aws-sdk-kms 1.55.0 → 1.58.0

data/lib/aws-sdk-kms/client.rb

@@ -370,8 +370,8 @@ module Aws::KMS
     # Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -544,8 +544,8 @@ module Aws::KMS
     # Creates a friendly name for a KMS key.
     #
     # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
-    # the KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    # Management Service Developer Guide*.
+    # the KMS key. For details, see [ABAC in KMS][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #  </note>
     #
@@ -570,8 +570,8 @@ module Aws::KMS
     # created, use the ListAliases operation.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on an
     # alias in a different Amazon Web Services account.
@@ -674,7 +674,7 @@ module Aws::KMS
     # Creates a [custom key store][1] that is associated with an [CloudHSM
     # cluster][2] that you own and manage.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -724,7 +724,7 @@ module Aws::KMS
     #   Specifies a friendly name for the custom key store. The name must be
     #   unique in your Amazon Web Services account.
     #
-    # @option params [required, String] :cloud_hsm_cluster_id
+    # @option params [String] :cloud_hsm_cluster_id
     #   Identifies the CloudHSM cluster for the custom key store. Enter the
     #   cluster ID of any active CloudHSM cluster that is not already
     #   associated with a custom key store. To find the cluster ID, use the
@@ -734,7 +734,7 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
     #
-    # @option params [required, String] :trust_anchor_certificate
+    # @option params [String] :trust_anchor_certificate
     #   Enter the content of the trust anchor certificate for the cluster.
     #   This is the content of the `customerCA.crt` file that you created when
     #   you [initialized the cluster][1].
@@ -743,7 +743,7 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
     #
-    # @option params [required, String] :key_store_password
+    # @option params [String] :key_store_password
     #   Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
     #   the specified CloudHSM cluster. KMS logs into the cluster as this user
     #   to manage key material on your behalf.
@@ -783,9 +783,9 @@ module Aws::KMS
     #
     #   resp = client.create_custom_key_store({
     #     custom_key_store_name: "CustomKeyStoreNameType", # required
-    #     cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
-    #     trust_anchor_certificate: "TrustAnchorCertificateType", # required
-    #     key_store_password: "KeyStorePasswordType", # required
+    #     cloud_hsm_cluster_id: "CloudHsmClusterIdType",
+    #     trust_anchor_certificate: "TrustAnchorCertificateType",
+    #     key_store_password: "KeyStorePasswordType",
     #   })
     #
     # @example Response structure
@@ -812,7 +812,7 @@ module Aws::KMS
     # and delete it without changing your key policies or IAM policies.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][1] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
@@ -835,8 +835,8 @@ module Aws::KMS
     #   the ListGrants or ListRetirableGrants operations.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
@@ -921,12 +921,13 @@ module Aws::KMS
     # @option params [required, Array<String>] :operations
     #   A list of operations that the grant permits.
     #
-    #   The operation must be supported on the KMS key. For example, you
-    #   cannot create a grant for a symmetric KMS key that allows the Sign
-    #   operation, or a grant for an asymmetric KMS key that allows the
-    #   GenerateDataKey operation. If you try, KMS returns a `ValidationError`
-    #   exception. For details, see [Grant operations][1] in the *Key
-    #   Management Service Developer Guide*.
+    #   This list must include only operations that are permitted in a grant.
+    #   Also, the operation must be supported on the KMS key. For example, you
+    #   cannot create a grant for a symmetric encryption KMS key that allows
+    #   the Sign operation, or a grant for an asymmetric KMS key that allows
+    #   the GenerateDataKey operation. If you try, KMS returns a
+    #   `ValidationError` exception. For details, see [Grant operations][1] in
+    #   the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -938,27 +939,38 @@ module Aws::KMS
     #   KMS supports the `EncryptionContextEquals` and
     #   `EncryptionContextSubset` grant constraints. Each constraint value can
     #   include up to 8 encryption context pairs. The encryption context value
-    #   in each constraint cannot exceed 384 characters.
-    #
-    #   These grant constraints allow the permissions in the grant only when
-    #   the encryption context in the request matches
-    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
-    #   the encryption context specified in this structure. For information
-    #   about grant constraints, see [Using grant constraints][1] in the *Key
+    #   in each constraint cannot exceed 384 characters. For information about
+    #   grant constraints, see [Using grant constraints][1] in the *Key
     #   Management Service Developer Guide*. For more information about
-    #   encryption context, see [Encryption Context][2] in the <i> <i>Key
+    #   encryption context, see [Encryption context][2] in the <i> <i>Key
     #   Management Service Developer Guide</i> </i>.
     #
-    #   The encryption context grant constraints are supported only on
-    #   operations that include an encryption context. You cannot use an
-    #   encryption context grant constraint for cryptographic operations with
-    #   asymmetric KMS keys or for management operations, such as DescribeKey
-    #   or RetireGrant.
+    #   The encryption context grant constraints allow the permissions in the
+    #   grant only when the encryption context in the request matches
+    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
+    #   the encryption context specified in this structure.
+    #
+    #   The encryption context grant constraints are supported only on [grant
+    #   operations][3] that include an `EncryptionContext` parameter, such as
+    #   cryptographic operations on symmetric encryption KMS keys. Grants with
+    #   grant constraints can include the DescribeKey and RetireGrant
+    #   operations, but the constraint doesn't apply to these operations. If
+    #   a grant with a grant constraint includes the `CreateGrant` operation,
+    #   the constraint requires that any grants created with the `CreateGrant`
+    #   permission have an equally strict or stricter encryption context
+    #   constraint.
+    #
+    #   You cannot use an encryption context grant constraint for
+    #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
+    #   These keys don't support an encryption context.
+    #
+    #
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1020,7 +1032,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     grantee_principal: "PrincipalIdType", # required
     #     retiring_principal: "PrincipalIdType",
-    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
+    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
     #     constraints: {
     #       encryption_context_subset: {
     #         "EncryptionContextKey" => "EncryptionContextValue",
@@ -1050,35 +1062,37 @@ module Aws::KMS
     # Creates a unique customer managed [KMS key][1] in your Amazon Web
     # Services account and Region.
     #
+    # In addition to the required parameters, you can use the optional
+    # parameters to specify a key policy, description, tags, and other
+    # useful elements for any key type.
+    #
     # <note markdown="1"> KMS is replacing the term *customer master key (CMK)* with *KMS key*
     # and *KMS key*. The concept has not changed. To prevent breaking
     # changes, KMS is keeping some variations of this term.
     #
     #  </note>
     #
-    # You can use the `CreateKey` operation to create symmetric or
-    # asymmetric KMS keys.
+    # To create different types of KMS keys, use the following guidance:
     #
-    # * **Symmetric KMS keys** contain a 256-bit symmetric key that never
-    #   leaves KMS unencrypted. To use the KMS key, you must call KMS. You
-    #   can use a symmetric KMS key to encrypt and decrypt small amounts of
-    #   data, but they are typically used to generate [data keys][2] and
-    #   [data keys pairs][3]. For details, see GenerateDataKey and
-    #   GenerateDataKeyPair.
+    # Symmetric encryption KMS key
     #
-    # * **Asymmetric KMS keys** can contain an RSA key pair or an Elliptic
-    #   Curve (ECC) key pair. The private key in an asymmetric KMS key never
-    #   leaves KMS unencrypted. However, you can use the GetPublicKey
-    #   operation to download the public key so it can be used outside of
-    #   KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt
-    #   data or sign and verify messages (but not both). KMS keys with ECC
-    #   key pairs can be used only to sign and verify messages.
+    # : To create a symmetric encryption KMS key, you aren't required to
+    #   specify any parameters. The default value for `KeySpec`,
+    #   `SYMMETRIC_DEFAULT`, and the default value for `KeyUsage`,
+    #   `ENCRYPT_DECRYPT`, create a symmetric encryption KMS key. For
+    #   technical details, see [ SYMMETRIC\_DEFAULT key spec][2] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #   If you need a key for basic encryption and decryption or you are
+    #   creating a KMS key to protect your resources in an Amazon Web
+    #   Services service, create a symmetric encryption KMS key. The key
+    #   material in a symmetric encryption key never leaves KMS unencrypted.
+    #   You can use a symmetric encryption KMS key to encrypt and decrypt
+    #   data up to 4,096 bytes, but they are typically used to generate data
+    #   keys and data keys pairs. For details, see GenerateDataKey and
+    #   GenerateDataKeyPair.
     #
-    # For information about symmetric and asymmetric KMS keys, see [Using
-    # Symmetric and Asymmetric KMS keys][4] in the *Key Management Service
-    # Developer Guide*.
     #
-    # To create different types of KMS keys, use the following guidance:
     #
     # Asymmetric KMS keys
     #
@@ -1088,14 +1102,38 @@ module Aws::KMS
     #   to encrypt and decrypt or sign and verify. You can't change these
     #   properties after the KMS key is created.
     #
+    #   Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC)
+    #   key pair, or an SM2 key pair (China Regions only). The private key
+    #   in an asymmetric KMS key never leaves KMS unencrypted. However, you
+    #   can use the GetPublicKey operation to download the public key so it
+    #   can be used outside of KMS. KMS keys with RSA or SM2 key pairs can
+    #   be used to encrypt or decrypt data or sign and verify messages (but
+    #   not both). KMS keys with ECC key pairs can be used only to sign and
+    #   verify messages. For information about asymmetric KMS keys, see
+    #   [Asymmetric KMS keys][3] in the *Key Management Service Developer
+    #   Guide*.
     #
     #
-    # Symmetric KMS keys
     #
-    # : When creating a symmetric KMS key, you don't need to specify the
-    #   `KeySpec` or `KeyUsage` parameters. The default value for `KeySpec`,
-    #   `SYMMETRIC_DEFAULT`, and the default value for `KeyUsage`,
-    #   `ENCRYPT_DECRYPT`, are the only valid values for symmetric KMS keys.
+    # HMAC KMS key
+    #
+    # : To create an HMAC KMS key, set the `KeySpec` parameter to a key spec
+    #   value for HMAC KMS keys. Then set the `KeyUsage` parameter to
+    #   `GENERATE_VERIFY_MAC`. You must set the key usage even though
+    #   `GENERATE_VERIFY_MAC` is the only valid key usage value for HMAC KMS
+    #   keys. You can't change these properties after the KMS key is
+    #   created.
+    #
+    #   HMAC KMS keys are symmetric keys that never leave KMS unencrypted.
+    #   You can use HMAC keys to generate (GenerateMac) and verify
+    #   (VerifyMac) HMAC codes for messages up to 4096 bytes.
+    #
+    #   HMAC KMS keys are not supported in all Amazon Web Services Regions.
+    #   If you try to create an HMAC KMS key in an Amazon Web Services
+    #   Region in which HMAC keys are not supported, the `CreateKey`
+    #   operation returns an `UnsupportedOperationException`. For a list of
+    #   Regions in which HMAC KMS keys are supported, see [HMAC keys in
+    #   KMS][4] in the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -1110,6 +1148,12 @@ module Aws::KMS
     #   operation. To change a replica key to a primary key, and its primary
     #   key to a replica key, use the UpdatePrimaryRegion operation.
     #
+    #   You can create multi-Region KMS keys for all supported KMS key
+    #   types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric
+    #   encryption KMS keys, and asymmetric signing KMS keys. You can also
+    #   create multi-Region keys with imported key material. However, you
+    #   can't create multi-Region keys in a custom key store.
+    #
     #   This operation supports *multi-Region keys*, an KMS feature that
     #   lets you create multiple interoperable KMS keys in different Amazon
     #   Web Services Regions. Because these KMS keys have the same key ID,
@@ -1117,49 +1161,49 @@ module Aws::KMS
     #   to encrypt data in one Amazon Web Services Region and decrypt it in
     #   a different Amazon Web Services Region without re-encrypting the
     #   data or making a cross-Region call. For more information about
-    #   multi-Region keys, see [Using multi-Region keys][5] in the *Key
+    #   multi-Region keys, see [Multi-Region keys in KMS][5] in the *Key
     #   Management Service Developer Guide*.
     #
-    #   You can create symmetric and asymmetric multi-Region keys and
-    #   multi-Region keys with imported key material. You cannot create
-    #   multi-Region keys in a custom key store.
-    #
     #
     #
-    # : To import your own key material, begin by creating a symmetric KMS
-    #   key with no key material. To do this, use the `Origin` parameter of
-    #   `CreateKey` with a value of `EXTERNAL`. Next, use
-    #   GetParametersForImport operation to get a public key and import
+    # : To import your own key material, begin by creating a symmetric
+    #   encryption KMS key with no key material. To do this, use the
+    #   `Origin` parameter of `CreateKey` with a value of `EXTERNAL`. Next,
+    #   use GetParametersForImport operation to get a public key and import
     #   token, and use the public key to encrypt your key material. Then,
     #   use ImportKeyMaterial with your import token to import the key
     #   material. For step-by-step instructions, see [Importing Key
     #   Material][6] in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>. You cannot import the key material into an
-    #   asymmetric KMS key.
+    #   Guide</i> </i>.
+    #
+    #   This feature supports only symmetric encryption KMS keys, including
+    #   multi-Region symmetric encryption KMS keys. You cannot import key
+    #   material into any other type of KMS key.
     #
     #   To create a multi-Region primary key with imported key material, use
     #   the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
     #   the `MultiRegion` parameter with a value of `True`. To create
     #   replicas of the multi-Region primary key, use the ReplicateKey
-    #   operation. For more information about multi-Region keys, see [Using
-    #   multi-Region keys][5] in the *Key Management Service Developer
-    #   Guide*.
+    #   operation. For more information about multi-Region keys, see
+    #   [Multi-Region keys in KMS][5] in the *Key Management Service
+    #   Developer Guide*.
