aws-sdk-kms 1.57.0 → 1.58.0

data/lib/aws-sdk-kms/client.rb

@@ -674,7 +674,7 @@ module Aws::KMS
     # Creates a [custom key store][1] that is associated with an [CloudHSM
     # cluster][2] that you own and manage.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -724,7 +724,7 @@ module Aws::KMS
     #   Specifies a friendly name for the custom key store. The name must be
     #   unique in your Amazon Web Services account.
     #
-    # @option params [required, String] :cloud_hsm_cluster_id
+    # @option params [String] :cloud_hsm_cluster_id
     #   Identifies the CloudHSM cluster for the custom key store. Enter the
     #   cluster ID of any active CloudHSM cluster that is not already
     #   associated with a custom key store. To find the cluster ID, use the
@@ -734,7 +734,7 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
     #
-    # @option params [required, String] :trust_anchor_certificate
+    # @option params [String] :trust_anchor_certificate
     #   Enter the content of the trust anchor certificate for the cluster.
     #   This is the content of the `customerCA.crt` file that you created when
     #   you [initialized the cluster][1].
@@ -743,7 +743,7 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
     #
-    # @option params [required, String] :key_store_password
+    # @option params [String] :key_store_password
     #   Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
     #   the specified CloudHSM cluster. KMS logs into the cluster as this user
     #   to manage key material on your behalf.
@@ -783,9 +783,9 @@ module Aws::KMS
     #
     #   resp = client.create_custom_key_store({
     #     custom_key_store_name: "CustomKeyStoreNameType", # required
-    #     cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
-    #     trust_anchor_certificate: "TrustAnchorCertificateType", # required
-    #     key_store_password: "KeyStorePasswordType", # required
+    #     cloud_hsm_cluster_id: "CloudHsmClusterIdType",
+    #     trust_anchor_certificate: "TrustAnchorCertificateType",
+    #     key_store_password: "KeyStorePasswordType",
     #   })
     #
     # @example Response structure
@@ -1079,7 +1079,9 @@ module Aws::KMS
     # : To create a symmetric encryption KMS key, you aren't required to
     #   specify any parameters. The default value for `KeySpec`,
     #   `SYMMETRIC_DEFAULT`, and the default value for `KeyUsage`,
-    #   `ENCRYPT_DECRYPT`, create a symmetric encryption KMS key.
+    #   `ENCRYPT_DECRYPT`, create a symmetric encryption KMS key. For
+    #   technical details, see [ SYMMETRIC\_DEFAULT key spec][2] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   If you need a key for basic encryption and decryption or you are
     #   creating a KMS key to protect your resources in an Amazon Web
@@ -1100,15 +1102,16 @@ module Aws::KMS
     #   to encrypt and decrypt or sign and verify. You can't change these
     #   properties after the KMS key is created.
     #
-    #   Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve
-    #   (ECC) key pair. The private key in an asymmetric KMS key never
-    #   leaves KMS unencrypted. However, you can use the GetPublicKey
-    #   operation to download the public key so it can be used outside of
-    #   KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt
-    #   data or sign and verify messages (but not both). KMS keys with ECC
-    #   key pairs can be used only to sign and verify messages. For
-    #   information about asymmetric KMS keys, see [Asymmetric KMS keys][2]
-    #   in the *Key Management Service Developer Guide*.
+    #   Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC)
+    #   key pair, or an SM2 key pair (China Regions only). The private key
+    #   in an asymmetric KMS key never leaves KMS unencrypted. However, you
+    #   can use the GetPublicKey operation to download the public key so it
+    #   can be used outside of KMS. KMS keys with RSA or SM2 key pairs can
+    #   be used to encrypt or decrypt data or sign and verify messages (but
+    #   not both). KMS keys with ECC key pairs can be used only to sign and
+    #   verify messages. For information about asymmetric KMS keys, see
+    #   [Asymmetric KMS keys][3] in the *Key Management Service Developer
+    #   Guide*.
     #
     #
     #
@@ -1130,7 +1133,7 @@ module Aws::KMS
     #   Region in which HMAC keys are not supported, the `CreateKey`
     #   operation returns an `UnsupportedOperationException`. For a list of
     #   Regions in which HMAC KMS keys are supported, see [HMAC keys in
-    #   KMS][3] in the *Key Management Service Developer Guide*.
+    #   KMS][4] in the *Key Management Service Developer Guide*.
