aws-sdk-kms 1.54.0 → 1.57.0

data/lib/aws-sdk-kms/client.rb

@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
+require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
@@ -75,6 +76,7 @@ module Aws::KMS
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
+    add_plugin(Aws::Plugins::ChecksumAlgorithm)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
     add_plugin(Aws::Plugins::SignatureV4)
@@ -368,8 +370,8 @@ module Aws::KMS
     # Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -542,8 +544,8 @@ module Aws::KMS
     # Creates a friendly name for a KMS key.
     #
     # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
-    # the KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    # Management Service Developer Guide*.
+    # the KMS key. For details, see [ABAC in KMS][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #  </note>
     #
@@ -568,8 +570,8 @@ module Aws::KMS
     # created, use the ListAliases operation.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on an
     # alias in a different Amazon Web Services account.
@@ -810,7 +812,7 @@ module Aws::KMS
     # and delete it without changing your key policies or IAM policies.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][1] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
@@ -833,8 +835,8 @@ module Aws::KMS
     #   the ListGrants or ListRetirableGrants operations.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
@@ -919,12 +921,13 @@ module Aws::KMS
     # @option params [required, Array<String>] :operations
     #   A list of operations that the grant permits.
     #
-    #   The operation must be supported on the KMS key. For example, you
-    #   cannot create a grant for a symmetric KMS key that allows the Sign
-    #   operation, or a grant for an asymmetric KMS key that allows the
-    #   GenerateDataKey operation. If you try, KMS returns a `ValidationError`
-    #   exception. For details, see [Grant operations][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   This list must include only operations that are permitted in a grant.
+    #   Also, the operation must be supported on the KMS key. For example, you
+    #   cannot create a grant for a symmetric encryption KMS key that allows
+    #   the Sign operation, or a grant for an asymmetric KMS key that allows
+    #   the GenerateDataKey operation. If you try, KMS returns a
+    #   `ValidationError` exception. For details, see [Grant operations][1] in
+    #   the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -936,27 +939,38 @@ module Aws::KMS
     #   KMS supports the `EncryptionContextEquals` and
     #   `EncryptionContextSubset` grant constraints. Each constraint value can
     #   include up to 8 encryption context pairs. The encryption context value
-    #   in each constraint cannot exceed 384 characters.
-    #
-    #   These grant constraints allow the permissions in the grant only when
-    #   the encryption context in the request matches
-    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
-    #   the encryption context specified in this structure. For information
-    #   about grant constraints, see [Using grant constraints][1] in the *Key
+    #   in each constraint cannot exceed 384 characters. For information about
+    #   grant constraints, see [Using grant constraints][1] in the *Key
     #   Management Service Developer Guide*. For more information about
-    #   encryption context, see [Encryption Context][2] in the <i> <i>Key
+    #   encryption context, see [Encryption context][2] in the <i> <i>Key
     #   Management Service Developer Guide</i> </i>.
     #
-    #   The encryption context grant constraints are supported only on
-    #   operations that include an encryption context. You cannot use an
-    #   encryption context grant constraint for cryptographic operations with
-    #   asymmetric KMS keys or for management operations, such as DescribeKey
-    #   or RetireGrant.
+    #   The encryption context grant constraints allow the permissions in the
+    #   grant only when the encryption context in the request matches
+    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
+    #   the encryption context specified in this structure.
+    #
+    #   The encryption context grant constraints are supported only on [grant
+    #   operations][3] that include an `EncryptionContext` parameter, such as
+    #   cryptographic operations on symmetric encryption KMS keys. Grants with
+    #   grant constraints can include the DescribeKey and RetireGrant
+    #   operations, but the constraint doesn't apply to these operations. If
+    #   a grant with a grant constraint includes the `CreateGrant` operation,
+    #   the constraint requires that any grants created with the `CreateGrant`
+    #   permission have an equally strict or stricter encryption context
+    #   constraint.
+    #
+    #   You cannot use an encryption context grant constraint for
+    #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
+    #   These keys don't support an encryption context.
+    #
+    #
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1018,7 +1032,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     grantee_principal: "PrincipalIdType", # required
     #     retiring_principal: "PrincipalIdType",
-    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
+    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
     #     constraints: {
     #       encryption_context_subset: {
     #         "EncryptionContextKey" => "EncryptionContextValue",
@@ -1048,35 +1062,35 @@ module Aws::KMS
     # Creates a unique customer managed [KMS key][1] in your Amazon Web
     # Services account and Region.
     #
+    # In addition to the required parameters, you can use the optional
+    # parameters to specify a key policy, description, tags, and other
+    # useful elements for any key type.
+    #
     # <note markdown="1"> KMS is replacing the term *customer master key (CMK)* with *KMS key*
     # and *KMS key*. The concept has not changed. To prevent breaking
     # changes, KMS is keeping some variations of this term.
     #
     #  </note>
     #
-    # You can use the `CreateKey` operation to create symmetric or
-    # asymmetric KMS keys.
+    # To create different types of KMS keys, use the following guidance:
     #
-    # * **Symmetric KMS keys** contain a 256-bit symmetric key that never
-    #   leaves KMS unencrypted. To use the KMS key, you must call KMS. You
-    #   can use a symmetric KMS key to encrypt and decrypt small amounts of
-    #   data, but they are typically used to generate [data keys][2] and
-    #   [data keys pairs][3]. For details, see GenerateDataKey and
-    #   GenerateDataKeyPair.
+    # Symmetric encryption KMS key
     #
-    # * **Asymmetric KMS keys** can contain an RSA key pair or an Elliptic
-    #   Curve (ECC) key pair. The private key in an asymmetric KMS key never
-    #   leaves KMS unencrypted. However, you can use the GetPublicKey
-    #   operation to download the public key so it can be used outside of
-    #   KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt
-    #   data or sign and verify messages (but not both). KMS keys with ECC
-    #   key pairs can be used only to sign and verify messages.
+    # : To create a symmetric encryption KMS key, you aren't required to
+    #   specify any parameters. The default value for `KeySpec`,
+    #   `SYMMETRIC_DEFAULT`, and the default value for `KeyUsage`,
+    #   `ENCRYPT_DECRYPT`, create a symmetric encryption KMS key.
+    #
+    #   If you need a key for basic encryption and decryption or you are
+    #   creating a KMS key to protect your resources in an Amazon Web
+    #   Services service, create a symmetric encryption KMS key. The key
+    #   material in a symmetric encryption key never leaves KMS unencrypted.
+    #   You can use a symmetric encryption KMS key to encrypt and decrypt
+    #   data up to 4,096 bytes, but they are typically used to generate data
+    #   keys and data keys pairs. For details, see GenerateDataKey and
+    #   GenerateDataKeyPair.
     #
-    # For information about symmetric and asymmetric KMS keys, see [Using
-    # Symmetric and Asymmetric KMS keys][4] in the *Key Management Service
-    # Developer Guide*.
     #
-    # To create different types of KMS keys, use the following guidance:
     #
     # Asymmetric KMS keys
     #
@@ -1086,14 +1100,37 @@ module Aws::KMS
     #   to encrypt and decrypt or sign and verify. You can't change these
     #   properties after the KMS key is created.
     #
+    #   Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve
+    #   (ECC) key pair. The private key in an asymmetric KMS key never
+    #   leaves KMS unencrypted. However, you can use the GetPublicKey
+    #   operation to download the public key so it can be used outside of
+    #   KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt
+    #   data or sign and verify messages (but not both). KMS keys with ECC
+    #   key pairs can be used only to sign and verify messages. For
+    #   information about asymmetric KMS keys, see [Asymmetric KMS keys][2]
+    #   in the *Key Management Service Developer Guide*.
     #
     #
-    # Symmetric KMS keys
     #
-    # : When creating a symmetric KMS key, you don't need to specify the
-    #   `KeySpec` or `KeyUsage` parameters. The default value for `KeySpec`,
-    #   `SYMMETRIC_DEFAULT`, and the default value for `KeyUsage`,
-    #   `ENCRYPT_DECRYPT`, are the only valid values for symmetric KMS keys.
+    # HMAC KMS key
+    #
+    # : To create an HMAC KMS key, set the `KeySpec` parameter to a key spec
+    #   value for HMAC KMS keys. Then set the `KeyUsage` parameter to
+    #   `GENERATE_VERIFY_MAC`. You must set the key usage even though
+    #   `GENERATE_VERIFY_MAC` is the only valid key usage value for HMAC KMS
+    #   keys. You can't change these properties after the KMS key is
+    #   created.
+    #
+    #   HMAC KMS keys are symmetric keys that never leave KMS unencrypted.
+    #   You can use HMAC keys to generate (GenerateMac) and verify
+    #   (VerifyMac) HMAC codes for messages up to 4096 bytes.
+    #
+    #   HMAC KMS keys are not supported in all Amazon Web Services Regions.
+    #   If you try to create an HMAC KMS key in an Amazon Web Services
+    #   Region in which HMAC keys are not supported, the `CreateKey`
+    #   operation returns an `UnsupportedOperationException`. For a list of
+    #   Regions in which HMAC KMS keys are supported, see [HMAC keys in
+    #   KMS][3] in the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -1108,6 +1145,12 @@ module Aws::KMS
     #   operation. To change a replica key to a primary key, and its primary
     #   key to a replica key, use the UpdatePrimaryRegion operation.
     #
+    #   You can create multi-Region KMS keys for all supported KMS key
+    #   types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric
+    #   encryption KMS keys, and asymmetric signing KMS keys. You can also
+    #   create multi-Region keys with imported key material. However, you
+    #   can't create multi-Region keys in a custom key store.
+    #
     #   This operation supports *multi-Region keys*, an KMS feature that
     #   lets you create multiple interoperable KMS keys in different Amazon
     #   Web Services Regions. Because these KMS keys have the same key ID,
@@ -1115,57 +1158,57 @@ module Aws::KMS
     #   to encrypt data in one Amazon Web Services Region and decrypt it in
     #   a different Amazon Web Services Region without re-encrypting the
     #   data or making a cross-Region call. For more information about
-    #   multi-Region keys, see [Using multi-Region keys][5] in the *Key
+    #   multi-Region keys, see [Multi-Region keys in KMS][4] in the *Key
     #   Management Service Developer Guide*.
     #
-    #   You can create symmetric and asymmetric multi-Region keys and
-    #   multi-Region keys with imported key material. You cannot create
-    #   multi-Region keys in a custom key store.
-    #
     #
     #
-    # : To import your own key material, begin by creating a symmetric KMS
-    #   key with no key material. To do this, use the `Origin` parameter of
-    #   `CreateKey` with a value of `EXTERNAL`. Next, use
-    #   GetParametersForImport operation to get a public key and import
+    # : To import your own key material, begin by creating a symmetric
+    #   encryption KMS key with no key material. To do this, use the
+    #   `Origin` parameter of `CreateKey` with a value of `EXTERNAL`. Next,
+    #   use GetParametersForImport operation to get a public key and import
     #   token, and use the public key to encrypt your key material. Then,
     #   use ImportKeyMaterial with your import token to import the key
     #   material. For step-by-step instructions, see [Importing Key
-    #   Material][6] in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>. You cannot import the key material into an
-    #   asymmetric KMS key.
+    #   Material][5] in the <i> <i>Key Management Service Developer
+    #   Guide</i> </i>.
+    #
+    #   This feature supports only symmetric encryption KMS keys, including
+    #   multi-Region symmetric encryption KMS keys. You cannot import key
+    #   material into any other type of KMS key.
     #
     #   To create a multi-Region primary key with imported key material, use
     #   the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
     #   the `MultiRegion` parameter with a value of `True`. To create
     #   replicas of the multi-Region primary key, use the ReplicateKey
-    #   operation. For more information about multi-Region keys, see [Using
-    #   multi-Region keys][5] in the *Key Management Service Developer
-    #   Guide*.
