aws-sdk-kms 1.53.0 → 1.56.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -415,7 +415,7 @@ module Aws::KMS
415
415
  # key_id: "KeyIdType", # required
416
416
  # grantee_principal: "PrincipalIdType", # required
417
417
  # retiring_principal: "PrincipalIdType",
418
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
418
+ # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
419
419
  # constraints: {
420
420
  # encryption_context_subset: {
421
421
  # "EncryptionContextKey" => "EncryptionContextValue",
@@ -491,12 +491,13 @@ module Aws::KMS
491
491
  # @!attribute [rw] operations
492
492
  # A list of operations that the grant permits.
493
493
  #
494
- # The operation must be supported on the KMS key. For example, you
495
- # cannot create a grant for a symmetric KMS key that allows the Sign
496
- # operation, or a grant for an asymmetric KMS key that allows the
497
- # GenerateDataKey operation. If you try, KMS returns a
498
- # `ValidationError` exception. For details, see [Grant operations][1]
499
- # in the *Key Management Service Developer Guide*.
494
+ # This list must include only operations that are permitted in a
495
+ # grant. Also, the operation must be supported on the KMS key. For
496
+ # example, you cannot create a grant for a symmetric encryption KMS
497
+ # key that allows the Sign operation, or a grant for an asymmetric KMS
498
+ # key that allows the GenerateDataKey operation. If you try, KMS
499
+ # returns a `ValidationError` exception. For details, see [Grant
500
+ # operations][1] in the *Key Management Service Developer Guide*.
500
501
  #
501
502
  #
502
503
  #
@@ -509,27 +510,39 @@ module Aws::KMS
509
510
  # KMS supports the `EncryptionContextEquals` and
510
511
  # `EncryptionContextSubset` grant constraints. Each constraint value
511
512
  # can include up to 8 encryption context pairs. The encryption context
512
- # value in each constraint cannot exceed 384 characters.
513
+ # value in each constraint cannot exceed 384 characters. For
514
+ # information about grant constraints, see [Using grant
515
+ # constraints][1] in the *Key Management Service Developer Guide*. For
516
+ # more information about encryption context, see [Encryption
517
+ # context][2] in the <i> <i>Key Management Service Developer Guide</i>
518
+ # </i>.
513
519
  #
514
- # These grant constraints allow the permissions in the grant only when
515
- # the encryption context in the request matches
520
+ # The encryption context grant constraints allow the permissions in
521
+ # the grant only when the encryption context in the request matches
516
522
  # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
517
- # the encryption context specified in this structure. For information
518
- # about grant constraints, see [Using grant constraints][1] in the
519
- # *Key Management Service Developer Guide*. For more information about
520
- # encryption context, see [Encryption Context][2] in the <i> <i>Key
521
- # Management Service Developer Guide</i> </i>.
523
+ # the encryption context specified in this structure.
522
524
  #
523
525
  # The encryption context grant constraints are supported only on
524
- # operations that include an encryption context. You cannot use an
525
- # encryption context grant constraint for cryptographic operations
526
- # with asymmetric KMS keys or for management operations, such as
527
- # DescribeKey or RetireGrant.
526
+ # [grant operations][3] that include an `EncryptionContext` parameter,
527
+ # such as cryptographic operations on symmetric encryption KMS keys.
528
+ # Grants with grant constraints can include the DescribeKey and
529
+ # RetireGrant operations, but the constraint doesn't apply to these
530
+ # operations. If a grant with a grant constraint includes the
531
+ # `CreateGrant` operation, the constraint requires that any grants
532
+ # created with the `CreateGrant` permission have an equally strict or
533
+ # stricter encryption context constraint.
534
+ #
535
+ # You cannot use an encryption context grant constraint for
536
+ # cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
537
+ # These keys don't support an encryption context.
538
+ #
539
+ #
528
540
  #
529
541
  #
530
542
  #
531
543
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
532
544
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
545
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
533
546
  # @return [Types::GrantConstraints]
534
547
  #
535
548
  # @!attribute [rw] grant_tokens
@@ -613,9 +626,9 @@ module Aws::KMS
613
626
  # {
614
627
  # policy: "PolicyType",
615
628
  # description: "DescriptionType",
616
- # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
617
- # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
618
- # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
629
+ # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
630
+ # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
631
+ # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
619
632
  # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
620
633
  # custom_key_store_id: "CustomKeyStoreIdType",
621
634
  # bypass_policy_lockout_safety_check: false,
@@ -683,14 +696,17 @@ module Aws::KMS
683
696
  # @!attribute [rw] key_usage
684
697
  # Determines the [cryptographic operations][1] for which you can use
685
698
  # the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
686
- # is required only for asymmetric KMS keys. You can't change the
687
- # `KeyUsage` value after the KMS key is created.
699
+ # is optional when you are creating a symmetric encryption KMS key;
700
+ # otherwise, it is required. You can't change the `KeyUsage` value
701
+ # after the KMS key is created.
688
702
  #
689
703
  # Select only one valid value.
690
704
  #
691
- # * For symmetric KMS keys, omit the parameter or specify
705
+ # * For symmetric encryption KMS keys, omit the parameter or specify
692
706
  # `ENCRYPT_DECRYPT`.
693
707
  #
708
+ # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
709
+ #
694
710
  # * For asymmetric KMS keys with RSA key material, specify
695
711
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
696
712
  #
@@ -715,33 +731,40 @@ module Aws::KMS
715
731
  # Specifies the type of KMS key to create. The default value,
716
732
  # `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
717
733
  # for encryption and decryption. For help choosing a key spec for your
718
- # KMS key, see [How to Choose Your KMS key Configuration][1] in the
719
- # <i> <i>Key Management Service Developer Guide</i> </i>.
734
+ # KMS key, see [Choosing a KMS key type][1] in the <i> <i>Key
735
+ # Management Service Developer Guide</i> </i>.
720
736
  #
721
737
  # The `KeySpec` determines whether the KMS key contains a symmetric
722
- # key or an asymmetric key pair. It also determines the encryption
723
- # algorithms or signing algorithms that the KMS key supports. You
724
- # can't change the `KeySpec` after the KMS key is created. To further
725
- # restrict the algorithms that can be used with the KMS key, use a
726
- # condition key in its key policy or IAM policy. For more information,
727
- # see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in
728
- # the <i> <i>Key Management Service Developer Guide</i> </i>.
