
+ # * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
3165
+ # except RSA key material (private key).
3166
+ #
3167
+ # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
3168
+ # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
3169
+ #
3170
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
3171
+ # symmetric encryption key material (and only in legacy mode).
2541
3172
  # @return [String]
2542
3173
  #
2543
3174
  # @!attribute [rw] wrapping_key_spec
2544
- # The type of wrapping key (public key) to return in the response.
2545
- # Only 2048-bit RSA public keys are supported.
3175
+ # The type of RSA public key to return in the response. You will use
3176
+ # this wrapping key with the specified wrapping algorithm to protect
3177
+ # your key material during import.
3178
+ #
3179
+ # Use the longest RSA wrapping key that is practical.
3180
+ #
3181
+ # You cannot use an RSA\_2048 public key to directly wrap an
3182
+ # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
3183
+ # algorithm or choose a longer RSA public key.
2546
3184
  # @return [String]
2547
3185
  #
2548
3186
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
@@ -2592,14 +3230,6 @@ module Aws::KMS
2592
3230
  include Aws::Structure
2593
3231
  end
2594
3232
 
2595
- # @note When making an API call, you may pass GetPublicKeyRequest
2596
- # data as a hash:
2597
- #
2598
- # {
2599
- # key_id: "KeyIdType", # required
2600
- # grant_tokens: ["GrantTokenType"],
2601
- # }
2602
- #
2603
3233
  # @!attribute [rw] key_id
2604
3234
  # Identifies the asymmetric KMS key that includes the public key.
2605
3235
  #
@@ -2675,7 +3305,7 @@ module Aws::KMS
2675
3305
  #
2676
3306
  # The `KeySpec` and `CustomerMasterKeySpec` fields have the same
2677
3307
  # value. We recommend that you use the `KeySpec` field in your code.
2678
- # However, to avoid breaking changes, KMS will support both fields.
3308
+ # However, to avoid breaking changes, KMS supports both fields.
2679
3309
  # @return [String]
2680
3310
  #
2681
3311
  # @!attribute [rw] key_spec
@@ -2756,18 +3386,6 @@ module Aws::KMS
2756
3386
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
2757
3387
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
2758
3388
  #
2759
- # @note When making an API call, you may pass GrantConstraints
2760
- # data as a hash:
2761
- #
2762
- # {
2763
- # encryption_context_subset: {
2764
- # "EncryptionContextKey" => "EncryptionContextValue",
2765
- # },
2766
- # encryption_context_equals: {
2767
- # "EncryptionContextKey" => "EncryptionContextValue",
2768
- # },
2769
- # }
2770
- #
2771
3389
  # @!attribute [rw] encryption_context_subset
2772
3390
  # A list of key-value pairs that must be included in the encryption
2773
3391
  # context of the [cryptographic operation][1] request. The grant
@@ -2868,22 +3486,20 @@ module Aws::KMS
2868
3486
  include Aws::Structure
2869
3487
  end
2870
3488
 
2871
- # @note When making an API call, you may pass ImportKeyMaterialRequest
2872
- # data as a hash:
2873
- #
2874
- # {
2875
- # key_id: "KeyIdType", # required
2876
- # import_token: "data", # required
2877
- # encrypted_key_material: "data", # required
2878
- # valid_to: Time.now,
2879
- # expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
2880
- # }
2881
- #
2882
3489
  # @!attribute [rw] key_id
2883
- # The identifier of the symmetric KMS key that receives the imported
2884
- # key material. The KMS key's `Origin` must be `EXTERNAL`. This must
2885
- # be the same KMS key specified in the `KeyID` parameter of the
2886
- # corresponding GetParametersForImport request.
3490
+ # The identifier of the KMS key that will be associated with the
3491
+ # imported key material. This must be the same KMS key specified in
3492
+ # the `KeyID` parameter of the corresponding GetParametersForImport
3493
+ # request. The `Origin` of the KMS key must be `EXTERNAL` and its
3494
+ # `KeyState` must be `PendingImport`.
3495
+ #
3496
+ # The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
3497
+ # asymmetric encryption KMS key, or asymmetric signing KMS key,
3498
+ # including a [multi-Region
3499
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of
3500
+ # any supported type. You cannot perform this operation on a KMS key
3501
+ # in a custom key store, or on a KMS key in a different Amazon Web
3502
+ # Services account.
2887
3503
  #
2888
3504
  # Specify the key ID or key ARN of the KMS key.
2889
3505
  #
@@ -2907,25 +3523,47 @@ module Aws::KMS
2907
3523
  #
2908
3524
  # @!attribute [rw] encrypted_key_material
2909
3525
  # The encrypted key material to import. The key material must be
2910
- # encrypted with the public wrapping key that GetParametersForImport
3526
+ # encrypted under the public wrapping key that GetParametersForImport
2911
3527
  # returned, using the wrapping algorithm that you specified in the
2912
3528
  # same `GetParametersForImport` request.
2913
3529
  # @return [String]
2914
3530
  #
2915
3531
  # @!attribute [rw] valid_to
2916
- # The time at which the imported key material expires. When the key
2917
- # material expires, KMS deletes the key material and the KMS key
2918
- # becomes unusable. You must omit this parameter when the
2919
- # `ExpirationModel` parameter is set to
2920
- # `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
3532
+ # The date and time when the imported key material expires. This
3533
+ # parameter is required when the value of the `ExpirationModel`
3534
+ # parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
3535
+ #
3536
+ # The value of this parameter must be a future date and time. The
3537
+ # maximum value is 365 days from the request date.
3538
+ #
3539
+ # When the key material expires, KMS deletes the key material from the
3540
+ # KMS key. Without its key material, the KMS key is unusable. To use
3541
+ # the KMS key in cryptographic operations, you must reimport the same
3542
+ # key material.
3543
+ #
3544
+ # You cannot change the `ExpirationModel` or `ValidTo` values for the
3545
+ # current import after the request completes. To change either value,
3546
+ # you must delete (DeleteImportedKeyMaterial) and reimport the key
3547
+ # material.
2921
3548
  # @return [Time]
2922
3549
  #
2923
3550
  # @!attribute [rw] expiration_model
2924
3551
  # Specifies whether the key material expires. The default is
2925
- # `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
2926
- # parameter. When this parameter is set to
3552
+ # `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
3553
+ # expiration time][1] in the *Key Management Service Developer Guide*.
3554
+ #
3555
+ # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
3556
+ # must specify a value for the `ValidTo` parameter. When value is
2927
3557
  # `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
2928
3558
  # parameter.
3559
+ #
3560
+ # You cannot change the `ExpirationModel` or `ValidTo` values for the
3561
+ # current import after the request completes. To change either value,
3562
+ # you must reimport the key material.
3563
+ #
3564
+ #
3565
+ #
3566
+ # [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
2929
3567
  # @return [String]
2930
3568
  #
2931
3569
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -2976,11 +3614,11 @@ module Aws::KMS
2976
3614
  end
2977
3615
 
2978
3616
  # The request was rejected because the trust anchor certificate in the
2979
- # request is not the trust anchor certificate for the specified CloudHSM
2980
- # cluster.
3617
+ # request to create an CloudHSM key store is not the trust anchor
3618
+ # certificate for the specified CloudHSM cluster.
2981
3619
  #
2982
- # When you [initialize the cluster][1], you create the trust anchor
2983
- # certificate and save it in the `customerCA.crt` file.
3620
+ # When you [initialize the CloudHSM cluster][1], you create the trust
3621
+ # anchor certificate and save it in the `customerCA.crt` file.
2984
3622
  #
2985
3623
  #
2986
3624
  #
@@ -3095,9 +3733,11 @@ module Aws::KMS
3095
3733
  # key `(KeySpec`).
3096
3734
  #
3097
3735
  # For encrypting, decrypting, re-encrypting, and generating data keys,
3098
- # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
3099
- # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS
3100
- # key, use the DescribeKey operation.
3736
+ # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
3737
+ # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
3738
+ # verifying message authentication codes (MACs), the `KeyUsage` must be
3739
+ # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
3740
+ # DescribeKey operation.
3101
3741
  #
3102
3742
  # To find the encryption or signing algorithms supported for a
3103
3743
  # particular KMS key, use the DescribeKey operation.
@@ -3141,6 +3781,22 @@ module Aws::KMS
3141
3781
  include Aws::Structure
3142
3782
  end
3143
3783
 
3784
+ # The request was rejected because the HMAC verification failed. HMAC
3785
+ # verification fails when the HMAC computed by using the specified
3786
+ # message, HMAC KMS key, and MAC algorithm does not match the HMAC
3787
+ # specified in the request.
3788
+ #
3789
+ # @!attribute [rw] message
3790
+ # @return [String]
3791
+ #
3792
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
3793
+ #
3794
+ class KMSInvalidMacException < Struct.new(
3795
+ :message)
3796
+ SENSITIVE = []
3797
+ include Aws::Structure
3798
+ end
3799
+
3144
3800
  # The request was rejected because the signature verification failed.
3145
3801
  # Signature verification fails when it cannot confirm that signature was
3146
3802
  # produced by signing the specified message with the specified KMS key
@@ -3160,9 +3816,19 @@ module Aws::KMS
3160
3816
  # The request was rejected because the state of the specified resource
3161
3817
  # is not valid for this request.
3162
3818
  #
3163
- # For more information about how key state affects the use of a KMS key,
3164
- # see [Key state: Effect on your KMS key][1] in the <i> <i>Key
3165
- # Management Service Developer Guide</i> </i>.
3819
+ # This exceptions means one of the following:
3820
+ #
3821
+ # * The key state of the KMS key is not compatible with the operation.
3822
+ #
3823
+ # To find the key state, use the DescribeKey operation. For more
3824
+ # information about which key states are compatible with each KMS
3825
+ # operation, see [Key states of KMS keys][1] in the <i> <i>Key
3826
+ # Management Service Developer Guide</i> </i>.
3827
+ #
3828
+ # * For cryptographic operations on KMS keys in custom key stores, this
3829
+ # exception represents a general failure with many possible causes. To
3830
+ # identify the cause, see the error message that accompanies the
3831
+ # exception.
3166
3832
  #
3167
3833
  #
3168
3834
  #
@@ -3200,8 +3866,8 @@ module Aws::KMS
3200
3866
 
3201
3867
  # Contains metadata about a KMS key.
3202
3868
  #
3203
- # This data type is used as a response element for the CreateKey and
3204
- # DescribeKey operations.
3869
+ # This data type is used as a response element for the CreateKey,
3870
+ # DescribeKey, and ReplicateKey operations.
3205
3871
  #
3206
3872
  # @!attribute [rw] aws_account_id
3207
3873
  # The twelve-digit account ID of the Amazon Web Services account that
@@ -3247,8 +3913,8 @@ module Aws::KMS
3247
3913
  # The current status of the KMS key.
3248
3914
  #
3249
3915
  # For more information about how key state affects the use of a KMS
3250
- # key, see [Key state: Effect on your KMS key][1] in the *Key
3251
- # Management Service Developer Guide*.
3916
+ # key, see [Key states of KMS keys][1] in the *Key Management Service
3917
+ # Developer Guide*.
3252
3918
  #
3253
3919
  #
3254
3920
  #
@@ -3285,7 +3951,7 @@ module Aws::KMS
3285
3951
  #
3286
3952
  # @!attribute [rw] custom_key_store_id
3287
3953
  # A unique identifier for the [custom key store][1] that contains the
3288
- # KMS key. This value is present only when the KMS key is created in a
3954
+ # KMS key. This field is present only when the KMS key is created in a
3289
3955
  # custom key store.
3290
3956
  #
3291
3957
  #
@@ -3295,10 +3961,10 @@ module Aws::KMS
3295
3961
  #
3296
3962
  # @!attribute [rw] cloud_hsm_cluster_id
3297
3963
  # The cluster ID of the CloudHSM cluster that contains the key
3298
- # material for the KMS key. When you create a KMS key in a [custom key
3299
- # store][1], KMS creates the key material for the KMS key in the
3300
- # associated CloudHSM cluster. This value is present only when the KMS
3301
- # key is created in a custom key store.
3964
+ # material for the KMS key. When you create a KMS key in an CloudHSM
3965
+ # [custom key store][1], KMS creates the key material for the KMS key
3966
+ # in the associated CloudHSM cluster. This field is present only when
3967
+ # the KMS key is created in an CloudHSM key store.
3302
3968
  #
3303
3969
  #
3304
3970
  #
@@ -3327,7 +3993,7 @@ module Aws::KMS
3327
3993
  #
3328
3994
  # The `KeySpec` and `CustomerMasterKeySpec` fields have the same
3329
3995
  # value. We recommend that you use the `KeySpec` field in your code.
3330
- # However, to avoid breaking changes, KMS will support both fields.
3996
+ # However, to avoid breaking changes, KMS supports both fields.
3331
3997
  # @return [String]
3332
3998
  #
3333
3999
  # @!attribute [rw] key_spec
@@ -3355,9 +4021,8 @@ module Aws::KMS
3355
4021
  # (`False`) key. This value is `True` for multi-Region primary and
3356
4022
  # replica keys and `False` for regional KMS keys.
3357
4023
  #
3358
- # For more information about multi-Region keys, see [Using
3359
- # multi-Region keys][1] in the *Key Management Service Developer
3360
- # Guide*.
4024
+ # For more information about multi-Region keys, see [Multi-Region keys
4025
+ # in KMS][1] in the *Key Management Service Developer Guide*.
3361
4026
  #
3362
4027
  #
3363
4028
  #
@@ -3402,6 +4067,26 @@ module Aws::KMS
3402
4067
  # the deletion date appears in the `DeletionDate` field.
3403
4068
  # @return [Integer]
3404
4069
  #
4070
+ # @!attribute [rw] mac_algorithms
4071
+ # The message authentication code (MAC) algorithm that the HMAC KMS
4072
+ # key supports.
4073
+ #
4074
+ # This value is present only when the `KeyUsage` of the KMS key is
4075
+ # `GENERATE_VERIFY_MAC`.
4076
+ # @return [Array<String>]
4077
+ #
4078
+ # @!attribute [rw] xks_key_configuration
4079
+ # Information about the external key that is associated with a KMS key
4080
+ # in an external key store.
4081
+ #
4082
+ # For more information, see [External key][1] in the *Key Management
4083
+ # Service Developer Guide*.
4084
+ #
4085
+ #
4086
+ #
4087
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
4088
+ # @return [Types::XksKeyConfigurationType]
4089
+ #
3405
4090
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
3406
4091
  #
3407
4092
  class KeyMetadata < Struct.new(
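Review bot: The new mac_algorithms description says `The message authentication code (MAC) algorithm that the HMAC KMS key supports`, but its return type is `Array<String>`, so the sentence should be plural: `The message authentication code (MAC) algorithms that the HMAC KMS key supports`. The KeyMetadata struct definition continues outside the hunk.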
@@ -3426,7 +4111,9 @@ module Aws::KMS
3426
4111
  :signing_algorithms,
3427
4112
  :multi_region,
3428
4113
  :multi_region_configuration,
3429
- :pending_deletion_window_in_days)
4114
+ :pending_deletion_window_in_days,
4115
+ :mac_algorithms,
4116
+ :xks_key_configuration)
3430
4117
  SENSITIVE = []
3431
4118
  include Aws::Structure
3432
4119
  end
@@ -3464,15 +4151,6 @@ module Aws::KMS
3464
4151
  include Aws::Structure
3465
4152
  end
3466
4153
 
3467
- # @note When making an API call, you may pass ListAliasesRequest
3468
- # data as a hash:
3469
- #
3470
- # {
3471
- # key_id: "KeyIdType",
3472
- # limit: 1,
3473
- # marker: "MarkerType",
3474
- # }
3475
- #
3476
4154
  # @!attribute [rw] key_id
3477
4155
  # Lists only aliases that are associated with the specified KMS key.
3478
4156
  # Enter a KMS key in your Amazon Web Services account.
@@ -3545,17 +4223,6 @@ module Aws::KMS
3545
4223
  include Aws::Structure
3546
4224
  end
3547
4225
 
3548
- # @note When making an API call, you may pass ListGrantsRequest
3549
- # data as a hash:
3550
- #
3551
- # {
3552
- # limit: 1,
3553
- # marker: "MarkerType",
3554
- # key_id: "KeyIdType", # required
3555
- # grant_id: "GrantIdType",
3556
- # grantee_principal: "PrincipalIdType",
3557
- # }
3558
- #
3559
4226
  # @!attribute [rw] limit
3560
4227
  # Use this parameter to specify the maximum number of items to return.
3561
4228
  # When this value is present, KMS does not return more than the
@@ -3639,15 +4306,6 @@ module Aws::KMS
3639
4306
  include Aws::Structure
3640
4307
  end
3641
4308
 
3642
- # @note When making an API call, you may pass ListKeyPoliciesRequest
3643
- # data as a hash:
3644
- #
3645
- # {
3646
- # key_id: "KeyIdType", # required
3647
- # limit: 1,
3648
- # marker: "MarkerType",
3649
- # }
3650
- #
3651
4309
  # @!attribute [rw] key_id
3652
4310
  # Gets the names of key policies for the specified KMS key.
3653
4311
  #
@@ -3718,14 +4376,6 @@ module Aws::KMS
3718
4376
  include Aws::Structure
3719
4377
  end
3720
4378
 
3721
- # @note When making an API call, you may pass ListKeysRequest
3722
- # data as a hash:
3723
- #
3724
- # {
3725
- # limit: 1,
3726
- # marker: "MarkerType",
3727
- # }
3728
- #
3729
4379
  # @!attribute [rw] limit
3730
4380
  # Use this parameter to specify the maximum number of items to return.
3731
4381
  # When this value is present, KMS does not return more than the
@@ -3777,15 +4427,6 @@ module Aws::KMS
3777
4427
  include Aws::Structure
3778
4428
  end
3779
4429
 
3780
- # @note When making an API call, you may pass ListResourceTagsRequest
3781
- # data as a hash:
3782
- #
3783
- # {
3784
- # key_id: "KeyIdType", # required
3785
- # limit: 1,
3786
- # marker: "MarkerType",
3787
- # }
3788
- #
3789
4430
  # @!attribute [rw] key_id
3790
4431
  # Gets tags on the specified KMS key.
3791
4432
  #
@@ -3834,8 +4475,8 @@ module Aws::KMS
3834
4475
  # A list of tags. Each tag consists of a tag key and a tag value.
3835
4476
  #
3836
4477
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
3837
- # KMS key. For details, see [Using ABAC in KMS][1] in the *Key
3838
- # Management Service Developer Guide*.
4478
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
4479
+ # Service Developer Guide*.
3839
4480
  #
3840
4481
  # </note>
3841
4482
  #
@@ -3868,15 +4509,6 @@ module Aws::KMS
3868
4509
  include Aws::Structure
3869
4510
  end
3870
4511
 
3871
- # @note When making an API call, you may pass ListRetirableGrantsRequest
3872
- # data as a hash:
3873
- #
3874
- # {
3875
- # limit: 1,
3876
- # marker: "MarkerType",
3877
- # retiring_principal: "PrincipalIdType", # required
3878
- # }
3879
- #
3880
4512
  # @!attribute [rw] limit
3881
4513
  # Use this parameter to specify the maximum number of items to return.
3882
4514
  # When this value is present, KMS does not return more than the
@@ -3898,17 +4530,16 @@ module Aws::KMS
3898
4530
  # in your Amazon Web Services account.
3899
4531
  #
3900
4532
  # To specify the retiring principal, use the [Amazon Resource Name
3901
- # (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
3902
- # Services principals include Amazon Web Services accounts (root), IAM
3903
- # users, federated users, and assumed role users. For examples of the
3904
- # ARN syntax for specifying a principal, see [Amazon Web Services
3905
- # Identity and Access Management (IAM)][2] in the Example ARNs section
3906
- # of the *Amazon Web Services General Reference*.
4533
+ # (ARN)][1] of an Amazon Web Services principal. Valid principals
4534
+ # include Amazon Web Services accounts, IAM users, IAM roles,
4535
+ # federated users, and assumed role users. For help with the ARN
4536
+ # syntax for a principal, see [IAM ARNs][2] in the <i> <i>Identity and
4537
+ # Access Management User Guide</i> </i>.
3907
4538
  #
3908
4539
  #
3909
4540
  #
3910
4541
  # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
3911
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
4542
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
3912
4543
  # @return [String]
3913
4544
  #
3914
4545
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
@@ -4001,16 +4632,6 @@ module Aws::KMS
4001
4632
  include Aws::Structure
4002
4633
  end
4003
4634
 
4004
- # @note When making an API call, you may pass PutKeyPolicyRequest
4005
- # data as a hash:
4006
- #
4007
- # {
4008
- # key_id: "KeyIdType", # required
4009
- # policy_name: "PolicyNameType", # required
4010
- # policy: "PolicyType", # required
4011
- # bypass_policy_lockout_safety_check: false,
4012
- # }
4013
- #
4014
4635
  # @!attribute [rw] key_id
4015
4636
  # Sets the key policy on the specified KMS key.
4016
4637
  #
@@ -4036,55 +4657,65 @@ module Aws::KMS
4036
4657
  #
4037
4658
  # The key policy must meet the following criteria:
4038
4659
  #
4039
- # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
4040
- # key policy must allow the principal that is making the
4041
- # `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
4042
- # on the KMS key. This reduces the risk that the KMS key becomes
4043
- # unmanageable. For more information, refer to the scenario in the
4044
- # [Default Key Policy][1] section of the *Key Management Service
4045
- # Developer Guide*.
4660
+ # * The key policy must allow the calling principal to make a
4661
+ # subsequent `PutKeyPolicy` request on the KMS key. This reduces the
4662
+ # risk that the KMS key becomes unmanageable. For more information,
4663
+ # see [Default key policy][1] in the *Key Management Service
4664
+ # Developer Guide*. (To omit this condition, set
4665
+ # `BypassPolicyLockoutSafetyCheck` to true.)
4046
4666
  #
4047
4667
  # * Each statement in the key policy must contain one or more
4048
4668
  # principals. The principals in the key policy must exist and be
4049
4669
  # visible to KMS. When you create a new Amazon Web Services
4050
- # principal (for example, an IAM user or role), you might need to
4051
- # enforce a delay before including the new principal in a key policy
4052
- # because the new principal might not be immediately visible to KMS.
4053
- # For more information, see [Changes that I make are not always
4054
- # immediately visible][2] in the *Amazon Web Services Identity and
4055
- # Access Management User Guide*.
4056
- #
4057
- # The key policy cannot exceed 32 kilobytes (32768 bytes). For more
4058
- # information, see [Resource Quotas][3] in the *Key Management Service
4059
- # Developer Guide*.
4670
+ # principal, you might need to enforce a delay before including the
4671
+ # new principal in a key policy because the new principal might not
4672
+ # be immediately visible to KMS. For more information, see [Changes
4673
+ # that I make are not always immediately visible][2] in the *Amazon
4674
+ # Web Services Identity and Access Management User Guide*.
4675
+ #
4676
+ # A key policy document can include only the following characters:
4060
4677
  #
4678
+ # * Printable ASCII characters from the space character (`\u0020`)
4679
+ # through the end of the ASCII character range.
4061
4680
  #
4681
+ # * Printable characters in the Basic Latin and Latin-1 Supplement
4682
+ # character set (through `\u00FF`).
4062
4683
  #
4063
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
4684
+ # * The tab (`\u0009`), line feed (`\u000A`), and carriage return
4685
+ # (`\u000D`) special characters
4686
+ #
4687
+ # For information about key policies, see [Key policies in KMS][3] in
4688
+ # the *Key Management Service Developer Guide*.For help writing and
4689
+ # formatting a JSON policy document, see the [IAM JSON Policy
4690
+ # Reference][4] in the <i> <i>Identity and Access Management User
4691
+ # Guide</i> </i>.
4692
+ #
4693
+ #
4694
+ #
4695
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
4064
4696
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
4065
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
4697
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4698
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
4066
4699
  # @return [String]
4067
4700
  #
4068
4701
  # @!attribute [rw] bypass_policy_lockout_safety_check
4069
- # A flag to indicate whether to bypass the key policy lockout safety
4070
- # check.
4702
+ # Skips ("bypasses") the key policy lockout safety check. The
4703
+ # default value is false.
4071
4704
  #
4072
4705
  # Setting this value to true increases the risk that the KMS key
4073
4706
  # becomes unmanageable. Do not set this value to true
4074
4707
  # indiscriminately.
4075
4708
  #
4076
- # For more information, refer to the scenario in the [Default Key
4077
- # Policy][1] section in the *Key Management Service Developer Guide*.
4709
+ # For more information, see [Default key policy][1] in the *Key
4710
+ # Management Service Developer Guide*.
4078
4711
  #
4079
4712
  # Use this parameter only when you intend to prevent the principal
4080
- # that is making the request from making a subsequent `PutKeyPolicy`
4713
+ # that is making the request from making a subsequent PutKeyPolicy
4081
4714
  # request on the KMS key.
4082
4715
  #
4083
- # The default value is false.
4084
- #
4085
4716
  #
4086
4717
  #
4087
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
4718
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
4088
4719
  # @return [Boolean]
4089
4720
  #
4090
4721
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
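Review bot: The rewritten policy description drops the size limit that the removed lines stated (`The key policy cannot exceed 32 kilobytes (32768 bytes)` with the Resource Quotas link) without replacing it, so callers constructing policy documents no longer see the limit here; if it still applies, it should be restored next to the new character-set list. Separately, `Developer Guide*.For help writing` is missing a space after the period. The PutKeyPolicyRequest class starts and ends outside the hunk.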
@@ -4098,24 +4729,6 @@ module Aws::KMS
4098
4729
  include Aws::Structure
4099
4730
  end
4100
4731
 
4101
- # @note When making an API call, you may pass ReEncryptRequest
4102
- # data as a hash:
4103
- #
4104
- # {
4105
- # ciphertext_blob: "data", # required
4106
- # source_encryption_context: {
4107
- # "EncryptionContextKey" => "EncryptionContextValue",
4108
- # },
4109
- # source_key_id: "KeyIdType",
4110
- # destination_key_id: "KeyIdType", # required
4111
- # destination_encryption_context: {
4112
- # "EncryptionContextKey" => "EncryptionContextValue",
4113
- # },
4114
- # source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
4115
- # destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
4116
- # grant_tokens: ["GrantTokenType"],
4117
- # }
4118
- #
4119
4732
  # @!attribute [rw] ciphertext_blob
4120
4733
  # Ciphertext of the data to reencrypt.
4121
4734
  # @return [String]
@@ -4126,13 +4739,15 @@ module Aws::KMS
4126
4739
  # ciphertext.
4127
4740
  #
4128
4741
  # An *encryption context* is a collection of non-secret key-value
4129
- # pairs that represents additional authenticated data. When you use an
4742
+ # pairs that represent additional authenticated data. When you use an
4130
4743
  # encryption context to encrypt data, you must specify the same (an
4131
4744
  # exact case-sensitive match) encryption context to decrypt the data.
4132
- # An encryption context is optional when encrypting with a symmetric
4133
- # KMS key, but it is highly recommended.
4745
+ # An encryption context is supported only on operations with symmetric
4746
+ # encryption KMS keys. On operations with symmetric encryption KMS
4747
+ # keys, an encryption context is optional, but it is strongly
4748
+ # recommended.
4134
4749
  #
4135
- # For more information, see [Encryption Context][1] in the *Key
4750
+ # For more information, see [Encryption context][1] in the *Key
4136
4751
  # Management Service Developer Guide*.
4137
4752
  #
4138
4753
  #
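Review bot: The source_encryption_context description in this hunk does not carry the CloudTrail caveat that the later destination_encryption_context hunk adds (`Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.`), although both are encryption-context fields of the same ReEncryptRequest. Adding the same two sentences here keeps the two attributes consistent and makes the non-secret nature of the source context explicit to callers. The ReEncryptRequest class starts and ends outside the hunk.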
@@ -4142,15 +4757,18 @@ module Aws::KMS
4142
4757
  #
4143
4758
  # @!attribute [rw] source_key_id
4144
4759
  # Specifies the KMS key that KMS will use to decrypt the ciphertext
4145
- # before it is re-encrypted. Enter a key ID of the KMS key that was
4146
- # used to encrypt the ciphertext.
4760
+ # before it is re-encrypted.
4761
+ #
4762
+ # Enter a key ID of the KMS key that was used to encrypt the
4763
+ # ciphertext. If you identify a different KMS key, the `ReEncrypt`
4764
+ # operation throws an `IncorrectKeyException`.
4147
4765
  #
4148
4766
  # This parameter is required only when the ciphertext was encrypted
4149
- # under an asymmetric KMS key. If you used a symmetric KMS key, KMS
4150
- # can get the KMS key from metadata that it adds to the symmetric
4151
- # ciphertext blob. However, it is always recommended as a best
4152
- # practice. This practice ensures that you use the KMS key that you
4153
- # intend.
4767
+ # under an asymmetric KMS key. If you used a symmetric encryption KMS
4768
+ # key, KMS can get the KMS key from metadata that it adds to the
4769
+ # symmetric ciphertext blob. However, it is always recommended as a
4770
+ # best practice. This practice ensures that you use the KMS key that
4771
+ # you intend.
4154
4772
  #
4155
4773
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
4156
4774
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4174,9 +4792,9 @@ module Aws::KMS
4174
4792
  #
4175
4793
  # @!attribute [rw] destination_key_id
4176
4794
  # A unique identifier for the KMS key that is used to reencrypt the
4177
- # data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
4178
- # value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS
4179
- # key, use the DescribeKey operation.
4795
+ # data. Specify a symmetric encryption KMS key or an asymmetric KMS
4796
+ # key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
4797
+ # `KeyUsage` value of a KMS key, use the DescribeKey operation.
4180
4798
  #
4181
4799
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
4182
4800
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4202,18 +4820,24 @@ module Aws::KMS
4202
4820
  # Specifies that encryption context to use when the reencrypting the
4203
4821
  # data.
4204
4822
  #
4823
+ # Do not include confidential or sensitive information in this field.
4824
+ # This field may be displayed in plaintext in CloudTrail logs and
4825
+ # other output.
4826
+ #
4205
4827
  # A destination encryption context is valid only when the destination
4206
- # KMS key is a symmetric KMS key. The standard ciphertext format for
4207
- # asymmetric KMS keys does not include fields for metadata.
4828
+ # KMS key is a symmetric encryption KMS key. The standard ciphertext
4829
+ # format for asymmetric KMS keys does not include fields for metadata.
4208
4830
  #
4209
4831
  # An *encryption context* is a collection of non-secret key-value
4210
- # pairs that represents additional authenticated data. When you use an
4832
+ # pairs that represent additional authenticated data. When you use an
4211
4833
  # encryption context to encrypt data, you must specify the same (an
4212
4834
  # exact case-sensitive match) encryption context to decrypt the data.
4213
- # An encryption context is optional when encrypting with a symmetric
4214
- # KMS key, but it is highly recommended.
4835
+ # An encryption context is supported only on operations with symmetric
4836
+ # encryption KMS keys. On operations with symmetric encryption KMS
4837
+ # keys, an encryption context is optional, but it is strongly
4838
+ # recommended.
4215
4839
  #
4216
- # For more information, see [Encryption Context][1] in the *Key
4840
+ # For more information, see [Encryption context][1] in the *Key
4217
4841
  # Management Service Developer Guide*.
4218
4842
  #
4219
4843
  #
@@ -4224,8 +4848,8 @@ module Aws::KMS
4224
4848
  # @!attribute [rw] source_encryption_algorithm
4225
4849
  # Specifies the encryption algorithm that KMS will use to decrypt the
4226
4850
  # ciphertext before it is reencrypted. The default value,
4227
- # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
4228
- # keys.
4851
+ # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
4852
+ # encryption KMS keys.
4229
4853
  #
4230
4854
  # Specify the same algorithm that was used to encrypt the ciphertext.
4231
4855
  # If you specify a different algorithm, the decrypt attempt fails.
@@ -4238,7 +4862,7 @@ module Aws::KMS
4238
4862
  # Specifies the encryption algorithm that KMS will use to reecrypt the
4239
4863
  # data after it has decrypted it. The default value,
4240
4864
  # `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
4241
- # symmetric KMS keys.
4865
+ # symmetric encryption KMS keys.
4242
4866
  #
4243
4867
  # This parameter is required only when the destination KMS key is an
4244
4868
  # asymmetric KMS key.
@@ -4258,6 +4882,18 @@ module Aws::KMS
4258
4882
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
4259
4883
  # @return [Array<String>]
4260
4884
  #
4885
+ # @!attribute [rw] dry_run
4886
+ # Checks if your request will succeed. `DryRun` is an optional
4887
+ # parameter.
4888
+ #
4889
+ # To learn more about how to use this parameter, see [Testing your KMS
4890
+ # API calls][1] in the *Key Management Service Developer Guide*.
4891
+ #
4892
+ #
4893
+ #
4894
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
4895
+ # @return [Boolean]
4896
+ #
4261
4897
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
4262
4898
  #
4263
4899
  class ReEncryptRequest < Struct.new(
@@ -4268,7 +4904,8 @@ module Aws::KMS
4268
4904
  :destination_encryption_context,
4269
4905
  :source_encryption_algorithm,
4270
4906
  :destination_encryption_algorithm,
4271
- :grant_tokens)
4907
+ :grant_tokens,
4908
+ :dry_run)
4272
4909
  SENSITIVE = []
4273
4910
  include Aws::Structure
4274
4911
  end
@@ -4314,23 +4951,39 @@ module Aws::KMS
4314
4951
  include Aws::Structure
4315
4952
  end
4316
4953
 
4317
- # @note When making an API call, you may pass ReplicateKeyRequest
4318
- # data as a hash:
4954
+ # Contains information about the party that receives the response from
4955
+ # the API operation.
4956
+ #
4957
+ # This data type is designed to support Amazon Web Services Nitro
4958
+ # Enclaves, which lets you create an isolated compute environment in
4959
+ # Amazon EC2. For information about the interaction between KMS and
4960
+ # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
4961
+ # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
4962
+ #
4963
+ #
4319
4964
  #
4320
- # {
4321
- # key_id: "KeyIdType", # required
4322
- # replica_region: "RegionType", # required
4323
- # policy: "PolicyType",
4324
- # bypass_policy_lockout_safety_check: false,
4325
- # description: "DescriptionType",
4326
- # tags: [
4327
- # {
4328
- # tag_key: "TagKeyType", # required
4329
- # tag_value: "TagValueType", # required
4330
- # },
4331
- # ],
4332
- # }
4965
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
4333
4966
  #
4967
+ # @!attribute [rw] key_encryption_algorithm
4968
+ # The encryption algorithm that KMS should use with the public key for
4969
+ # an Amazon Web Services Nitro Enclave to encrypt plaintext values for
4970
+ # the response. The only valid value is `RSAES_OAEP_SHA_256`.
4971
+ # @return [String]
4972
+ #
4973
+ # @!attribute [rw] attestation_document
4974
+ # The attestation document for an Amazon Web Services Nitro Enclave.
4975
+ # This document includes the enclave's public key.
4976
+ # @return [String]
4977
+ #
4978
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
4979
+ #
4980
+ class RecipientInfo < Struct.new(
4981
+ :key_encryption_algorithm,
4982
+ :attestation_document)
4983
+ SENSITIVE = []
4984
+ include Aws::Structure
4985
+ end
4986
+
4334
4987
  # @!attribute [rw] key_id
4335
4988
  # Identifies the multi-Region primary key that is being replicated. To
4336
4989
  # determine whether a KMS key is a multi-Region primary key, use the
@@ -4359,24 +5012,33 @@ module Aws::KMS
4359
5012
  # [KMS service endpoints][1] in the *Amazon Web Services General
4360
5013
  # Reference*.
4361
5014
  #
5015
+ # <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
5016
+ # If you try to replicate an HMAC KMS key in an Amazon Web Services
5017
+ # Region in which HMAC keys are not supported, the `ReplicateKey`
5018
+ # operation returns an `UnsupportedOperationException`. For a list of
5019
+ # Regions in which HMAC KMS keys are supported, see [HMAC keys in
5020
+ # KMS][2] in the *Key Management Service Developer Guide*.
5021
+ #
5022
+ # </note>
5023
+ #
4362
5024
  # The replica must be in a different Amazon Web Services Region than
4363
5025
  # its primary key and other replicas of that primary key, but in the
4364
5026
  # same Amazon Web Services partition. KMS must be available in the
4365
5027
  # replica Region. If the Region is not enabled by default, the Amazon
4366
- # Web Services account must be enabled in the Region.
4367
- #
4368
- # For information about Amazon Web Services partitions, see [Amazon
4369
- # Resource Names (ARNs) in the *Amazon Web Services General
4370
- # Reference*.][2] For information about enabling and disabling
4371
- # Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
4372
- # the *Amazon Web Services General Reference*.
5028
+ # Web Services account must be enabled in the Region. For information
5029
+ # about Amazon Web Services partitions, see [Amazon Resource Names
5030
+ # (ARNs)][3] in the *Amazon Web Services General Reference*. For
5031
+ # information about enabling and disabling Regions, see [Enabling a
5032
+ # Region][4] and [Disabling a Region][5] in the *Amazon Web Services
5033
+ # General Reference*.
4373
5034
  #
4374
5035
  #
4375
5036
  #
4376
5037
  # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
4377
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
4378
- # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
4379
- # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
5038
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
5039
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
5040
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
5041
+ # [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
4380
5042
  # @return [String]
4381
5043
  #
4382
5044
  # @!attribute [rw] policy
@@ -4391,58 +5053,76 @@ module Aws::KMS
4391
5053
  #
4392
5054
  # If you provide a key policy, it must meet the following criteria:
4393
5055
  #
4394
- # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
4395
- # key policy must give the caller `kms:PutKeyPolicy` permission on
4396
- # the replica key. This reduces the risk that the KMS key becomes
4397
- # unmanageable. For more information, refer to the scenario in the
4398
- # [Default Key Policy][2] section of the <i> <i>Key Management
4399
- # Service Developer Guide</i> </i>.
5056
+ # * The key policy must allow the calling principal to make a
5057
+ # subsequent `PutKeyPolicy` request on the KMS key. This reduces the
5058
+ # risk that the KMS key becomes unmanageable. For more information,
5059
+ # see [Default key policy][2] in the *Key Management Service
5060
+ # Developer Guide*. (To omit this condition, set
5061
+ # `BypassPolicyLockoutSafetyCheck` to true.)
4400
5062
  #
4401
5063
  # * Each statement in the key policy must contain one or more
4402
5064
  # principals. The principals in the key policy must exist and be
4403
5065
  # visible to KMS. When you create a new Amazon Web Services
4404
- # principal (for example, an IAM user or role), you might need to
4405
- # enforce a delay before including the new principal in a key policy
4406
- # because the new principal might not be immediately visible to KMS.
4407
- # For more information, see [Changes that I make are not always
4408
- # immediately visible][3] in the <i> <i>Identity and Access
4409
- # Management User Guide</i> </i>.
5066
+ # principal, you might need to enforce a delay before including the
5067
+ # new principal in a key policy because the new principal might not
5068
+ # be immediately visible to KMS. For more information, see [Changes
5069
+ # that I make are not always immediately visible][3] in the *Amazon
5070
+ # Web Services Identity and Access Management User Guide*.
5071
+ #
5072
+ # A key policy document can include only the following characters:
5073
+ #
5074
+ # * Printable ASCII characters from the space character (`\u0020`)
5075
+ # through the end of the ASCII character range.
5076
+ #
5077
+ # * Printable characters in the Basic Latin and Latin-1 Supplement
5078
+ # character set (through `\u00FF`).
4410
5079
  #
4411
- # * The key policy size quota is 32 kilobytes (32768 bytes).
5080
+ # * The tab (`\u0009`), line feed (`\u000A`), and carriage return
5081
+ # (`\u000D`) special characters
5082
+ #
5083
+ # For information about key policies, see [Key policies in KMS][4] in
5084
+ # the *Key Management Service Developer Guide*. For help writing and
5085
+ # formatting a JSON policy document, see the [IAM JSON Policy
5086
+ # Reference][5] in the <i> <i>Identity and Access Management User
5087
+ # Guide</i> </i>.
4412
5088
  #
4413
5089
  #
4414
5090
  #
4415
5091
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
4416
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
5092
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
4417
5093
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
5094
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
5095
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
4418
5096
  # @return [String]
4419
5097
  #
4420
5098
  # @!attribute [rw] bypass_policy_lockout_safety_check
4421
- # A flag to indicate whether to bypass the key policy lockout safety
4422
- # check.
5099
+ # Skips ("bypasses") the key policy lockout safety check. The
5100
+ # default value is false.
4423
5101
  #
4424
5102
  # Setting this value to true increases the risk that the KMS key
4425
5103
  # becomes unmanageable. Do not set this value to true
4426
5104
  # indiscriminately.
4427
5105
  #
4428
- # For more information, refer to the scenario in the [Default Key
4429
- # Policy][1] section in the *Key Management Service Developer Guide*.
5106
+ # For more information, see [Default key policy][1] in the *Key
5107
+ # Management Service Developer Guide*.
4430
5108
  #
4431
5109
  # Use this parameter only when you intend to prevent the principal
4432
- # that is making the request from making a subsequent `PutKeyPolicy`
5110
+ # that is making the request from making a subsequent PutKeyPolicy
4433
5111
  # request on the KMS key.
4434
5112
  #
4435
- # The default value is false.
4436
- #
4437
5113
  #
4438
5114
  #
4439
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
5115
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
4440
5116
  # @return [Boolean]
4441
5117
  #
4442
5118
  # @!attribute [rw] description
4443
5119
  # A description of the KMS key. The default value is an empty string
4444
5120
  # (no description).
4445
5121
  #
5122
+ # Do not include confidential or sensitive information in this field.
5123
+ # This field may be displayed in plaintext in CloudTrail logs and
5124
+ # other output.
5125
+ #
4446
5126
  # The description is not a shared property of multi-Region keys. You
4447
5127
  # can specify the same description or a different description for each
4448
5128
  # key in a set of related multi-Region keys. KMS does not synchronize
@@ -4454,9 +5134,13 @@ module Aws::KMS
4454
5134
  # tag the KMS key when it is created. To tag an existing KMS key, use
4455
5135
  # the TagResource operation.
4456
5136
  #
5137
+ # Do not include confidential or sensitive information in this field.
5138
+ # This field may be displayed in plaintext in CloudTrail logs and
5139
+ # other output.
5140
+ #
4457
5141
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4458
- # KMS key. For details, see [Using ABAC in KMS][1] in the *Key
4459
- # Management Service Developer Guide*.
5142
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
5143
+ # Service Developer Guide*.
4460
5144
  #
4461
5145
  # </note>
4462
5146
  #
@@ -4500,9 +5184,9 @@ module Aws::KMS
4500
5184
 
4501
5185
  # @!attribute [rw] replica_key_metadata
4502
5186
  # Displays details about the new replica key, including its Amazon
4503
- # Resource Name ([key ARN][1]) and [key state][2]. It also includes
4504
- # the ARN and Amazon Web Services Region of its primary key and other
4505
- # replica keys.
5187
+ # Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
5188
+ # also includes the ARN and Amazon Web Services Region of its primary
5189
+ # key and other replica keys.
4506
5190
  #
4507
5191
  #
4508
5192
  #
@@ -4530,15 +5214,6 @@ module Aws::KMS
4530
5214
  include Aws::Structure
4531
5215
  end
4532
5216
 
4533
- # @note When making an API call, you may pass RetireGrantRequest
4534
- # data as a hash:
4535
- #
4536
- # {
4537
- # grant_token: "GrantTokenType",
4538
- # key_id: "KeyIdType",
4539
- # grant_id: "GrantIdType",
4540
- # }
4541
- #
4542
5217
  # @!attribute [rw] grant_token
4543
5218
  # Identifies the grant to be retired. You can use a grant token to
4544
5219
  # identify a new grant even before it has achieved eventual
@@ -4572,24 +5247,29 @@ module Aws::KMS
4572
5247
  # ^
4573
5248
  # @return [String]
4574
5249
  #
5250
+ # @!attribute [rw] dry_run
5251
+ # Checks if your request will succeed. `DryRun` is an optional
5252
+ # parameter.
5253
+ #
5254
+ # To learn more about how to use this parameter, see [Testing your KMS
5255
+ # API calls][1] in the *Key Management Service Developer Guide*.
5256
+ #
5257
+ #
5258
+ #
5259
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5260
+ # @return [Boolean]
5261
+ #
4575
5262
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
4576
5263
  #
4577
5264
  class RetireGrantRequest < Struct.new(
4578
5265
  :grant_token,
4579
5266
  :key_id,
4580
- :grant_id)
5267
+ :grant_id,
5268
+ :dry_run)
4581
5269
  SENSITIVE = []
4582
5270
  include Aws::Structure
4583
5271
  end
4584
5272
 
4585
- # @note When making an API call, you may pass RevokeGrantRequest
4586
- # data as a hash:
4587
- #
4588
- # {
4589
- # key_id: "KeyIdType", # required
4590
- # grant_id: "GrantIdType", # required
4591
- # }
4592
- #
4593
5273
  # @!attribute [rw] key_id
4594
5274
  # A unique identifier for the KMS key associated with the grant. To
4595
5275
  # get the key ID and key ARN for a KMS key, use ListKeys or
@@ -4615,23 +5295,28 @@ module Aws::KMS
4615
5295
  # CreateGrant, ListGrants, or ListRetirableGrants.
4616
5296
  # @return [String]
4617
5297
  #
5298
+ # @!attribute [rw] dry_run
5299
+ # Checks if your request will succeed. `DryRun` is an optional
5300
+ # parameter.
5301
+ #
5302
+ # To learn more about how to use this parameter, see [Testing your KMS
5303
+ # API calls][1] in the *Key Management Service Developer Guide*.
5304
+ #
5305
+ #
5306
+ #
5307
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5308
+ # @return [Boolean]
5309
+ #
4618
5310
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
4619
5311
  #
4620
5312
  class RevokeGrantRequest < Struct.new(
4621
5313
  :key_id,
4622
- :grant_id)
5314
+ :grant_id,
5315
+ :dry_run)
4623
5316
  SENSITIVE = []
4624
5317
  include Aws::Structure
4625
5318
  end
4626
5319
 
4627
- # @note When making an API call, you may pass ScheduleKeyDeletionRequest
4628
- # data as a hash:
4629
- #
4630
- # {
4631
- # key_id: "KeyIdType", # required
4632
- # pending_window_in_days: 1,
4633
- # }
4634
- #
4635
5320
  # @!attribute [rw] key_id
4636
5321
  # The unique identifier of the KMS key to delete.
4637
5322
  #
@@ -4652,12 +5337,19 @@ module Aws::KMS
4652
5337
  # The waiting period, specified in number of days. After the waiting
4653
5338
  # period ends, KMS deletes the KMS key.
4654
5339
  #
4655
- # If the KMS key is a multi-Region primary key with replicas, the
5340
+ # If the KMS key is a multi-Region primary key with replica keys, the
4656
5341
  # waiting period begins when the last of its replica keys is deleted.
4657
5342
  # Otherwise, the waiting period begins immediately.
4658
5343
  #
4659
5344
  # This value is optional. If you include a value, it must be between 7
4660
5345
  # and 30, inclusive. If you do not include a value, it defaults to 30.
5346
+ # You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
5347
+ # condition key to further constrain the values that principals can
5348
+ # specify in the `PendingWindowInDays` parameter.
5349
+ #
5350
+ #
5351
+ #
5352
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
4661
5353
  # @return [Integer]
4662
5354
  #
4663
5355
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
@@ -4690,8 +5382,8 @@ module Aws::KMS
4690
5382
  # The current status of the KMS key.
4691
5383
  #
4692
5384
  # For more information about how key state affects the use of a KMS
4693
- # key, see [Key state: Effect on your KMS key][1] in the *Key
4694
- # Management Service Developer Guide*.
5385
+ # key, see [Key states of KMS keys][1] in the *Key Management Service
5386
+ # Developer Guide*.
4695
5387
  #
4696
5388
  #
4697
5389
  #
@@ -4717,17 +5409,6 @@ module Aws::KMS
4717
5409
  include Aws::Structure
4718
5410
  end
4719
5411
 
4720
- # @note When making an API call, you may pass SignRequest
4721
- # data as a hash:
4722
- #
4723
- # {
4724
- # key_id: "KeyIdType", # required
4725
- # message: "data", # required
4726
- # message_type: "RAW", # accepts RAW, DIGEST
4727
- # grant_tokens: ["GrantTokenType"],
4728
- # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
4729
- # }
4730
- #
4731
5412
  # @!attribute [rw] key_id
4732
5413
  # Identifies an asymmetric KMS key. KMS uses the private key in the
4733
5414
  # asymmetric KMS key to sign the message. The `KeyUsage` type of the
@@ -4756,16 +5437,55 @@ module Aws::KMS
4756
5437
  #
4757
5438
  # @!attribute [rw] message
4758
5439
  # Specifies the message or message digest to sign. Messages can be
4759
- # 0-4096 bytes. To sign a larger message, provide the message digest.
5440
+ # 0-4096 bytes. To sign a larger message, provide a message digest.
4760
5441
  #
4761
- # If you provide a message, KMS generates a hash digest of the message
4762
- # and then signs it.
5442
+ # If you provide a message digest, use the `DIGEST` value of
5443
+ # `MessageType` to prevent the digest from being hashed again while
5444
+ # signing.
4763
5445
  # @return [String]
4764
5446
  #
4765
5447
  # @!attribute [rw] message_type
4766
- # Tells KMS whether the value of the `Message` parameter is a message
4767
- # or message digest. The default value, RAW, indicates a message. To
4768
- # indicate a message digest, enter `DIGEST`.
5448
+ # Tells KMS whether the value of the `Message` parameter should be
5449
+ # hashed as part of the signing algorithm. Use `RAW` for unhashed
5450
+ # messages; use `DIGEST` for message digests, which are already
5451
+ # hashed.
5452
+ #
5453
+ # When the value of `MessageType` is `RAW`, KMS uses the standard
5454
+ # signing algorithm, which begins with a hash function. When the value
5455
+ # is `DIGEST`, KMS skips the hashing step in the signing algorithm.
5456
+ #
5457
+ # Use the `DIGEST` value only when the value of the `Message`
5458
+ # parameter is a message digest. If you use the `DIGEST` value with an
5459
+ # unhashed message, the security of the signing operation can be
5460
+ # compromised.
5461
+ #
5462
+ # When the value of `MessageType`is `DIGEST`, the length of the
5463
+ # `Message` value must match the length of hashed messages for the
5464
+ # specified signing algorithm.
5465
+ #
5466
+ # You can submit a message digest and omit the `MessageType` or
5467
+ # specify `RAW` so the digest is hashed again while signing. However,
5468
+ # this can cause verification failures when verifying with a system
5469
+ # that assumes a single hash.
5470
+ #
5471
+ # The hashing algorithm in that `Sign` uses is based on the
5472
+ # `SigningAlgorithm` value.
5473
+ #
5474
+ # * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
5475
+ # algorithm.
5476
+ #
5477
+ # * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
5478
+ # algorithm.
5479
+ #
5480
+ # * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
5481
+ # algorithm.
5482
+ #
5483
+ # * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
5484
+ # verification with SM2 key pairs][1].
5485
+ #
5486
+ #
5487
+ #
5488
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
4769
5489
  # @return [String]
4770
5490
  #
4771
5491
  # @!attribute [rw] grant_tokens
@@ -4786,9 +5506,23 @@ module Aws::KMS
4786
5506
  # Specifies the signing algorithm to use when signing the message.
4787
5507
  #
4788
5508
  # Choose an algorithm that is compatible with the type and size of the
4789
- # specified asymmetric KMS key.
5509
+ # specified asymmetric KMS key. When signing with RSA key pairs,
5510
+ # RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
5511
+ # algorithms for compatibility with existing applications.
4790
5512
  # @return [String]
4791
5513
  #
5514
+ # @!attribute [rw] dry_run
5515
+ # Checks if your request will succeed. `DryRun` is an optional
5516
+ # parameter.
5517
+ #
5518
+ # To learn more about how to use this parameter, see [Testing your KMS
5519
+ # API calls][1] in the *Key Management Service Developer Guide*.
5520
+ #
5521
+ #
5522
+ #
5523
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5524
+ # @return [Boolean]
5525
+ #
4792
5526
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
4793
5527
  #
4794
5528
  class SignRequest < Struct.new(
@@ -4796,7 +5530,8 @@ module Aws::KMS
4796
5530
  :message,
4797
5531
  :message_type,
4798
5532
  :grant_tokens,
4799
- :signing_algorithm)
5533
+ :signing_algorithm,
5534
+ :dry_run)
4800
5535
  SENSITIVE = [:message]
4801
5536
  include Aws::Structure
4802
5537
  end
@@ -4818,7 +5553,7 @@ module Aws::KMS
4818
5553
  #
4819
5554
  # * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
4820
5555
  # `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
4821
- # object as defined by ANS X9.62–2005 and [RFC 3279 Section
5556
+ # object as defined by ANSI X9.62–2005 and [RFC 3279 Section
4822
5557
  # 2.2.3][2]. This is the most commonly used signature format and is
4823
5558
  # appropriate for most uses.
4824
5559
  #
@@ -4849,6 +5584,10 @@ module Aws::KMS
4849
5584
  # keys and tag values are both required, but tag values can be empty
4850
5585
  # (null) strings.
4851
5586
  #
5587
+ # Do not include confidential or sensitive information in this field.
5588
+ # This field may be displayed in plaintext in CloudTrail logs and other
5589
+ # output.
5590
+ #
4852
5591
  # For information about the rules that apply to tag keys and tag values,
4853
5592
  # see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
4854
5593
  # Billing and Cost Management User Guide*.
@@ -4857,14 +5596,6 @@ module Aws::KMS
4857
5596
  #
4858
5597
  # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
4859
5598
  #
4860
- # @note When making an API call, you may pass Tag
4861
- # data as a hash:
4862
- #
4863
- # {
4864
- # tag_key: "TagKeyType", # required
4865
- # tag_value: "TagValueType", # required
4866
- # }
4867
- #
4868
5599
  # @!attribute [rw] tag_key
4869
5600
  # The key of the tag.
4870
5601
  # @return [String]
@@ -4895,19 +5626,6 @@ module Aws::KMS
4895
5626
  include Aws::Structure
4896
5627
  end
4897
5628
 
4898
- # @note When making an API call, you may pass TagResourceRequest
4899
- # data as a hash:
4900
- #
4901
- # {
4902
- # key_id: "KeyIdType", # required
4903
- # tags: [ # required
4904
- # {
4905
- # tag_key: "TagKeyType", # required
4906
- # tag_value: "TagValueType", # required
4907
- # },
4908
- # ],
4909
- # }
4910
- #
4911
5629
  # @!attribute [rw] key_id
4912
5630
  # Identifies a customer managed key in the account and Region.
4913
5631
  #
@@ -4925,10 +5643,12 @@ module Aws::KMS
4925
5643
  # @return [String]
4926
5644
  #
4927
5645
  # @!attribute [rw] tags
4928
- # One or more tags.
5646
+ # One or more tags. Each tag consists of a tag key and a tag value.
5647
+ # The tag value can be an empty (null) string.
4929
5648
  #
4930
- # Each tag consists of a tag key and a tag value. The tag value can be
4931
- # an empty (null) string.
5649
+ # Do not include confidential or sensitive information in this field.
5650
+ # This field may be displayed in plaintext in CloudTrail logs and
5651
+ # other output.
4932
5652
  #
4933
5653
  # You cannot have more than one tag on a KMS key with the same tag
4934
5654
  # key. If you specify an existing tag key with a different tag value,
@@ -4958,14 +5678,6 @@ module Aws::KMS
4958
5678
  include Aws::Structure
4959
5679
  end
4960
5680
 
4961
- # @note When making an API call, you may pass UntagResourceRequest
4962
- # data as a hash:
4963
- #
4964
- # {
4965
- # key_id: "KeyIdType", # required
4966
- # tag_keys: ["TagKeyType"], # required
4967
- # }
4968
- #
4969
5681
  # @!attribute [rw] key_id
4970
5682
  # Identifies the KMS key from which you are removing tags.
4971
5683
  #
@@ -4995,19 +5707,15 @@ module Aws::KMS
4995
5707
  include Aws::Structure
4996
5708
  end
4997
5709
 
4998
- # @note When making an API call, you may pass UpdateAliasRequest
4999
- # data as a hash:
5000
- #
5001
- # {
5002
- # alias_name: "AliasNameType", # required
5003
- # target_key_id: "KeyIdType", # required
5004
- # }
5005
- #
5006
5710
  # @!attribute [rw] alias_name
5007
5711
  # Identifies the alias that is changing its KMS key. This value must
5008
5712
  # begin with `alias/` followed by the alias name, such as
5009
- # `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
5010
- # name.
5713
+ # `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
5714
+ # alias name.
5715
+ #
5716
+ # Do not include confidential or sensitive information in this field.
5717
+ # This field may be displayed in plaintext in CloudTrail logs and
5718
+ # other output.
5011
5719
  # @return [String]
5012
5720
  #
5013
5721
  # @!attribute [rw] target_key_id
@@ -5018,7 +5726,7 @@ module Aws::KMS
5018
5726
  # The KMS key must be in the same Amazon Web Services account and
5019
5727
  # Region as the alias. Also, the new target KMS key must be the same
5020
5728
  # type as the current target KMS key (both symmetric or both
5021
- # asymmetric) and they must have the same key usage.
5729
+ # asymmetric or both HMAC) and they must have the same key usage.
5022
5730
  #
5023
5731
  # Specify the key ID or key ARN of the KMS key.
5024
5732
  #
@@ -5050,16 +5758,6 @@ module Aws::KMS
5050
5758
  include Aws::Structure
5051
5759
  end
5052
5760
 
5053
- # @note When making an API call, you may pass UpdateCustomKeyStoreRequest
5054
- # data as a hash:
5055
- #
5056
- # {
5057
- # custom_key_store_id: "CustomKeyStoreIdType", # required
5058
- # new_custom_key_store_name: "CustomKeyStoreNameType",
5059
- # key_store_password: "KeyStorePasswordType",
5060
- # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
5061
- # }
5062
- #
5063
5761
  # @!attribute [rw] custom_key_store_id
5064
5762
  # Identifies the custom key store that you want to update. Enter the
5065
5763
  # ID of the custom key store. To find the ID of a custom key store,
@@ -5070,19 +5768,32 @@ module Aws::KMS
5070
5768
  # Changes the friendly name of the custom key store to the value that
5071
5769
  # you specify. The custom key store name must be unique in the Amazon
5072
5770
  # Web Services account.
5771
+ #
5772
+ # Do not include confidential or sensitive information in this field.
5773
+ # This field may be displayed in plaintext in CloudTrail logs and
5774
+ # other output.
5775
+ #
5776
+ # To change this value, an CloudHSM key store must be disconnected. An
5777
+ # external key store can be connected or disconnected.
5073
5778
  # @return [String]
5074
5779
  #
5075
5780
  # @!attribute [rw] key_store_password
5076
5781
  # Enter the current password of the `kmsuser` crypto user (CU) in the
5077
- # CloudHSM cluster that is associated with the custom key store.
5782
+ # CloudHSM cluster that is associated with the custom key store. This
5783
+ # parameter is valid only for custom key stores with a
5784
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
5078
5785
  #
5079
5786
  # This parameter tells KMS the current password of the `kmsuser`
5080
5787
  # crypto user (CU). It does not set or change the password of any
5081
5788
  # users in the CloudHSM cluster.
5789
+ #
5790
+ # To change this value, the CloudHSM key store must be disconnected.
5082
5791
  # @return [String]
5083
5792
  #
5084
5793
  # @!attribute [rw] cloud_hsm_cluster_id
5085
5794
  # Associates the custom key store with a related CloudHSM cluster.
5795
+ # This parameter is valid only for custom key stores with a
5796
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
5086
5797
  #
5087
5798
  # Enter the cluster ID of the cluster that you used to create the
5088
5799
  # custom key store or a cluster that shares a backup history and has
@@ -5093,19 +5804,111 @@ module Aws::KMS
5093
5804
  # To view the cluster certificate of a cluster, use the
5094
5805
  # [DescribeClusters][2] operation.
5095
5806
  #
5807
+ # To change this value, the CloudHSM key store must be disconnected.
5808
+ #
5096
5809
  #
5097
5810
  #
5098
5811
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
5099
5812
  # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
5100
5813
  # @return [String]
5101
5814
  #
5815
+ # @!attribute [rw] xks_proxy_uri_endpoint
5816
+ # Changes the URI endpoint that KMS uses to connect to your external
5817
+ # key store proxy (XKS proxy). This parameter is valid only for custom
5818
+ # key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
5819
+ #
5820
+ # For external key stores with an `XksProxyConnectivity` value of
5821
+ # `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
5822
+ #
5823
+ # For external key stores with an `XksProxyConnectivity` value of
5824
+ # `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
5825
+ # DNS name associated with the VPC endpoint service. Each external key
5826
+ # store must use a different private DNS name.
5827
+ #
5828
+ # The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
5829
+ # be unique in the Amazon Web Services account and Region.
5830
+ #
5831
+ # To change this value, the external key store must be disconnected.
5832
+ # @return [String]
5833
+ #
5834
+ # @!attribute [rw] xks_proxy_uri_path
5835
+ # Changes the base path to the proxy APIs for this external key store.
5836
+ # To find this value, see the documentation for your external key
5837
+ # manager and external key store proxy (XKS proxy). This parameter is
5838
+ # valid only for custom key stores with a `CustomKeyStoreType` of
5839
+ # `EXTERNAL_KEY_STORE`.
5840
+ #
5841
+ # The value must start with `/` and must end with `/kms/xks/v1`, where
5842
+ # `v1` represents the version of the KMS external key store proxy API.
5843
+ # You can include an optional prefix between the required elements
5844
+ # such as `/example/kms/xks/v1`.
5845
+ #
5846
+ # The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
5847
+ # be unique in the Amazon Web Services account and Region.
5848
+ #
5849
+ # You can change this value when the external key store is connected
5850
+ # or disconnected.
5851
+ # @return [String]
5852
+ #
5853
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
5854
+ # Changes the name that KMS uses to identify the Amazon VPC endpoint
5855
+ # service for your external key store proxy (XKS proxy). This
5856
+ # parameter is valid when the `CustomKeyStoreType` is
5857
+ # `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
5858
+ # `VPC_ENDPOINT_SERVICE`.
5859
+ #
5860
+ # To change this value, the external key store must be disconnected.
5861
+ # @return [String]
5862
+ #
5863
+ # @!attribute [rw] xks_proxy_authentication_credential
5864
+ # Changes the credentials that KMS uses to sign requests to the
5865
+ # external key store proxy (XKS proxy). This parameter is valid only
5866
+ # for custom key stores with a `CustomKeyStoreType` of
5867
+ # `EXTERNAL_KEY_STORE`.
5868
+ #
5869
+ # You must specify both the `AccessKeyId` and `SecretAccessKey` value
5870
+ # in the authentication credential, even if you are only updating one
5871
+ # value.
5872
+ #
5873
+ # This parameter doesn't establish or change your authentication
5874
+ # credentials on the proxy. It just tells KMS the credential that you
5875
+ # established with your external key store proxy. For example, if you
5876
+ # rotate the credential on your external key store proxy, you can use
5877
+ # this parameter to update the credential in KMS.
5878
+ #
5879
+ # You can change this value when the external key store is connected
5880
+ # or disconnected.
5881
+ # @return [Types::XksProxyAuthenticationCredentialType]
5882
+ #
5883
+ # @!attribute [rw] xks_proxy_connectivity
5884
+ # Changes the connectivity setting for the external key store. To
5885
+ # indicate that the external key store proxy uses a Amazon VPC
5886
+ # endpoint service to communicate with KMS, specify
5887
+ # `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
5888
+ #
5889
+ # If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
5890
+ # you must also change the `XksProxyUriEndpoint` and add an
5891
+ # `XksProxyVpcEndpointServiceName` value.
5892
+ #
5893
+ # If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
5894
+ # must also change the `XksProxyUriEndpoint` and specify a null or
5895
+ # empty string for the `XksProxyVpcEndpointServiceName` value.
5896
+ #
5897
+ # To change this value, the external key store must be disconnected.
5898
+ # @return [String]
5899
+ #
5102
5900
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
5103
5901
  #
5104
5902
  class UpdateCustomKeyStoreRequest < Struct.new(
5105
5903
  :custom_key_store_id,
5106
5904
  :new_custom_key_store_name,
5107
5905
  :key_store_password,
5108
- :cloud_hsm_cluster_id)
5906
+ :cloud_hsm_cluster_id,
5907
+ :xks_proxy_uri_endpoint,
5908
+ :xks_proxy_uri_path,
5909
+ :xks_proxy_vpc_endpoint_service_name,
5910
+ :xks_proxy_authentication_credential,
5911
+ :xks_proxy_connectivity)
5109
5912
  SENSITIVE = [:key_store_password]
5110
5913
  include Aws::Structure
5111
5914
  end
@@ -5114,14 +5917,6 @@ module Aws::KMS
5114
5917
  #
5115
5918
  class UpdateCustomKeyStoreResponse < Aws::EmptyStructure; end
5116
5919
 
5117
- # @note When making an API call, you may pass UpdateKeyDescriptionRequest
5118
- # data as a hash:
5119
- #
5120
- # {
5121
- # key_id: "KeyIdType", # required
5122
- # description: "DescriptionType", # required
5123
- # }
5124
- #
5125
5920
  # @!attribute [rw] key_id
5126
5921
  # Updates the description of the specified KMS key.
5127
5922
  #
@@ -5140,6 +5935,10 @@ module Aws::KMS
5140
5935
  #
5141
5936
  # @!attribute [rw] description
5142
5937
  # New description for the KMS key.
5938
+ #
5939
+ # Do not include confidential or sensitive information in this field.
5940
+ # This field may be displayed in plaintext in CloudTrail logs and
5941
+ # other output.
5143
5942
  # @return [String]
5144
5943
  #
5145
5944
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
@@ -5151,14 +5950,6 @@ module Aws::KMS
5151
5950
  include Aws::Structure
5152
5951
  end
5153
5952
 
5154
- # @note When making an API call, you may pass UpdatePrimaryRegionRequest
5155
- # data as a hash:
5156
- #
5157
- # {
5158
- # key_id: "KeyIdType", # required
5159
- # primary_region: "RegionType", # required
5160
- # }
5161
- #
5162
5953
  # @!attribute [rw] key_id
5163
5954
  # Identifies the current primary key. When the operation completes,
5164
5955
  # this KMS key will be a replica key.
@@ -5194,18 +5985,102 @@ module Aws::KMS
5194
5985
  include Aws::Structure
5195
5986
  end
5196
5987
 
5197
- # @note When making an API call, you may pass VerifyRequest
5198
- # data as a hash:
5988
+ # @!attribute [rw] message
5989
+ # The message that will be used in the verification. Enter the same
5990
+ # message that was used to generate the HMAC.
5199
5991
  #
5200
- # {
5201
- # key_id: "KeyIdType", # required
5202
- # message: "data", # required
5203
- # message_type: "RAW", # accepts RAW, DIGEST
5204
- # signature: "data", # required
5205
- # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
5206
- # grant_tokens: ["GrantTokenType"],
5207
- # }
5992
+ # GenerateMac and `VerifyMac` do not provide special handling for
5993
+ # message digests. If you generated an HMAC for a hash digest of a
5994
+ # message, you must verify the HMAC for the same hash digest.
5995
+ # @return [String]
5208
5996
  #
5997
+ # @!attribute [rw] key_id
5998
+ # The KMS key that will be used in the verification.
5999
+ #
6000
+ # Enter a key ID of the KMS key that was used to generate the HMAC. If
6001
+ # you identify a different KMS key, the `VerifyMac` operation fails.
6002
+ # @return [String]
6003
+ #
6004
+ # @!attribute [rw] mac_algorithm
6005
+ # The MAC algorithm that will be used in the verification. Enter the
6006
+ # same MAC algorithm that was used to compute the HMAC. This algorithm
6007
+ # must be supported by the HMAC KMS key identified by the `KeyId`
6008
+ # parameter.
6009
+ # @return [String]
6010
+ #
6011
+ # @!attribute [rw] mac
6012
+ # The HMAC to verify. Enter the HMAC that was generated by the
6013
+ # GenerateMac operation when you specified the same message, HMAC KMS
6014
+ # key, and MAC algorithm as the values specified in this request.
6015
+ # @return [String]
6016
+ #
6017
+ # @!attribute [rw] grant_tokens
6018
+ # A list of grant tokens.
6019
+ #
6020
+ # Use a grant token when your permission to call this operation comes
6021
+ # from a new grant that has not yet achieved *eventual consistency*.
6022
+ # For more information, see [Grant token][1] and [Using a grant
6023
+ # token][2] in the *Key Management Service Developer Guide*.
6024
+ #
6025
+ #
6026
+ #
6027
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
6028
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
6029
+ # @return [Array<String>]
6030
+ #
6031
+ # @!attribute [rw] dry_run
6032
+ # Checks if your request will succeed. `DryRun` is an optional
6033
+ # parameter.
6034
+ #
6035
+ # To learn more about how to use this parameter, see [Testing your KMS
6036
+ # API calls][1] in the *Key Management Service Developer Guide*.
6037
+ #
6038
+ #
6039
+ #
6040
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6041
+ # @return [Boolean]
6042
+ #
6043
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
6044
+ #
6045
+ class VerifyMacRequest < Struct.new(
6046
+ :message,
6047
+ :key_id,
6048
+ :mac_algorithm,
6049
+ :mac,
6050
+ :grant_tokens,
6051
+ :dry_run)
6052
+ SENSITIVE = [:message]
6053
+ include Aws::Structure
6054
+ end
6055
+
6056
+ # @!attribute [rw] key_id
6057
+ # The HMAC KMS key used in the verification.
6058
+ # @return [String]
6059
+ #
6060
+ # @!attribute [rw] mac_valid
6061
+ # A Boolean value that indicates whether the HMAC was verified. A
6062
+ # value of `True` indicates that the HMAC (`Mac`) was generated with
6063
+ # the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
6064
+ #
6065
+ # If the HMAC is not verified, the `VerifyMac` operation fails with a
6066
+ # `KMSInvalidMacException` exception. This exception indicates that
6067
+ # one or more of the inputs changed since the HMAC was computed.
6068
+ # @return [Boolean]
6069
+ #
6070
+ # @!attribute [rw] mac_algorithm
6071
+ # The MAC algorithm used in the verification.
6072
+ # @return [String]
6073
+ #
6074
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
6075
+ #
6076
+ class VerifyMacResponse < Struct.new(
6077
+ :key_id,
6078
+ :mac_valid,
6079
+ :mac_algorithm)
6080
+ SENSITIVE = []
6081
+ include Aws::Structure
6082
+ end
6083
+
5209
6084
  # @!attribute [rw] key_id
5210
6085
  # Identifies the asymmetric KMS key that will be used to verify the
5211
6086
  # signature. This must be the same KMS key that was used to generate
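Review bot: The `mac_valid` attribute doc on VerifyMacResponse states that a non-matching HMAC makes the call fail with `KMSInvalidMacException`, which, if accurate, means a returned `mac_valid` of `false` is not a state callers will observe; the attribute comment should say this outright so SDK users do not branch on the value and forget to rescue. I would add to that attribute: `# Callers must rescue KMSInvalidMacException; a response is only returned when verification succeeds, so do not rely on a false value here.` The same attribute doc also has a stray period inside a code span, `MacAlgorithm.`. , which should read `MacAlgorithm`. Since this file is generated from the API model, the wording fix belongs in the model rather than as a hand edit here.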
@@ -5243,14 +6118,48 @@ module Aws::KMS
5243
6118
  # @return [String]
5244
6119
  #
5245
6120
  # @!attribute [rw] message_type
5246
- # Tells KMS whether the value of the `Message` parameter is a message
5247
- # or message digest. The default value, RAW, indicates a message. To
5248
- # indicate a message digest, enter `DIGEST`.
6121
+ # Tells KMS whether the value of the `Message` parameter should be
6122
+ # hashed as part of the signing algorithm. Use `RAW` for unhashed
6123
+ # messages; use `DIGEST` for message digests, which are already
6124
+ # hashed.
6125
+ #
6126
+ # When the value of `MessageType` is `RAW`, KMS uses the standard
6127
+ # signing algorithm, which begins with a hash function. When the value
6128
+ # is `DIGEST`, KMS skips the hashing step in the signing algorithm.
5249
6129
  #
5250
6130
  # Use the `DIGEST` value only when the value of the `Message`
5251
- # parameter is a message digest. If you use the `DIGEST` value with a
5252
- # raw message, the security of the verification operation can be
6131
+ # parameter is a message digest. If you use the `DIGEST` value with an
6132
+ # unhashed message, the security of the verification operation can be
5253
6133
  # compromised.
6134
+ #
6135
+ # When the value of `MessageType`is `DIGEST`, the length of the
6136
+ # `Message` value must match the length of hashed messages for the
6137
+ # specified signing algorithm.
6138
+ #
6139
+ # You can submit a message digest and omit the `MessageType` or
6140
+ # specify `RAW` so the digest is hashed again while signing. However,
6141
+ # if the signed message is hashed once while signing, but twice while
6142
+ # verifying, verification fails, even when the message hasn't
6143
+ # changed.
6144
+ #
6145
+ # The hashing algorithm in that `Verify` uses is based on the
6146
+ # `SigningAlgorithm` value.
6147
+ #
6148
+ # * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
6149
+ # algorithm.
6150
+ #
6151
+ # * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
6152
+ # algorithm.
6153
+ #
6154
+ # * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
6155
+ # algorithm.
6156
+ #
6157
+ # * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
6158
+ # verification with SM2 key pairs][1].
6159
+ #
6160
+ #
6161
+ #
6162
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
5254
6163
  # @return [String]
5255
6164
  #
5256
6165
  # @!attribute [rw] signature
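Review bot: The new MessageType paragraph reads "The hashing algorithm in that `Verify` uses is based on the `SigningAlgorithm` value", which has a stray "in"; it should read `The hashing algorithm that `Verify` uses is based on the `SigningAlgorithm` value.` The DIGEST caveat could also state the actual risk rather than only "can be compromised": with `DIGEST`, KMS verifies whatever bytes it is handed and cannot check that they were produced by hashing the claimed message, so the caller is responsible for computing the digest from trusted input with the exact hash named by the signing algorithm. I would add one sentence to that effect after "compromised." This is generated from the API model, so the text fix belongs upstream.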
@@ -5276,6 +6185,18 @@ module Aws::KMS
5276
6185
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5277
6186
  # @return [Array<String>]
5278
6187
  #
6188
+ # @!attribute [rw] dry_run
6189
+ # Checks if your request will succeed. `DryRun` is an optional
6190
+ # parameter.
6191
+ #
6192
+ # To learn more about how to use this parameter, see [Testing your KMS
6193
+ # API calls][1] in the *Key Management Service Developer Guide*.
6194
+ #
6195
+ #
6196
+ #
6197
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6198
+ # @return [Boolean]
6199
+ #
5279
6200
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
5280
6201
  #
5281
6202
  class VerifyRequest < Struct.new(
@@ -5284,7 +6205,8 @@ module Aws::KMS
5284
6205
  :message_type,
5285
6206
  :signature,
5286
6207
  :signing_algorithm,
5287
- :grant_tokens)
6208
+ :grant_tokens,
6209
+ :dry_run)
5288
6210
  SENSITIVE = [:message]
5289
6211
  include Aws::Structure
5290
6212
  end
@@ -5320,5 +6242,324 @@ module Aws::KMS
5320
6242
  include Aws::Structure
5321
6243
  end
5322
6244
 
6245
+ # The request was rejected because the (`XksKeyId`) is already
6246
+ # associated with a KMS key in this external key store. Each KMS key in
6247
+ # an external key store must be associated with a different external
6248
+ # key.
6249
+ #
6250
+ # @!attribute [rw] message
6251
+ # @return [String]
6252
+ #
6253
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
6254
+ #
6255
+ class XksKeyAlreadyInUseException < Struct.new(
6256
+ :message)
6257
+ SENSITIVE = []
6258
+ include Aws::Structure
6259
+ end
6260
+
6261
+ # Information about the [external key ][1]that is associated with a KMS
6262
+ # key in an external key store.
6263
+ #
6264
+ # This element appears in a CreateKey or DescribeKey response only for a
6265
+ # KMS key in an external key store.
6266
+ #
6267
+ # The *external key* is a symmetric encryption key that is hosted by an
6268
+ # external key manager outside of Amazon Web Services. When you use the
6269
+ # KMS key in an external key store in a cryptographic operation, the
6270
+ # cryptographic operation is performed in the external key manager using
6271
+ # the specified external key. For more information, see [External
6272
+ # key][1] in the *Key Management Service Developer Guide*.
6273
+ #
6274
+ #
6275
+ #
6276
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
6277
+ #
6278
+ # @!attribute [rw] id
6279
+ # The ID of the external key in its external key manager. This is the
6280
+ # ID that the external key store proxy uses to identify the external
6281
+ # key.
6282
+ # @return [String]
6283
+ #
6284
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
6285
+ #
6286
+ class XksKeyConfigurationType < Struct.new(
6287
+ :id)
6288
+ SENSITIVE = []
6289
+ include Aws::Structure
6290
+ end
6291
+
6292
+ # The request was rejected because the external key specified by the
6293
+ # `XksKeyId` parameter did not meet the configuration requirements for
6294
+ # an external key store.
6295
+ #
6296
+ # The external key must be an AES-256 symmetric key that is enabled and
6297
+ # performs encryption and decryption.
6298
+ #
6299
+ # @!attribute [rw] message
6300
+ # @return [String]
6301
+ #
6302
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
6303
+ #
6304
+ class XksKeyInvalidConfigurationException < Struct.new(
6305
+ :message)
6306
+ SENSITIVE = []
6307
+ include Aws::Structure
6308
+ end
6309
+
6310
+ # The request was rejected because the external key store proxy could
6311
+ # not find the external key. This exception is thrown when the value of
6312
+ # the `XksKeyId` parameter doesn't identify a key in the external key
6313
+ # manager associated with the external key proxy.
6314
+ #
6315
+ # Verify that the `XksKeyId` represents an existing key in the external
6316
+ # key manager. Use the key identifier that the external key store proxy
6317
+ # uses to identify the key. For details, see the documentation provided
6318
+ # with your external key store proxy or key manager.
6319
+ #
6320
+ # @!attribute [rw] message
6321
+ # @return [String]
6322
+ #
6323
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
6324
+ #
6325
+ class XksKeyNotFoundException < Struct.new(
6326
+ :message)
6327
+ SENSITIVE = []
6328
+ include Aws::Structure
6329
+ end
6330
+
6331
+ # KMS uses the authentication credential to sign requests that it sends
6332
+ # to the external key store proxy (XKS proxy) on your behalf. You
6333
+ # establish these credentials on your external key store proxy and
6334
+ # report them to KMS.
6335
+ #
6336
+ # The `XksProxyAuthenticationCredential` includes two required elements.
6337
+ #
6338
+ # @!attribute [rw] access_key_id
6339
+ # A unique identifier for the raw secret access key.
6340
+ # @return [String]
6341
+ #
6342
+ # @!attribute [rw] raw_secret_access_key
6343
+ # A secret string of 43-64 characters. Valid characters are a-z, A-Z,
6344
+ # 0-9, /, +, and =.
6345
+ # @return [String]
6346
+ #
6347
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
6348
+ #
6349
+ class XksProxyAuthenticationCredentialType < Struct.new(
6350
+ :access_key_id,
6351
+ :raw_secret_access_key)
6352
+ SENSITIVE = [:access_key_id, :raw_secret_access_key]
6353
+ include Aws::Structure
6354
+ end
6355
+
6356
+ # Detailed information about the external key store proxy (XKS proxy).
6357
+ # Your external key store proxy translates KMS requests into a format
6358
+ # that your external key manager can understand. These fields appear in
6359
+ # a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
6360
+ # is `EXTERNAL_KEY_STORE`.
6361
+ #
6362
+ # @!attribute [rw] connectivity
6363
+ # Indicates whether the external key store proxy uses a public
6364
+ # endpoint or an Amazon VPC endpoint service to communicate with KMS.
6365
+ # @return [String]
6366
+ #
6367
+ # @!attribute [rw] access_key_id
6368
+ # The part of the external key store [proxy authentication
6369
+ # credential][1] that uniquely identifies the secret access key.
6370
+ #
6371
+ #
6372
+ #
6373
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
6374
+ # @return [String]
6375
+ #
6376
+ # @!attribute [rw] uri_endpoint
6377
+ # The URI endpoint for the external key store proxy.
6378
+ #
6379
+ # If the external key store proxy has a public endpoint, it is
6380
+ # displayed here.
6381
+ #
6382
+ # If the external key store proxy uses an Amazon VPC endpoint service
6383
+ # name, this field displays the private DNS name associated with the
6384
+ # VPC endpoint service.
6385
+ # @return [String]
6386
+ #
6387
+ # @!attribute [rw] uri_path
6388
+ # The path to the external key store proxy APIs.
6389
+ # @return [String]
6390
+ #
6391
+ # @!attribute [rw] vpc_endpoint_service_name
6392
+ # The Amazon VPC endpoint service used to communicate with the
6393
+ # external key store proxy. This field appears only when the external
6394
+ # key store proxy uses an Amazon VPC endpoint service to communicate
6395
+ # with KMS.
6396
+ # @return [String]
6397
+ #
6398
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
6399
+ #
6400
+ class XksProxyConfigurationType < Struct.new(
6401
+ :connectivity,
6402
+ :access_key_id,
6403
+ :uri_endpoint,
6404
+ :uri_path,
6405
+ :vpc_endpoint_service_name)
6406
+ SENSITIVE = [:access_key_id]
6407
+ include Aws::Structure
6408
+ end
6409
+
6410
+ # The request was rejected because the proxy credentials failed to
6411
+ # authenticate to the specified external key store proxy. The specified
6412
+ # external key store proxy rejected a status request from KMS due to
6413
+ # invalid credentials. This can indicate an error in the credentials or
6414
+ # in the identification of the external key store proxy.
6415
+ #
6416
+ # @!attribute [rw] message
6417
+ # @return [String]
6418
+ #
6419
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
6420
+ #
6421
+ class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
6422
+ :message)
6423
+ SENSITIVE = []
6424
+ include Aws::Structure
6425
+ end
6426
+
6427
+ # The request was rejected because the Amazon VPC endpoint service
6428
+ # configuration does not fulfill the requirements for an external key
6429
+ # store proxy. For details, see the exception message.
6430
+ #
6431
+ # @!attribute [rw] message
6432
+ # @return [String]
6433
+ #
6434
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
6435
+ #
6436
+ class XksProxyInvalidConfigurationException < Struct.new(
6437
+ :message)
6438
+ SENSITIVE = []
6439
+ include Aws::Structure
6440
+ end
6441
+
6442
+ # KMS cannot interpret the response it received from the external key
6443
+ # store proxy. The problem might be a poorly constructed response, but
6444
+ # it could also be a transient network issue. If you see this error
6445
+ # repeatedly, report it to the proxy vendor.
6446
+ #
6447
+ # @!attribute [rw] message
6448
+ # @return [String]
6449
+ #
6450
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
6451
+ #
6452
+ class XksProxyInvalidResponseException < Struct.new(
6453
+ :message)
6454
+ SENSITIVE = []
6455
+ include Aws::Structure
6456
+ end
6457
+
6458
+ # The request was rejected because the concatenation of the
6459
+ # `XksProxyUriEndpoint` is already associated with an external key store
6460
+ # in the Amazon Web Services account and Region. Each external key store
6461
+ # in an account and Region must use a unique external key store proxy
6462
+ # address.
6463
+ #
6464
+ # @!attribute [rw] message
6465
+ # @return [String]
6466
+ #
6467
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
6468
+ #
6469
+ class XksProxyUriEndpointInUseException < Struct.new(
6470
+ :message)
6471
+ SENSITIVE = []
6472
+ include Aws::Structure
6473
+ end
6474
+
6475
+ # The request was rejected because the concatenation of the
6476
+ # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
6477
+ # an external key store in the Amazon Web Services account and Region.
6478
+ # Each external key store in an account and Region must use a unique
6479
+ # external key store proxy API address.
6480
+ #
6481
+ # @!attribute [rw] message
6482
+ # @return [String]
6483
+ #
6484
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
6485
+ #
6486
+ class XksProxyUriInUseException < Struct.new(
6487
+ :message)
6488
+ SENSITIVE = []
6489
+ include Aws::Structure
6490
+ end
6491
+
6492
+ # KMS was unable to reach the specified `XksProxyUriPath`. The path must
6493
+ # be reachable before you create the external key store or update its
6494
+ # settings.
6495
+ #
6496
+ # This exception is also thrown when the external key store proxy
6497
+ # response to a `GetHealthStatus` request indicates that all external
6498
+ # key manager instances are unavailable.
6499
+ #
6500
+ # @!attribute [rw] message
6501
+ # @return [String]
6502
+ #
6503
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
6504
+ #
6505
+ class XksProxyUriUnreachableException < Struct.new(
6506
+ :message)
6507
+ SENSITIVE = []
6508
+ include Aws::Structure
6509
+ end
6510
+
6511
+ # The request was rejected because the specified Amazon VPC endpoint
6512
+ # service is already associated with an external key store in the Amazon
6513
+ # Web Services account and Region. Each external key store in an Amazon
6514
+ # Web Services account and Region must use a different Amazon VPC
6515
+ # endpoint service.
6516
+ #
6517
+ # @!attribute [rw] message
6518
+ # @return [String]
6519
+ #
6520
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
6521
+ #
6522
+ class XksProxyVpcEndpointServiceInUseException < Struct.new(
6523
+ :message)
6524
+ SENSITIVE = []
6525
+ include Aws::Structure
6526
+ end
6527
+
6528
+ # The request was rejected because the Amazon VPC endpoint service
6529
+ # configuration does not fulfill the requirements for an external key
6530
+ # store proxy. For details, see the exception message and [review the
6531
+ # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
6532
+ # for Amazon VPC endpoint service connectivity for an external key
6533
+ # store.
6534
+ #
6535
+ # @!attribute [rw] message
6536
+ # @return [String]
6537
+ #
6538
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
6539
+ #
6540
+ class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
6541
+ :message)
6542
+ SENSITIVE = []
6543
+ include Aws::Structure
6544
+ end
6545
+
6546
+ # The request was rejected because KMS could not find the specified VPC
6547
+ # endpoint service. Use DescribeCustomKeyStores to verify the VPC
6548
+ # endpoint service name for the external key store. Also, confirm that
6549
+ # the `Allow principals` list for the VPC endpoint service includes the
6550
+ # KMS service principal for the Region, such as
6551
+ # `cks.kms.us-east-1.amazonaws.com`.
6552
+ #
6553
+ # @!attribute [rw] message
6554
+ # @return [String]
6555
+ #
6556
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
6557
+ #
6558
+ class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
6559
+ :message)
6560
+ SENSITIVE = []
6561
+ include Aws::Structure
6562
+ end
6563
+
5323
6564
  end
5324
6565
  end
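Review bot: The link in XksProxyVpcEndpointServiceInvalidConfigurationException's description is a bare relative path, `(kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)`, which renders as a broken link in generated YARD output; it should carry the host, `https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements`, and use the reference-style `[1]:` form every other exception in the hunk uses. Separately, XksProxyInvalidConfigurationException carries the same "Amazon VPC endpoint service configuration" description as the VPC-specific exception below it; the class name suggests a general proxy misconfiguration, so that text looks copy-pasted and is worth confirming against the API model. XksProxyUriEndpointInUseException also says "the concatenation of the `XksProxyUriEndpoint`" for a single value, where "the `XksProxyUriEndpoint`" reads correctly. As this is a generated file, all three belong in the upstream model text.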