+    #   operation. For more information about multi-Region keys, see
+    #   [Multi-Region keys in KMS][4] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
     # Custom key store
     #
-    # : To create a symmetric KMS key in a [custom key store][7], use the
-    #   `CustomKeyStoreId` parameter to specify the custom key store. You
-    #   must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
-    #   The CloudHSM cluster that is associated with the custom key store
-    #   must have at least two active HSMs in different Availability Zones
-    #   in the Amazon Web Services Region.
+    # : To create a symmetric encryption KMS key in a [custom key store][6],
+    #   use the `CustomKeyStoreId` parameter to specify the custom key
+    #   store. You must also use the `Origin` parameter with a value of
+    #   `AWS_CLOUDHSM`. The CloudHSM cluster that is associated with the
+    #   custom key store must have at least two active HSMs in different
+    #   Availability Zones in the Amazon Web Services Region.
     #
-    #   You cannot create an asymmetric KMS key in a custom key store. For
-    #   information about custom key stores in KMS see [Using Custom Key
-    #   Stores][7] in the <i> <i>Key Management Service Developer Guide</i>
-    #   </i>.
+    #   Custom key stores support only symmetric encryption KMS keys. You
+    #   cannot create an HMAC KMS key or an asymmetric KMS key in a custom
+    #   key store. For information about custom key stores in KMS see
+    #   [Custom key stores in KMS][6] in the <i> <i>Key Management Service
+    #   Developer Guide</i> </i>.
     #
     # **Cross-account use**\: No. You cannot use this operation to create a
     # KMS key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
-    # `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
+    # **Required permissions**\: [kms:CreateKey][7] (IAM policy). To use the
+    # `Tags` parameter, [kms:TagResource][7] (IAM policy). For examples and
     # information about related permissions, see [Allow a user to create KMS
-    # keys][9] in the *Key Management Service Developer Guide*.
+    # keys][8] in the *Key Management Service Developer Guide*.
     #
     # **Related operations:**
     #
@@ -1178,26 +1221,28 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
     #
     # @option params [String] :policy
-    #   The key policy to attach to the KMS key.
+    #   The key policy to attach to the KMS key. If you do not specify a key
+    #   policy, KMS attaches a default key policy to the KMS key. For more
+    #   information, see [Default key policy][1] in the *Key Management
+    #   Service Developer Guide*.
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must allow the principal that is making the `CreateKey`
+    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
+    #     key policy must allow the principal that is making the `CreateKey`
     #     request to make a subsequent PutKeyPolicy request on the KMS key.
     #     This reduces the risk that the KMS key becomes unmanageable. For
     #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
+    #     Policy][2] section of the <i> <i>Key Management Service Developer
     #     Guide</i> </i>.
     #
     #   * Each statement in the key policy must contain one or more
@@ -1207,14 +1252,23 @@ module Aws::KMS
     #     delay before including the new principal in a key policy because the
     #     new principal might not be immediately visible to KMS. For more
     #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *Amazon Web Services Identity and Access
+    #     visible][3] in the *Amazon Web Services Identity and Access
     #     Management User Guide*.
     #
-    #   If you do not provide a key policy, KMS attaches a default key policy
-    #   to the KMS key. For more information, see [Default Key Policy][3] in
-    #   the *Key Management Service Developer Guide*.
+    #   A key policy document must conform to the following rules.
     #
-    #   The key policy size quota is 32 kilobytes (32768 bytes).
+    #   * Up to 32 kilobytes (32768 bytes)
+    #
+    #   * Must be UTF-8 encoded
+    #
+    #   * The only Unicode characters that are permitted in a key policy
+    #     document are the horizontal tab (U+0009), linefeed (U+000A),
+    #     carriage return (U+000D), and characters in the range U+0020 to
+    #     U+00FF.
+    #
+    #   * The `Sid` element in a key policy statement can include spaces.
+    #     (Spaces are prohibited in the `Sid` element of an IAM policy
+    #     document.)
     #
     #   For help writing and formatting a JSON policy document, see the [IAM
     #   JSON Policy Reference][4] in the <i> <i>Identity and Access Management
@@ -1222,9 +1276,9 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
-    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [String] :description
@@ -1240,14 +1294,17 @@ module Aws::KMS
     # @option params [String] :key_usage
     #   Determines the [cryptographic operations][1] for which you can use the
     #   KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter is
-    #   required only for asymmetric KMS keys. You can't change the
-    #   `KeyUsage` value after the KMS key is created.
+    #   optional when you are creating a symmetric encryption KMS key;
+    #   otherwise, it is required. You can't change the `KeyUsage` value
+    #   after the KMS key is created.
     #
     #   Select only one valid value.
     #
-    #   * For symmetric KMS keys, omit the parameter or specify
+    #   * For symmetric encryption KMS keys, omit the parameter or specify
     #     `ENCRYPT_DECRYPT`.
     #
+    #   * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
+    #
     #   * For asymmetric KMS keys with RSA key material, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
@@ -1270,32 +1327,40 @@ module Aws::KMS
     #   Specifies the type of KMS key to create. The default value,
     #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
     #   for encryption and decryption. For help choosing a key spec for your
-    #   KMS key, see [How to Choose Your KMS key Configuration][1] in the <i>
-    #   <i>Key Management Service Developer Guide</i> </i>.
+    #   KMS key, see [Choosing a KMS key type][1] in the <i> <i>Key Management
+    #   Service Developer Guide</i> </i>.
     #
     #   The `KeySpec` determines whether the KMS key contains a symmetric key
-    #   or an asymmetric key pair. It also determines the encryption
-    #   algorithms or signing algorithms that the KMS key supports. You can't
-    #   change the `KeySpec` after the KMS key is created. To further restrict
-    #   the algorithms that can be used with the KMS key, use a condition key
-    #   in its key policy or IAM policy. For more information, see
-    #   [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in the <i>
-    #   <i>Key Management Service Developer Guide</i> </i>.
-    #
-    #   [Amazon Web Services services that are integrated with KMS][4] use
-    #   symmetric KMS keys to protect your data. These services do not support
-    #   asymmetric KMS keys. For help determining whether a KMS key is
-    #   symmetric or asymmetric, see [Identifying Symmetric and Asymmetric KMS
-    #   keys][5] in the *Key Management Service Developer Guide*.
+    #   or an asymmetric key pair. It also determines the cryptographic
+    #   algorithms that the KMS key supports. You can't change the `KeySpec`
+    #   after the KMS key is created. To further restrict the algorithms that
+    #   can be used with the KMS key, use a condition key in its key policy or
+    #   IAM policy. For more information, see [kms:EncryptionAlgorithm][2],
+    #   [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i> <i>Key
+    #   Management Service Developer Guide</i> </i>.
+    #
+    #   [Amazon Web Services services that are integrated with KMS][5] use
+    #   symmetric encryption KMS keys to protect your data. These services do
+    #   not support asymmetric KMS keys or HMAC KMS keys.
     #
     #   KMS supports the following key specs for KMS keys:
     #
-    #   * Symmetric key (default)
+    #   * Symmetric encryption key (default)
     #
     #     * `SYMMETRIC_DEFAULT` (AES-256-GCM)
     #
     #     ^
     #
+    #   * HMAC keys (symmetric)
+    #
+    #     * `HMAC_224`
+    #
+    #     * `HMAC_256`
+    #
+    #     * `HMAC_384`
+    #
+    #     * `HMAC_512`
+    #
     #   * Asymmetric RSA key pairs
     #
     #     * `RSA_2048`
@@ -1320,11 +1385,11 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
-    #   [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
-    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
+    #   [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
     #
     # @option params [String] :origin
     #   The source of the key material for the KMS key. You cannot change the
@@ -1335,13 +1400,13 @@ module Aws::KMS
     #   set the value to `EXTERNAL`. For more information about importing key
     #   material into KMS, see [Importing Key Material][1] in the *Key
     #   Management Service Developer Guide*. This value is valid only for
-    #   symmetric KMS keys.
+    #   symmetric encryption KMS keys.
     #
     #   To create a KMS key in an KMS [custom key store][2] and create its key
     #   material in the associated CloudHSM cluster, set this value to
     #   `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter to
     #   identify the custom key store. This value is valid only for symmetric
-    #   KMS keys.
+    #   encryption KMS keys.
     #
     #
     #
@@ -1356,9 +1421,9 @@ module Aws::KMS
     #   the custom key store must have at least two active HSMs, each in a
     #   different Availability Zone in the Region.
     #
-    #   This parameter is valid only for symmetric KMS keys and regional KMS
-    #   keys. You cannot create an asymmetric KMS key or a multi-Region key in
-    #   a custom key store.
+    #   This parameter is valid only for symmetric encryption KMS keys in a
+    #   single Region. You cannot create any other type of KMS key in a custom
+    #   key store.
     #
     #   To find the ID of a custom key store, use the DescribeCustomKeyStores
     #   operation.
@@ -1401,8 +1466,8 @@ module Aws::KMS
     #   TagResource operation.
     #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    #   key. For details, see [Using ABAC in KMS][1] in the *Key Management
-    #   Service Developer Guide*.
+    #   key. For details, see [ABAC in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #    </note>
     #
@@ -1442,15 +1507,16 @@ module Aws::KMS
     #   encrypt data in one Amazon Web Services Region and decrypt it in a
     #   different Amazon Web Services Region without re-encrypting the data or
     #   making a cross-Region call. For more information about multi-Region
-    #   keys, see [Using multi-Region keys][1] in the *Key Management Service
+    #   keys, see [Multi-Region keys in KMS][1] in the *Key Management Service
     #   Developer Guide*.
     #
     #   This value creates a *primary key*, not a replica. To create a
     #   *replica key*, use the ReplicateKey operation.
     #
-    #   You can create a symmetric or asymmetric multi-Region key, and you can
-    #   create a multi-Region key with imported key material. However, you
-    #   cannot create a multi-Region key in a custom key store.
+    #   You can create a multi-Region version of a symmetric encryption KMS
+    #   key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
+    #   imported key material. However, you cannot create a multi-Region key
+    #   in a custom key store.
     #
     #
     #
@@ -1663,14 +1729,46 @@ module Aws::KMS
     #     }, # Detailed information about the KMS key that this operation creates.
     #   }
     #
+    # @example Example: To create an HMAC KMS key
+    #
+    #   # This example creates a 384-bit symmetric HMAC KMS key. The GENERATE_VERIFY_MAC key usage value is required even though
+    #   # it's the only valid value for HMAC KMS keys. The key spec and key usage can't be changed after the key is created. 
+    #
+    #   resp = client.create_key({
+    #     key_spec: "HMAC_384", # Describes the type of key material in the KMS key.
+    #     key_usage: "GENERATE_VERIFY_MAC", # The cryptographic operations for which you can use the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse("2022-04-05T14:04:55-07:00"), 
+    #       customer_master_key_spec: "HMAC_384", 
+    #       description: "", 
+    #       enabled: true, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_spec: "HMAC_384", 
+    #       key_state: "Enabled", 
+    #       key_usage: "GENERATE_VERIFY_MAC", 
+    #       mac_algorithms: [
+    #         "HMAC_SHA_384", 
+    #       ], 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #     }, # Detailed information about the KMS key that this operation creates.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_key({
     #     policy: "PolicyType",
     #     description: "DescriptionType",
-    #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
-    #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
-    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
+    #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
+    #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
+    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
     #     origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
     #     custom_key_store_id: "CustomKeyStoreIdType",
     #     bypass_policy_lockout_safety_check: false,
@@ -1691,7 +1789,7 @@ module Aws::KMS
     #   resp.key_metadata.creation_date #=> Time
     #   resp.key_metadata.enabled #=> Boolean
     #   resp.key_metadata.description #=> String
-    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.key_metadata.deletion_date #=> Time
     #   resp.key_metadata.valid_to #=> Time
@@ -1700,8 +1798,8 @@ module Aws::KMS
     #   resp.key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
+    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
     #   resp.key_metadata.encryption_algorithms #=> Array
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
     #   resp.key_metadata.signing_algorithms #=> Array
@@ -1714,6 +1812,8 @@ module Aws::KMS
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
     #   resp.key_metadata.pending_deletion_window_in_days #=> Integer
+    #   resp.key_metadata.mac_algorithms #=> Array
+    #   resp.key_metadata.mac_algorithms[0] #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
     #
@@ -1738,29 +1838,30 @@ module Aws::KMS
     # * GenerateDataKeyPairWithoutPlaintext
     #
     # You can use this operation to decrypt ciphertext that was encrypted
-    # under a symmetric or asymmetric KMS key. When the KMS key is
-    # asymmetric, you must specify the KMS key and the encryption algorithm
-    # that was used to encrypt the ciphertext. For information about
-    # symmetric and asymmetric KMS keys, see [Using Symmetric and Asymmetric
-    # KMS keys][1] in the *Key Management Service Developer Guide*.