729
- #
730
- # [Amazon Web Services services that are integrated with KMS][4] use
731
- # symmetric KMS keys to protect your data. These services do not
732
- # support asymmetric KMS keys. For help determining whether a KMS key
733
- # is symmetric or asymmetric, see [Identifying Symmetric and
734
- # Asymmetric KMS keys][5] in the *Key Management Service Developer
735
- # Guide*.
738
+ # key or an asymmetric key pair. It also determines the algorithms
739
+ # that the KMS key supports. You can't change the `KeySpec` after the
740
+ # KMS key is created. To further restrict the algorithms that can be
741
+ # used with the KMS key, use a condition key in its key policy or IAM
742
+ # policy. For more information, see [kms:EncryptionAlgorithm][2],
743
+ # [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
744
+ # <i>Key Management Service Developer Guide</i> </i>.
745
+ #
746
+ # [Amazon Web Services services that are integrated with KMS][5] use
747
+ # symmetric encryption KMS keys to protect your data. These services
748
+ # do not support asymmetric KMS keys or HMAC KMS keys.
736
749
  #
737
750
  # KMS supports the following key specs for KMS keys:
738
751
  #
739
- # * Symmetric key (default)
752
+ # * Symmetric encryption key (default)
740
753
  #
741
754
  # * `SYMMETRIC_DEFAULT` (AES-256-GCM)
742
755
  #
743
756
  # ^
744
757
  #
758
+ # * HMAC keys (symmetric)
759
+ #
760
+ # * `HMAC_224`
761
+ #
762
+ # * `HMAC_256`
763
+ #
764
+ # * `HMAC_384`
765
+ #
766
+ # * `HMAC_512`
767
+ #
745
768
  # * Asymmetric RSA key pairs
746
769
  #
747
770
  # * `RSA_2048`
@@ -767,11 +790,11 @@ module Aws::KMS
767
790
  #
768
791
  #
769
792
  #
770
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
793
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
771
794
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
772
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
773
- # [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
774
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
795
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
796
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
797
+ # [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
775
798
  # @return [String]
776
799
  #
777
800
  # @!attribute [rw] origin
@@ -783,13 +806,13 @@ module Aws::KMS
783
806
  # material), set the value to `EXTERNAL`. For more information about
784
807
  # importing key material into KMS, see [Importing Key Material][1] in
785
808
  # the *Key Management Service Developer Guide*. This value is valid
786
- # only for symmetric KMS keys.
809
+ # only for symmetric encryption KMS keys.
787
810
  #
788
811
  # To create a KMS key in an KMS [custom key store][2] and create its
789
812
  # key material in the associated CloudHSM cluster, set this value to
790
813
  # `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
791
814
  # to identify the custom key store. This value is valid only for
792
- # symmetric KMS keys.
815
+ # symmetric encryption KMS keys.
793
816
  #
794
817
  #
795
818
  #
@@ -805,9 +828,9 @@ module Aws::KMS
805
828
  # associated with the custom key store must have at least two active
806
829
  # HSMs, each in a different Availability Zone in the Region.
807
830
  #
808
- # This parameter is valid only for symmetric KMS keys and regional KMS
809
- # keys. You cannot create an asymmetric KMS key or a multi-Region key
810
- # in a custom key store.
831
+ # This parameter is valid only for symmetric encryption KMS keys in a
832
+ # single Region. You cannot create any other type of KMS key in a
833
+ # custom key store.
811
834
  #
812
835
  # To find the ID of a custom key store, use the
813
836
  # DescribeCustomKeyStores operation.
@@ -853,8 +876,8 @@ module Aws::KMS
853
876
  # TagResource operation.
854
877
  #
855
878
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
856
- # KMS key. For details, see [Using ABAC in KMS][1] in the *Key
857
- # Management Service Developer Guide*.
879
+ # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
880
+ # Service Developer Guide*.
858
881
  #
859
882
  # </note>
860
883
  #
@@ -895,7 +918,7 @@ module Aws::KMS
895
918
  # to encrypt data in one Amazon Web Services Region and decrypt it in
896
919
  # a different Amazon Web Services Region without re-encrypting the
897
920
  # data or making a cross-Region call. For more information about
898
- # multi-Region keys, see [Using multi-Region keys][1] in the *Key
921
+ # multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
899
922
  # Management Service Developer Guide*.
900
923
  #
901
924
  # This value creates a *primary key*, not a replica. To create a
@@ -1170,17 +1193,20 @@ module Aws::KMS
1170
1193
  # @!attribute [rw] encryption_context
1171
1194
  # Specifies the encryption context to use when decrypting the data. An
1172
1195
  # encryption context is valid only for [cryptographic operations][1]
1173
- # with a symmetric KMS key. The standard asymmetric encryption
1174
- # algorithms that KMS uses do not support an encryption context.
1196
+ # with a symmetric encryption KMS key. The standard asymmetric
1197
+ # encryption algorithms and HMAC algorithms that KMS uses do not
1198
+ # support an encryption context.
1175
1199
  #
1176
1200
  # An *encryption context* is a collection of non-secret key-value
1177
- # pairs that represents additional authenticated data. When you use an
1201
+ # pairs that represent additional authenticated data. When you use an
1178
1202
  # encryption context to encrypt data, you must specify the same (an
1179
1203
  # exact case-sensitive match) encryption context to decrypt the data.
1180
- # An encryption context is optional when encrypting with a symmetric
1181
- # KMS key, but it is highly recommended.
1204
+ # An encryption context is supported only on operations with symmetric
1205
+ # encryption KMS keys. On operations with symmetric encryption KMS
1206
+ # keys, an encryption context is optional, but it is strongly
1207
+ # recommended.
1182
1208
  #
1183
- # For more information, see [Encryption Context][2] in the *Key
1209
+ # For more information, see [Encryption context][2] in the *Key
1184
1210
  # Management Service Developer Guide*.
1185
1211
  #
1186
1212
  #
@@ -1204,15 +1230,18 @@ module Aws::KMS
1204
1230
  # @return [Array<String>]
1205
1231
  #
1206
1232
  # @!attribute [rw] key_id
1207
- # Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter
1208
- # a key ID of the KMS key that was used to encrypt the ciphertext.
1233
+ # Specifies the KMS key that KMS uses to decrypt the ciphertext.
1234
+ #
1235
+ # Enter a key ID of the KMS key that was used to encrypt the
1236
+ # ciphertext. If you identify a different KMS key, the `Decrypt`
1237
+ # operation throws an `IncorrectKeyException`.