     #
     #
     #
     # Custom key store
     #
-    # : To create a symmetric KMS key in a [custom key store][7], use the
-    #   `CustomKeyStoreId` parameter to specify the custom key store. You
-    #   must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
-    #   The CloudHSM cluster that is associated with the custom key store
-    #   must have at least two active HSMs in different Availability Zones
-    #   in the Amazon Web Services Region.
+    # : To create a symmetric encryption KMS key in a [custom key store][7],
+    #   use the `CustomKeyStoreId` parameter to specify the custom key
+    #   store. You must also use the `Origin` parameter with a value of
+    #   `AWS_CLOUDHSM`. The CloudHSM cluster that is associated with the
+    #   custom key store must have at least two active HSMs in different
+    #   Availability Zones in the Amazon Web Services Region.
     #
-    #   You cannot create an asymmetric KMS key in a custom key store. For
-    #   information about custom key stores in KMS see [Using Custom Key
-    #   Stores][7] in the <i> <i>Key Management Service Developer Guide</i>
-    #   </i>.
+    #   Custom key stores support only symmetric encryption KMS keys. You
+    #   cannot create an HMAC KMS key or an asymmetric KMS key in a custom
+    #   key store. For information about custom key stores in KMS see
+    #   [Custom key stores in KMS][7] in the <i> <i>Key Management Service
+    #   Developer Guide</i> </i>.
     #
     # **Cross-account use**\: No. You cannot use this operation to create a
     # KMS key in a different Amazon Web Services account.
@@ -1180,9 +1224,9 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-symmetric-default
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -1190,16 +1234,19 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
     #
     # @option params [String] :policy
-    #   The key policy to attach to the KMS key.
+    #   The key policy to attach to the KMS key. If you do not specify a key
+    #   policy, KMS attaches a default key policy to the KMS key. For more
+    #   information, see [Default key policy][1] in the *Key Management
+    #   Service Developer Guide*.
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must allow the principal that is making the `CreateKey`
+    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
+    #     key policy must allow the principal that is making the `CreateKey`
     #     request to make a subsequent PutKeyPolicy request on the KMS key.
     #     This reduces the risk that the KMS key becomes unmanageable. For
     #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
+    #     Policy][2] section of the <i> <i>Key Management Service Developer
     #     Guide</i> </i>.
     #
     #   * Each statement in the key policy must contain one or more
@@ -1209,25 +1256,33 @@ module Aws::KMS
     #     delay before including the new principal in a key policy because the
     #     new principal might not be immediately visible to KMS. For more
     #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *Amazon Web Services Identity and Access
+    #     visible][3] in the *Amazon Web Services Identity and Access
     #     Management User Guide*.
     #
-    #   If you do not provide a key policy, KMS attaches a default key policy
-    #   to the KMS key. For more information, see [Default Key Policy][3] in
-    #   the *Key Management Service Developer Guide*.
+    #   A key policy document can include only the following characters:
+    #
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
     #
-    #   The key policy size quota is 32 kilobytes (32768 bytes).
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
     #
-    #   For help writing and formatting a JSON policy document, see the [IAM
-    #   JSON Policy Reference][4] in the <i> <i>Identity and Access Management
-    #   User Guide</i> </i>.
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
     #
+    #   For information about key policies, see [Key policies in KMS][4] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][5] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
-    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [String] :description
     #   A description of the KMS key.
@@ -1242,20 +1297,26 @@ module Aws::KMS
     # @option params [String] :key_usage
     #   Determines the [cryptographic operations][1] for which you can use the
     #   KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter is
-    #   required only for asymmetric KMS keys. You can't change the
-    #   `KeyUsage` value after the KMS key is created.
+    #   optional when you are creating a symmetric encryption KMS key;
+    #   otherwise, it is required. You can't change the `KeyUsage` value
+    #   after the KMS key is created.
     #
     #   Select only one valid value.
     #
-    #   * For symmetric KMS keys, omit the parameter or specify
+    #   * For symmetric encryption KMS keys, omit the parameter or specify
     #     `ENCRYPT_DECRYPT`.
     #
+    #   * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
+    #
     #   * For asymmetric KMS keys with RSA key material, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   * For asymmetric KMS keys with ECC key material, specify
     #     `SIGN_VERIFY`.
     #
+    #   * For asymmetric KMS keys with SM2 key material (China Regions only),
+    #     specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@@ -1270,34 +1331,43 @@ module Aws::KMS
     #
     # @option params [String] :key_spec
     #   Specifies the type of KMS key to create. The default value,
-    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
-    #   for encryption and decryption. For help choosing a key spec for your
-    #   KMS key, see [How to Choose Your KMS key Configuration][1] in the <i>
-    #   <i>Key Management Service Developer Guide</i> </i>.
+    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key that
+    #   is used for encryption and decryption, except in China Regions, where
+    #   it creates a 128-bit symmetric key that uses SM4 encryption. For help
+    #   choosing a key spec for your KMS key, see [Choosing a KMS key type][1]
+    #   in the <i> <i>Key Management Service Developer Guide</i> </i>.
     #
     #   The `KeySpec` determines whether the KMS key contains a symmetric key
-    #   or an asymmetric key pair. It also determines the encryption
-    #   algorithms or signing algorithms that the KMS key supports. You can't
-    #   change the `KeySpec` after the KMS key is created. To further restrict
-    #   the algorithms that can be used with the KMS key, use a condition key
-    #   in its key policy or IAM policy. For more information, see
-    #   [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in the <i>
-    #   <i>Key Management Service Developer Guide</i> </i>.
-    #
-    #   [Amazon Web Services services that are integrated with KMS][4] use
-    #   symmetric KMS keys to protect your data. These services do not support
-    #   asymmetric KMS keys. For help determining whether a KMS key is
-    #   symmetric or asymmetric, see [Identifying Symmetric and Asymmetric KMS
-    #   keys][5] in the *Key Management Service Developer Guide*.
+    #   or an asymmetric key pair. It also determines the cryptographic
+    #   algorithms that the KMS key supports. You can't change the `KeySpec`
+    #   after the KMS key is created. To further restrict the algorithms that
+    #   can be used with the KMS key, use a condition key in its key policy or
+    #   IAM policy. For more information, see [kms:EncryptionAlgorithm][2],
+    #   [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i> <i>Key
+    #   Management Service Developer Guide</i> </i>.
+    #
+    #   [Amazon Web Services services that are integrated with KMS][5] use
+    #   symmetric encryption KMS keys to protect your data. These services do
+    #   not support asymmetric KMS keys or HMAC KMS keys.
     #
     #   KMS supports the following key specs for KMS keys:
     #
-    #   * Symmetric key (default)
+    #   * Symmetric encryption key (default)
     #
-    #     * `SYMMETRIC_DEFAULT` (AES-256-GCM)
+    #     * `SYMMETRIC_DEFAULT`
     #
     #     ^
     #
+    #   * HMAC keys (symmetric)
+    #
+    #     * `HMAC_224`
+    #
+    #     * `HMAC_256`
+    #
+    #     * `HMAC_384`
+    #
+    #     * `HMAC_512`
+    #
     #   * Asymmetric RSA key pairs
     #
     #     * `RSA_2048`
@@ -1320,13 +1390,19 @@ module Aws::KMS
     #
     #     ^
     #
+    #   * SM2 key pairs (China Regions only)
+    #
+    #     * `SM2`
+    #
+    #     ^
+    #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
-    #   [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
-    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
+    #   [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
     #
     # @option params [String] :origin
     #   The source of the key material for the KMS key. You cannot change the
@@ -1337,13 +1413,13 @@ module Aws::KMS
     #   set the value to `EXTERNAL`. For more information about importing key
     #   material into KMS, see [Importing Key Material][1] in the *Key
     #   Management Service Developer Guide*. This value is valid only for
-    #   symmetric KMS keys.
+    #   symmetric encryption KMS keys.
     #
     #   To create a KMS key in an KMS [custom key store][2] and create its key
     #   material in the associated CloudHSM cluster, set this value to
     #   `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter to
     #   identify the custom key store. This value is valid only for symmetric
-    #   KMS keys.
+    #   encryption KMS keys.
     #
     #
     #
@@ -1358,9 +1434,9 @@ module Aws::KMS
     #   the custom key store must have at least two active HSMs, each in a
     #   different Availability Zone in the Region.
     #
-    #   This parameter is valid only for symmetric KMS keys and regional KMS
-    #   keys. You cannot create an asymmetric KMS key or a multi-Region key in
-    #   a custom key store.
+    #   This parameter is valid only for symmetric encryption KMS keys in a
+    #   single Region. You cannot create any other type of KMS key in a custom
+    #   key store.
     #
     #   To find the ID of a custom key store, use the DescribeCustomKeyStores
     #   operation.
@@ -1368,7 +1444,7 @@ module Aws::KMS
     #   The response includes the custom key store ID and the ID of the
     #   CloudHSM cluster.
     #
-    #   This operation is part of the [Custom Key Store feature][1] feature in
+    #   This operation is part of the [custom key store feature][1] feature in
     #   KMS, which combines the convenience and extensive integration of KMS
     #   with the isolation and control of a single-tenant key store.
     #
@@ -1403,8 +1479,8 @@ module Aws::KMS
     #   TagResource operation.
     #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    #   key. For details, see [Using ABAC in KMS][1] in the *Key Management
-    #   Service Developer Guide*.
+    #   key. For details, see [ABAC in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #    </note>
     #
@@ -1444,15 +1520,16 @@ module Aws::KMS
     #   encrypt data in one Amazon Web Services Region and decrypt it in a
     #   different Amazon Web Services Region without re-encrypting the data or
     #   making a cross-Region call. For more information about multi-Region
-    #   keys, see [Using multi-Region keys][1] in the *Key Management Service
+    #   keys, see [Multi-Region keys in KMS][1] in the *Key Management Service
     #   Developer Guide*.
     #
     #   This value creates a *primary key*, not a replica. To create a
     #   *replica key*, use the ReplicateKey operation.
     #
-    #   You can create a symmetric or asymmetric multi-Region key, and you can
-    #   create a multi-Region key with imported key material. However, you
-    #   cannot create a multi-Region key in a custom key store.
+    #   You can create a multi-Region version of a symmetric encryption KMS
+    #   key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
+    #   imported key material. However, you cannot create a multi-Region key
+    #   in a custom key store.
     #
     #
     #
@@ -1665,14 +1742,46 @@ module Aws::KMS
     #     }, # Detailed information about the KMS key that this operation creates.
     #   }
     #
+    # @example Example: To create an HMAC KMS key
+    #
+    #   # This example creates a 384-bit symmetric HMAC KMS key. The GENERATE_VERIFY_MAC key usage value is required even though
+    #   # it's the only valid value for HMAC KMS keys. The key spec and key usage can't be changed after the key is created. 
+    #
+    #   resp = client.create_key({
+    #     key_spec: "HMAC_384", # Describes the type of key material in the KMS key.
+    #     key_usage: "GENERATE_VERIFY_MAC", # The cryptographic operations for which you can use the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse("2022-04-05T14:04:55-07:00"), 
+    #       customer_master_key_spec: "HMAC_384", 
+    #       description: "", 
+    #       enabled: true, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_spec: "HMAC_384", 
+    #       key_state: "Enabled", 
+    #       key_usage: "GENERATE_VERIFY_MAC", 
+    #       mac_algorithms: [
+    #         "HMAC_SHA_384", 
+    #       ], 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #     }, # Detailed information about the KMS key that this operation creates.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_key({
     #     policy: "PolicyType",
     #     description: "DescriptionType",
-    #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
-    #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
-    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
+    #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
+    #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
+    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
     #     origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
     #     custom_key_store_id: "CustomKeyStoreIdType",
     #     bypass_policy_lockout_safety_check: false,
@@ -1693,7 +1802,7 @@ module Aws::KMS
     #   resp.key_metadata.creation_date #=> Time
     #   resp.key_metadata.enabled #=> Boolean
     #   resp.key_metadata.description #=> String
-    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.key_metadata.deletion_date #=> Time
     #   resp.key_metadata.valid_to #=> Time
@@ -1702,12 +1811,12 @@ module Aws::KMS
     #   resp.key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
+    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.key_metadata.encryption_algorithms #=> Array
-    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #   resp.key_metadata.multi_region #=> Boolean
     #   resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -1716,6 +1825,8 @@ module Aws::KMS
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
     #   resp.key_metadata.pending_deletion_window_in_days #=> Integer
+    #   resp.key_metadata.mac_algorithms #=> Array
+    #   resp.key_metadata.mac_algorithms[0] #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
     #
@@ -1740,29 +1851,30 @@ module Aws::KMS
     # * GenerateDataKeyPairWithoutPlaintext
     #
     # You can use this operation to decrypt ciphertext that was encrypted
-    # under a symmetric or asymmetric KMS key. When the KMS key is
-    # asymmetric, you must specify the KMS key and the encryption algorithm
-    # that was used to encrypt the ciphertext. For information about
-    # symmetric and asymmetric KMS keys, see [Using Symmetric and Asymmetric
-    # KMS keys][1] in the *Key Management Service Developer Guide*.
+    # under a symmetric encryption KMS key or an asymmetric encryption KMS
+    # key. When the KMS key is asymmetric, you must specify the KMS key and
+    # the encryption algorithm that was used to encrypt the ciphertext. For
+    # information about asymmetric KMS keys, see [Asymmetric KMS keys][1] in
+    # the *Key Management Service Developer Guide*.