+    # under a symmetric encryption KMS key or an asymmetric encryption KMS
+    # key. When the KMS key is asymmetric, you must specify the KMS key and
+    # the encryption algorithm that was used to encrypt the ciphertext. For
+    # information about asymmetric KMS keys, see [Asymmetric KMS keys][1] in
+    # the *Key Management Service Developer Guide*.
     #
-    # The Decrypt operation also decrypts ciphertext that was encrypted
+    # The `Decrypt` operation also decrypts ciphertext that was encrypted
     # outside of KMS by the public key in an KMS asymmetric KMS key.
     # However, it cannot decrypt ciphertext produced by other libraries,
     # such as the [Amazon Web Services Encryption SDK][2] or [Amazon S3
     # client-side encryption][3]. These libraries return a ciphertext format
     # that is incompatible with KMS.
     #
-    # If the ciphertext was encrypted under a symmetric KMS key, the `KeyId`
-    # parameter is optional. KMS can get this information from metadata that
-    # it adds to the symmetric ciphertext blob. This feature adds durability
-    # to your implementation by ensuring that authorized users can decrypt
-    # ciphertext decades after it was encrypted, even if they've lost track
-    # of the key ID. However, specifying the KMS key is always recommended
-    # as a best practice. When you use the `KeyId` parameter to specify a
-    # KMS key, KMS only uses the KMS key you specify. If the ciphertext was
-    # encrypted under a different KMS key, the `Decrypt` operation fails.
-    # This practice ensures that you use the KMS key that you intend.
+    # If the ciphertext was encrypted under a symmetric encryption KMS key,
+    # the `KeyId` parameter is optional. KMS can get this information from
+    # metadata that it adds to the symmetric ciphertext blob. This feature
+    # adds durability to your implementation by ensuring that authorized
+    # users can decrypt ciphertext decades after it was encrypted, even if
+    # they've lost track of the key ID. However, specifying the KMS key is
+    # always recommended as a best practice. When you use the `KeyId`
+    # parameter to specify a KMS key, KMS only uses the KMS key you specify.
+    # If the ciphertext was encrypted under a different KMS key, the
+    # `Decrypt` operation fails. This practice ensures that you use the KMS
+    # key that you intend.
     #
     # Whenever possible, use key policies to give users permission to call
     # the `Decrypt` operation on a particular KMS key, instead of using IAM
@@ -1779,8 +1880,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][7] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][7] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -1815,17 +1916,19 @@ module Aws::KMS
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
     #   encryption context is valid only for [cryptographic operations][1]
-    #   with a symmetric KMS key. The standard asymmetric encryption
-    #   algorithms that KMS uses do not support an encryption context.
+    #   with a symmetric encryption KMS key. The standard asymmetric
+    #   encryption algorithms and HMAC algorithms that KMS uses do not support
+    #   an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *Key
+    #   For more information, see [Encryption context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1847,14 +1950,18 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
     # @option params [String] :key_id
-    #   Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter a
-    #   key ID of the KMS key that was used to encrypt the ciphertext.
+    #   Specifies the KMS key that KMS uses to decrypt the ciphertext.
+    #
+    #   Enter a key ID of the KMS key that was used to encrypt the ciphertext.
+    #   If you identify a different KMS key, the `Decrypt` operation throws an
+    #   `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS can
-    #   get the KMS key from metadata that it adds to the symmetric ciphertext
-    #   blob. However, it is always recommended as a best practice. This
-    #   practice ensures that you use the KMS key that you intend.
+    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
+    #   key, KMS can get the KMS key from metadata that it adds to the
+    #   symmetric ciphertext blob. However, it is always recommended as a best
+    #   practice. This practice ensures that you use the KMS key that you
+    #   intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -1884,7 +1991,7 @@ module Aws::KMS
     #   This parameter is required only when the ciphertext was encrypted
     #   under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
     #   represents the only supported algorithm that is valid for symmetric
-    #   KMS keys.
+    #   encryption KMS keys.
     #
     # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1938,8 +2045,8 @@ module Aws::KMS
     # Deletes the specified alias.
     #
     # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
-    # the KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    # Management Service Developer Guide*.
+    # the KMS key. For details, see [ABAC in KMS][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #  </note>
     #
@@ -2114,8 +2221,8 @@ module Aws::KMS
     # reimport the same key material into the KMS key.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -2341,14 +2448,13 @@ module Aws::KMS
     # This detailed information includes the key ARN, creation date (and
     # deletion date, if applicable), the key state, and the origin and
     # expiration date (if any) of the key material. It includes fields, like
-    # `KeySpec`, that help you distinguish symmetric from asymmetric KMS
-    # keys. It also provides information that is particularly important to
-    # asymmetric keys, such as the key usage (encryption or signing) and the
-    # encryption algorithms or signing algorithms that the KMS key supports.
-    # For KMS keys in custom key stores, it includes information about the
-    # custom key store, such as the key store ID and the CloudHSM cluster
-    # ID. For multi-Region keys, it displays the primary key and all related
-    # replica keys.
+    # `KeySpec`, that help you distinguish different types of KMS keys. It
+    # also displays the key usage (encryption, signing, or generating and
+    # verifying MACs) and the algorithms that the KMS key supports. For KMS
+    # keys in custom key stores, it includes information about the custom
+    # key store, such as the key store ID and the CloudHSM cluster ID. For
+    # multi-Region keys, it displays the primary key and all related replica
+    # keys.
     #
     # `DescribeKey` does not return the following information:
     #
@@ -2366,11 +2472,10 @@ module Aws::KMS
     # * Key policies and grants on the KMS key. To get this information, use
     #   GetKeyPolicy and ListGrants.
     #
-    # If you call the `DescribeKey` operation on a *predefined Amazon Web
-    # Services alias*, that is, an Amazon Web Services alias with no key ID,
-    # KMS creates an [Amazon Web Services managed key][2]. Then, it
-    # associates the alias with the new KMS key, and returns the `KeyId` and
-    # `Arn` of the new KMS key in the response.
+    # In general, `DescribeKey` is a non-mutating operation. It returns data
+    # about KMS keys, but doesn't change them. However, Amazon Web Services
+    # services use `DescribeKey` to create [Amazon Web Services managed
+    # keys][2] from a *predefined Amazon Web Services alias* with no key ID.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -2452,10 +2557,10 @@ module Aws::KMS
     #
     # @example Example: To get details about a KMS key
     #
-    #   # The following example gets metadata about a symmetric KMS key.
+    #   # The following example gets metadata for a symmetric encryption KMS key.
     #
     #   resp = client.describe_key({
-    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that you want information about. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
     #   })
     #
     #   resp.to_h outputs the following:
@@ -2480,6 +2585,121 @@ module Aws::KMS
     #     }, # An object that contains information about the specified KMS key.
     #   }
     #
+    # @example Example: To get details about an RSA asymmetric KMS key
+    #
+    #   # The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.
+    #
+    #   resp = client.describe_key({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse(1571767572.317), 
+    #       customer_master_key_spec: "RSA_2048", 
+    #       description: "", 
+    #       enabled: false, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_spec: "RSA_2048", 
+    #       key_state: "Disabled", 
+    #       key_usage: "SIGN_VERIFY", 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #       signing_algorithms: [
+    #         "RSASSA_PKCS1_V1_5_SHA_256", 
+    #         "RSASSA_PKCS1_V1_5_SHA_384", 
+    #         "RSASSA_PKCS1_V1_5_SHA_512", 
+    #         "RSASSA_PSS_SHA_256", 
+    #         "RSASSA_PSS_SHA_384", 
+    #         "RSASSA_PSS_SHA_512", 
+    #       ], 
+    #     }, # An object that contains information about the specified KMS key.
+    #   }
+    #
+    # @example Example: To get details about a multi-Region key
+    #
+    #   # The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key.
+    #   # DescribeKey returns information about the primary key and all of its replicas.
+    #
+    #   resp = client.describe_key({
+    #     key_id: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #       creation_date: Time.parse(1586329200.918), 
+    #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
+    #       description: "", 
+    #       enabled: true, 
+    #       encryption_algorithms: [
+    #         "SYMMETRIC_DEFAULT", 
+    #       ], 
+    #       key_id: "mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_state: "Enabled", 
+    #       key_usage: "ENCRYPT_DECRYPT", 
+    #       multi_region: true, 
+    #       multi_region_configuration: {
+    #         multi_region_key_type: "PRIMARY", 
+    #         primary_key: {
+    #           arn: "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #           region: "us-west-2", 
+    #         }, 
+    #         replica_keys: [
+    #           {
+    #             arn: "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #             region: "eu-west-1", 
+    #           }, 
+    #           {
+    #             arn: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #             region: "ap-northeast-1", 
+    #           }, 
+    #           {
+    #             arn: "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #             region: "sa-east-1", 
+    #           }, 
+    #         ], 
+    #       }, 
+    #       origin: "AWS_KMS", 
+    #     }, # An object that contains information about the specified KMS key.
+    #   }
+    #
+    # @example Example: To get details about an HMAC KMS key
+    #
+    #   # The following example gets the metadata of an HMAC KMS key. 
+    #
+    #   resp = client.describe_key({
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "123456789012", 
+    #       arn: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse(1566160362.664), 
+    #       customer_master_key_spec: "HMAC_256", 
+    #       description: "Development test key", 
+    #       enabled: true, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_state: "Enabled", 
+    #       key_usage: "GENERATE_VERIFY_MAC", 
+    #       mac_algorithms: [
+    #         "HMAC_SHA_256", 
+    #       ], 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #     }, # An object that contains information about the specified KMS key.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.describe_key({
@@ -2495,7 +2715,7 @@ module Aws::KMS
     #   resp.key_metadata.creation_date #=> Time
     #   resp.key_metadata.enabled #=> Boolean
     #   resp.key_metadata.description #=> String
-    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.key_metadata.deletion_date #=> Time
     #   resp.key_metadata.valid_to #=> Time
@@ -2504,8 +2724,8 @@ module Aws::KMS
     #   resp.key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
+    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
     #   resp.key_metadata.encryption_algorithms #=> Array
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
     #   resp.key_metadata.signing_algorithms #=> Array
@@ -2518,6 +2738,8 @@ module Aws::KMS
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
     #   resp.key_metadata.pending_deletion_window_in_days #=> Integer
+    #   resp.key_metadata.mac_algorithms #=> Array
+    #   resp.key_metadata.mac_algorithms[0] #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
     #
@@ -2532,12 +2754,12 @@ module Aws::KMS
     # prevents use of the KMS key for [cryptographic operations][1].
     #
     # For more information about how key state affects the use of a KMS key,
-    # see [Key state: Effect on your KMS key][2] in the <i> <i>Key
-    # Management Service Developer Guide</i> </i>.