1209
1238
  #
1210
1239
  # This parameter is required only when the ciphertext was encrypted
1211
- # under an asymmetric KMS key. If you used a symmetric KMS key, KMS
1212
- # can get the KMS key from metadata that it adds to the symmetric
1213
- # ciphertext blob. However, it is always recommended as a best
1214
- # practice. This practice ensures that you use the KMS key that you
1215
- # intend.
1240
+ # under an asymmetric KMS key. If you used a symmetric encryption KMS
1241
+ # key, KMS can get the KMS key from metadata that it adds to the
1242
+ # symmetric ciphertext blob. However, it is always recommended as a
1243
+ # best practice. This practice ensures that you use the KMS key that
1244
+ # you intend.
1216
1245
  #
1217
1246
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1218
1247
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1243,7 +1272,7 @@ module Aws::KMS
1243
1272
  # This parameter is required only when the ciphertext was encrypted
1244
1273
  # under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
1245
1274
  # represents the only supported algorithm that is valid for symmetric
1246
- # KMS keys.
1275
+ # encryption KMS keys.
1247
1276
  # @return [String]
1248
1277
  #
1249
1278
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
@@ -1570,9 +1599,10 @@ module Aws::KMS
1570
1599
  # }
1571
1600
  #
1572
1601
  # @!attribute [rw] key_id
1573
- # Identifies a symmetric KMS key. You cannot enable or disable
1574
- # automatic rotation of [asymmetric KMS keys][1], KMS keys with
1575
- # [imported key material][2], or KMS keys in a [custom key store][3].
1602
+ # Identifies a symmetric encryption KMS key. You cannot enable or
1603
+ # disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
1604
+ # keys][2], KMS keys with [imported key material][3], or KMS keys in a
1605
+ # [custom key store][4].
1576
1606
  #
1577
1607
  # Specify the key ID or key ARN of the KMS key.
1578
1608
  #
@@ -1589,8 +1619,9 @@ module Aws::KMS
1589
1619
  #
1590
1620
  #
1591
1621
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
1592
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1593
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1622
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
1623
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1624
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1594
1625
  # @return [String]
1595
1626
  #
1596
1627
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -1678,11 +1709,11 @@ module Aws::KMS
1678
1709
  # }
1679
1710
  #
1680
1711
  # @!attribute [rw] key_id
1681
- # Identifies a symmetric KMS key. You cannot enable automatic rotation
1682
- # of [asymmetric KMS keys][1], KMS keys with [imported key
1683
- # material][2], or KMS keys in a [custom key store][3]. To enable or
1684
- # disable automatic rotation of a set of related [multi-Region
1685
- # keys][4], set the property on the primary key.
1712
+ # Identifies a symmetric encryption KMS key. You cannot enable
1713
+ # automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
1714
+ # KMS keys with [imported key material][3], or KMS keys in a [custom
1715
+ # key store][4]. To enable or disable automatic rotation of a set of
1716
+ # related [multi-Region keys][5], set the property on the primary key.
1686
1717
  #
1687
1718
  # Specify the key ID or key ARN of the KMS key.
1688
1719
  #
@@ -1698,10 +1729,11 @@ module Aws::KMS
1698
1729
  #
1699
1730
  #
1700
1731
  #
1701
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
1702
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1703
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1704
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
1732
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
1733
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
1734
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1735
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1736
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
1705
1737
  # @return [String]
1706
1738
  #
1707
1739
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
@@ -1726,7 +1758,9 @@ module Aws::KMS
1726
1758
  # }
1727
1759
  #
1728
1760
  # @!attribute [rw] key_id
1729
- # Identifies the KMS key to use in the encryption operation.
1761
+ # Identifies the KMS key to use in the encryption operation. The KMS
1762
+ # key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
1763
+ # `KeyUsage` of a KMS key, use the DescribeKey operation.
1730
1764
  #
1731
1765
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1732
1766
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1755,18 +1789,20 @@ module Aws::KMS
1755
1789
  # @!attribute [rw] encryption_context
1756
1790
  # Specifies the encryption context that will be used to encrypt the
1757
1791
  # data. An encryption context is valid only for [cryptographic
1758
- # operations][1] with a symmetric KMS key. The standard asymmetric
1759
- # encryption algorithms that KMS uses do not support an encryption
1760
- # context.
1792
+ # operations][1] with a symmetric encryption KMS key. The standard
1793
+ # asymmetric encryption algorithms and HMAC algorithms that KMS uses
1794
+ # do not support an encryption context.
1761
1795
  #
1762
1796
  # An *encryption context* is a collection of non-secret key-value
1763
- # pairs that represents additional authenticated data. When you use an
1797
+ # pairs that represent additional authenticated data. When you use an
1764
1798
  # encryption context to encrypt data, you must specify the same (an
1765
1799
  # exact case-sensitive match) encryption context to decrypt the data.
1766
- # An encryption context is optional when encrypting with a symmetric
1767
- # KMS key, but it is highly recommended.
1800
+ # An encryption context is supported only on operations with symmetric
1801
+ # encryption KMS keys. On operations with symmetric encryption KMS
1802
+ # keys, an encryption context is optional, but it is strongly
1803
+ # recommended.
1768
1804
  #
1769
- # For more information, see [Encryption Context][2] in the *Key
1805
+ # For more information, see [Encryption context][2] in the *Key
1770
1806
  # Management Service Developer Guide*.
1771
1807
  #
1772
1808
  #
@@ -1795,9 +1831,9 @@ module Aws::KMS
1795
1831
  # that you specify.
1796
1832
  #
1797
1833
  # This parameter is required only for asymmetric KMS keys. The default
1798
- # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
1799
- # keys. If you are using an asymmetric KMS key, we recommend
1800
- # RSAES\_OAEP\_SHA\_256.
1834
+ # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
1835
+ # encryption KMS keys. If you are using an asymmetric KMS key, we
1836
+ # recommend RSAES\_OAEP\_SHA\_256.
1801
1837
  # @return [String]
1802
1838
  #
1803
1839
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -1874,13 +1910,15 @@ module Aws::KMS
1874
1910
  # the private key in the data key pair.
1875
1911
  #
1876
1912
  # An *encryption context* is a collection of non-secret key-value
1877
- # pairs that represents additional authenticated data. When you use an
1913
+ # pairs that represent additional authenticated data. When you use an
1878
1914
  # encryption context to encrypt data, you must specify the same (an
1879
1915
  # exact case-sensitive match) encryption context to decrypt the data.
1880
- # An encryption context is optional when encrypting with a symmetric
1881
- # KMS key, but it is highly recommended.