     #
-    # The Decrypt operation also decrypts ciphertext that was encrypted
+    # The `Decrypt` operation also decrypts ciphertext that was encrypted
     # outside of KMS by the public key in an KMS asymmetric KMS key.
     # However, it cannot decrypt ciphertext produced by other libraries,
     # such as the [Amazon Web Services Encryption SDK][2] or [Amazon S3
     # client-side encryption][3]. These libraries return a ciphertext format
     # that is incompatible with KMS.
     #
-    # If the ciphertext was encrypted under a symmetric KMS key, the `KeyId`
-    # parameter is optional. KMS can get this information from metadata that
-    # it adds to the symmetric ciphertext blob. This feature adds durability
-    # to your implementation by ensuring that authorized users can decrypt
-    # ciphertext decades after it was encrypted, even if they've lost track
-    # of the key ID. However, specifying the KMS key is always recommended
-    # as a best practice. When you use the `KeyId` parameter to specify a
-    # KMS key, KMS only uses the KMS key you specify. If the ciphertext was
-    # encrypted under a different KMS key, the `Decrypt` operation fails.
-    # This practice ensures that you use the KMS key that you intend.
+    # If the ciphertext was encrypted under a symmetric encryption KMS key,
+    # the `KeyId` parameter is optional. KMS can get this information from
+    # metadata that it adds to the symmetric ciphertext blob. This feature
+    # adds durability to your implementation by ensuring that authorized
+    # users can decrypt ciphertext decades after it was encrypted, even if
+    # they've lost track of the key ID. However, specifying the KMS key is
+    # always recommended as a best practice. When you use the `KeyId`
+    # parameter to specify a KMS key, KMS only uses the KMS key you specify.
+    # If the ciphertext was encrypted under a different KMS key, the
+    # `Decrypt` operation fails. This practice ensures that you use the KMS
+    # key that you intend.
     #
     # Whenever possible, use key policies to give users permission to call
     # the `Decrypt` operation on a particular KMS key, instead of using IAM
@@ -1781,8 +1893,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][7] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][7] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -1817,17 +1929,19 @@ module Aws::KMS
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
     #   encryption context is valid only for [cryptographic operations][1]
-    #   with a symmetric KMS key. The standard asymmetric encryption
-    #   algorithms that KMS uses do not support an encryption context.
+    #   with a symmetric encryption KMS key. The standard asymmetric
+    #   encryption algorithms and HMAC algorithms that KMS uses do not support
+    #   an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *Key
+    #   For more information, see [Encryption context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1849,14 +1963,18 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
     # @option params [String] :key_id
-    #   Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter a
-    #   key ID of the KMS key that was used to encrypt the ciphertext.
+    #   Specifies the KMS key that KMS uses to decrypt the ciphertext.
+    #
+    #   Enter a key ID of the KMS key that was used to encrypt the ciphertext.
+    #   If you identify a different KMS key, the `Decrypt` operation throws an
+    #   `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS can
-    #   get the KMS key from metadata that it adds to the symmetric ciphertext
-    #   blob. However, it is always recommended as a best practice. This
-    #   practice ensures that you use the KMS key that you intend.
+    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
+    #   key, KMS can get the KMS key from metadata that it adds to the
+    #   symmetric ciphertext blob. However, it is always recommended as a best
+    #   practice. This practice ensures that you use the KMS key that you
+    #   intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -1886,7 +2004,7 @@ module Aws::KMS
     #   This parameter is required only when the ciphertext was encrypted
     #   under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
     #   represents the only supported algorithm that is valid for symmetric
-    #   KMS keys.
+    #   encryption KMS keys.
     #
     # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1919,14 +2037,14 @@ module Aws::KMS
     #     },
     #     grant_tokens: ["GrantTokenType"],
     #     key_id: "KeyIdType",
-    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #   })
     #
     # @example Response structure
     #
     #   resp.key_id #=> String
     #   resp.plaintext #=> String
-    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
     #
@@ -1940,8 +2058,8 @@ module Aws::KMS
     # Deletes the specified alias.
     #
     # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
-    # the KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    # Management Service Developer Guide*.
+    # the KMS key. For details, see [ABAC in KMS][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #  </note>
     #
@@ -2015,15 +2133,15 @@ module Aws::KMS
     # CloudHSM cluster that is associated with the custom key store, or
     # affect any users or keys in the cluster.
     #
-    # The custom key store that you delete cannot contain any KMS [KMS
-    # keys][2]. Before deleting the key store, verify that you will never
-    # need to use any of the KMS keys in the key store for any
-    # [cryptographic operations][3]. Then, use ScheduleKeyDeletion to delete
-    # the KMS keys from the key store. When the scheduled waiting period
-    # expires, the `ScheduleKeyDeletion` operation deletes the KMS keys.
-    # Then it makes a best effort to delete the key material from the
-    # associated cluster. However, you might need to manually [delete the
-    # orphaned key material][4] from the cluster and its backups.
+    # The custom key store that you delete cannot contain any [KMS keys][2].
+    # Before deleting the key store, verify that you will never need to use
+    # any of the KMS keys in the key store for any [cryptographic
+    # operations][3]. Then, use ScheduleKeyDeletion to delete the KMS keys
+    # from the key store. When the scheduled waiting period expires, the
+    # `ScheduleKeyDeletion` operation deletes the KMS keys. Then it makes a
+    # best effort to delete the key material from the associated cluster.
+    # However, you might need to manually [delete the orphaned key
+    # material][4] from the cluster and its backups.
     #
     # After all KMS keys are deleted from KMS, use DisconnectCustomKeyStore
     # to disconnect the key store from KMS. Then, you can delete the custom
@@ -2038,7 +2156,7 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -2116,8 +2234,8 @@ module Aws::KMS
     # reimport the same key material into the KMS key.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -2182,7 +2300,7 @@ module Aws::KMS
     # Gets information about [custom key stores][1] in the account and
     # Region.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -2267,6 +2385,8 @@ module Aws::KMS
     #   * {Types::DescribeCustomKeyStoresResponse#next_marker #next_marker} => String
     #   * {Types::DescribeCustomKeyStoresResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To get detailed information about custom key stores in the account and Region
     #
@@ -2322,7 +2442,7 @@ module Aws::KMS
     #   resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
     #   resp.custom_key_stores[0].trust_anchor_certificate #=> String
     #   resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
-    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND"
+    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND", "INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET"
     #   resp.custom_key_stores[0].creation_date #=> Time
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
@@ -2343,14 +2463,13 @@ module Aws::KMS
     # This detailed information includes the key ARN, creation date (and
     # deletion date, if applicable), the key state, and the origin and
     # expiration date (if any) of the key material. It includes fields, like
-    # `KeySpec`, that help you distinguish symmetric from asymmetric KMS
-    # keys. It also provides information that is particularly important to
-    # asymmetric keys, such as the key usage (encryption or signing) and the
-    # encryption algorithms or signing algorithms that the KMS key supports.
-    # For KMS keys in custom key stores, it includes information about the
-    # custom key store, such as the key store ID and the CloudHSM cluster
-    # ID. For multi-Region keys, it displays the primary key and all related
-    # replica keys.
+    # `KeySpec`, that help you distinguish different types of KMS keys. It
+    # also displays the key usage (encryption, signing, or generating and
+    # verifying MACs) and the algorithms that the KMS key supports. For KMS
+    # keys in custom key stores, it includes information about the custom
+    # key store, such as the key store ID and the CloudHSM cluster ID. For
+    # multi-Region keys, it displays the primary key and all related replica
+    # keys.
     #
     # `DescribeKey` does not return the following information:
     #
@@ -2360,7 +2479,7 @@ module Aws::KMS
     # * Whether automatic key rotation is enabled on the KMS key. To get
     #   this information, use GetKeyRotationStatus. Also, some key states
     #   prevent a KMS key from being automatically rotated. For details, see
-    #   [How Automatic Key Rotation Works][3] in *Key Management Service
+    #   [How Automatic Key Rotation Works][3] in the *Key Management Service
     #   Developer Guide*.
     #
     # * Tags on the KMS key. To get this information, use ListResourceTags.
@@ -2368,11 +2487,10 @@ module Aws::KMS
     # * Key policies and grants on the KMS key. To get this information, use
     #   GetKeyPolicy and ListGrants.
     #
-    # If you call the `DescribeKey` operation on a *predefined Amazon Web
-    # Services alias*, that is, an Amazon Web Services alias with no key ID,
-    # KMS creates an [Amazon Web Services managed key][2]. Then, it
-    # associates the alias with the new KMS key, and returns the `KeyId` and
-    # `Arn` of the new KMS key in the response.
+    # In general, `DescribeKey` is a non-mutating operation. It returns data
+    # about KMS keys, but doesn't change them. However, Amazon Web Services
+    # services use `DescribeKey` to create [Amazon Web Services managed
+    # keys][2] from a *predefined Amazon Web Services alias* with no key ID.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -2454,10 +2572,10 @@ module Aws::KMS
     #
     # @example Example: To get details about a KMS key
     #
-    #   # The following example gets metadata about a symmetric KMS key.
+    #   # The following example gets metadata for a symmetric encryption KMS key.
     #
     #   resp = client.describe_key({
-    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that you want information about. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
     #   })
     #
     #   resp.to_h outputs the following:
@@ -2482,6 +2600,121 @@ module Aws::KMS
     #     }, # An object that contains information about the specified KMS key.
     #   }
     #
+    # @example Example: To get details about an RSA asymmetric KMS key
+    #
+    #   # The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.
+    #
+    #   resp = client.describe_key({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse(1571767572.317), 
+    #       customer_master_key_spec: "RSA_2048", 
+    #       description: "", 
+    #       enabled: false, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_spec: "RSA_2048", 
+    #       key_state: "Disabled", 
+    #       key_usage: "SIGN_VERIFY", 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #       signing_algorithms: [
+    #         "RSASSA_PKCS1_V1_5_SHA_256", 
+    #         "RSASSA_PKCS1_V1_5_SHA_384", 
+    #         "RSASSA_PKCS1_V1_5_SHA_512", 
+    #         "RSASSA_PSS_SHA_256", 
+    #         "RSASSA_PSS_SHA_384", 
+    #         "RSASSA_PSS_SHA_512", 
+    #       ], 
+    #     }, # An object that contains information about the specified KMS key.
+    #   }
+    #
+    # @example Example: To get details about a multi-Region key
+    #
+    #   # The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key.
+    #   # DescribeKey returns information about the primary key and all of its replicas.
+    #
+    #   resp = client.describe_key({
+    #     key_id: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "111122223333", 
+    #       arn: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #       creation_date: Time.parse(1586329200.918), 
+    #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
+    #       description: "", 
+    #       enabled: true, 
+    #       encryption_algorithms: [
+    #         "SYMMETRIC_DEFAULT", 
+    #       ], 
+    #       key_id: "mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_state: "Enabled", 
+    #       key_usage: "ENCRYPT_DECRYPT", 
+    #       multi_region: true, 
+    #       multi_region_configuration: {
+    #         multi_region_key_type: "PRIMARY", 
+    #         primary_key: {
+    #           arn: "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #           region: "us-west-2", 
+    #         }, 
+    #         replica_keys: [
+    #           {
+    #             arn: "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #             region: "eu-west-1", 
+    #           }, 
+    #           {
+    #             arn: "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #             region: "ap-northeast-1", 
+    #           }, 
+    #           {
+    #             arn: "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", 
+    #             region: "sa-east-1", 
+    #           }, 
+    #         ], 
+    #       }, 
+    #       origin: "AWS_KMS", 
+    #     }, # An object that contains information about the specified KMS key.
+    #   }
+    #
+    # @example Example: To get details about an HMAC KMS key
+    #
+    #   # The following example gets the metadata of an HMAC KMS key. 
+    #
+    #   resp = client.describe_key({
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_metadata: {
+    #       aws_account_id: "123456789012", 
+    #       arn: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse(1566160362.664), 
+    #       customer_master_key_spec: "HMAC_256", 
+    #       description: "Development test key", 
+    #       enabled: true, 
+    #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
+    #       key_state: "Enabled", 
+    #       key_usage: "GENERATE_VERIFY_MAC", 
+    #       mac_algorithms: [
+    #         "HMAC_SHA_256", 
+    #       ], 
+    #       multi_region: false, 
+    #       origin: "AWS_KMS", 
+    #     }, # An object that contains information about the specified KMS key.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.describe_key({
@@ -2497,7 +2730,7 @@ module Aws::KMS
     #   resp.key_metadata.creation_date #=> Time
     #   resp.key_metadata.enabled #=> Boolean
     #   resp.key_metadata.description #=> String
-    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.key_metadata.deletion_date #=> Time
     #   resp.key_metadata.valid_to #=> Time
@@ -2506,12 +2739,12 @@ module Aws::KMS
     #   resp.key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
+    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.key_metadata.encryption_algorithms #=> Array
-    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #   resp.key_metadata.multi_region #=> Boolean
     #   resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -2520,6 +2753,8 @@ module Aws::KMS
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
     #   resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
     #   resp.key_metadata.pending_deletion_window_in_days #=> Integer
+    #   resp.key_metadata.mac_algorithms #=> Array
+    #   resp.key_metadata.mac_algorithms[0] #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
     #
@@ -2534,12 +2769,12 @@ module Aws::KMS
     # prevents use of the KMS key for [cryptographic operations][1].
     #
     # For more information about how key state affects the use of a KMS key,
-    # see [Key state: Effect on your KMS key][2] in the <i> <i>Key
-    # Management Service Developer Guide</i> </i>.
+    # see [Key states of KMS keys][2] in the <i> <i>Key Management Service
+    # Developer Guide</i> </i>.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -2595,22 +2830,37 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Disables [automatic rotation of the key material][1] for the specified
-    # symmetric KMS key.
+    # Disables [automatic rotation of the key material][1] of the specified
+    # symmetric encryption KMS key.