+    # see [Key states of KMS keys][2] in the <i> <i>Key Management Service
+    # Developer Guide</i> </i>.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -2593,22 +2815,37 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Disables [automatic rotation of the key material][1] for the specified
-    # symmetric KMS key.
+    # Disables [automatic rotation of the key material][1] of the specified
+    # symmetric encryption KMS key.
+    #
+    # Automatic key rotation is supported only on symmetric encryption KMS
+    # keys. You cannot enable or disable automatic rotation of [asymmetric
+    # KMS keys][2], [HMAC KMS keys][3], KMS keys with [imported key
+    # material][4], or KMS keys in a [custom key store][5]. The key rotation
+    # status of these KMS keys is always `false`. To enable or disable
+    # automatic rotation of a set of related [multi-Region keys][6], set the
+    # property on the primary key.
+    #
+    # You can enable (EnableKeyRotation) and disable automatic rotation of
+    # the key material in [customer managed KMS keys][7]. Key material
+    # rotation of [Amazon Web Services managed KMS keys][8] is not
+    # configurable. KMS always rotates the key material for every year.
+    # Rotation of [Amazon Web Services owned KMS keys][9] varies.
+    #
+    # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
+    # managed keys from every three years to every year. For details, see
+    # EnableKeyRotation.
     #
-    # You cannot enable automatic rotation of [asymmetric KMS keys][2], KMS
-    # keys with [imported key material][3], or KMS keys in a [custom key
-    # store][4]. To enable or disable automatic rotation of a set of related
-    # [multi-Region keys][5], set the property on the primary key.
+    #  </note>
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][10] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DisableKeyRotation][7] (key policy)
+    # **Required permissions**\: [kms:DisableKeyRotation][11] (key policy)
     #
     # **Related operations:**
     #
@@ -2619,17 +2856,22 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies a symmetric KMS key. You cannot enable or disable automatic
-    #   rotation of [asymmetric KMS keys][1], KMS keys with [imported key
-    #   material][2], or KMS keys in a [custom key store][3].
+    #   Identifies a symmetric encryption KMS key. You cannot enable or
+    #   disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
+    #   keys][2], KMS keys with [imported key material][3], or KMS keys in a
+    #   [custom key store][4].
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -2646,8 +2888,9 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -2765,8 +3008,8 @@ module Aws::KMS
     # KMS key for [cryptographic operations][1].
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -2822,22 +3065,49 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Enables [automatic rotation of the key material][1] for the specified
-    # symmetric KMS key.
+    # Enables [automatic rotation of the key material][1] of the specified
+    # symmetric encryption KMS key.
+    #
+    # When you enable automatic rotation of a[customer managed KMS key][2],
+    # KMS rotates the key material of the KMS key one year (approximately
+    # 365 days) from the enable date and every year thereafter. You can
+    # monitor rotation of the key material for your KMS keys in CloudTrail
+    # and Amazon CloudWatch. To disable rotation of the key material in a
+    # customer managed KMS key, use the DisableKeyRotation operation.
+    #
+    # Automatic key rotation is supported only on [symmetric encryption KMS
+    # keys][3]. You cannot enable or disable automatic rotation of
+    # [asymmetric KMS keys][4], [HMAC KMS keys][5], KMS keys with [imported
+    # key material][6], or KMS keys in a [custom key store][7]. The key
+    # rotation status of these KMS keys is always `false`. To enable or
+    # disable automatic rotation of a set of related [multi-Region keys][8],
+    # set the property on the primary key.
+    #
+    # You cannot enable or disable automatic rotation [Amazon Web Services
+    # managed KMS keys][9]. KMS always rotates the key material of Amazon
+    # Web Services managed keys every year. Rotation of [Amazon Web Services
+    # owned KMS keys][10] varies.
+    #
+    # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
+    # managed keys from every three years (approximately 1,095 days) to
+    # every year (approximately 365 days).
+    #
+    #  New Amazon Web Services managed keys are automatically rotated one
+    # year after they are created, and approximately every year thereafter.
+    #
+    #  Existing Amazon Web Services managed keys are automatically rotated
+    # one year after their most recent rotation, and every year thereafter.
     #
-    # You cannot enable automatic rotation of [asymmetric KMS keys][2], KMS
-    # keys with [imported key material][3], or KMS keys in a [custom key
-    # store][4]. To enable or disable automatic rotation of a set of related
-    # [multi-Region keys][5], set the property on the primary key.
+    #  </note>
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][11] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:EnableKeyRotation][7] (key policy)
+    # **Required permissions**\: [kms:EnableKeyRotation][12] (key policy)
     #
     # **Related operations:**
     #
@@ -2848,19 +3118,25 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies a symmetric KMS key. You cannot enable automatic rotation
-    #   of [asymmetric KMS keys][1], KMS keys with [imported key material][2],
-    #   or KMS keys in a [custom key store][3]. To enable or disable automatic
-    #   rotation of a set of related [multi-Region keys][4], set the property
-    #   on the primary key.
+    #   Identifies a symmetric encryption KMS key. You cannot enable or
+    #   disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
+    #   keys][2], KMS keys with [imported key material][3], or KMS keys in a
+    #   [custom key store][4]. The key rotation status of these KMS keys is
+    #   always `false`. To enable or disable automatic rotation of a set of
+    #   related [multi-Region keys][5], set the property on the primary key.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -2876,10 +3152,11 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -2907,36 +3184,22 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Encrypts plaintext into ciphertext by using a KMS key. The `Encrypt`
-    # operation has two primary use cases:
-    #
-    # * You can encrypt small amounts of arbitrary data, such as a personal
-    #   identifier or database password, or other sensitive information.
-    #
-    # * You can use the `Encrypt` operation to move encrypted data from one
-    #   Amazon Web Services Region to another. For example, in Region A,
-    #   generate a data key and use the plaintext key to encrypt your data.
-    #   Then, in Region A, use the `Encrypt` operation to encrypt the
-    #   plaintext data key under a KMS key in Region B. Now, you can move
-    #   the encrypted data and the encrypted data key to Region B. When
-    #   necessary, you can decrypt the encrypted data key and the encrypted
-    #   data entirely within in Region B.
-    #
-    # You don't need to use the `Encrypt` operation to encrypt a data key.
-    # The GenerateDataKey and GenerateDataKeyPair operations return a
-    # plaintext data key and an encrypted copy of that data key.
-    #
-    # When you encrypt data, you must specify a symmetric or asymmetric KMS
-    # key to use in the encryption operation. The KMS key must have a
-    # `KeyUsage` value of `ENCRYPT_DECRYPT.` To find the `KeyUsage` of a KMS
-    # key, use the DescribeKey operation.
-    #
-    # If you use a symmetric KMS key, you can use an encryption context to
-    # add additional security to your encryption operation. If you specify
-    # an `EncryptionContext` when encrypting data, you must specify the same
-    # encryption context (a case-sensitive exact match) when decrypting the
-    # data. Otherwise, the request to decrypt fails with an
-    # `InvalidCiphertextException`. For more information, see [Encryption
+    # Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a
+    # symmetric or asymmetric KMS key with a `KeyUsage` of
+    # `ENCRYPT_DECRYPT`.
+    #
+    # You can use this operation to encrypt small amounts of arbitrary data,
+    # such as a personal identifier or database password, or other sensitive
+    # information. You don't need to use the `Encrypt` operation to encrypt
+    # a data key. The GenerateDataKey and GenerateDataKeyPair operations
+    # return a plaintext data key and an encrypted copy of that data key.
+    #
+    # If you use a symmetric encryption KMS key, you can use an encryption
+    # context to add additional security to your encryption operation. If
+    # you specify an `EncryptionContext` when encrypting data, you must
+    # specify the same encryption context (a case-sensitive exact match)
+    # when decrypting the data. Otherwise, the request to decrypt fails with
+    # an `InvalidCiphertextException`. For more information, see [Encryption
     # Context][1] in the *Key Management Service Developer Guide*.
     #
     # If you specify an asymmetric KMS key, you must also specify the
@@ -2951,15 +3214,15 @@ module Aws::KMS
     # fails.
     #
     #  You are not required to supply the key ID and encryption algorithm
-    # when you decrypt with symmetric KMS keys because KMS stores this
-    # information in the ciphertext blob. KMS cannot store metadata in
+    # when you decrypt with symmetric encryption KMS keys because KMS stores
+    # this information in the ciphertext blob. KMS cannot store metadata in
     # ciphertext generated with asymmetric keys. The standard format for
     # asymmetric key ciphertext does not include configurable fields.
     #
     # The maximum size of the data that you can encrypt varies with the type
     # of KMS key and the encryption algorithm that you choose.
     #
-    # * Symmetric KMS keys
+    # * Symmetric encryption KMS keys
     #
     #   * `SYMMETRIC_DEFAULT`\: 4096 bytes
     #
@@ -2984,8 +3247,8 @@ module Aws::KMS
     #   * `RSAES_OAEP_SHA_256`\: 446 bytes
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3008,7 +3271,9 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies the KMS key to use in the encryption operation.
+    #   Identifies the KMS key to use in the encryption operation. The KMS key
+    #   must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the `KeyUsage` of
+    #   a KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3035,18 +3300,19 @@ module Aws::KMS
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used to encrypt the
     #   data. An encryption context is valid only for [cryptographic
-    #   operations][1] with a symmetric KMS key. The standard asymmetric
-    #   encryption algorithms that KMS uses do not support an encryption
-    #   context.
+    #   operations][1] with a symmetric encryption KMS key. The standard
+    #   asymmetric encryption algorithms and HMAC algorithms that KMS uses do
+    #   not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *Key
+    #   For more information, see [Encryption context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3073,9 +3339,9 @@ module Aws::KMS
     #   that you specify.
     #
     #   This parameter is required only for asymmetric KMS keys. The default
-    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
-    #   keys. If you are using an asymmetric KMS key, we recommend
-    #   RSAES\_OAEP\_SHA\_256.
+    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
+    #   encryption KMS keys. If you are using an asymmetric KMS key, we
+    #   recommend RSAES\_OAEP\_SHA\_256.
     #
     # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -3126,19 +3392,17 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique symmetric data key for client-side encryption. This
+    # Returns a unique symmetric data key for use outside of KMS. This
     # operation returns a plaintext copy of the data key and a copy that is
-    # encrypted under a KMS key that you specify. You can use the plaintext
-    # key to encrypt your data outside of KMS and store the encrypted data
-    # key with the encrypted data.
-    #
-    # `GenerateDataKey` returns a unique data key for each request. The
-    # bytes in the plaintext key are not related to the caller or the KMS
-    # key.
-    #
-    # To generate a data key, specify the symmetric KMS key that will be
-    # used to encrypt the data key. You cannot use an asymmetric KMS key to
-    # generate data keys. To get the type of your KMS key, use the
+    # encrypted under a symmetric encryption KMS key that you specify. The
+    # bytes in the plaintext key are random; they are not related to the
+    # caller or the KMS key. You can use the plaintext key to encrypt your
+    # data outside of KMS and store the encrypted data key with the
+    # encrypted data.
+    #
+    # To generate a data key, specify the symmetric encryption KMS key that
+    # will be used to encrypt the data key. You cannot use an asymmetric KMS
+    # key to encrypt data keys. To get the type of your KMS key, use the
     # DescribeKey operation. You must also specify the length of the data
     # key. Use either the `KeySpec` or `NumberOfBytes` parameters (but not
     # both). For 128-bit and 256-bit data keys, use the `KeySpec` parameter.
@@ -3149,7 +3413,7 @@ module Aws::KMS
     # GenerateDataKeyPairWithoutPlaintext operation. To get a
     # cryptographically secure random byte string, use GenerateRandom.
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3164,8 +3428,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **How to use your data key**
     #
@@ -3224,7 +3488,10 @@ module Aws::KMS
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies the symmetric KMS key that encrypts the data key.