1916
+ # An encryption context is supported only on operations with symmetric
1917
+ # encryption KMS keys. On operations with symmetric encryption KMS
1918
+ # keys, an encryption context is optional, but it is strongly
1919
+ # recommended.
1882
1920
  #
1883
- # For more information, see [Encryption Context][1] in the *Key
1921
+ # For more information, see [Encryption context][1] in the *Key
1884
1922
  # Management Service Developer Guide*.
1885
1923
  #
1886
1924
  #
@@ -1889,10 +1927,10 @@ module Aws::KMS
1889
1927
  # @return [Hash<String,String>]
1890
1928
  #
1891
1929
  # @!attribute [rw] key_id
1892
- # Specifies the symmetric KMS key that encrypts the private key in the
1893
- # data key pair. You cannot specify an asymmetric KMS key or a KMS key
1894
- # in a custom key store. To get the type and origin of your KMS key,
1895
- # use the DescribeKey operation.
1930
+ # Specifies the symmetric encryption KMS key that encrypts the private
1931
+ # key in the data key pair. You cannot specify an asymmetric KMS key
1932
+ # or a KMS key in a custom key store. To get the type and origin of
1933
+ # your KMS key, use the DescribeKey operation.
1896
1934
  #
1897
1935
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1898
1936
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1961,7 +1999,9 @@ module Aws::KMS
1961
1999
  # @return [String]
1962
2000
  #
1963
2001
  # @!attribute [rw] public_key
1964
- # The public key (in plaintext).
2002
+ # The public key (in plaintext). When you use the HTTP API or the
2003
+ # Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
2004
+ # is not Base64-encoded.
1965
2005
  # @return [String]
1966
2006
  #
1967
2007
  # @!attribute [rw] key_id
@@ -2006,13 +2046,15 @@ module Aws::KMS
2006
2046
  # the private key in the data key pair.
2007
2047
  #
2008
2048
  # An *encryption context* is a collection of non-secret key-value
2009
- # pairs that represents additional authenticated data. When you use an
2049
+ # pairs that represent additional authenticated data. When you use an
2010
2050
  # encryption context to encrypt data, you must specify the same (an
2011
2051
  # exact case-sensitive match) encryption context to decrypt the data.
2012
- # An encryption context is optional when encrypting with a symmetric
2013
- # KMS key, but it is highly recommended.
2052
+ # An encryption context is supported only on operations with symmetric
2053
+ # encryption KMS keys. On operations with symmetric encryption KMS
2054
+ # keys, an encryption context is optional, but it is strongly
2055
+ # recommended.
2014
2056
  #
2015
- # For more information, see [Encryption Context][1] in the *Key
2057
+ # For more information, see [Encryption context][1] in the *Key
2016
2058
  # Management Service Developer Guide*.
2017
2059
  #
2018
2060
  #
@@ -2021,10 +2063,10 @@ module Aws::KMS
2021
2063
  # @return [Hash<String,String>]
2022
2064
  #
2023
2065
  # @!attribute [rw] key_id
2024
- # Specifies the KMS key that encrypts the private key in the data key
2025
- # pair. You must specify a symmetric KMS key. You cannot use an
2026
- # asymmetric KMS key or a KMS key in a custom key store. To get the
2027
- # type and origin of your KMS key, use the DescribeKey operation.
2066
+ # Specifies the symmetric encryption KMS key that encrypts the private
2067
+ # key in the data key pair. You cannot specify an asymmetric KMS key
2068
+ # or a KMS key in a custom key store. To get the type and origin of
2069
+ # your KMS key, use the DescribeKey operation.
2028
2070
  #
2029
2071
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
2030
2072
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2087,7 +2129,9 @@ module Aws::KMS
2087
2129
  # @return [String]
2088
2130
  #
2089
2131
  # @!attribute [rw] public_key
2090
- # The public key (in plaintext).
2132
+ # The public key (in plaintext). When you use the HTTP API or the
2133
+ # Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
2134
+ # is not Base64-encoded.
2091
2135
  # @return [String]
2092
2136
  #
2093
2137
  # @!attribute [rw] key_id
@@ -2128,7 +2172,10 @@ module Aws::KMS
2128
2172
  # }
2129
2173
  #
2130
2174
  # @!attribute [rw] key_id
2131
- # Identifies the symmetric KMS key that encrypts the data key.
2175
+ # Specifies the symmetric encryption KMS key that encrypts the data
2176
+ # key. You cannot specify an asymmetric KMS key or a KMS key in a
2177
+ # custom key store. To get the type and origin of your KMS key, use
2178
+ # the DescribeKey operation.
2132
2179
  #
2133
2180
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
2134
2181
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2155,13 +2202,15 @@ module Aws::KMS
2155
2202
  # the data key.
2156
2203
  #
2157
2204
  # An *encryption context* is a collection of non-secret key-value
2158
- # pairs that represents additional authenticated data. When you use an
2205
+ # pairs that represent additional authenticated data. When you use an
2159
2206
  # encryption context to encrypt data, you must specify the same (an
2160
2207
  # exact case-sensitive match) encryption context to decrypt the data.
2161
- # An encryption context is optional when encrypting with a symmetric
2162
- # KMS key, but it is highly recommended.
2208
+ # An encryption context is supported only on operations with symmetric
2209
+ # encryption KMS keys. On operations with symmetric encryption KMS
2210
+ # keys, an encryption context is optional, but it is strongly
2211
+ # recommended.
2163
2212
  #
2164
- # For more information, see [Encryption Context][1] in the *Key
2213
+ # For more information, see [Encryption context][1] in the *Key
2165
2214
  # Management Service Developer Guide*.
2166
2215
  #
2167
2216
  #
@@ -2260,7 +2309,10 @@ module Aws::KMS
2260
2309
  # }
2261
2310
  #
2262
2311
  # @!attribute [rw] key_id
2263
- # The identifier of the symmetric KMS key that encrypts the data key.
2312
+ # Specifies the symmetric encryption KMS key that encrypts the data
2313
+ # key. You cannot specify an asymmetric KMS key or a KMS key in a
2314
+ # custom key store. To get the type and origin of your KMS key, use
2315
+ # the DescribeKey operation.