+    #
+    # Automatic key rotation is supported only on symmetric encryption KMS
+    # keys. You cannot enable or disable automatic rotation of [asymmetric
+    # KMS keys][2], [HMAC KMS keys][3], KMS keys with [imported key
+    # material][4], or KMS keys in a [custom key store][5]. The key rotation
+    # status of these KMS keys is always `false`. To enable or disable
+    # automatic rotation of a set of related [multi-Region keys][6], set the
+    # property on the primary key.
+    #
+    # You can enable (EnableKeyRotation) and disable automatic rotation of
+    # the key material in [customer managed KMS keys][7]. Key material
+    # rotation of [Amazon Web Services managed KMS keys][8] is not
+    # configurable. KMS always rotates the key material for every year.
+    # Rotation of [Amazon Web Services owned KMS keys][9] varies.
+    #
+    # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
+    # managed keys from every three years to every year. For details, see
+    # EnableKeyRotation.
     #
-    # You cannot enable automatic rotation of [asymmetric KMS keys][2], KMS
-    # keys with [imported key material][3], or KMS keys in a [custom key
-    # store][4]. To enable or disable automatic rotation of a set of related
-    # [multi-Region keys][5], set the property on the primary key.
+    #  </note>
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][10] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DisableKeyRotation][7] (key policy)
+    # **Required permissions**\: [kms:DisableKeyRotation][11] (key policy)
     #
     # **Related operations:**
     #
@@ -2621,17 +2871,22 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies a symmetric KMS key. You cannot enable or disable automatic
-    #   rotation of [asymmetric KMS keys][1], KMS keys with [imported key
-    #   material][2], or KMS keys in a [custom key store][3].
+    #   Identifies a symmetric encryption KMS key. You cannot enable or
+    #   disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
+    #   keys][2], KMS keys with [imported key material][3], or KMS keys in a
+    #   [custom key store][4].
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -2648,8 +2903,9 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -2699,7 +2955,7 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -2767,8 +3023,8 @@ module Aws::KMS
     # KMS key for [cryptographic operations][1].
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -2824,22 +3080,49 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Enables [automatic rotation of the key material][1] for the specified
-    # symmetric KMS key.
+    # Enables [automatic rotation of the key material][1] of the specified
+    # symmetric encryption KMS key.
+    #
+    # When you enable automatic rotation of a[customer managed KMS key][2],
+    # KMS rotates the key material of the KMS key one year (approximately
+    # 365 days) from the enable date and every year thereafter. You can
+    # monitor rotation of the key material for your KMS keys in CloudTrail
+    # and Amazon CloudWatch. To disable rotation of the key material in a
+    # customer managed KMS key, use the DisableKeyRotation operation.
+    #
+    # Automatic key rotation is supported only on [symmetric encryption KMS
+    # keys][3]. You cannot enable or disable automatic rotation of
+    # [asymmetric KMS keys][4], [HMAC KMS keys][5], KMS keys with [imported
+    # key material][6], or KMS keys in a [custom key store][7]. The key
+    # rotation status of these KMS keys is always `false`. To enable or
+    # disable automatic rotation of a set of related [multi-Region keys][8],
+    # set the property on the primary key.
+    #
+    # You cannot enable or disable automatic rotation [Amazon Web Services
+    # managed KMS keys][9]. KMS always rotates the key material of Amazon
+    # Web Services managed keys every year. Rotation of [Amazon Web Services
+    # owned KMS keys][10] varies.
+    #
+    # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
+    # managed keys from every three years (approximately 1,095 days) to
+    # every year (approximately 365 days).
+    #
+    #  New Amazon Web Services managed keys are automatically rotated one
+    # year after they are created, and approximately every year thereafter.
+    #
+    #  Existing Amazon Web Services managed keys are automatically rotated
+    # one year after their most recent rotation, and every year thereafter.
     #
-    # You cannot enable automatic rotation of [asymmetric KMS keys][2], KMS
-    # keys with [imported key material][3], or KMS keys in a [custom key
-    # store][4]. To enable or disable automatic rotation of a set of related
-    # [multi-Region keys][5], set the property on the primary key.
+    #  </note>
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][11] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:EnableKeyRotation][7] (key policy)
+    # **Required permissions**\: [kms:EnableKeyRotation][12] (key policy)
     #
     # **Related operations:**
     #
@@ -2850,19 +3133,25 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies a symmetric KMS key. You cannot enable automatic rotation
-    #   of [asymmetric KMS keys][1], KMS keys with [imported key material][2],
-    #   or KMS keys in a [custom key store][3]. To enable or disable automatic
-    #   rotation of a set of related [multi-Region keys][4], set the property
-    #   on the primary key.
+    #   Identifies a symmetric encryption KMS key. You cannot enable or
+    #   disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
+    #   keys][2], KMS keys with [imported key material][3], or KMS keys in a
+    #   [custom key store][4]. The key rotation status of these KMS keys is
+    #   always `false`. To enable or disable automatic rotation of a set of
+    #   related [multi-Region keys][5], set the property on the primary key.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -2878,10 +3167,11 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -2909,41 +3199,27 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Encrypts plaintext into ciphertext by using a KMS key. The `Encrypt`
-    # operation has two primary use cases:
-    #
-    # * You can encrypt small amounts of arbitrary data, such as a personal
-    #   identifier or database password, or other sensitive information.
-    #
-    # * You can use the `Encrypt` operation to move encrypted data from one
-    #   Amazon Web Services Region to another. For example, in Region A,
-    #   generate a data key and use the plaintext key to encrypt your data.
-    #   Then, in Region A, use the `Encrypt` operation to encrypt the
-    #   plaintext data key under a KMS key in Region B. Now, you can move
-    #   the encrypted data and the encrypted data key to Region B. When
-    #   necessary, you can decrypt the encrypted data key and the encrypted
-    #   data entirely within in Region B.
-    #
-    # You don't need to use the `Encrypt` operation to encrypt a data key.
-    # The GenerateDataKey and GenerateDataKeyPair operations return a
-    # plaintext data key and an encrypted copy of that data key.
-    #
-    # When you encrypt data, you must specify a symmetric or asymmetric KMS
-    # key to use in the encryption operation. The KMS key must have a
-    # `KeyUsage` value of `ENCRYPT_DECRYPT.` To find the `KeyUsage` of a KMS
-    # key, use the DescribeKey operation.
-    #
-    # If you use a symmetric KMS key, you can use an encryption context to
-    # add additional security to your encryption operation. If you specify
-    # an `EncryptionContext` when encrypting data, you must specify the same
-    # encryption context (a case-sensitive exact match) when decrypting the
-    # data. Otherwise, the request to decrypt fails with an
-    # `InvalidCiphertextException`. For more information, see [Encryption
+    # Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a
+    # symmetric or asymmetric KMS key with a `KeyUsage` of
+    # `ENCRYPT_DECRYPT`.
+    #
+    # You can use this operation to encrypt small amounts of arbitrary data,
+    # such as a personal identifier or database password, or other sensitive
+    # information. You don't need to use the `Encrypt` operation to encrypt
+    # a data key. The GenerateDataKey and GenerateDataKeyPair operations
+    # return a plaintext data key and an encrypted copy of that data key.
+    #
+    # If you use a symmetric encryption KMS key, you can use an encryption
+    # context to add additional security to your encryption operation. If
+    # you specify an `EncryptionContext` when encrypting data, you must
+    # specify the same encryption context (a case-sensitive exact match)
+    # when decrypting the data. Otherwise, the request to decrypt fails with
+    # an `InvalidCiphertextException`. For more information, see [Encryption
     # Context][1] in the *Key Management Service Developer Guide*.
     #
     # If you specify an asymmetric KMS key, you must also specify the
     # encryption algorithm. The algorithm must be compatible with the KMS
-    # key type.
+    # key spec.
     #
     # When you use an asymmetric KMS key to encrypt or reencrypt data, be
     # sure to record the KMS key and encryption algorithm that you choose.
@@ -2953,15 +3229,15 @@ module Aws::KMS
     # fails.
     #
     #  You are not required to supply the key ID and encryption algorithm
-    # when you decrypt with symmetric KMS keys because KMS stores this
-    # information in the ciphertext blob. KMS cannot store metadata in
+    # when you decrypt with symmetric encryption KMS keys because KMS stores
+    # this information in the ciphertext blob. KMS cannot store metadata in
     # ciphertext generated with asymmetric keys. The standard format for
     # asymmetric key ciphertext does not include configurable fields.
     #
     # The maximum size of the data that you can encrypt varies with the type
     # of KMS key and the encryption algorithm that you choose.
     #
-    # * Symmetric KMS keys
+    # * Symmetric encryption KMS keys
     #
     #   * `SYMMETRIC_DEFAULT`\: 4096 bytes
     #
@@ -2985,9 +3261,11 @@ module Aws::KMS
     #
     #   * `RSAES_OAEP_SHA_256`\: 446 bytes
     #
+    # * `SM2PKE`\: 1024 bytes (China Regions only)
+    #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3010,7 +3288,9 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies the KMS key to use in the encryption operation.
+    #   Identifies the KMS key to use in the encryption operation. The KMS key
+    #   must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the `KeyUsage` of
+    #   a KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3037,18 +3317,19 @@ module Aws::KMS
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used to encrypt the
     #   data. An encryption context is valid only for [cryptographic
-    #   operations][1] with a symmetric KMS key. The standard asymmetric
-    #   encryption algorithms that KMS uses do not support an encryption
-    #   context.
+    #   operations][1] with a symmetric encryption KMS key. The standard
+    #   asymmetric encryption algorithms and HMAC algorithms that KMS uses do
+    #   not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][2] in the *Key
+    #   For more information, see [Encryption context][2] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3075,9 +3356,9 @@ module Aws::KMS
     #   that you specify.
     #
     #   This parameter is required only for asymmetric KMS keys. The default
-    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
-    #   keys. If you are using an asymmetric KMS key, we recommend
-    #   RSAES\_OAEP\_SHA\_256.
+    #   value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
+    #   encryption KMS keys. If you are using an asymmetric KMS key, we
+    #   recommend RSAES\_OAEP\_SHA\_256.
     #
     # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -3110,14 +3391,14 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     grant_tokens: ["GrantTokenType"],
-    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #   })
     #
     # @example Response structure
     #
     #   resp.ciphertext_blob #=> String
     #   resp.key_id #=> String
-    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt AWS API Documentation
     #
@@ -3128,22 +3409,27 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique symmetric data key for client-side encryption. This
+    # Returns a unique symmetric data key for use outside of KMS. This
     # operation returns a plaintext copy of the data key and a copy that is
-    # encrypted under a KMS key that you specify. You can use the plaintext
-    # key to encrypt your data outside of KMS and store the encrypted data
-    # key with the encrypted data.
+    # encrypted under a symmetric encryption KMS key that you specify. The
+    # bytes in the plaintext key are random; they are not related to the
+    # caller or the KMS key. You can use the plaintext key to encrypt your
+    # data outside of KMS and store the encrypted data key with the
+    # encrypted data.
+    #
+    # To generate a data key, specify the symmetric encryption KMS key that
+    # will be used to encrypt the data key. You cannot use an asymmetric KMS
+    # key to encrypt data keys. To get the type of your KMS key, use the
+    # DescribeKey operation.
     #
-    # `GenerateDataKey` returns a unique data key for each request. The
-    # bytes in the plaintext key are not related to the caller or the KMS
-    # key.
+    # You must also specify the length of the data key. Use either the
+    # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
+    # and 256-bit data keys, use the `KeySpec` parameter.
     #
-    # To generate a data key, specify the symmetric KMS key that will be
-    # used to encrypt the data key. You cannot use an asymmetric KMS key to
-    # generate data keys. To get the type of your KMS key, use the
-    # DescribeKey operation. You must also specify the length of the data
-    # key. Use either the `KeySpec` or `NumberOfBytes` parameters (but not
-    # both). For 128-bit and 256-bit data keys, use the `KeySpec` parameter.
+    # To generate an SM4 data key (China Regions only), specify a `KeySpec`
+    # value of `AES_128` or `NumberOfBytes` value of `128`. The symmetric
+    # encryption key used in China Regions to encrypt your data key is an
+    # SM4 encryption key.
     #
     # To get only an encrypted copy of the data key, use
     # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
@@ -3151,7 +3437,7 @@ module Aws::KMS
     # GenerateDataKeyPairWithoutPlaintext operation. To get a
     # cryptographically secure random byte string, use GenerateRandom.
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3166,8 +3452,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **How to use your data key**
     #
@@ -3226,7 +3512,10 @@ module Aws::KMS
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   Identifies the symmetric KMS key that encrypts the data key.
+    #   Specifies the symmetric encryption KMS key that encrypts the data key.
+    #   You cannot specify an asymmetric KMS key or a KMS key in a custom key
+    #   store. To get the type and origin of your KMS key, use the DescribeKey
+    #   operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3252,13 +3541,14 @@ module Aws::KMS
     #   data key.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3346,11 +3636,13 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique asymmetric data key pair. The `GenerateDataKeyPair`
+    # Returns a unique asymmetric data key pair for use outside of KMS. This
     # operation returns a plaintext public key, a plaintext private key, and
-    # a copy of the private key that is encrypted under the symmetric KMS
-    # key you specify. You can use the data key pair to perform asymmetric
-    # cryptography and implement digital signatures outside of KMS.
+    # a copy of the private key that is encrypted under the symmetric
+    # encryption KMS key you specify. You can use the data key pair to
+    # perform asymmetric cryptography and implement digital signatures
+    # outside of KMS. The bytes in the keys are random; they not related to
+    # the caller or to the KMS key that is used to encrypt the private key.