+    #   Specifies the symmetric encryption KMS key that encrypts the data key.
+    #   You cannot specify an asymmetric KMS key or a KMS key in a custom key
+    #   store. To get the type and origin of your KMS key, use the DescribeKey
+    #   operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3250,13 +3517,14 @@ module Aws::KMS
     #   data key.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3344,11 +3612,13 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique asymmetric data key pair. The `GenerateDataKeyPair`
+    # Returns a unique asymmetric data key pair for use outside of KMS. This
     # operation returns a plaintext public key, a plaintext private key, and
-    # a copy of the private key that is encrypted under the symmetric KMS
-    # key you specify. You can use the data key pair to perform asymmetric
-    # cryptography and implement digital signatures outside of KMS.
+    # a copy of the private key that is encrypted under the symmetric
+    # encryption KMS key you specify. You can use the data key pair to
+    # perform asymmetric cryptography and implement digital signatures
+    # outside of KMS. The bytes in the keys are random; they not related to
+    # the caller or to the KMS key that is used to encrypt the private key.
     #
     # You can use the public key that `GenerateDataKeyPair` returns to
     # encrypt data or verify a signature outside of KMS. Then, store the
@@ -3356,10 +3626,10 @@ module Aws::KMS
     # data or sign a message, you can use the Decrypt operation to decrypt
     # the encrypted private key.
     #
-    # To generate a data key pair, you must specify a symmetric KMS key to
-    # encrypt the private key in a data key pair. You cannot use an
-    # asymmetric KMS key or a KMS key in a custom key store. To get the type
-    # and origin of your KMS key, use the DescribeKey operation.
+    # To generate a data key pair, you must specify a symmetric encryption
+    # KMS key to encrypt the private key in a data key pair. You cannot use
+    # an asymmetric KMS key or a KMS key in a custom key store. To get the
+    # type and origin of your KMS key, use the DescribeKey operation.
     #
     # Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
     # (ECC) data key pair. KMS recommends that your use ECC key pairs for
@@ -3377,13 +3647,13 @@ module Aws::KMS
     # to decrypt the encrypted private key in the data key pair.
     #
     # `GenerateDataKeyPair` returns a unique data key pair for each request.
-    # The bytes in the keys are not related to the caller or the KMS key
-    # that is used to encrypt the private key. The public key is a
-    # DER-encoded X.509 SubjectPublicKeyInfo, as specified in [RFC 5280][1].
-    # The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in
-    # [RFC 5958][2].
+    # The bytes in the keys are random; they are not related to the caller
+    # or the KMS key that is used to encrypt the private key. The public key
+    # is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in [RFC
+    # 5280][1]. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as
+    # specified in [RFC 5958][2].
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3392,8 +3662,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3426,13 +3696,14 @@ module Aws::KMS
     #   private key in the data key pair.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3440,10 +3711,10 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [required, String] :key_id
-    #   Specifies the symmetric KMS key that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric KMS key or a KMS key
-    #   in a custom key store. To get the type and origin of your KMS key, use
-    #   the DescribeKey operation.
+    #   Specifies the symmetric encryption KMS key that encrypts the private
+    #   key in the data key pair. You cannot specify an asymmetric KMS key or
+    #   a KMS key in a custom key store. To get the type and origin of your
+    #   KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3497,16 +3768,16 @@ module Aws::KMS
     # @example Example: To generate an RSA key pair for encryption and decryption
     #
     #   # This example generates an RSA data key pair for encryption and decryption. The operation returns a plaintext public key
-    #   # and private key, and a copy of the private key that is encrypted under a symmetric KMS key that you specify.
+    #   # and private key, and a copy of the private key that is encrypted under a symmetric encryption KMS key that you specify.
     #
     #   resp = client.generate_data_key_pair({
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric KMS key that encrypts the private RSA key in the data key pair.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
     #     key_pair_spec: "RSA_3072", # The requested key spec of the RSA data key pair.
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric KMS key that was used to encrypt the private key.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that was used to encrypt the private key.
     #     key_pair_spec: "RSA_3072", # The actual key spec of the RSA data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The encrypted private key of the RSA data key pair.
     #     private_key_plaintext: "<binary data>", # The plaintext private key of the RSA data key pair.
@@ -3541,11 +3812,12 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique asymmetric data key pair. The
-    # `GenerateDataKeyPairWithoutPlaintext` operation returns a plaintext
-    # public key and a copy of the private key that is encrypted under the
-    # symmetric KMS key you specify. Unlike GenerateDataKeyPair, this
-    # operation does not return a plaintext private key.
+    # Returns a unique asymmetric data key pair for use outside of KMS. This
+    # operation returns a plaintext public key and a copy of the private key
+    # that is encrypted under the symmetric encryption KMS key you specify.
+    # Unlike GenerateDataKeyPair, this operation does not return a plaintext
+    # private key. The bytes in the keys are random; they are not related to
+    # the caller or to the KMS key that is used to encrypt the private key.
     #
     # You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
     # returns to encrypt data or verify a signature outside of KMS. Then,
@@ -3553,10 +3825,10 @@ module Aws::KMS
     # decrypt data or sign a message, you can use the Decrypt operation to
     # decrypt the encrypted private key.
     #
-    # To generate a data key pair, you must specify a symmetric KMS key to
-    # encrypt the private key in a data key pair. You cannot use an
-    # asymmetric KMS key or a KMS key in a custom key store. To get the type
-    # and origin of your KMS key, use the DescribeKey operation.
+    # To generate a data key pair, you must specify a symmetric encryption
+    # KMS key to encrypt the private key in a data key pair. You cannot use
+    # an asymmetric KMS key or a KMS key in a custom key store. To get the
+    # type and origin of your KMS key, use the DescribeKey operation.
     #
     # Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
     # (ECC) data key pair. KMS recommends that your use ECC key pairs for
@@ -3570,7 +3842,7 @@ module Aws::KMS
     # a DER-encoded X.509 SubjectPublicKeyInfo, as specified in [RFC
     # 5280][1].
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3579,8 +3851,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][3] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3613,13 +3885,14 @@ module Aws::KMS
     #   private key in the data key pair.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3627,10 +3900,10 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [required, String] :key_id
-    #   Specifies the KMS key that encrypts the private key in the data key
-    #   pair. You must specify a symmetric KMS key. You cannot use an
-    #   asymmetric KMS key or a KMS key in a custom key store. To get the type
-    #   and origin of your KMS key, use the DescribeKey operation.
+    #   Specifies the symmetric encryption KMS key that encrypts the private
+    #   key in the data key pair. You cannot specify an asymmetric KMS key or
+    #   a KMS key in a custom key store. To get the type and origin of your
+    #   KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3683,16 +3956,16 @@ module Aws::KMS
     # @example Example: To generate an asymmetric data key pair without a plaintext key
     #
     #   # This example returns an asymmetric elliptic curve (ECC) data key pair. The private key is encrypted under the symmetric
-    #   # KMS key that you specify. This operation doesn't return a plaintext (unencrypted) private key.
+    #   # encryption KMS key that you specify. This operation doesn't return a plaintext (unencrypted) private key.
     #
     #   resp = client.generate_data_key_pair_without_plaintext({
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The symmetric KMS key that encrypts the private key of the ECC data key pair.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The symmetric encryption KMS key that encrypts the private key of the ECC data key pair.
     #     key_pair_spec: "ECC_NIST_P521", # The requested key spec of the ECC asymmetric data key pair.
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric KMS key that encrypted the private key in the ECC asymmetric data key pair.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that encrypted the private key in the ECC asymmetric data key pair.
     #     key_pair_spec: "ECC_NIST_P521", # The actual key spec of the ECC asymmetric data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The encrypted private key of the asymmetric ECC data key pair.
     #     public_key: "<binary data>", # The public key (plaintext).
@@ -3725,13 +3998,15 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique symmetric data key. This operation returns a data
-    # key that is encrypted under a KMS key that you specify. To request an
-    # asymmetric data key pair, use the GenerateDataKeyPair or
-    # GenerateDataKeyPairWithoutPlaintext operations.
+    # Returns a unique symmetric data key for use outside of KMS. This
+    # operation returns a data key that is encrypted under a symmetric
+    # encryption KMS key that you specify. The bytes in the key are random;
+    # they are not related to the caller or to the KMS key.
     #
     # `GenerateDataKeyWithoutPlaintext` is identical to the GenerateDataKey
-    # operation except that returns only the encrypted copy of the data key.
+    # operation except that it does not return a plaintext copy of the data
+    # key.
+    #
     # This operation is useful for systems that need to encrypt data at some
     # point, but not immediately. When you need to encrypt the data, you
     # call the Decrypt operation on the encrypted copy of the key.
@@ -3746,19 +4021,18 @@ module Aws::KMS
     # data key. In this system, the component that creates the containers
     # never sees the plaintext data key.
     #
-    # `GenerateDataKeyWithoutPlaintext` returns a unique data key for each
-    # request. The bytes in the keys are not related to the caller or KMS
-    # key that is used to encrypt the private key.
+    # To request an asymmetric data key pair, use the GenerateDataKeyPair or
+    # GenerateDataKeyPairWithoutPlaintext operations.
     #
-    # To generate a data key, you must specify the symmetric KMS key that is
-    # used to encrypt the data key. You cannot use an asymmetric KMS key to
-    # generate a data key. To get the type of your KMS key, use the
-    # DescribeKey operation.
+    # To generate a data key, you must specify the symmetric encryption KMS
+    # key that is used to encrypt the data key. You cannot use an asymmetric
+    # KMS key or a key in a custom key store to generate a data key. To get
+    # the type of your KMS key, use the DescribeKey operation.
     #
     # If the operation succeeds, you will find the encrypted copy of the
     # data key in the `CiphertextBlob` field.
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3767,8 +4041,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3796,7 +4070,10 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric KMS key that encrypts the data key.
+    #   Specifies the symmetric encryption KMS key that encrypts the data key.
+    #   You cannot specify an asymmetric KMS key or a KMS key in a custom key
+    #   store. To get the type and origin of your KMS key, use the DescribeKey
+    #   operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3822,13 +4099,14 @@ module Aws::KMS
     #   data key.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3906,6 +4184,135 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Generates a hash-based message authentication code (HMAC) for a
+    # message using an HMAC KMS key and a MAC algorithm that the key
+    # supports. The MAC algorithm computes the HMAC for the message and the
+    # key as described in [RFC 2104][1].
+    #
+    # You can use the HMAC that this operation generates with the VerifyMac
+    # operation to demonstrate that the original message has not changed.
+    # Also, because a secret key is used to create the hash, you can verify
+    # that the party that generated the hash has the required secret key.
+    # This operation is part of KMS support for HMAC KMS keys. For details,
+    # see [HMAC keys in KMS][2] in the <i> <i>Key Management Service
+    # Developer Guide</i> </i>.
+    #
+    # <note markdown="1"> Best practices recommend that you limit the time during which any
+    # signing mechanism, including an HMAC, is effective. This deters an
+    # attack where the actor uses a signed message to establish validity
+    # repeatedly or long after the message is superseded. HMAC tags do not
+    # include a timestamp, but you can include a timestamp in the token or
+    # message to help you detect when its time to refresh the HMAC.
+    #
+    #  </note>
+    #
+    # The KMS key that you use for this operation must be in a compatible
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # in a different Amazon Web Services account, specify the key ARN or
+    # alias ARN in the value of the `KeyId` parameter.
+    #
+    # **Required permissions**\: [kms:GenerateMac][4] (key policy)
+    #
+    # **Related operations**\: VerifyMac
+    #
+    #
+    #
+    # [1]: https://datatracker.ietf.org/doc/html/rfc2104
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #
+    # @option params [required, String, StringIO, File] :message
+    #   The message to be hashed. Specify a message of up to 4,096 bytes.