2264
2316
  #
2265
2317
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
2266
2318
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -2287,13 +2339,15 @@ module Aws::KMS
2287
2339
  # the data key.
2288
2340
  #
2289
2341
  # An *encryption context* is a collection of non-secret key-value
2290
- # pairs that represents additional authenticated data. When you use an
2342
+ # pairs that represent additional authenticated data. When you use an
2291
2343
  # encryption context to encrypt data, you must specify the same (an
2292
2344
  # exact case-sensitive match) encryption context to decrypt the data.
2293
- # An encryption context is optional when encrypting with a symmetric
2294
- # KMS key, but it is highly recommended.
2345
+ # An encryption context is supported only on operations with symmetric
2346
+ # encryption KMS keys. On operations with symmetric encryption KMS
2347
+ # keys, an encryption context is optional, but it is strongly
2348
+ # recommended.
2295
2349
  #
2296
- # For more information, see [Encryption Context][1] in the *Key
2350
+ # For more information, see [Encryption context][1] in the *Key
2297
2351
  # Management Service Developer Guide*.
2298
2352
  #
2299
2353
  #
@@ -2363,6 +2417,93 @@ module Aws::KMS
2363
2417
  include Aws::Structure
2364
2418
  end
2365
2419
 
2420
+ # @note When making an API call, you may pass GenerateMacRequest
2421
+ # data as a hash:
2422
+ #
2423
+ # {
2424
+ # message: "data", # required
2425
+ # key_id: "KeyIdType", # required
2426
+ # mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
2427
+ # grant_tokens: ["GrantTokenType"],
2428
+ # }
2429
+ #
2430
+ # @!attribute [rw] message
2431
+ # The message to be hashed. Specify a message of up to 4,096 bytes.
2432
+ #
2433
+ # `GenerateMac` and VerifyMac do not provide special handling for
2434
+ # message digests. If you generate an HMAC for a hash digest of a
2435
+ # message, you must verify the HMAC of the same hash digest.
2436
+ # @return [String]
2437
+ #
2438
+ # @!attribute [rw] key_id
2439
+ # The HMAC KMS key to use in the operation. The MAC algorithm computes
2440
+ # the HMAC for the message and the key as described in [RFC 2104][1].
2441
+ #
2442
+ # To identify an HMAC KMS key, use the DescribeKey operation and see
2443
+ # the `KeySpec` field in the response.
2444
+ #
2445
+ #
2446
+ #
2447
+ # [1]: https://datatracker.ietf.org/doc/html/rfc2104
2448
+ # @return [String]
2449
+ #
2450
+ # @!attribute [rw] mac_algorithm
2451
+ # The MAC algorithm used in the operation.
2452
+ #
2453
+ # The algorithm must be compatible with the HMAC KMS key that you
2454
+ # specify. To find the MAC algorithms that your HMAC KMS key supports,
2455
+ # use the DescribeKey operation and see the `MacAlgorithms` field in
2456
+ # the `DescribeKey` response.
2457
+ # @return [String]
2458
+ #
2459
+ # @!attribute [rw] grant_tokens
2460
+ # A list of grant tokens.
2461
+ #
2462
+ # Use a grant token when your permission to call this operation comes
2463
+ # from a new grant that has not yet achieved *eventual consistency*.
2464
+ # For more information, see [Grant token][1] and [Using a grant
2465
+ # token][2] in the *Key Management Service Developer Guide*.
2466
+ #
2467
+ #
2468
+ #
2469
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2470
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2471
+ # @return [Array<String>]
2472
+ #
2473
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
2474
+ #
2475
+ class GenerateMacRequest < Struct.new(
2476
+ :message,
2477
+ :key_id,
2478
+ :mac_algorithm,
2479
+ :grant_tokens)
2480
+ SENSITIVE = [:message]
2481
+ include Aws::Structure
2482
+ end
2483
+
2484
+ # @!attribute [rw] mac
2485
+ # The hash-based message authentication code (HMAC) for the given
2486
+ # message, key, and MAC algorithm.
2487
+ # @return [String]
2488
+ #
2489
+ # @!attribute [rw] mac_algorithm
2490
+ # The MAC algorithm that was used to generate the HMAC.
2491
+ # @return [String]
2492
+ #
2493
+ # @!attribute [rw] key_id
2494
+ # The HMAC KMS key used in the operation.
2495
+ # @return [String]
2496
+ #
2497
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
2498
+ #
2499
+ class GenerateMacResponse < Struct.new(
2500
+ :mac,
2501
+ :mac_algorithm,
2502
+ :key_id)
2503
+ SENSITIVE = []
2504
+ include Aws::Structure
2505
+ end
2506
+
2366
2507
  # @note When making an API call, you may pass GenerateRandomRequest
2367
2508
  # data as a hash:
2368
2509
  #
@@ -2513,8 +2654,9 @@ module Aws::KMS
2513
2654
  # }
2514
2655
  #
2515
2656
  # @!attribute [rw] key_id
2516
- # The identifier of the symmetric KMS key into which you will import
2517
- # key material. The `Origin` of the KMS key must be `EXTERNAL`.
2657
+ # The identifier of the symmetric encryption KMS key into which you
2658
+ # will import key material. The `Origin` of the KMS key must be
2659
+ # `EXTERNAL`.
2518
2660
  #
2519
2661
  # Specify the key ID or key ARN of the KMS key.
2520
2662
  #
@@ -2729,10 +2871,11 @@ module Aws::KMS
2729
2871
  #
2730
2872
  # KMS applies the grant constraints only to cryptographic operations
2731
2873
  # that support an encryption context, that is, all cryptographic
2732
- # operations with a [symmetric KMS key][3]. Grant constraints are not
2733
- # applied to operations that do not support an encryption context, such
2734
- # as cryptographic operations with asymmetric KMS keys and management
2735
- # operations, such as DescribeKey or RetireGrant.
2874
+ # operations with a [symmetric encryption KMS key][3]. Grant constraints
2875
+ # are not applied to operations that do not support an encryption
2876
+ # context, such as cryptographic operations with HMAC KMS keys or
2877
+ # asymmetric KMS keys, and management operations, such as DescribeKey or
2878
+ # RetireGrant.
2736
2879
  #
2737
2880
  # In a cryptographic operation, the encryption context in the decryption
2738
2881
  # operation must be an exact, case-sensitive match for the keys and
@@ -2880,10 +3023,13 @@ module Aws::KMS
2880
3023
  # }
2881
3024
  #
2882
3025
  # @!attribute [rw] key_id
2883
- # The identifier of the symmetric KMS key that receives the imported
2884
- # key material. The KMS key's `Origin` must be `EXTERNAL`. This must
2885
- # be the same KMS key specified in the `KeyID` parameter of the
2886
- # corresponding GetParametersForImport request.