     #
     # You can use the public key that `GenerateDataKeyPair` returns to
     # encrypt data or verify a signature outside of KMS. Then, store the
@@ -3358,16 +3650,17 @@ module Aws::KMS
     # data or sign a message, you can use the Decrypt operation to decrypt
     # the encrypted private key.
     #
-    # To generate a data key pair, you must specify a symmetric KMS key to
-    # encrypt the private key in a data key pair. You cannot use an
-    # asymmetric KMS key or a KMS key in a custom key store. To get the type
-    # and origin of your KMS key, use the DescribeKey operation.
+    # To generate a data key pair, you must specify a symmetric encryption
+    # KMS key to encrypt the private key in a data key pair. You cannot use
+    # an asymmetric KMS key or a KMS key in a custom key store. To get the
+    # type and origin of your KMS key, use the DescribeKey operation.
     #
     # Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
-    # (ECC) data key pair. KMS recommends that your use ECC key pairs for
-    # signing, and use RSA key pairs for either encryption or signing, but
-    # not both. However, KMS cannot enforce any restrictions on the use of
-    # data key pairs outside of KMS.
+    # (ECC) data key pair. In China Regions, you can also choose an SM2 data
+    # key pair. KMS recommends that you use ECC key pairs for signing, and
+    # use RSA and SM2 key pairs for either encryption or signing, but not
+    # both. However, KMS cannot enforce any restrictions on the use of data
+    # key pairs outside of KMS.
     #
     # If you are using the data key pair to encrypt data, or for any
     # operation where you don't immediately need a private key, consider
@@ -3379,13 +3672,13 @@ module Aws::KMS
     # to decrypt the encrypted private key in the data key pair.
     #
     # `GenerateDataKeyPair` returns a unique data key pair for each request.
-    # The bytes in the keys are not related to the caller or the KMS key
-    # that is used to encrypt the private key. The public key is a
-    # DER-encoded X.509 SubjectPublicKeyInfo, as specified in [RFC 5280][1].
-    # The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in
-    # [RFC 5958][2].
+    # The bytes in the keys are random; they are not related to the caller
+    # or the KMS key that is used to encrypt the private key. The public key
+    # is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in [RFC
+    # 5280][1]. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as
+    # specified in [RFC 5958][2].
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3394,8 +3687,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3428,13 +3721,14 @@ module Aws::KMS
     #   private key in the data key pair.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3442,10 +3736,10 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [required, String] :key_id
-    #   Specifies the symmetric KMS key that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric KMS key or a KMS key
-    #   in a custom key store. To get the type and origin of your KMS key, use
-    #   the DescribeKey operation.
+    #   Specifies the symmetric encryption KMS key that encrypts the private
+    #   key in the data key pair. You cannot specify an asymmetric KMS key or
+    #   a KMS key in a custom key store. To get the type and origin of your
+    #   KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3469,10 +3763,12 @@ module Aws::KMS
     # @option params [required, String] :key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
-    #   encrypt and decrypt or to sign and verify (but not both), and the rule
-    #   that permits you to use ECC KMS keys only to sign and verify, are not
-    #   effective on data key pairs, which are used outside of KMS.
+    #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
+    #   to encrypt and decrypt or to sign and verify (but not both), and the
+    #   rule that permits you to use ECC KMS keys only to sign and verify, are
+    #   not effective on data key pairs, which are used outside of KMS. The
+    #   SM2 key spec is only available in China Regions. RSA and ECC
+    #   asymmetric key pairs are also available in China Regions.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -3499,16 +3795,16 @@ module Aws::KMS
     # @example Example: To generate an RSA key pair for encryption and decryption
     #
     #   # This example generates an RSA data key pair for encryption and decryption. The operation returns a plaintext public key
-    #   # and private key, and a copy of the private key that is encrypted under a symmetric KMS key that you specify.
+    #   # and private key, and a copy of the private key that is encrypted under a symmetric encryption KMS key that you specify.
     #
     #   resp = client.generate_data_key_pair({
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric KMS key that encrypts the private RSA key in the data key pair.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
     #     key_pair_spec: "RSA_3072", # The requested key spec of the RSA data key pair.
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric KMS key that was used to encrypt the private key.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that was used to encrypt the private key.
     #     key_pair_spec: "RSA_3072", # The actual key spec of the RSA data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The encrypted private key of the RSA data key pair.
     #     private_key_plaintext: "<binary data>", # The plaintext private key of the RSA data key pair.
@@ -3522,7 +3818,7 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     key_id: "KeyIdType", # required
-    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
+    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -3532,7 +3828,7 @@ module Aws::KMS
     #   resp.private_key_plaintext #=> String
     #   resp.public_key #=> String
     #   resp.key_id #=> String
-    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
+    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
     #
@@ -3543,11 +3839,12 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique asymmetric data key pair. The
-    # `GenerateDataKeyPairWithoutPlaintext` operation returns a plaintext
-    # public key and a copy of the private key that is encrypted under the
-    # symmetric KMS key you specify. Unlike GenerateDataKeyPair, this
-    # operation does not return a plaintext private key.
+    # Returns a unique asymmetric data key pair for use outside of KMS. This
+    # operation returns a plaintext public key and a copy of the private key
+    # that is encrypted under the symmetric encryption KMS key you specify.
+    # Unlike GenerateDataKeyPair, this operation does not return a plaintext
+    # private key. The bytes in the keys are random; they are not related to
+    # the caller or to the KMS key that is used to encrypt the private key.
     #
     # You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
     # returns to encrypt data or verify a signature outside of KMS. Then,
@@ -3555,16 +3852,17 @@ module Aws::KMS
     # decrypt data or sign a message, you can use the Decrypt operation to
     # decrypt the encrypted private key.
     #
-    # To generate a data key pair, you must specify a symmetric KMS key to
-    # encrypt the private key in a data key pair. You cannot use an
-    # asymmetric KMS key or a KMS key in a custom key store. To get the type
-    # and origin of your KMS key, use the DescribeKey operation.
+    # To generate a data key pair, you must specify a symmetric encryption
+    # KMS key to encrypt the private key in a data key pair. You cannot use
+    # an asymmetric KMS key or a KMS key in a custom key store. To get the
+    # type and origin of your KMS key, use the DescribeKey operation.
     #
     # Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
-    # (ECC) data key pair. KMS recommends that your use ECC key pairs for
-    # signing, and use RSA key pairs for either encryption or signing, but
-    # not both. However, KMS cannot enforce any restrictions on the use of
-    # data key pairs outside of KMS.
+    # (ECC) data key pair. In China Regions, you can also choose an SM2 data
+    # key pair. KMS recommends that you use ECC key pairs for signing, and
+    # use RSA and SM2 key pairs for either encryption or signing, but not
+    # both. However, KMS cannot enforce any restrictions on the use of data
+    # key pairs outside of KMS.
     #
     # `GenerateDataKeyPairWithoutPlaintext` returns a unique data key pair
     # for each request. The bytes in the key are not related to the caller
@@ -3572,7 +3870,7 @@ module Aws::KMS
     # a DER-encoded X.509 SubjectPublicKeyInfo, as specified in [RFC
     # 5280][1].
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3581,8 +3879,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][3] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3615,13 +3913,14 @@ module Aws::KMS
     #   private key in the data key pair.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3629,10 +3928,10 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [required, String] :key_id
-    #   Specifies the KMS key that encrypts the private key in the data key
-    #   pair. You must specify a symmetric KMS key. You cannot use an
-    #   asymmetric KMS key or a KMS key in a custom key store. To get the type
-    #   and origin of your KMS key, use the DescribeKey operation.
+    #   Specifies the symmetric encryption KMS key that encrypts the private
+    #   key in the data key pair. You cannot specify an asymmetric KMS key or
+    #   a KMS key in a custom key store. To get the type and origin of your
+    #   KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3656,10 +3955,12 @@ module Aws::KMS
     # @option params [required, String] :key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
-    #   encrypt and decrypt or to sign and verify (but not both), and the rule
-    #   that permits you to use ECC KMS keys only to sign and verify, are not
-    #   effective on data key pairs, which are used outside of KMS.
+    #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
+    #   to encrypt and decrypt or to sign and verify (but not both), and the
+    #   rule that permits you to use ECC KMS keys only to sign and verify, are
+    #   not effective on data key pairs, which are used outside of KMS. The
+    #   SM2 key spec is only available in China Regions. RSA and ECC
+    #   asymmetric key pairs are also available in China Regions.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -3685,16 +3986,16 @@ module Aws::KMS
     # @example Example: To generate an asymmetric data key pair without a plaintext key
     #
     #   # This example returns an asymmetric elliptic curve (ECC) data key pair. The private key is encrypted under the symmetric
-    #   # KMS key that you specify. This operation doesn't return a plaintext (unencrypted) private key.
+    #   # encryption KMS key that you specify. This operation doesn't return a plaintext (unencrypted) private key.
     #
     #   resp = client.generate_data_key_pair_without_plaintext({
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The symmetric KMS key that encrypts the private key of the ECC data key pair.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The symmetric encryption KMS key that encrypts the private key of the ECC data key pair.
     #     key_pair_spec: "ECC_NIST_P521", # The requested key spec of the ECC asymmetric data key pair.
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric KMS key that encrypted the private key in the ECC asymmetric data key pair.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that encrypted the private key in the ECC asymmetric data key pair.
     #     key_pair_spec: "ECC_NIST_P521", # The actual key spec of the ECC asymmetric data key pair.
     #     private_key_ciphertext_blob: "<binary data>", # The encrypted private key of the asymmetric ECC data key pair.
     #     public_key: "<binary data>", # The public key (plaintext).
@@ -3707,7 +4008,7 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     key_id: "KeyIdType", # required
-    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
+    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -3716,7 +4017,7 @@ module Aws::KMS
     #   resp.private_key_ciphertext_blob #=> String
     #   resp.public_key #=> String
     #   resp.key_id #=> String
-    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
+    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext AWS API Documentation
     #
@@ -3727,13 +4028,15 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique symmetric data key. This operation returns a data
-    # key that is encrypted under a KMS key that you specify. To request an
-    # asymmetric data key pair, use the GenerateDataKeyPair or
-    # GenerateDataKeyPairWithoutPlaintext operations.
+    # Returns a unique symmetric data key for use outside of KMS. This
+    # operation returns a data key that is encrypted under a symmetric
+    # encryption KMS key that you specify. The bytes in the key are random;
+    # they are not related to the caller or to the KMS key.
     #
     # `GenerateDataKeyWithoutPlaintext` is identical to the GenerateDataKey
-    # operation except that returns only the encrypted copy of the data key.
+    # operation except that it does not return a plaintext copy of the data
+    # key.
+    #
     # This operation is useful for systems that need to encrypt data at some
     # point, but not immediately. When you need to encrypt the data, you
     # call the Decrypt operation on the encrypted copy of the key.
@@ -3748,19 +4051,18 @@ module Aws::KMS
     # data key. In this system, the component that creates the containers
     # never sees the plaintext data key.
     #
-    # `GenerateDataKeyWithoutPlaintext` returns a unique data key for each
-    # request. The bytes in the keys are not related to the caller or KMS
-    # key that is used to encrypt the private key.
+    # To request an asymmetric data key pair, use the GenerateDataKeyPair or
+    # GenerateDataKeyPairWithoutPlaintext operations.
     #
-    # To generate a data key, you must specify the symmetric KMS key that is
-    # used to encrypt the data key. You cannot use an asymmetric KMS key to
-    # generate a data key. To get the type of your KMS key, use the
-    # DescribeKey operation.
+    # To generate a data key, you must specify the symmetric encryption KMS
+    # key that is used to encrypt the data key. You cannot use an asymmetric
+    # KMS key or a key in a custom key store to generate a data key. To get
+    # the type of your KMS key, use the DescribeKey operation.
     #
     # If the operation succeeds, you will find the encrypted copy of the
     # data key in the `CiphertextBlob` field.
     #
-    # You can use the optional encryption context to add additional security
+    # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
@@ -3769,8 +4071,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -3798,7 +4100,10 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric KMS key that encrypts the data key.
+    #   Specifies the symmetric encryption KMS key that encrypts the data key.
+    #   You cannot specify an asymmetric KMS key or a KMS key in a custom key
+    #   store. To get the type and origin of your KMS key, use the DescribeKey
+    #   operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -3824,13 +4129,14 @@ module Aws::KMS
     #   data key.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -3908,8 +4214,140 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Generates a hash-based message authentication code (HMAC) for a
+    # message using an HMAC KMS key and a MAC algorithm that the key
+    # supports. The MAC algorithm computes the HMAC for the message and the
+    # key as described in [RFC 2104][1].
+    #
+    # You can use the HMAC that this operation generates with the VerifyMac
+    # operation to demonstrate that the original message has not changed.
+    # Also, because a secret key is used to create the hash, you can verify
+    # that the party that generated the hash has the required secret key.
+    # This operation is part of KMS support for HMAC KMS keys. For details,
+    # see [HMAC keys in KMS][2] in the <i> <i>Key Management Service
+    # Developer Guide</i> </i>.
+    #
+    # <note markdown="1"> Best practices recommend that you limit the time during which any
+    # signing mechanism, including an HMAC, is effective. This deters an
+    # attack where the actor uses a signed message to establish validity
+    # repeatedly or long after the message is superseded. HMAC tags do not
+    # include a timestamp, but you can include a timestamp in the token or
+    # message to help you detect when its time to refresh the HMAC.
+    #
+    #  </note>
+    #
+    # The KMS key that you use for this operation must be in a compatible
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # in a different Amazon Web Services account, specify the key ARN or
+    # alias ARN in the value of the `KeyId` parameter.