     #
     #
     #
@@ -1158,7 +1161,7 @@ module Aws::KMS
     #   to encrypt data in one Amazon Web Services Region and decrypt it in
     #   a different Amazon Web Services Region without re-encrypting the
     #   data or making a cross-Region call. For more information about
-    #   multi-Region keys, see [Multi-Region keys in KMS][4] in the *Key
+    #   multi-Region keys, see [Multi-Region keys in KMS][5] in the *Key
     #   Management Service Developer Guide*.
     #
     #
@@ -1170,7 +1173,7 @@ module Aws::KMS
     #   token, and use the public key to encrypt your key material. Then,
     #   use ImportKeyMaterial with your import token to import the key
     #   material. For step-by-step instructions, see [Importing Key
-    #   Material][5] in the <i> <i>Key Management Service Developer
+    #   Material][6] in the <i> <i>Key Management Service Developer
     #   Guide</i> </i>.
     #
     #   This feature supports only symmetric encryption KMS keys, including
@@ -1182,14 +1185,14 @@ module Aws::KMS
     #   the `MultiRegion` parameter with a value of `True`. To create
     #   replicas of the multi-Region primary key, use the ReplicateKey
     #   operation. For more information about multi-Region keys, see
-    #   [Multi-Region keys in KMS][4] in the *Key Management Service
+    #   [Multi-Region keys in KMS][5] in the *Key Management Service
     #   Developer Guide*.
     #
     #
     #
     # Custom key store
     #
-    # : To create a symmetric encryption KMS key in a [custom key store][6],
+    # : To create a symmetric encryption KMS key in a [custom key store][7],
     #   use the `CustomKeyStoreId` parameter to specify the custom key
     #   store. You must also use the `Origin` parameter with a value of
     #   `AWS_CLOUDHSM`. The CloudHSM cluster that is associated with the
@@ -1199,16 +1202,16 @@ module Aws::KMS
     #   Custom key stores support only symmetric encryption KMS keys. You
     #   cannot create an HMAC KMS key or an asymmetric KMS key in a custom
     #   key store. For information about custom key stores in KMS see
-    #   [Custom key stores in KMS][6] in the <i> <i>Key Management Service
+    #   [Custom key stores in KMS][7] in the <i> <i>Key Management Service
     #   Developer Guide</i> </i>.
     #
     # **Cross-account use**\: No. You cannot use this operation to create a
     # KMS key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:CreateKey][7] (IAM policy). To use the
-    # `Tags` parameter, [kms:TagResource][7] (IAM policy). For examples and
+    # **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
+    # `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
     # information about related permissions, see [Allow a user to create KMS
-    # keys][8] in the *Key Management Service Developer Guide*.
+    # keys][9] in the *Key Management Service Developer Guide*.
     #
     # **Related operations:**
     #
@@ -1221,13 +1224,14 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-symmetric-default
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
     #
     # @option params [String] :policy
     #   The key policy to attach to the KMS key. If you do not specify a key
@@ -1255,31 +1259,30 @@ module Aws::KMS
     #     visible][3] in the *Amazon Web Services Identity and Access
     #     Management User Guide*.
     #
-    #   A key policy document must conform to the following rules.
-    #
-    #   * Up to 32 kilobytes (32768 bytes)
+    #   A key policy document can include only the following characters:
     #
-    #   * Must be UTF-8 encoded
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
     #
-    #   * The only Unicode characters that are permitted in a key policy
-    #     document are the horizontal tab (U+0009), linefeed (U+000A),
-    #     carriage return (U+000D), and characters in the range U+0020 to
-    #     U+00FF.
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
     #
-    #   * The `Sid` element in a key policy statement can include spaces.
-    #     (Spaces are prohibited in the `Sid` element of an IAM policy
-    #     document.)
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
     #
-    #   For help writing and formatting a JSON policy document, see the [IAM
-    #   JSON Policy Reference][4] in the <i> <i>Identity and Access Management
-    #   User Guide</i> </i>.
+    #   For information about key policies, see [Key policies in KMS][4] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][5] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
-    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [String] :description
     #   A description of the KMS key.
@@ -1311,6 +1314,9 @@ module Aws::KMS
     #   * For asymmetric KMS keys with ECC key material, specify
     #     `SIGN_VERIFY`.
     #
+    #   * For asymmetric KMS keys with SM2 key material (China Regions only),
+    #     specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@@ -1325,10 +1331,11 @@ module Aws::KMS
     #
     # @option params [String] :key_spec
     #   Specifies the type of KMS key to create. The default value,
-    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
-    #   for encryption and decryption. For help choosing a key spec for your
-    #   KMS key, see [Choosing a KMS key type][1] in the <i> <i>Key Management
-    #   Service Developer Guide</i> </i>.
+    #   `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key that
+    #   is used for encryption and decryption, except in China Regions, where
+    #   it creates a 128-bit symmetric key that uses SM4 encryption. For help
+    #   choosing a key spec for your KMS key, see [Choosing a KMS key type][1]
+    #   in the <i> <i>Key Management Service Developer Guide</i> </i>.