3026
+ # The identifier of the symmetric encryption KMS key that receives the
3027
+ # imported key material. This must be the same KMS key specified in
3028
+ # the `KeyID` parameter of the corresponding GetParametersForImport
3029
+ # request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
3030
+ # perform this operation on an asymmetric KMS key, an HMAC KMS key, a
3031
+ # KMS key in a custom key store, or on a KMS key in a different Amazon
3032
+ # Web Services account
2887
3033
  #
2888
3034
  # Specify the key ID or key ARN of the KMS key.
2889
3035
  #
@@ -2945,8 +3091,8 @@ module Aws::KMS
2945
3091
  class ImportKeyMaterialResponse < Aws::EmptyStructure; end
2946
3092
 
2947
3093
  # The request was rejected because the specified KMS key cannot decrypt
2948
- # the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
2949
- # ReEncrypt request must identify the same KMS key that was used to
3094
+ # the data. The `KeyId` in a `Decrypt` request and the `SourceKeyId` in
3095
+ # a `ReEncrypt` request must identify the same KMS key that was used to
2950
3096
  # encrypt the ciphertext.
2951
3097
  #
2952
3098
  # @!attribute [rw] message
@@ -3095,9 +3241,11 @@ module Aws::KMS
3095
3241
  # key `(KeySpec`).
3096
3242
  #
3097
3243
  # For encrypting, decrypting, re-encrypting, and generating data keys,
3098
- # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
3099
- # the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS
3100
- # key, use the DescribeKey operation.
3244
+ # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
3245
+ # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
3246
+ # verifying message authentication codes (MACs), the `KeyUsage` must be
3247
+ # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
3248
+ # DescribeKey operation.
3101
3249
  #
3102
3250
  # To find the encryption or signing algorithms supported for a
3103
3251
  # particular KMS key, use the DescribeKey operation.
@@ -3141,6 +3289,22 @@ module Aws::KMS
3141
3289
  include Aws::Structure
3142
3290
  end
3143
3291
 
3292
+ # The request was rejected because the HMAC verification failed. HMAC
3293
+ # verification fails when the HMAC computed by using the specified
3294
+ # message, HMAC KMS key, and MAC algorithm does not match the HMAC
3295
+ # specified in the request.
3296
+ #
3297
+ # @!attribute [rw] message
3298
+ # @return [String]
3299
+ #
3300
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
3301
+ #
3302
+ class KMSInvalidMacException < Struct.new(
3303
+ :message)
3304
+ SENSITIVE = []
3305
+ include Aws::Structure
3306
+ end
3307
+
3144
3308
  # The request was rejected because the signature verification failed.
3145
3309
  # Signature verification fails when it cannot confirm that signature was
3146
3310
  # produced by signing the specified message with the specified KMS key
@@ -3161,8 +3325,8 @@ module Aws::KMS
3161
3325
  # is not valid for this request.
3162
3326
  #
3163
3327
  # For more information about how key state affects the use of a KMS key,
3164
- # see [Key state: Effect on your KMS key][1] in the <i> <i>Key
3165
- # Management Service Developer Guide</i> </i>.
3328
+ # see [Key states of KMS keys][1] in the <i> <i>Key Management Service
3329
+ # Developer Guide</i> </i>.
3166
3330
  #
3167
3331
  #
3168
3332
  #
@@ -3247,8 +3411,8 @@ module Aws::KMS
3247
3411
  # The current status of the KMS key.
3248
3412
  #
3249
3413
  # For more information about how key state affects the use of a KMS
3250
- # key, see [Key state: Effect on your KMS key][1] in the *Key
3251
- # Management Service Developer Guide*.
3414
+ # key, see [Key states of KMS keys][1] in the *Key Management Service
3415
+ # Developer Guide*.
3252
3416
  #
3253
3417
  #
3254
3418
  #
@@ -3355,9 +3519,8 @@ module Aws::KMS
3355
3519
  # (`False`) key. This value is `True` for multi-Region primary and
3356
3520
  # replica keys and `False` for regional KMS keys.
3357
3521
  #
3358
- # For more information about multi-Region keys, see [Using
3359
- # multi-Region keys][1] in the *Key Management Service Developer
3360
- # Guide*.
3522
+ # For more information about multi-Region keys, see [Multi-Region keys
3523
+ # in KMS][1] in the *Key Management Service Developer Guide*.
3361
3524
  #
3362
3525
  #
3363
3526
  #
@@ -3402,6 +3565,14 @@ module Aws::KMS
3402
3565
  # the deletion date appears in the `DeletionDate` field.
3403
3566
  # @return [Integer]
3404
3567
  #
3568
+ # @!attribute [rw] mac_algorithms
3569
+ # The message authentication code (MAC) algorithm that the HMAC KMS
3570
+ # key supports.
3571
+ #
3572
+ # This value is present only when the `KeyUsage` of the KMS key is
3573
+ # `GENERATE_VERIFY_MAC`.
3574
+ # @return [Array<String>]
3575
+ #
3405
3576
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
3406
3577
  #
3407
3578
  class KeyMetadata < Struct.new(
@@ -3426,7 +3597,8 @@ module Aws::KMS
3426
3597
  :signing_algorithms,
3427
3598
  :multi_region,
3428
3599
  :multi_region_configuration,
3429
- :pending_deletion_window_in_days)
3600
+ :pending_deletion_window_in_days,
3601
+ :mac_algorithms)
3430
3602
  SENSITIVE = []
3431
3603
  include Aws::Structure
3432
3604
  end
@@ -3834,8 +4006,8 @@ module Aws::KMS
3834
4006
  # A list of tags. Each tag consists of a tag key and a tag value.
3835
4007
  #
3836
4008
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
3837
- # KMS key. For details, see [Using ABAC in KMS][1] in the *Key
3838
- # Management Service Developer Guide*.
4009
+ # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
4010
+ # Service Developer Guide*.