+    #
+    # **Required permissions**\: [kms:GenerateMac][4] (key policy)
+    #
+    # **Related operations**\: VerifyMac
+    #
+    #
+    #
+    # [1]: https://datatracker.ietf.org/doc/html/rfc2104
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #
+    # @option params [required, String, StringIO, File] :message
+    #   The message to be hashed. Specify a message of up to 4,096 bytes.
+    #
+    #   `GenerateMac` and VerifyMac do not provide special handling for
+    #   message digests. If you generate an HMAC for a hash digest of a
+    #   message, you must verify the HMAC of the same hash digest.
+    #
+    # @option params [required, String] :key_id
+    #   The HMAC KMS key to use in the operation. The MAC algorithm computes
+    #   the HMAC for the message and the key as described in [RFC 2104][1].
+    #
+    #   To identify an HMAC KMS key, use the DescribeKey operation and see the
+    #   `KeySpec` field in the response.
+    #
+    #
+    #
+    #   [1]: https://datatracker.ietf.org/doc/html/rfc2104
+    #
+    # @option params [required, String] :mac_algorithm
+    #   The MAC algorithm used in the operation.
+    #
+    #   The algorithm must be compatible with the HMAC KMS key that you
+    #   specify. To find the MAC algorithms that your HMAC KMS key supports,
+    #   use the DescribeKey operation and see the `MacAlgorithms` field in the
+    #   `DescribeKey` response.
+    #
+    # @option params [Array<String>] :grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*. For
+    #   more information, see [Grant token][1] and [Using a grant token][2] in
+    #   the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #
+    # @return [Types::GenerateMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GenerateMacResponse#mac #mac} => String
+    #   * {Types::GenerateMacResponse#mac_algorithm #mac_algorithm} => String
+    #   * {Types::GenerateMacResponse#key_id #key_id} => String
+    #
+    #
+    # @example Example: To generate an HMAC for a message
+    #
+    #   # This example generates an HMAC for a message, an HMAC KMS key, and a MAC algorithm. The algorithm must be supported by
+    #   # the specified HMAC KMS key.
+    #
+    #   resp = client.generate_mac({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The HMAC KMS key input to the HMAC algorithm.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm requested for the operation.
+    #     message: "Hello World", # The message input to the HMAC algorithm.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the HMAC KMS key used in the operation.
+    #     mac: "<HMAC_TAG>", # The HMAC tag that results from this operation.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm used in the operation.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.generate_mac({
+    #     message: "data", # required
+    #     key_id: "KeyIdType", # required
+    #     mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
+    #     grant_tokens: ["GrantTokenType"],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.mac #=> String
+    #   resp.mac_algorithm #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
+    #   resp.key_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac AWS API Documentation
+    #
+    # @overload generate_mac(params = {})
+    # @param [Hash] params ({})
+    def generate_mac(params = {}, options = {})
+      req = build_request(:generate_mac, params)
+      req.send_request(options)
+    end
+
     # Returns a random byte string that is cryptographically secure.
     #
+    # You must use the `NumberOfBytes` parameter to specify the length of
+    # the random byte string. There is no default value for string length.
+    #
     # By default, the random byte string is generated in KMS. To generate
     # the byte string in the CloudHSM cluster that is associated with a
     # [custom key store][1], specify the custom key store ID.
@@ -3923,6 +4361,9 @@ module Aws::KMS
     # For more information about entropy and random number generation, see
     # [Key Management Service Cryptographic Details][4].
     #
+    # **Cross-account use**\: Not applicable. `GenerateRandom` does not use
+    # any account-specific resources, such as KMS keys.
+    #
     # **Required permissions**\: [kms:GenerateRandom][5] (IAM policy)
     #
     #
@@ -3934,7 +4375,7 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [Integer] :number_of_bytes
-    #   The length of the byte string.
+    #   The length of the random byte string. This parameter is required.
     #
     # @option params [String] :custom_key_store_id
     #   Generates the random byte string in the CloudHSM cluster that is
@@ -4057,30 +4498,56 @@ module Aws::KMS
     # Gets a Boolean value that indicates whether [automatic rotation of the
     # key material][1] is enabled for the specified KMS key.
     #
-    # You cannot enable automatic rotation of [asymmetric KMS keys][2], KMS
-    # keys with [imported key material][3], or KMS keys in a [custom key
-    # store][4]. To enable or disable automatic rotation of a set of related
-    # [multi-Region keys][5], set the property on the primary key. The key
-    # rotation status for these KMS keys is always `false`.
+    # When you enable automatic rotation for [customer managed KMS keys][2],
+    # KMS rotates the key material of the KMS key one year (approximately
+    # 365 days) from the enable date and every year thereafter. You can
+    # monitor rotation of the key material for your KMS keys in CloudTrail
+    # and Amazon CloudWatch.
+    #
+    # Automatic key rotation is supported only on [symmetric encryption KMS
+    # keys][3]. You cannot enable or disable automatic rotation of
+    # [asymmetric KMS keys][4], [HMAC KMS keys][5], KMS keys with [imported
+    # key material][6], or KMS keys in a [custom key store][7]. The key
+    # rotation status of these KMS keys is always `false`. To enable or
+    # disable automatic rotation of a set of related [multi-Region keys][8],
+    # set the property on the primary key..
+    #
+    # You can enable (EnableKeyRotation) and disable automatic rotation
+    # (DisableKeyRotation) of the key material in customer managed KMS keys.
+    # Key material rotation of [Amazon Web Services managed KMS keys][9] is
+    # not configurable. KMS always rotates the key material in Amazon Web
+    # Services managed KMS keys every year. The key rotation status for
+    # Amazon Web Services managed KMS keys is always `true`.
+    #
+    # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
+    # managed keys from every three years to every year. For details, see
+    # EnableKeyRotation.
+    #
+    #  </note>
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][10] in the *Key
+    # Management Service Developer Guide*.
     #
     # * Disabled: The key rotation status does not change when you disable a
     #   KMS key. However, while the KMS key is disabled, KMS does not rotate
-    #   the key material.
+    #   the key material. When you re-enable the KMS key, rotation resumes.
+    #   If the key material in the re-enabled KMS key hasn't been rotated
+    #   in one year, KMS rotates it immediately, and every year thereafter.
+    #   If it's been less than a year since the key material in the
+    #   re-enabled KMS key was rotated, the KMS key resumes its prior
+    #   rotation schedule.
     #
     # * Pending deletion: While a KMS key is pending deletion, its key
     #   rotation status is `false` and KMS does not rotate the key material.
-    #   If you cancel the deletion, the original key rotation status is
-    #   restored.
+    #   If you cancel the deletion, the original key rotation status returns
+    #   to `true`.
     #
     # **Cross-account use**\: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
     # value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GetKeyRotationStatus][7] (key policy)
+    # **Required permissions**\: [kms:GetKeyRotationStatus][11] (key policy)
     #
     # **Related operations:**
     #
@@ -4091,12 +4558,16 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
     #   Gets the rotation status for the specified KMS key.
@@ -4151,21 +4622,22 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Returns the items you need to import key material into a symmetric,
-    # customer managed KMS key. For more information about importing key
-    # material into KMS, see [Importing Key Material][1] in the *Key
-    # Management Service Developer Guide*.
+    # Returns the items you need to import key material into a symmetric
+    # encryption KMS key. For more information about importing key material
+    # into KMS, see [Importing key material][1] in the *Key Management
+    # Service Developer Guide*.
     #
     # This operation returns a public key and an import token. Use the
     # public key to encrypt the symmetric key material. Store the import
     # token to send with a subsequent ImportKeyMaterial request.
     #
-    # You must specify the key ID of the symmetric KMS key into which you
-    # will import key material. This KMS key's `Origin` must be `EXTERNAL`.
-    # You must also specify the wrapping algorithm and type of wrapping key
-    # (public key) that you will use to encrypt the key material. You cannot
-    # perform this operation on an asymmetric KMS key or on any KMS key in a
-    # different Amazon Web Services account.
+    # You must specify the key ID of the symmetric encryption KMS key into
+    # which you will import key material. This KMS key's `Origin` must be
+    # `EXTERNAL`. You must also specify the wrapping algorithm and type of
+    # wrapping key (public key) that you will use to encrypt the key
+    # material. You cannot perform this operation on an asymmetric KMS key,
+    # an HMAC KMS key, or on any KMS key in a different Amazon Web Services
+    # account.
     #
     # To import key material, you must use the public key and import token
     # from the same response. These items are valid for 24 hours. The
@@ -4175,8 +4647,8 @@ module Aws::KMS
     # `GetParametersForImport` request.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -4197,8 +4669,8 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric KMS key into which you will import key
-    #   material. The `Origin` of the KMS key must be `EXTERNAL`.
+    #   The identifier of the symmetric encryption KMS key into which you will
+    #   import key material. The `Origin` of the KMS key must be `EXTERNAL`.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -4281,9 +4753,8 @@ module Aws::KMS
     # callers with `kms:GetPublicKey` permission can download the public key
     # of an asymmetric KMS key. You can share the public key to allow others
     # to encrypt messages and verify signatures outside of KMS. For
-    # information about symmetric and asymmetric KMS keys, see [Using
-    # Symmetric and Asymmetric KMS keys][1] in the *Key Management Service
-    # Developer Guide*.
+    # information about asymmetric KMS keys, see [Asymmetric KMS keys][1] in
+    # the *Key Management Service Developer Guide*.
     #
     # You do not need to download the public key. Instead, you can use the
     # public key within KMS by calling the Encrypt, ReEncrypt, or Verify
@@ -4291,8 +4762,12 @@ module Aws::KMS
     # the public key within KMS, you benefit from the authentication,
     # authorization, and logging that are part of every KMS operation. You
     # also reduce of risk of encrypting data that cannot be decrypted. These
-    # features are not effective outside of KMS. For details, see [Special
-    # Considerations for Downloading Public Keys][2].
+    # features are not effective outside of KMS.
+    #
+    # To verify a signature outside of KMS with an SM2 public key (China
+    # Regions only), you must specify the distinguishing ID. By default, KMS
+    # uses `1234567812345678` as the distinguishing ID. For more
+    # information, see [Offline verification with SM2 key pairs][2].
     #
     # To help you use the public key safely outside of KMS, `GetPublicKey`
     # returns important information about the public key in the response,
@@ -4315,8 +4790,8 @@ module Aws::KMS
     # in a verification operation.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][7] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][7] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -4329,7 +4804,7 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec
     # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
     # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
@@ -4416,13 +4891,13 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.public_key #=> String
-    #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.encryption_algorithms #=> Array
-    #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.signing_algorithms #=> Array
-    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
     #
@@ -4433,16 +4908,17 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Imports key material into an existing symmetric KMS KMS key that was
-    # created without key material. After you successfully import key
-    # material into a KMS key, you can [reimport the same key material][1]
-    # into that KMS key, but you cannot import different key material.
-    #
-    # You cannot perform this operation on an asymmetric KMS key or on any
-    # KMS key in a different Amazon Web Services account. For more
-    # information about creating KMS keys with no key material and then
-    # importing key material, see [Importing Key Material][2] in the *Key
-    # Management Service Developer Guide*.
+    # Imports key material into an existing symmetric encryption KMS key
+    # that was created without key material. After you successfully import
+    # key material into a KMS key, you can [reimport the same key
+    # material][1] into that KMS key, but you cannot import different key
+    # material.
+    #
+    # You cannot perform this operation on an asymmetric KMS key, an HMAC
+    # KMS key, or on any KMS key in a different Amazon Web Services account.
+    # For more information about creating KMS keys with no key material and
+    # then importing key material, see [Importing Key Material][2] in the
+    # *Key Management Service Developer Guide*.
     #
     # Before using this operation, call GetParametersForImport. Its response
     # includes a public key and an import token. Use the public key to
@@ -4484,8 +4960,8 @@ module Aws::KMS
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][4] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -4507,10 +4983,13 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric KMS key that receives the imported key
-    #   material. The KMS key's `Origin` must be `EXTERNAL`. This must be the
-    #   same KMS key specified in the `KeyID` parameter of the corresponding
-    #   GetParametersForImport request.
+    #   The identifier of the symmetric encryption KMS key that receives the
+    #   imported key material. This must be the same KMS key specified in the
+    #   `KeyID` parameter of the corresponding GetParametersForImport request.
+    #   The `Origin` of the KMS key must be `EXTERNAL`. You cannot perform
+    #   this operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in
+    #   a custom key store, or on a KMS key in a different Amazon Web Services
+    #   account
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -4752,7 +5231,7 @@ module Aws::KMS
     # list by grant ID or grantee principal.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][1] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
@@ -4922,7 +5401,7 @@ module Aws::KMS
     #   resp.grants[0].retiring_principal #=> String
     #   resp.grants[0].issuing_account #=> String
     #   resp.grants[0].operations #=> Array
-    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
+    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
     #   resp.grants[0].constraints.encryption_context_subset #=> Hash
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -5215,6 +5694,8 @@ module Aws::KMS
     #   * {Types::ListResourceTagsResponse#next_marker #next_marker} => String
     #   * {Types::ListResourceTagsResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list tags for a KMS key
     #
@@ -5278,7 +5759,7 @@ module Aws::KMS
     # a grant, use the RetireGrant operation.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][1] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
@@ -5343,6 +5824,8 @@ module Aws::KMS
     #   * {Types::ListGrantsResponse#next_marker #next_marker} => String
     #   * {Types::ListGrantsResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list grants that the specified principal can retire
     #
@@ -5390,7 +5873,7 @@ module Aws::KMS
     #   resp.grants[0].retiring_principal #=> String
     #   resp.grants[0].issuing_account #=> String
     #   resp.grants[0].operations #=> Array
-    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
+    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
     #   resp.grants[0].constraints.encryption_context_subset #=> Hash
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -5471,15 +5954,29 @@ module Aws::KMS
     #     visible][2] in the *Amazon Web Services Identity and Access
     #     Management User Guide*.
     #
-    #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
-    #   information, see [Resource Quotas][3] in the *Key Management Service
-    #   Developer Guide*.