+    #
+    #   `GenerateMac` and VerifyMac do not provide special handling for
+    #   message digests. If you generate an HMAC for a hash digest of a
+    #   message, you must verify the HMAC of the same hash digest.
+    #
+    # @option params [required, String] :key_id
+    #   The HMAC KMS key to use in the operation. The MAC algorithm computes
+    #   the HMAC for the message and the key as described in [RFC 2104][1].
+    #
+    #   To identify an HMAC KMS key, use the DescribeKey operation and see the
+    #   `KeySpec` field in the response.
+    #
+    #
+    #
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc2104
+    #
+    # @option params [required, String] :mac_algorithm
+    #   The MAC algorithm used in the operation.
+    #
+    #   The algorithm must be compatible with the HMAC KMS key that you
+    #   specify. To find the MAC algorithms that your HMAC KMS key supports,
+    #   use the DescribeKey operation and see the `MacAlgorithms` field in the
+    #   `DescribeKey` response.
+    #
+    # @option params [Array<String>] :grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*. For
+    #   more information, see [Grant token][1] and [Using a grant token][2] in
+    #   the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #
+    # @return [Types::GenerateMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GenerateMacResponse#mac #mac} => String
+    #   * {Types::GenerateMacResponse#mac_algorithm #mac_algorithm} => String
+    #   * {Types::GenerateMacResponse#key_id #key_id} => String
+    #
+    #
+    # @example Example: To generate an HMAC for a message
+    #
+    #   # This example generates an HMAC for a message, an HMAC KMS key, and a MAC algorithm. The algorithm must be supported by
+    #   # the specified HMAC KMS key.
+    #
+    #   resp = client.generate_mac({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The HMAC KMS key input to the HMAC algorithm.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm requested for the operation.
+    #     message: "Hello World", # The message input to the HMAC algorithm.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the HMAC KMS key used in the operation.
+    #     mac: "<HMAC_TAG>", # The HMAC tag that results from this operation.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm used in the operation.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.generate_mac({
+    #     message: "data", # required
+    #     key_id: "KeyIdType", # required
+    #     mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
+    #     grant_tokens: ["GrantTokenType"],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.mac #=> String
+    #   resp.mac_algorithm #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
+    #   resp.key_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac AWS API Documentation
+    #
+    # @overload generate_mac(params = {})
+    # @param [Hash] params ({})
+    def generate_mac(params = {}, options = {})
+      req = build_request(:generate_mac, params)
+      req.send_request(options)
+    end
+
     # Returns a random byte string that is cryptographically secure.
     #
     # By default, the random byte string is generated in KMS. To generate
@@ -4055,30 +4462,56 @@ module Aws::KMS
     # Gets a Boolean value that indicates whether [automatic rotation of the
     # key material][1] is enabled for the specified KMS key.
     #
-    # You cannot enable automatic rotation of [asymmetric KMS keys][2], KMS
-    # keys with [imported key material][3], or KMS keys in a [custom key
-    # store][4]. To enable or disable automatic rotation of a set of related
-    # [multi-Region keys][5], set the property on the primary key. The key
-    # rotation status for these KMS keys is always `false`.
+    # When you enable automatic rotation for [customer managed KMS keys][2],
+    # KMS rotates the key material of the KMS key one year (approximately
+    # 365 days) from the enable date and every year thereafter. You can
+    # monitor rotation of the key material for your KMS keys in CloudTrail
+    # and Amazon CloudWatch.
+    #
+    # Automatic key rotation is supported only on [symmetric encryption KMS
+    # keys][3]. You cannot enable or disable automatic rotation of
+    # [asymmetric KMS keys][4], [HMAC KMS keys][5], KMS keys with [imported
+    # key material][6], or KMS keys in a [custom key store][7]. The key
+    # rotation status of these KMS keys is always `false`. To enable or
+    # disable automatic rotation of a set of related [multi-Region keys][8],
+    # set the property on the primary key..
+    #
+    # You can enable (EnableKeyRotation) and disable automatic rotation
+    # (DisableKeyRotation) of the key material in customer managed KMS keys.
+    # Key material rotation of [Amazon Web Services managed KMS keys][9] is
+    # not configurable. KMS always rotates the key material in Amazon Web
+    # Services managed KMS keys every year. The key rotation status for
+    # Amazon Web Services managed KMS keys is always `true`.
+    #
+    # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
+    # managed keys from every three years to every year. For details, see
+    # EnableKeyRotation.
+    #
+    #  </note>
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][10] in the *Key
+    # Management Service Developer Guide*.
     #
     # * Disabled: The key rotation status does not change when you disable a
     #   KMS key. However, while the KMS key is disabled, KMS does not rotate
-    #   the key material.
+    #   the key material. When you re-enable the KMS key, rotation resumes.
+    #   If the key material in the re-enabled KMS key hasn't been rotated
+    #   in one year, KMS rotates it immediately, and every year thereafter.
+    #   If it's been less than a year since the key material in the
+    #   re-enabled KMS key was rotated, the KMS key resumes its prior
+    #   rotation schedule.
     #
     # * Pending deletion: While a KMS key is pending deletion, its key
     #   rotation status is `false` and KMS does not rotate the key material.
-    #   If you cancel the deletion, the original key rotation status is
-    #   restored.
+    #   If you cancel the deletion, the original key rotation status returns
+    #   to `true`.
     #
     # **Cross-account use**\: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
     # value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GetKeyRotationStatus][7] (key policy)
+    # **Required permissions**\: [kms:GetKeyRotationStatus][11] (key policy)
     #
     # **Related operations:**
     #
@@ -4089,12 +4522,16 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
     #   Gets the rotation status for the specified KMS key.
@@ -4149,21 +4586,22 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Returns the items you need to import key material into a symmetric,
-    # customer managed KMS key. For more information about importing key
-    # material into KMS, see [Importing Key Material][1] in the *Key
-    # Management Service Developer Guide*.
+    # Returns the items you need to import key material into a symmetric
+    # encryption KMS key. For more information about importing key material
+    # into KMS, see [Importing key material][1] in the *Key Management
+    # Service Developer Guide*.
     #
     # This operation returns a public key and an import token. Use the
     # public key to encrypt the symmetric key material. Store the import
     # token to send with a subsequent ImportKeyMaterial request.
     #
-    # You must specify the key ID of the symmetric KMS key into which you
-    # will import key material. This KMS key's `Origin` must be `EXTERNAL`.
-    # You must also specify the wrapping algorithm and type of wrapping key
-    # (public key) that you will use to encrypt the key material. You cannot
-    # perform this operation on an asymmetric KMS key or on any KMS key in a
-    # different Amazon Web Services account.
+    # You must specify the key ID of the symmetric encryption KMS key into
+    # which you will import key material. This KMS key's `Origin` must be
+    # `EXTERNAL`. You must also specify the wrapping algorithm and type of
+    # wrapping key (public key) that you will use to encrypt the key
+    # material. You cannot perform this operation on an asymmetric KMS key,
+    # an HMAC KMS key, or on any KMS key in a different Amazon Web Services
+    # account.
     #
     # To import key material, you must use the public key and import token
     # from the same response. These items are valid for 24 hours. The
@@ -4173,8 +4611,8 @@ module Aws::KMS
     # `GetParametersForImport` request.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -4195,8 +4633,8 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric KMS key into which you will import key
-    #   material. The `Origin` of the KMS key must be `EXTERNAL`.
+    #   The identifier of the symmetric encryption KMS key into which you will
+    #   import key material. The `Origin` of the KMS key must be `EXTERNAL`.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -4279,9 +4717,8 @@ module Aws::KMS
     # callers with `kms:GetPublicKey` permission can download the public key
     # of an asymmetric KMS key. You can share the public key to allow others
     # to encrypt messages and verify signatures outside of KMS. For
-    # information about symmetric and asymmetric KMS keys, see [Using
-    # Symmetric and Asymmetric KMS keys][1] in the *Key Management Service
-    # Developer Guide*.
+    # information about asymmetric KMS keys, see [Asymmetric KMS keys][1] in
+    # the *Key Management Service Developer Guide*.
     #
     # You do not need to download the public key. Instead, you can use the
     # public key within KMS by calling the Encrypt, ReEncrypt, or Verify
@@ -4313,8 +4750,8 @@ module Aws::KMS
     # in a verification operation.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][7] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][7] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -4414,9 +4851,9 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.public_key #=> String
-    #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.encryption_algorithms #=> Array
     #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
     #   resp.signing_algorithms #=> Array
@@ -4431,16 +4868,17 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Imports key material into an existing symmetric KMS KMS key that was
-    # created without key material. After you successfully import key
-    # material into a KMS key, you can [reimport the same key material][1]
-    # into that KMS key, but you cannot import different key material.
-    #
-    # You cannot perform this operation on an asymmetric KMS key or on any
-    # KMS key in a different Amazon Web Services account. For more
-    # information about creating KMS keys with no key material and then
-    # importing key material, see [Importing Key Material][2] in the *Key
-    # Management Service Developer Guide*.
+    # Imports key material into an existing symmetric encryption KMS key
+    # that was created without key material. After you successfully import
+    # key material into a KMS key, you can [reimport the same key
+    # material][1] into that KMS key, but you cannot import different key
+    # material.
+    #
+    # You cannot perform this operation on an asymmetric KMS key, an HMAC
+    # KMS key, or on any KMS key in a different Amazon Web Services account.
+    # For more information about creating KMS keys with no key material and
+    # then importing key material, see [Importing Key Material][2] in the
+    # *Key Management Service Developer Guide*.
     #
     # Before using this operation, call GetParametersForImport. Its response
     # includes a public key and an import token. Use the public key to
@@ -4482,8 +4920,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -4505,10 +4943,13 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric KMS key that receives the imported key
-    #   material. The KMS key's `Origin` must be `EXTERNAL`. This must be the
-    #   same KMS key specified in the `KeyID` parameter of the corresponding
-    #   GetParametersForImport request.
+    #   The identifier of the symmetric encryption KMS key that receives the
+    #   imported key material. This must be the same KMS key specified in the
+    #   `KeyID` parameter of the corresponding GetParametersForImport request.
+    #   The `Origin` of the KMS key must be `EXTERNAL`. You cannot perform
+    #   this operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in
+    #   a custom key store, or on a KMS key in a different Amazon Web Services
+    #   account
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -4750,7 +5191,7 @@ module Aws::KMS
     # list by grant ID or grantee principal.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][1] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
@@ -4920,7 +5361,7 @@ module Aws::KMS
     #   resp.grants[0].retiring_principal #=> String
     #   resp.grants[0].issuing_account #=> String
     #   resp.grants[0].operations #=> Array
-    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
+    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
     #   resp.grants[0].constraints.encryption_context_subset #=> Hash
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -5276,7 +5717,7 @@ module Aws::KMS
     # a grant, use the RetireGrant operation.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][1] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
@@ -5388,7 +5829,7 @@ module Aws::KMS
     #   resp.grants[0].retiring_principal #=> String
     #   resp.grants[0].issuing_account #=> String
     #   resp.grants[0].operations #=> Array
-    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
+    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
     #   resp.grants[0].constraints.encryption_context_subset #=> Hash
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -5469,15 +5910,25 @@ module Aws::KMS
     #     visible][2] in the *Amazon Web Services Identity and Access
     #     Management User Guide*.
     #
-    #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
-    #   information, see [Resource Quotas][3] in the *Key Management Service
-    #   Developer Guide*.
+    #   A key policy document must conform to the following rules.
+    #
+    #   * Up to 32 kilobytes (32768 bytes)
+    #
+    #   * Must be UTF-8 encoded
+    #
+    #   * The only Unicode characters that are permitted in a key policy
+    #     document are the horizontal tab (U+0009), linefeed (U+000A),
+    #     carriage return (U+000D), and characters in the range U+0020 to
+    #     U+00FF.