3839
4011
  #
3840
4012
  # </note>
3841
4013
  #
@@ -4126,13 +4298,15 @@ module Aws::KMS
4126
4298
  # ciphertext.
4127
4299
  #
4128
4300
  # An *encryption context* is a collection of non-secret key-value
4129
- # pairs that represents additional authenticated data. When you use an
4301
+ # pairs that represent additional authenticated data. When you use an
4130
4302
  # encryption context to encrypt data, you must specify the same (an
4131
4303
  # exact case-sensitive match) encryption context to decrypt the data.
4132
- # An encryption context is optional when encrypting with a symmetric
4133
- # KMS key, but it is highly recommended.
4304
+ # An encryption context is supported only on operations with symmetric
4305
+ # encryption KMS keys. On operations with symmetric encryption KMS
4306
+ # keys, an encryption context is optional, but it is strongly
4307
+ # recommended.
4134
4308
  #
4135
- # For more information, see [Encryption Context][1] in the *Key
4309
+ # For more information, see [Encryption context][1] in the *Key
4136
4310
  # Management Service Developer Guide*.
4137
4311
  #
4138
4312
  #
@@ -4142,15 +4316,18 @@ module Aws::KMS
4142
4316
  #
4143
4317
  # @!attribute [rw] source_key_id
4144
4318
  # Specifies the KMS key that KMS will use to decrypt the ciphertext
4145
- # before it is re-encrypted. Enter a key ID of the KMS key that was
4146
- # used to encrypt the ciphertext.
4319
+ # before it is re-encrypted.
4320
+ #
4321
+ # Enter a key ID of the KMS key that was used to encrypt the
4322
+ # ciphertext. If you identify a different KMS key, the `ReEncrypt`
4323
+ # operation throws an `IncorrectKeyException`.
4147
4324
  #
4148
4325
  # This parameter is required only when the ciphertext was encrypted
4149
- # under an asymmetric KMS key. If you used a symmetric KMS key, KMS
4150
- # can get the KMS key from metadata that it adds to the symmetric
4151
- # ciphertext blob. However, it is always recommended as a best
4152
- # practice. This practice ensures that you use the KMS key that you
4153
- # intend.
4326
+ # under an asymmetric KMS key. If you used a symmetric encryption KMS
4327
+ # key, KMS can get the KMS key from metadata that it adds to the
4328
+ # symmetric ciphertext blob. However, it is always recommended as a
4329
+ # best practice. This practice ensures that you use the KMS key that
4330
+ # you intend.
4154
4331
  #
4155
4332
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
4156
4333
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4174,9 +4351,9 @@ module Aws::KMS
4174
4351
  #
4175
4352
  # @!attribute [rw] destination_key_id
4176
4353
  # A unique identifier for the KMS key that is used to reencrypt the
4177
- # data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
4178
- # value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS
4179
- # key, use the DescribeKey operation.
4354
+ # data. Specify a symmetric encryption KMS key or an asymmetric KMS
4355
+ # key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
4356
+ # `KeyUsage` value of a KMS key, use the DescribeKey operation.
4180
4357
  #
4181
4358
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
4182
4359
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4203,17 +4380,19 @@ module Aws::KMS
4203
4380
  # data.
4204
4381
  #
4205
4382
  # A destination encryption context is valid only when the destination
4206
- # KMS key is a symmetric KMS key. The standard ciphertext format for
4207
- # asymmetric KMS keys does not include fields for metadata.
4383
+ # KMS key is a symmetric encryption KMS key. The standard ciphertext
4384
+ # format for asymmetric KMS keys does not include fields for metadata.
4208
4385
  #
4209
4386
  # An *encryption context* is a collection of non-secret key-value
4210
- # pairs that represents additional authenticated data. When you use an
4387
+ # pairs that represent additional authenticated data. When you use an
4211
4388
  # encryption context to encrypt data, you must specify the same (an
4212
4389
  # exact case-sensitive match) encryption context to decrypt the data.
4213
- # An encryption context is optional when encrypting with a symmetric
4214
- # KMS key, but it is highly recommended.
4390
+ # An encryption context is supported only on operations with symmetric
4391
+ # encryption KMS keys. On operations with symmetric encryption KMS
4392
+ # keys, an encryption context is optional, but it is strongly
4393
+ # recommended.
4215
4394
  #
4216
- # For more information, see [Encryption Context][1] in the *Key
4395
+ # For more information, see [Encryption context][1] in the *Key
4217
4396
  # Management Service Developer Guide*.
4218
4397
  #
4219
4398
  #
@@ -4224,8 +4403,8 @@ module Aws::KMS
4224
4403
  # @!attribute [rw] source_encryption_algorithm
4225
4404
  # Specifies the encryption algorithm that KMS will use to decrypt the
4226
4405
  # ciphertext before it is reencrypted. The default value,
4227
- # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
4228
- # keys.
4406
+ # `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
4407
+ # encryption KMS keys.
4229
4408
  #
4230
4409
  # Specify the same algorithm that was used to encrypt the ciphertext.
4231
4410
  # If you specify a different algorithm, the decrypt attempt fails.
@@ -4238,7 +4417,7 @@ module Aws::KMS
4238
4417
  # Specifies the encryption algorithm that KMS will use to reecrypt the
4239
4418
  # data after it has decrypted it. The default value,
4240
4419
  # `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
4241
- # symmetric KMS keys.
4420
+ # symmetric encryption KMS keys.
4242
4421
  #
4243
4422
  # This parameter is required only when the destination KMS key is an
4244
4423
  # asymmetric KMS key.
@@ -4359,24 +4538,33 @@ module Aws::KMS
4359
4538
  # [KMS service endpoints][1] in the *Amazon Web Services General
4360
4539
  # Reference*.
4361
4540
  #
4541
+ # <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
4542
+ # If you try to replicate an HMAC KMS key in an Amazon Web Services
4543
+ # Region in which HMAC keys are not supported, the `ReplicateKey`
4544
+ # operation returns an `UnsupportedOperationException`. For a list of
4545
+ # Regions in which HMAC KMS keys are supported, see [HMAC keys in
4546
+ # KMS][2] in the *Key Management Service Developer Guide*.
4547
+ #
4548
+ # </note>
4549
+ #
4362
4550
  # The replica must be in a different Amazon Web Services Region than
4363
4551
  # its primary key and other replicas of that primary key, but in the
4364
4552
  # same Amazon Web Services partition. KMS must be available in the
4365
4553
  # replica Region. If the Region is not enabled by default, the Amazon
4366
- # Web Services account must be enabled in the Region.