+    #   A key policy document can include only the following characters:
+    #
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
+    #
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
+    #
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
+    #
+    #   For information about key policies, see [Key policies in KMS][3] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][4] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -5540,7 +6037,7 @@ module Aws::KMS
     # [encryption context][2] of a ciphertext.
     #
     # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
-    # using an KMS KMS key in an KMS operation, such as Encrypt or
+    # using a KMS key in an KMS operation, such as Encrypt or
     # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
     # using the public key of an [asymmetric KMS key][3] outside of KMS.
     # However, it cannot decrypt ciphertext produced by other libraries,
@@ -5558,25 +6055,24 @@ module Aws::KMS
     #   algorithm that was used. This information is required to decrypt the
     #   data.
     #
-    # * If your ciphertext was encrypted under a symmetric KMS key, the
-    #   `SourceKeyId` parameter is optional. KMS can get this information
-    #   from metadata that it adds to the symmetric ciphertext blob. This
-    #   feature adds durability to your implementation by ensuring that
-    #   authorized users can decrypt ciphertext decades after it was
-    #   encrypted, even if they've lost track of the key ID. However,
-    #   specifying the source KMS key is always recommended as a best
-    #   practice. When you use the `SourceKeyId` parameter to specify a KMS
-    #   key, KMS uses only the KMS key you specify. If the ciphertext was
-    #   encrypted under a different KMS key, the `ReEncrypt` operation
+    # * If your ciphertext was encrypted under a symmetric encryption KMS
+    #   key, the `SourceKeyId` parameter is optional. KMS can get this
+    #   information from metadata that it adds to the symmetric ciphertext
+    #   blob. This feature adds durability to your implementation by
+    #   ensuring that authorized users can decrypt ciphertext decades after
+    #   it was encrypted, even if they've lost track of the key ID.
+    #   However, specifying the source KMS key is always recommended as a
+    #   best practice. When you use the `SourceKeyId` parameter to specify a
+    #   KMS key, KMS uses only the KMS key you specify. If the ciphertext
+    #   was encrypted under a different KMS key, the `ReEncrypt` operation
     #   fails. This practice ensures that you use the KMS key that you
     #   intend.
     #
     # * To reencrypt the data, you must use the `DestinationKeyId` parameter
     #   specify the KMS key that re-encrypts the data after it is decrypted.
-    #   You can select a symmetric or asymmetric KMS key. If the destination
-    #   KMS key is an asymmetric KMS key, you must also provide the
-    #   encryption algorithm. The algorithm that you choose must be
-    #   compatible with the KMS key.
+    #   If the destination KMS key is an asymmetric KMS key, you must also
+    #   provide the encryption algorithm. The algorithm that you choose must
+    #   be compatible with the KMS key.
     #
     #   When you use an asymmetric KMS key to encrypt or reencrypt data, be
     #   sure to record the KMS key and encryption algorithm that you choose.
@@ -5586,14 +6082,15 @@ module Aws::KMS
     #   fails.
     #
     #    You are not required to supply the key ID and encryption algorithm
-    #   when you decrypt with symmetric KMS keys because KMS stores this
-    #   information in the ciphertext blob. KMS cannot store metadata in
-    #   ciphertext generated with asymmetric keys. The standard format for
-    #   asymmetric key ciphertext does not include configurable fields.
+    #   when you decrypt with symmetric encryption KMS keys because KMS
+    #   stores this information in the ciphertext blob. KMS cannot store
+    #   metadata in ciphertext generated with asymmetric keys. The standard
+    #   format for asymmetric key ciphertext does not include configurable
+    #   fields.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][6] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][6] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. The source KMS key and destination KMS
     # key can be in different Amazon Web Services accounts. Either or both
@@ -5644,13 +6141,14 @@ module Aws::KMS
     #   ciphertext.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -5659,14 +6157,18 @@ module Aws::KMS
     #
     # @option params [String] :source_key_id
     #   Specifies the KMS key that KMS will use to decrypt the ciphertext
-    #   before it is re-encrypted. Enter a key ID of the KMS key that was used
-    #   to encrypt the ciphertext.
+    #   before it is re-encrypted.
+    #
+    #   Enter a key ID of the KMS key that was used to encrypt the ciphertext.
+    #   If you identify a different KMS key, the `ReEncrypt` operation throws
+    #   an `IncorrectKeyException`.
     #
     #   This parameter is required only when the ciphertext was encrypted
-    #   under an asymmetric KMS key. If you used a symmetric KMS key, KMS can
-    #   get the KMS key from metadata that it adds to the symmetric ciphertext
-    #   blob. However, it is always recommended as a best practice. This
-    #   practice ensures that you use the KMS key that you intend.
+    #   under an asymmetric KMS key. If you used a symmetric encryption KMS
+    #   key, KMS can get the KMS key from metadata that it adds to the
+    #   symmetric ciphertext blob. However, it is always recommended as a best
+    #   practice. This practice ensures that you use the KMS key that you
+    #   intend.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -5689,9 +6191,9 @@ module Aws::KMS
     #
     # @option params [required, String] :destination_key_id
     #   A unique identifier for the KMS key that is used to reencrypt the
-    #   data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
-    #   value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS key,
-    #   use the DescribeKey operation.
+    #   data. Specify a symmetric encryption KMS key or an asymmetric KMS key
+    #   with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the `KeyUsage`
+    #   value of a KMS key, use the DescribeKey operation.
     #
     #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
     #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
@@ -5717,17 +6219,18 @@ module Aws::KMS
     #   data.
     #
     #   A destination encryption context is valid only when the destination
-    #   KMS key is a symmetric KMS key. The standard ciphertext format for
-    #   asymmetric KMS keys does not include fields for metadata.
+    #   KMS key is a symmetric encryption KMS key. The standard ciphertext
+    #   format for asymmetric KMS keys does not include fields for metadata.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
-    #   that represents additional authenticated data. When you use an
+    #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
     #   exact case-sensitive match) encryption context to decrypt the data. An
-    #   encryption context is optional when encrypting with a symmetric KMS
-    #   key, but it is highly recommended.
+    #   encryption context is supported only on operations with symmetric
+    #   encryption KMS keys. On operations with symmetric encryption KMS keys,
+    #   an encryption context is optional, but it is strongly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *Key
+    #   For more information, see [Encryption context][1] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -5737,8 +6240,8 @@ module Aws::KMS
     # @option params [String] :source_encryption_algorithm
     #   Specifies the encryption algorithm that KMS will use to decrypt the
     #   ciphertext before it is reencrypted. The default value,
-    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
-    #   keys.
+    #   `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
+    #   encryption KMS keys.
     #
     #   Specify the same algorithm that was used to encrypt the ciphertext. If
     #   you specify a different algorithm, the decrypt attempt fails.
@@ -5750,7 +6253,7 @@ module Aws::KMS
     #   Specifies the encryption algorithm that KMS will use to reecrypt the
     #   data after it has decrypted it. The default value,
     #   `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
-    #   symmetric KMS keys.
+    #   symmetric encryption KMS keys.
     #
     #   This parameter is required only when the destination KMS key is an
     #   asymmetric KMS key.
@@ -5805,8 +6308,8 @@ module Aws::KMS
     #     destination_encryption_context: {
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
-    #     source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #     source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
+    #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -5815,8 +6318,8 @@ module Aws::KMS
     #   resp.ciphertext_blob #=> String
     #   resp.source_key_id #=> String
     #   resp.key_id #=> String
-    #   resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
-    #   resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
+    #   resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt AWS API Documentation
     #
@@ -5841,7 +6344,7 @@ module Aws::KMS
     # encrypt data in one Amazon Web Services Region and decrypt it in a
     # different Amazon Web Services Region without re-encrypting the data or
     # making a cross-Region call. For more information about multi-Region
-    # keys, see [Using multi-Region keys][1] in the *Key Management Service
+    # keys, see [Multi-Region keys in KMS][1] in the *Key Management Service
     # Developer Guide*.
     #
     # A *replica key* is a fully-functional KMS key that can be used
@@ -5852,8 +6355,8 @@ module Aws::KMS
     # [automatic key rotation status][6]. KMS automatically synchronizes
     # these shared properties among related multi-Region keys. All other
     # properties of a replica key can differ, including its [key policy][7],
-    # [tags][8], [aliases][9], and [key state][10]. KMS pricing and quotas
-    # for KMS keys apply to each primary key and replica key.
+    # [tags][8], [aliases][9], and [Key states of KMS keys][10]. KMS pricing
+    # and quotas for KMS keys apply to each primary key and replica key.
     #
     # When this operation completes, the new replica key has a transient key
     # state of `Creating`. This key state changes to `Enabled` (or
@@ -5863,9 +6366,17 @@ module Aws::KMS
     # If you are creating and using the replica key programmatically, retry
     # on `KMSInvalidStateException` or call `DescribeKey` to check its
     # `KeyState` value before using it. For details about the `Creating` key
-    # state, see [Key state: Effect on your KMS
-    # key](kms/latest/developerguide/key-state.html) in the *Key Management
-    # Service Developer Guide*.
+    # state, see [Key states of KMS keys][10] in the *Key Management Service
+    # Developer Guide*.
+    #
+    # You cannot create more than one replica of a primary key in any
+    # Region. If the Region already includes a replica of the key you're
+    # trying to replicate, `ReplicateKey` returns an
+    # `AlreadyExistsException` error. If the key state of the existing
+    # replica is `PendingDeletion`, you can cancel the scheduled key
+    # deletion (CancelKeyDeletion) or wait for the key to be deleted. The
+    # new replica key you create will have the same [shared properties][11]
+    # as the original replica key.
     #
     # The CloudTrail log of a `ReplicateKey` operation records a
     # `ReplicateKey` operation in the primary key's Region and a CreateKey
@@ -5918,6 +6429,7 @@ module Aws::KMS
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties
     #
     # @option params [required, String] :key_id
     #   Identifies the multi-Region primary key that is being replicated. To
@@ -5945,24 +6457,33 @@ module Aws::KMS
     #   [KMS service endpoints][1] in the *Amazon Web Services General
     #   Reference*.
     #
+    #   <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions. If
+    #   you try to replicate an HMAC KMS key in an Amazon Web Services Region
+    #   in which HMAC keys are not supported, the `ReplicateKey` operation
+    #   returns an `UnsupportedOperationException`. For a list of Regions in
+    #   which HMAC KMS keys are supported, see [HMAC keys in KMS][2] in the
+    #   *Key Management Service Developer Guide*.
+    #
+    #    </note>
+    #
     #   The replica must be in a different Amazon Web Services Region than its
     #   primary key and other replicas of that primary key, but in the same
     #   Amazon Web Services partition. KMS must be available in the replica
     #   Region. If the Region is not enabled by default, the Amazon Web
-    #   Services account must be enabled in the Region.
-    #
-    #   For information about Amazon Web Services partitions, see [Amazon
-    #   Resource Names (ARNs) in the *Amazon Web Services General
-    #   Reference*.][2] For information about enabling and disabling Regions,
-    #   see [Enabling a Region][3] and [Disabling a Region][4] in the *Amazon
-    #   Web Services General Reference*.
+    #   Services account must be enabled in the Region. For information about
+    #   Amazon Web Services partitions, see [Amazon Resource Names (ARNs)][3]
+    #   in the *Amazon Web Services General Reference*. For information about
+    #   enabling and disabling Regions, see [Enabling a Region][4] and
+    #   [Disabling a Region][5] in the *Amazon Web Services General
+    #   Reference*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
-    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
+    #   [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
     #
     # @option params [String] :policy
     #   The key policy to attach to the KMS key. This parameter is optional.
@@ -5993,13 +6514,30 @@ module Aws::KMS
     #     visible][3] in the <i> <i>Identity and Access Management User
     #     Guide</i> </i>.
     #
-    #   * The key policy size quota is 32 kilobytes (32768 bytes).
+    #   A key policy document can include only the following characters:
+    #
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
+    #
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
+    #
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
+    #
+    #   For information about key policies, see [Key policies in KMS][4] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][5] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -6036,8 +6574,8 @@ module Aws::KMS
     #   TagResource operation.
     #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    #   key. For details, see [Using ABAC in KMS][1] in the *Key Management
-    #   Service Developer Guide*.
+    #   key. For details, see [ABAC in KMS][1] in the *Key Management Service
+    #   Developer Guide*.
     #
     #    </note>
     #
@@ -6142,7 +6680,7 @@ module Aws::KMS
     #   resp.replica_key_metadata.creation_date #=> Time
     #   resp.replica_key_metadata.enabled #=> Boolean
     #   resp.replica_key_metadata.description #=> String
-    #   resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
+    #   resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.replica_key_metadata.deletion_date #=> Time
     #   resp.replica_key_metadata.valid_to #=> Time
@@ -6151,12 +6689,12 @@ module Aws::KMS
     #   resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
-    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
+    #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.replica_key_metadata.encryption_algorithms #=> Array
-    #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.replica_key_metadata.signing_algorithms #=> Array
-    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #   resp.replica_key_metadata.multi_region #=> Boolean
     #   resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -6165,6 +6703,8 @@ module Aws::KMS
     #   resp.replica_key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
     #   resp.replica_key_metadata.multi_region_configuration.replica_keys[0].region #=> String
     #   resp.replica_key_metadata.pending_deletion_window_in_days #=> Integer
+    #   resp.replica_key_metadata.mac_algorithms #=> Array
+    #   resp.replica_key_metadata.mac_algorithms[0] #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
     #   resp.replica_policy #=> String
     #   resp.replica_tags #=> Array
     #   resp.replica_tags[0].tag_key #=> String
@@ -6186,14 +6726,13 @@ module Aws::KMS
     #
     # This operation can be called by the *retiring principal* for a grant,
     # by the *grantee principal* if the grant allows the `RetireGrant`
-    # operation, and by the Amazon Web Services account (root user) in which
-    # the grant is created. It can also be called by principals to whom
-    # permission for retiring a grant is delegated. For details, see
-    # [Retiring and revoking grants][2] in the *Key Management Service
-    # Developer Guide*.