+    #
+    #   * The `Sid` element in a key policy statement can include spaces.
+    #     (Spaces are prohibited in the `Sid` element of an IAM policy
+    #     document.)
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -5538,7 +5989,7 @@ module Aws::KMS
     # [encryption context][2] of a ciphertext.
     #
     # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
-    # using an KMS KMS key in an KMS operation, such as Encrypt or
+    # using a KMS key in an KMS operation, such as Encrypt or
     # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
     # using the public key of an [asymmetric KMS key][3] outside of KMS.
     # However, it cannot decrypt ciphertext produced by other libraries,
@@ -5556,25 +6007,24 @@ module Aws::KMS
     #   algorithm that was used. This information is required to decrypt the
     #   data.
     #
-    # * If your ciphertext was encrypted under a symmetric KMS key, the
-    #   `SourceKeyId` parameter is optional. KMS can get this information
-    #   from metadata that it adds to the symmetric ciphertext blob. This
-    #   feature adds durability to your implementation by ensuring that
-    #   authorized users can decrypt ciphertext decades after it was
-    #   encrypted, even if they've lost track of the key ID. However,
-    #   specifying the source KMS key is always recommended as a best
-    #   practice. When you use the `SourceKeyId` parameter to specify a KMS
-    #   key, KMS uses only the KMS key you specify. If the ciphertext was
-    #   encrypted under a different KMS key, the `ReEncrypt` operation
+    # * If your ciphertext was encrypted under a symmetric encryption KMS
+    #   key, the `SourceKeyId` parameter is optional. KMS can get this
+    #   information from metadata that it adds to the symmetric ciphertext
+    #   blob. This feature adds durability to your implementation by
+    #   ensuring that authorized users can decrypt ciphertext decades after
+    #   it was encrypted, even if they've lost track of the key ID.
+    #   However, specifying the source KMS key is always recommended as a
+    #   best practice. When you use the `SourceKeyId` parameter to specify a
+    #   KMS key, KMS uses only the KMS key you specify. If the ciphertext
+    #   was encrypted under a different KMS key, the `ReEncrypt` operation
     #   fails. This practice ensures that you use the KMS key that you
     #   intend.
     #
     # * To reencrypt the data, you must use the `DestinationKeyId` parameter
     #   specify the KMS key that re-encrypts the data after it is decrypted.
-    #   You can select a symmetric or asymmetric KMS key. If the destination
-    #   KMS key is an asymmetric KMS key, you must also provide the
-    #   encryption algorithm. The algorithm that you choose must be
-    #   compatible with the KMS key.
+    #   If the destination KMS key is an asymmetric KMS key, you must also
+    #   provide the encryption algorithm. The algorithm that you choose must
+    #   be compatible with the KMS key.
     #
     #   When you use an asymmetric KMS key to encrypt or reencrypt data, be
     #   sure to record the KMS key and encryption algorithm that you choose.
@@ -5584,14 +6034,15 @@ module Aws::KMS
     #   fails.
     #
     #    You are not required to supply the key ID and encryption algorithm
-    #   when you decrypt with symmetric KMS keys because KMS stores this
-    #   information in the ciphertext blob. KMS cannot store metadata in
-    #   ciphertext generated with asymmetric keys. The standard format for
-    #   asymmetric key ciphertext does not include configurable fields.
+    #   when you decrypt with symmetric encryption KMS keys because KMS
+    #   stores this information in the ciphertext blob. KMS cannot store
+    #   metadata in ciphertext generated with asymmetric keys. The standard
+    #   format for asymmetric key ciphertext does not include configurable
+    #   fields.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][6] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. The source KMS key and destination KMS
     # key can be in different Amazon Web Services accounts. Either or both
@@ -5642,13 +6093,14 @@ module Aws::KMS
     #   ciphertext.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -5657,14 +6109,18 @@ module Aws::KMS
     #
     # @option params [String] :source_key_id
     #   Specifies the KMS key that KMS will use to decrypt the ciphertext
-    #   before it is re-encrypted. Enter a key ID of the KMS key that was used
-    #   to encrypt the ciphertext.
+    #   before it is re-encrypted.
+    #
+    #   Enter a key ID of the KMS key that was used to encrypt the ciphertext.
+    #   If you identify a different KMS key, the `ReEncrypt` operation throws
+    #   an `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS can
-    #   get the KMS key from metadata that it adds to the symmetric ciphertext
-    #   blob. However, it is always recommended as a best practice. This
-    #   practice ensures that you use the KMS key that you intend.
+    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
+    #   key, KMS can get the KMS key from metadata that it adds to the
+    #   symmetric ciphertext blob. However, it is always recommended as a best
+    #   practice. This practice ensures that you use the KMS key that you
+    #   intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -5687,9 +6143,9 @@ module Aws::KMS
     #
     # @option params [required, String] :destination_key_id
     #   A unique identifier for the KMS key that is used to reencrypt the
-    #   data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
-    #   value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS key,
-    #   use the DescribeKey operation.
+    #   data. Specify a symmetric encryption KMS key or an asymmetric KMS key
+    #   with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the `KeyUsage`
+    #   value of a KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -5715,17 +6171,18 @@ module Aws::KMS
     #   data.
     #
     #   A destination encryption context is valid only when the destination
-    #   KMS key is a symmetric KMS key. The standard ciphertext format for
-    #   asymmetric KMS keys does not include fields for metadata.
+    #   KMS key is a symmetric encryption KMS key. The standard ciphertext
+    #   format for asymmetric KMS keys does not include fields for metadata.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -5735,8 +6192,8 @@ module Aws::KMS
     # @option params [String] :source_encryption_algorithm
     #   Specifies the encryption algorithm that KMS will use to decrypt the
     #   ciphertext before it is reencrypted. The default value,
-    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
-    #   keys.
+    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
+    #   encryption KMS keys.
     #
     #   Specify the same algorithm that was used to encrypt the ciphertext. If
     #   you specify a different algorithm, the decrypt attempt fails.
@@ -5748,7 +6205,7 @@ module Aws::KMS
     #   Specifies the encryption algorithm that KMS will use to reecrypt the
     #   data after it has decrypted it. The default value,
     #   `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
-    #   symmetric KMS keys.
+    #   symmetric encryption KMS keys.
     #
     #   This parameter is required only when the destination KMS key is an
     #   asymmetric KMS key.
@@ -5839,7 +6296,7 @@ module Aws::KMS
     # encrypt data in one Amazon Web Services Region and decrypt it in a
     # different Amazon Web Services Region without re-encrypting the data or
     # making a cross-Region call. For more information about multi-Region
-    # keys, see [Using multi-Region keys][1] in the *Key Management Service
+    # keys, see [Multi-Region keys in KMS][1] in the *Key Management Service
     # Developer Guide*.
     #
     # A *replica key* is a fully-functional KMS key that can be used
@@ -5850,8 +6307,8 @@ module Aws::KMS
     # [automatic key rotation status][6]. KMS automatically synchronizes
     # these shared properties among related multi-Region keys. All other
     # properties of a replica key can differ, including its [key policy][7],
-    # [tags][8], [aliases][9], and [key state][10]. KMS pricing and quotas
-    # for KMS keys apply to each primary key and replica key.
+    # [tags][8], [aliases][9], and [Key states of KMS keys][10]. KMS pricing
+    # and quotas for KMS keys apply to each primary key and replica key.
     #
     # When this operation completes, the new replica key has a transient key
     # state of `Creating`. This key state changes to `Enabled` (or
@@ -5861,9 +6318,17 @@ module Aws::KMS
     # If you are creating and using the replica key programmatically, retry
     # on `KMSInvalidStateException` or call `DescribeKey` to check its
     # `KeyState` value before using it. For details about the `Creating` key
-    # state, see [Key state: Effect on your KMS
-    # key](kms/latest/developerguide/key-state.html) in the *Key Management
-    # Service Developer Guide*.
+    # state, see [Key states of KMS keys][10] in the *Key Management Service
+    # Developer Guide*.
+    #
+    # You cannot create more than one replica of a primary key in any
+    # Region. If the Region already includes a replica of the key you're
+    # trying to replicate, `ReplicateKey` returns an
+    # `AlreadyExistsException` error. If the key state of the existing
+    # replica is `PendingDeletion`, you can cancel the scheduled key
+    # deletion (CancelKeyDeletion) or wait for the key to be deleted. The
+    # new replica key you create will have the same [shared properties][11]
+    # as the original replica key.
     #
     # The CloudTrail log of a `ReplicateKey` operation records a
     # `ReplicateKey` operation in the primary key's Region and a CreateKey
@@ -5916,6 +6381,7 @@ module Aws::KMS
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties
     #
     # @option params [required, String] :key_id
     #   Identifies the multi-Region primary key that is being replicated. To
@@ -5943,24 +6409,33 @@ module Aws::KMS
     #   [KMS service endpoints][1] in the *Amazon Web Services General
     #   Reference*.
     #
+    #   <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions. If
+    #   you try to replicate an HMAC KMS key in an Amazon Web Services Region
+    #   in which HMAC keys are not supported, the `ReplicateKey` operation
+    #   returns an `UnsupportedOperationException`. For a list of Regions in
+    #   which HMAC KMS keys are supported, see [HMAC keys in KMS][2] in the
+    #   *Key Management Service Developer Guide*.
+    #
+    #    </note>
+    #
     #   The replica must be in a different Amazon Web Services Region than its
     #   primary key and other replicas of that primary key, but in the same
     #   Amazon Web Services partition. KMS must be available in the replica
     #   Region. If the Region is not enabled by default, the Amazon Web
-    #   Services account must be enabled in the Region.
-    #
-    #   For information about Amazon Web Services partitions, see [Amazon
-    #   Resource Names (ARNs) in the *Amazon Web Services General
-    #   Reference*.][2] For information about enabling and disabling Regions,
-    #   see [Enabling a Region][3] and [Disabling a Region][4] in the *Amazon
-    #   Web Services General Reference*.
+    #   Services account must be enabled in the Region. For information about
+    #   Amazon Web Services partitions, see [Amazon Resource Names (ARNs)][3]
+    #   in the *Amazon Web Services General Reference*. For information about
+    #   enabling and disabling Regions, see [Enabling a Region][4] and
+    #   [Disabling a Region][5] in the *Amazon Web Services General
+    #   Reference*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
-    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
+    #   [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
     #
     # @option params [String] :policy
     #   The key policy to attach to the KMS key. This parameter is optional.
@@ -5991,7 +6466,20 @@ module Aws::KMS
     #     visible][3] in the <i> <i>Identity and Access Management User
     #     Guide</i> </i>.
     #
-    #   * The key policy size quota is 32 kilobytes (32768 bytes).
+    #   A key policy document must conform to the following rules.
+    #
+    #   * Up to 32 kilobytes (32768 bytes)
+    #
+    #   * Must be UTF-8 encoded
+    #
+    #   * The only Unicode characters that are permitted in a key policy
+    #     document are the horizontal tab (U+0009), linefeed (U+000A),
+    #     carriage return (U+000D), and characters in the range U+0020 to
+    #     U+00FF.
+    #
+    #   * The `Sid` element in a key policy statement can include spaces.
+    #     (Spaces are prohibited in the `Sid` element of an IAM policy
+    #     document.)
     #
     #
     #
@@ -6034,8 +6522,8 @@ module Aws::KMS
     #   TagResource operation.
     #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    #   key. For details, see [Using ABAC in KMS][1] in the *Key Management
-    #   Service Developer Guide*.