4367
- #
4368
- # For information about Amazon Web Services partitions, see [Amazon
4369
- # Resource Names (ARNs) in the *Amazon Web Services General
4370
- # Reference*.][2] For information about enabling and disabling
4371
- # Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
4372
- # the *Amazon Web Services General Reference*.
4554
+ # Web Services account must be enabled in the Region. For information
4555
+ # about Amazon Web Services partitions, see [Amazon Resource Names
4556
+ # (ARNs)][3] in the *Amazon Web Services General Reference*. For
4557
+ # information about enabling and disabling Regions, see [Enabling a
4558
+ # Region][4] and [Disabling a Region][5] in the *Amazon Web Services
4559
+ # General Reference*.
4373
4560
  #
4374
4561
  #
4375
4562
  #
4376
4563
  # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
4377
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
4378
- # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
4379
- # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
4564
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
4565
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
4566
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
4567
+ # [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
4380
4568
  # @return [String]
4381
4569
  #
4382
4570
  # @!attribute [rw] policy
@@ -4455,8 +4643,8 @@ module Aws::KMS
4455
4643
  # the TagResource operation.
4456
4644
  #
4457
4645
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4458
- # KMS key. For details, see [Using ABAC in KMS][1] in the *Key
4459
- # Management Service Developer Guide*.
4646
+ # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
4647
+ # Service Developer Guide*.
4460
4648
  #
4461
4649
  # </note>
4462
4650
  #
@@ -4500,9 +4688,9 @@ module Aws::KMS
4500
4688
 
4501
4689
  # @!attribute [rw] replica_key_metadata
4502
4690
  # Displays details about the new replica key, including its Amazon
4503
- # Resource Name ([key ARN][1]) and [key state][2]. It also includes
4504
- # the ARN and Amazon Web Services Region of its primary key and other
4505
- # replica keys.
4691
+ # Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
4692
+ # also includes the ARN and Amazon Web Services Region of its primary
4693
+ # key and other replica keys.
4506
4694
  #
4507
4695
  #
4508
4696
  #
@@ -4690,8 +4878,8 @@ module Aws::KMS
4690
4878
  # The current status of the KMS key.
4691
4879
  #
4692
4880
  # For more information about how key state affects the use of a KMS
4693
- # key, see [Key state: Effect on your KMS key][1] in the *Key
4694
- # Management Service Developer Guide*.
4881
+ # key, see [Key states of KMS keys][1] in the *Key Management Service
4882
+ # Developer Guide*.
4695
4883
  #
4696
4884
  #
4697
4885
  #
@@ -5194,6 +5382,100 @@ module Aws::KMS
5194
5382
  include Aws::Structure
5195
5383
  end
5196
5384
 
5385
+ # @note When making an API call, you may pass VerifyMacRequest
5386
+ # data as a hash:
5387
+ #
5388
+ # {
5389
+ # message: "data", # required
5390
+ # key_id: "KeyIdType", # required
5391
+ # mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
5392
+ # mac: "data", # required
5393
+ # grant_tokens: ["GrantTokenType"],
5394
+ # }
5395
+ #
5396
+ # @!attribute [rw] message
5397
+ # The message that will be used in the verification. Enter the same
5398
+ # message that was used to generate the HMAC.
5399
+ #
5400
+ # GenerateMac and `VerifyMac` do not provide special handling for
5401
+ # message digests. If you generated an HMAC for a hash digest of a
5402
+ # message, you must verify the HMAC for the same hash digest.
5403
+ # @return [String]
5404
+ #
5405
+ # @!attribute [rw] key_id
5406
+ # The KMS key that will be used in the verification.
5407
+ #
5408
+ # Enter a key ID of the KMS key that was used to generate the HMAC. If
5409
+ # you identify a different KMS key, the `VerifyMac` operation fails.
5410
+ # @return [String]
5411
+ #
5412
+ # @!attribute [rw] mac_algorithm
5413
+ # The MAC algorithm that will be used in the verification. Enter the
5414
+ # same MAC algorithm that was used to compute the HMAC. This algorithm
5415
+ # must be supported by the HMAC KMS key identified by the `KeyId`
5416
+ # parameter.
5417
+ # @return [String]
5418
+ #
5419
+ # @!attribute [rw] mac
5420
+ # The HMAC to verify. Enter the HMAC that was generated by the
5421
+ # GenerateMac operation when you specified the same message, HMAC KMS
5422
+ # key, and MAC algorithm as the values specified in this request.
5423
+ # @return [String]
5424
+ #
5425
+ # @!attribute [rw] grant_tokens
5426
+ # A list of grant tokens.
5427
+ #
5428
+ # Use a grant token when your permission to call this operation comes
5429
+ # from a new grant that has not yet achieved *eventual consistency*.
5430
+ # For more information, see [Grant token][1] and [Using a grant
5431
+ # token][2] in the *Key Management Service Developer Guide*.
5432
+ #
5433
+ #
5434
+ #
5435
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
5436
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5437
+ # @return [Array<String>]
5438
+ #
5439
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
5440
+ #
5441
+ class VerifyMacRequest < Struct.new(
5442
+ :message,
5443
+ :key_id,
5444
+ :mac_algorithm,
5445
+ :mac,
5446
+ :grant_tokens)
5447
+ SENSITIVE = [:message]
5448
+ include Aws::Structure
5449
+ end
5450
+
5451
+ # @!attribute [rw] key_id
5452
+ # The HMAC KMS key used in the verification.
5453
+ # @return [String]
5454
+ #
5455
+ # @!attribute [rw] mac_valid
5456
+ # A Boolean value that indicates whether the HMAC was verified. A
5457
+ # value of `True` indicates that the HMAC (`Mac`) was generated with
5458
+ # the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
5459
+ #
5460
+ # If the HMAC is not verified, the `VerifyMac` operation fails with a
5461
+ # `KMSInvalidMacException` exception. This exception indicates that
5462
+ # one or more of the inputs changed since the HMAC was computed.
5463
+ # @return [Boolean]
5464
+ #
5465
+ # @!attribute [rw] mac_algorithm
5466
+ # The MAC algorithm used in the verification.
5467
+ # @return [String]
5468
+ #
5469
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
5470
+ #
5471
+ class VerifyMacResponse < Struct.new(
5472
+ :key_id,
5473
+ :mac_valid,
5474
+ :mac_algorithm)
5475
+ SENSITIVE = []
5476
+ include Aws::Structure
5477
+ end
5478
+
5197
5479
  # @note When making an API call, you may pass VerifyRequest
5198
5480
  # data as a hash:
5199
5481
  #