+    # operation, and by the Amazon Web Services account in which the grant
+    # is created. It can also be called by principals to whom permission for
+    # retiring a grant is delegated. For details, see [Retiring and revoking
+    # grants][2] in the *Key Management Service Developer Guide*.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][3] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][3] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][4].
     #
@@ -6291,7 +6830,7 @@ module Aws::KMS
     # Service Developer Guide</i> </i>.
     #
     # For detailed information about grants, including grant terminology,
-    # see [Using grants][3] in the <i> <i>Key Management Service Developer
+    # see [Grants in KMS][3] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][4].
     #
@@ -6408,8 +6947,8 @@ module Aws::KMS
     # Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][5] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6449,7 +6988,7 @@ module Aws::KMS
     #   The waiting period, specified in number of days. After the waiting
     #   period ends, KMS deletes the KMS key.
     #
-    #   If the KMS key is a multi-Region primary key with replicas, the
+    #   If the KMS key is a multi-Region primary key with replica keys, the
     #   waiting period begins when the last of its replica keys is deleted.
     #   Otherwise, the waiting period begins immediately.
     #
@@ -6503,11 +7042,11 @@ module Aws::KMS
     end
 
     # Creates a [digital signature][1] for a message or message digest by
-    # using the private key in an asymmetric KMS key. To verify the
+    # using the private key in an asymmetric signing KMS key. To verify the
     # signature, use the Verify operation, or use the public key in the same
-    # asymmetric KMS key outside of KMS. For information about symmetric and
-    # asymmetric KMS keys, see [Using Symmetric and Asymmetric KMS keys][2]
-    # in the *Key Management Service Developer Guide*.
+    # asymmetric KMS key outside of KMS. For information about asymmetric
+    # KMS keys, see [Asymmetric KMS keys][2] in the *Key Management Service
+    # Developer Guide*.
     #
     # Digital signatures are generated and verified by using asymmetric key
     # pair, such as an RSA or ECC pair that is represented by an asymmetric
@@ -6535,14 +7074,23 @@ module Aws::KMS
     # When signing a message, be sure to record the KMS key and the signing
     # algorithm. This information is required to verify the signature.
     #
+    # <note markdown="1"> Best practices recommend that you limit the time during which any
+    # signature is effective. This deters an attack where the actor uses a
+    # signed message to establish validity repeatedly or long after the
+    # message is superseded. Signatures do not include a timestamp, but you
+    # can include a timestamp in the signed message to help you detect when
+    # its time to refresh the signature.
+    #
+    #  </note>
+    #
     # To verify the signature that this operation generates, use the Verify
     # operation. Or use the GetPublicKey operation to download the public
     # key and then use the public key to verify the signature outside of
     # KMS.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][3] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
@@ -6648,14 +7196,14 @@ module Aws::KMS
     #     message: "data", # required
     #     message_type: "RAW", # accepts RAW, DIGEST
     #     grant_tokens: ["GrantTokenType"],
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
     #   })
     #
     # @example Response structure
     #
     #   resp.key_id #=> String
     #   resp.signature #=> String
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
     #
@@ -6669,8 +7217,8 @@ module Aws::KMS
     # Adds or edits tags on a [customer managed key][1].
     #
     # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    # key. For details, see [Using ABAC in KMS][2] in the *Key Management
-    # Service Developer Guide*.
+    # key. For details, see [ABAC in KMS][2] in the *Key Management Service
+    # Developer Guide*.
     #
     #  </note>
     #
@@ -6692,8 +7240,8 @@ module Aws::KMS
     # General Reference*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][9] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][9] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6790,8 +7338,8 @@ module Aws::KMS
     # specify the tag key and the KMS key.
     #
     # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
-    # key. For details, see [Using ABAC in KMS][2] in the *Key Management
-    # Service Developer Guide*.
+    # key. For details, see [ABAC in KMS][2] in the *Key Management Service
+    # Developer Guide*.
     #
     #  </note>
     #
@@ -6806,8 +7354,8 @@ module Aws::KMS
     # General Reference*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][5] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6888,8 +7436,8 @@ module Aws::KMS
     # Amazon Web Services account and Region.
     #
     # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
-    # the KMS key. For details, see [Using ABAC in KMS][1] in the *Key
-    # Management Service Developer Guide*.
+    # the KMS key. For details, see [ABAC in KMS][1] in the *Key Management
+    # Service Developer Guide*.
     #
     #  </note>
     #
@@ -6911,8 +7459,8 @@ module Aws::KMS
     # ListAliases operation.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -6946,7 +7494,7 @@ module Aws::KMS
     # @option params [required, String] :alias_name
     #   Identifies the alias that is changing its KMS key. This value must
     #   begin with `alias/` followed by the alias name, such as
-    #   `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
+    #   `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the alias
     #   name.
     #
     # @option params [required, String] :target_key_id
@@ -7045,7 +7593,7 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][3] feature in
+    # This operation is part of the [custom key store feature][3] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -7177,8 +7725,8 @@ module Aws::KMS
     # key, use DescribeKey.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][1] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][1] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
@@ -7260,7 +7808,7 @@ module Aws::KMS
     # encrypt data in one Amazon Web Services Region and decrypt it in a
     # different Amazon Web Services Region without re-encrypting the data or
     # making a cross-Region call. For more information about multi-Region
-    # keys, see [Using multi-Region keys][2] in the *Key Management Service
+    # keys, see [Multi-Region keys in KMS][2] in the *Key Management Service
     # Developer Guide*.
     #
     # The *primary key* of a multi-Region key is the source for properties
@@ -7290,9 +7838,8 @@ module Aws::KMS
     # can use the keys in cryptographic operations, but you cannot replicate
     # the new primary key or perform certain management operations, such as
     # enabling or disabling these keys. For details about the `Updating` key
-    # state, see [Key state: Effect on your KMS
-    # key](kms/latest/developerguide/key-state.html) in the *Key Management
-    # Service Developer Guide*.
+    # state, see [Key states of KMS keys][9] in the *Key Management Service
+    # Developer Guide*.
     #
     # This operation does not return any output. To verify that primary key
     # is changed, use the DescribeKey operation.
@@ -7325,6 +7872,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
     # [8]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   Identifies the current primary key. When the operation completes, this
@@ -7381,9 +7929,9 @@ module Aws::KMS
     #
     # A digital signature is generated by using the private key in an
     # asymmetric KMS key. The signature is verified by using the public key
-    # in the same asymmetric KMS key. For information about symmetric and
-    # asymmetric KMS keys, see [Using Symmetric and Asymmetric KMS keys][1]
-    # in the *Key Management Service Developer Guide*.
+    # in the same asymmetric KMS key. For information about asymmetric KMS
+    # keys, see [Asymmetric KMS keys][1] in the *Key Management Service
+    # Developer Guide*.
     #
     # To verify a digital signature, you can use the `Verify` operation.
     # Specify the same asymmetric KMS key, message, and signing algorithm
@@ -7392,7 +7940,11 @@ module Aws::KMS
     # You can also verify the digital signature by using the public key of
     # the KMS key outside of KMS. Use the GetPublicKey operation to download
     # the public key in the asymmetric KMS key and then use the public key
-    # to verify the signature outside of KMS. The advantage of using the
+    # to verify the signature outside of KMS. To verify a signature outside
+    # of KMS with an SM2 public key, you must specify the distinguishing ID.
+    # By default, KMS uses `1234567812345678` as the distinguishing ID. For
+    # more information, see [Offline verification with SM2 key pairs][2] in
+    # *Key Management Service Developer Guide*. The advantage of using the
     # `Verify` operation is that it is performed within KMS. As a result,
     # it's easy to call, the operation is performed within the FIPS
     # boundary, it is logged in CloudTrail, and you can use key policy and
@@ -7400,22 +7952,23 @@ module Aws::KMS
     # signatures.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key state: Effect on your KMS key][2] in
-    # the *Key Management Service Developer Guide*.
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:Verify][3] (key policy)
+    # **Required permissions**\: [kms:Verify][4] (key policy)
     #
     # **Related operations**\: Sign
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric KMS key that will be used to verify the
@@ -7503,7 +8056,7 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the asymmetric KMS key that was used to verify the digital signature.
-    #     signature_valid: true, # Indicates whether the signature was verified (true) or failed verification (false).
+    #     signature_valid: true, # A value of 'true' Indicates that the signature was verified. If verification fails, the call to Verify fails.
     #     signing_algorithm: "ECDSA_SHA_384", # The signing algorithm that was used to verify the signature.
     #   }
     #
@@ -7514,7 +8067,7 @@ module Aws::KMS
     #     message: "data", # required
     #     message_type: "RAW", # accepts RAW, DIGEST
     #     signature: "data", # required
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -7522,7 +8075,7 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.signature_valid #=> Boolean
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
     #
@@ -7533,6 +8086,128 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Verifies the hash-based message authentication code (HMAC) for a
+    # specified message, HMAC KMS key, and MAC algorithm. To verify the
+    # HMAC, `VerifyMac` computes an HMAC using the message, HMAC KMS key,
+    # and MAC algorithm that you specify, and compares the computed HMAC to
+    # the HMAC that you specify. If the HMACs are identical, the
+    # verification succeeds; otherwise, it fails.
+    #
+    # Verification indicates that the message hasn't changed since the HMAC
+    # was calculated, and the specified key was used to generate and verify
+    # the HMAC.
+    #
+    # This operation is part of KMS support for HMAC KMS keys. For details,
+    # see [HMAC keys in KMS][1] in the *Key Management Service Developer
+    # Guide*.
+    #
+    # The KMS key that you use for this operation must be in a compatible
+    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # in a different Amazon Web Services account, specify the key ARN or
+    # alias ARN in the value of the `KeyId` parameter.
+    #
+    # **Required permissions**\: [kms:VerifyMac][3] (key policy)
+    #
+    # **Related operations**\: GenerateMac
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #
+    # @option params [required, String, StringIO, File] :message
+    #   The message that will be used in the verification. Enter the same
+    #   message that was used to generate the HMAC.
+    #
+    #   GenerateMac and `VerifyMac` do not provide special handling for
+    #   message digests. If you generated an HMAC for a hash digest of a
+    #   message, you must verify the HMAC for the same hash digest.
+    #
+    # @option params [required, String] :key_id
+    #   The KMS key that will be used in the verification.
+    #
+    #   Enter a key ID of the KMS key that was used to generate the HMAC. If
+    #   you identify a different KMS key, the `VerifyMac` operation fails.
+    #
+    # @option params [required, String] :mac_algorithm
+    #   The MAC algorithm that will be used in the verification. Enter the
+    #   same MAC algorithm that was used to compute the HMAC. This algorithm
+    #   must be supported by the HMAC KMS key identified by the `KeyId`
+    #   parameter.
+    #
+    # @option params [required, String, StringIO, File] :mac
+    #   The HMAC to verify. Enter the HMAC that was generated by the
+    #   GenerateMac operation when you specified the same message, HMAC KMS
+    #   key, and MAC algorithm as the values specified in this request.
+    #
+    # @option params [Array<String>] :grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*. For
+    #   more information, see [Grant token][1] and [Using a grant token][2] in
+    #   the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #
+    # @return [Types::VerifyMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::VerifyMacResponse#key_id #key_id} => String
+    #   * {Types::VerifyMacResponse#mac_valid #mac_valid} => Boolean
+    #   * {Types::VerifyMacResponse#mac_algorithm #mac_algorithm} => String
+    #
+    #
+    # @example Example: To verify an HMAC
+    #
+    #   # This example verifies an HMAC for a particular message, HMAC KMS keys, and MAC algorithm. A value of 'true' in the
+    #   # MacValid value in the response indicates that the HMAC is valid.
+    #
+    #   resp = client.verify_mac({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The HMAC KMS key input to the HMAC algorithm.
+    #     mac: "<HMAC_TAG>", # The HMAC to be verified.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm requested for the operation.
+    #     message: "Hello World", # The message input to the HMAC algorithm.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the HMAC key used in the operation.
+    #     mac_algorithm: "HMAC_SHA_384", # The HMAC algorithm used in the operation.
+    #     mac_valid: true, # A value of 'true' indicates that verification succeeded. If verification fails, the call to VerifyMac fails.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.verify_mac({
+    #     message: "data", # required
+    #     key_id: "KeyIdType", # required
+    #     mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
+    #     mac: "data", # required
+    #     grant_tokens: ["GrantTokenType"],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.key_id #=> String
+    #   resp.mac_valid #=> Boolean
+    #   resp.mac_algorithm #=> String, one of "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac AWS API Documentation
+    #
+    # @overload verify_mac(params = {})
+    # @param [Hash] params ({})
+    def verify_mac(params = {}, options = {})
+      req = build_request(:verify_mac, params)
+      req.send_request(options)
+    end
+
     # @!endgroup
 
     # @param params ({})
@@ -7546,7 +8221,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.55.0'
+      context[:gem_version] = '1.58.0'
       Seahorse::Client::Request.new(handlers, context)
     end