+    #   key. For details, see [ABAC in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #    </note>
     #
@@ -6140,7 +6628,7 @@ module Aws::KMS
     #   resp.replica_key_metadata.creation_date #=> Time
     #   resp.replica_key_metadata.enabled #=> Boolean
     #   resp.replica_key_metadata.description #=> String
-    #   resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.replica_key_metadata.deletion_date #=> Time
     #   resp.replica_key_metadata.valid_to #=> Time
@@ -6149,8 +6637,8 @@ module Aws::KMS
     #   resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
+    #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
     #   resp.replica_key_metadata.encryption_algorithms #=> Array
     #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
     #   resp.replica_key_metadata.signing_algorithms #=> Array
@@ -6163,6 +6651,8 @@ module Aws::KMS
     #   resp.replica_key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
     #   resp.replica_key_metadata.multi_region_configuration.replica_keys[0].region #=> String
     #   resp.replica_key_metadata.pending_deletion_window_in_days #=> Integer
+    #   resp.replica_key_metadata.mac_algorithms #=> Array
+    #   resp.replica_key_metadata.mac_algorithms[0] #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
     #   resp.replica_policy #=> String
     #   resp.replica_tags #=> Array
     #   resp.replica_tags[0].tag_key #=> String
@@ -6184,14 +6674,13 @@ module Aws::KMS
     #
     # This operation can be called by the *retiring principal* for a grant,
     # by the *grantee principal* if the grant allows the `RetireGrant`
-    # operation, and by the Amazon Web Services account (root user) in which
-    # the grant is created. It can also be called by principals to whom
-    # permission for retiring a grant is delegated. For details, see
-    # [Retiring and revoking grants][2] in the *Key Management Service
-    # Developer Guide*.
+    # operation, and by the Amazon Web Services account in which the grant
+    # is created. It can also be called by principals to whom permission for
+    # retiring a grant is delegated. For details, see [Retiring and revoking
+    # grants][2] in the *Key Management Service Developer Guide*.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][3] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][3] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][4].
     #
@@ -6289,7 +6778,7 @@ module Aws::KMS
     # Service Developer Guide</i> </i>.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][3] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][3] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][4].
     #
@@ -6406,8 +6895,8 @@ module Aws::KMS
     # Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][5] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6447,7 +6936,7 @@ module Aws::KMS
     #   The waiting period, specified in number of days. After the waiting
     #   period ends, KMS deletes the KMS key.
     #
-    #   If the KMS key is a multi-Region primary key with replicas, the
+    #   If the KMS key is a multi-Region primary key with replica keys, the
     #   waiting period begins when the last of its replica keys is deleted.
     #   Otherwise, the waiting period begins immediately.
     #
@@ -6501,11 +6990,11 @@ module Aws::KMS
     end
 
     # Creates a [digital signature][1] for a message or message digest by
-    # using the private key in an asymmetric KMS key. To verify the
+    # using the private key in an asymmetric signing KMS key. To verify the
     # signature, use the Verify operation, or use the public key in the same
-    # asymmetric KMS key outside of KMS. For information about symmetric and
-    # asymmetric KMS keys, see [Using Symmetric and Asymmetric KMS keys][2]
-    # in the *Key Management Service Developer Guide*.
+    # asymmetric KMS key outside of KMS. For information about asymmetric
+    # KMS keys, see [Asymmetric KMS keys][2] in the *Key Management Service
+    # Developer Guide*.
     #
     # Digital signatures are generated and verified by using asymmetric key
     # pair, such as an RSA or ECC pair that is represented by an asymmetric
@@ -6533,14 +7022,23 @@ module Aws::KMS
     # When signing a message, be sure to record the KMS key and the signing
     # algorithm. This information is required to verify the signature.
     #
+    # <note markdown="1"> Best practices recommend that you limit the time during which any
+    # signature is effective. This deters an attack where the actor uses a
+    # signed message to establish validity repeatedly or long after the
+    # message is superseded. Signatures do not include a timestamp, but you
+    # can include a timestamp in the signed message to help you detect when
+    # its time to refresh the signature.
+    #
+    #  </note>
+    #
     # To verify the signature that this operation generates, use the Verify
     # operation. Or use the GetPublicKey operation to download the public
     # key and then use the public key to verify the signature outside of
     # KMS.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][3] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -6667,8 +7165,8 @@ module Aws::KMS
     # Adds or edits tags on a [customer managed key][1].
     #
     # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    # key. For details, see [Using ABAC in KMS][2] in the *Key Management
-    # Service Developer Guide*.
+    # key. For details, see [ABAC in KMS][2] in the *Key Management Service
+    # Developer Guide*.
     #
     #  </note>
     #
@@ -6690,8 +7188,8 @@ module Aws::KMS
     # General Reference*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][9] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][9] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6788,8 +7286,8 @@ module Aws::KMS
     # specify the tag key and the KMS key.
     #
     # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    # key. For details, see [Using ABAC in KMS][2] in the *Key Management
-    # Service Developer Guide*.
+    # key. For details, see [ABAC in KMS][2] in the *Key Management Service
+    # Developer Guide*.
     #
     #  </note>
     #
@@ -6804,8 +7302,8 @@ module Aws::KMS
     # General Reference*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][5] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6886,8 +7384,8 @@ module Aws::KMS
     # Amazon Web Services account and Region.
     #
     # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
-    # the KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    # Management Service Developer Guide*.
+    # the KMS key. For details, see [ABAC in KMS][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #  </note>
     #
@@ -6909,8 +7407,8 @@ module Aws::KMS
     # ListAliases operation.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -7175,8 +7673,8 @@ module Aws::KMS
     # key, use DescribeKey.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][1] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][1] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -7258,7 +7756,7 @@ module Aws::KMS
     # encrypt data in one Amazon Web Services Region and decrypt it in a
     # different Amazon Web Services Region without re-encrypting the data or
     # making a cross-Region call. For more information about multi-Region
-    # keys, see [Using multi-Region keys][2] in the *Key Management Service
+    # keys, see [Multi-Region keys in KMS][2] in the *Key Management Service
     # Developer Guide*.
     #
     # The *primary key* of a multi-Region key is the source for properties
@@ -7288,9 +7786,8 @@ module Aws::KMS
     # can use the keys in cryptographic operations, but you cannot replicate
     # the new primary key or perform certain management operations, such as
     # enabling or disabling these keys. For details about the `Updating` key
-    # state, see [Key state: Effect on your KMS
-    # key](kms/latest/developerguide/key-state.html) in the *Key Management
-    # Service Developer Guide*.
+    # state, see [Key states of KMS keys][9] in the *Key Management Service
+    # Developer Guide*.
     #
     # This operation does not return any output. To verify that primary key
     # is changed, use the DescribeKey operation.
@@ -7323,6 +7820,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
     # [8]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   Identifies the current primary key. When the operation completes, this
@@ -7379,9 +7877,9 @@ module Aws::KMS
     #
     # A digital signature is generated by using the private key in an
     # asymmetric KMS key. The signature is verified by using the public key
-    # in the same asymmetric KMS key. For information about symmetric and
-    # asymmetric KMS keys, see [Using Symmetric and Asymmetric KMS keys][1]
-    # in the *Key Management Service Developer Guide*.
+    # in the same asymmetric KMS key. For information about asymmetric KMS
+    # keys, see [Asymmetric KMS keys][1] in the *Key Management Service
+    # Developer Guide*.
     #
     # To verify a digital signature, you can use the `Verify` operation.
     # Specify the same asymmetric KMS key, message, and signing algorithm
@@ -7398,8 +7896,8 @@ module Aws::KMS
     # signatures.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -7501,7 +7999,7 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the asymmetric KMS key that was used to verify the digital signature.
-    #     signature_valid: true, # Indicates whether the signature was verified (true) or failed verification (false).
+    #     signature_valid: true, # A value of 'true' Indicates that the signature was verified. If verification fails, the call to Verify fails.
     #     signing_algorithm: "ECDSA_SHA_384", # The signing algorithm that was used to verify the signature.
     #   }
     #
@@ -7531,6 +8029,128 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Verifies the hash-based message authentication code (HMAC) for a
+    # specified message, HMAC KMS key, and MAC algorithm. To verify the
+    # HMAC, `VerifyMac` computes an HMAC using the message, HMAC KMS key,
+    # and MAC algorithm that you specify, and compares the computed HMAC to
+    # the HMAC that you specify. If the HMACs are identical, the
+    # verification succeeds; otherwise, it fails.
+    #
+    # Verification indicates that the message hasn't changed since the HMAC
+    # was calculated, and the specified key was used to generate and verify
+    # the HMAC.
+    #
+    # This operation is part of KMS support for HMAC KMS keys. For details,
+    # see [HMAC keys in KMS][1] in the *Key Management Service Developer
+    # Guide*.
+    #
+    # The KMS key that you use for this operation must be in a compatible
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # in a different Amazon Web Services account, specify the key ARN or
+    # alias ARN in the value of the `KeyId` parameter.
+    #
+    # **Required permissions**\: [kms:VerifyMac][3] (key policy)
+    #
+    # **Related operations**\: GenerateMac
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #
+    # @option params [required, String, StringIO, File] :message
+    #   The message that will be used in the verification. Enter the same
+    #   message that was used to generate the HMAC.
+    #
+    #   GenerateMac and `VerifyMac` do not provide special handling for
+    #   message digests. If you generated an HMAC for a hash digest of a
+    #   message, you must verify the HMAC for the same hash digest.
+    #
+    # @option params [required, String] :key_id
+    #   The KMS key that will be used in the verification.
+    #
+    #   Enter a key ID of the KMS key that was used to generate the HMAC. If
+    #   you identify a different KMS key, the `VerifyMac` operation fails.
+    #
+    # @option params [required, String] :mac_algorithm
+    #   The MAC algorithm that will be used in the verification. Enter the
+    #   same MAC algorithm that was used to compute the HMAC. This algorithm
+    #   must be supported by the HMAC KMS key identified by the `KeyId`
+    #   parameter.
+    #
+    # @option params [required, String, StringIO, File] :mac
+    #   The HMAC to verify. Enter the HMAC that was generated by the
+    #   GenerateMac operation when you specified the same message, HMAC KMS
+    #   key, and MAC algorithm as the values specified in this request.
+    #
+    # @option params [Array<String>] :grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*. For
+    #   more information, see [Grant token][1] and [Using a grant token][2] in
+    #   the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #
+    # @return [Types::VerifyMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::VerifyMacResponse#key_id #key_id} => String
+    #   * {Types::VerifyMacResponse#mac_valid #mac_valid} => Boolean
+    #   * {Types::VerifyMacResponse#mac_algorithm #mac_algorithm} => String
+    #
+    #
+    # @example Example: To verify an HMAC
+    #
+    #   # This example verifies an HMAC for a particular message, HMAC KMS keys, and MAC algorithm. A value of 'true' in the
+    #   # MacValid value in the response indicates that the HMAC is valid.
+    #
+    #   resp = client.verify_mac({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The HMAC KMS key input to the HMAC algorithm.
+    #     mac: "<HMAC_TAG>", # The HMAC to be verified.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm requested for the operation.
+    #     message: "Hello World", # The message input to the HMAC algorithm.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the HMAC key used in the operation.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm used in the operation.
+    #     mac_valid: true, # A value of 'true' indicates that verification succeeded. If verification fails, the call to VerifyMac fails.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.verify_mac({
+    #     message: "data", # required
+    #     key_id: "KeyIdType", # required
+    #     mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
+    #     mac: "data", # required
+    #     grant_tokens: ["GrantTokenType"],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.key_id #=> String
+    #   resp.mac_valid #=> Boolean
+    #   resp.mac_algorithm #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac AWS API Documentation
+    #
+    # @overload verify_mac(params = {})
+    # @param [Hash] params ({})
+    def verify_mac(params = {}, options = {})
+      req = build_request(:verify_mac, params)
+      req.send_request(options)
+    end
+
     # @!endgroup
 
     # @param params ({})
@@ -7544,7 +8164,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.54.0'
+      context[:gem_version] = '1.57.0'
       Seahorse::Client::Request.new(handlers, context)
     end