     #
     #   The `KeySpec` determines whether the KMS key contains a symmetric key
     #   or an asymmetric key pair. It also determines the cryptographic
@@ -1347,7 +1354,7 @@ module Aws::KMS
     #
     #   * Symmetric encryption key (default)
     #
-    #     * `SYMMETRIC_DEFAULT` (AES-256-GCM)
+    #     * `SYMMETRIC_DEFAULT`
     #
     #     ^
     #
@@ -1383,6 +1390,12 @@ module Aws::KMS
     #
     #     ^
     #
+    #   * SM2 key pairs (China Regions only)
+    #
+    #     * `SM2`
+    #
+    #     ^
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
@@ -1431,7 +1444,7 @@ module Aws::KMS
     #   The response includes the custom key store ID and the ID of the
     #   CloudHSM cluster.
     #
-    #   This operation is part of the [Custom Key Store feature][1] feature in
+    #   This operation is part of the [custom key store feature][1] feature in
     #   KMS, which combines the convenience and extensive integration of KMS
     #   with the isolation and control of a single-tenant key store.
     #
@@ -1767,8 +1780,8 @@ module Aws::KMS
     #     policy: "PolicyType",
     #     description: "DescriptionType",
     #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
-    #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
-    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
+    #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
+    #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
     #     origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
     #     custom_key_store_id: "CustomKeyStoreIdType",
     #     bypass_policy_lockout_safety_check: false,
@@ -1798,12 +1811,12 @@ module Aws::KMS
     #   resp.key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.key_metadata.encryption_algorithms #=> Array
-    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #   resp.key_metadata.multi_region #=> Boolean
     #   resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -2024,14 +2037,14 @@ module Aws::KMS
     #     },
     #     grant_tokens: ["GrantTokenType"],
     #     key_id: "KeyIdType",
-    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #   })
     #
     # @example Response structure
     #
     #   resp.key_id #=> String
     #   resp.plaintext #=> String
-    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
     #
@@ -2120,15 +2133,15 @@ module Aws::KMS
     # CloudHSM cluster that is associated with the custom key store, or
     # affect any users or keys in the cluster.
     #
-    # The custom key store that you delete cannot contain any KMS [KMS
-    # keys][2]. Before deleting the key store, verify that you will never
-    # need to use any of the KMS keys in the key store for any
-    # [cryptographic operations][3]. Then, use ScheduleKeyDeletion to delete
-    # the KMS keys from the key store. When the scheduled waiting period
-    # expires, the `ScheduleKeyDeletion` operation deletes the KMS keys.
-    # Then it makes a best effort to delete the key material from the
-    # associated cluster. However, you might need to manually [delete the
-    # orphaned key material][4] from the cluster and its backups.
+    # The custom key store that you delete cannot contain any [KMS keys][2].
+    # Before deleting the key store, verify that you will never need to use
+    # any of the KMS keys in the key store for any [cryptographic
+    # operations][3]. Then, use ScheduleKeyDeletion to delete the KMS keys
+    # from the key store. When the scheduled waiting period expires, the
+    # `ScheduleKeyDeletion` operation deletes the KMS keys. Then it makes a
+    # best effort to delete the key material from the associated cluster.
+    # However, you might need to manually [delete the orphaned key
+    # material][4] from the cluster and its backups.
     #
     # After all KMS keys are deleted from KMS, use DisconnectCustomKeyStore
     # to disconnect the key store from KMS. Then, you can delete the custom
@@ -2143,7 +2156,7 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -2287,7 +2300,7 @@ module Aws::KMS
     # Gets information about [custom key stores][1] in the account and
     # Region.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -2372,6 +2385,8 @@ module Aws::KMS
     #   * {Types::DescribeCustomKeyStoresResponse#next_marker #next_marker} => String
     #   * {Types::DescribeCustomKeyStoresResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To get detailed information about custom key stores in the account and Region
     #
@@ -2427,7 +2442,7 @@ module Aws::KMS
     #   resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
     #   resp.custom_key_stores[0].trust_anchor_certificate #=> String
     #   resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
-    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND"
+    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND", "INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET"
     #   resp.custom_key_stores[0].creation_date #=> Time
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
@@ -2464,7 +2479,7 @@ module Aws::KMS
     # * Whether automatic key rotation is enabled on the KMS key. To get
     #   this information, use GetKeyRotationStatus. Also, some key states
     #   prevent a KMS key from being automatically rotated. For details, see
-    #   [How Automatic Key Rotation Works][3] in *Key Management Service
+    #   [How Automatic Key Rotation Works][3] in the *Key Management Service
     #   Developer Guide*.
     #
     # * Tags on the KMS key. To get this information, use ListResourceTags.
@@ -2724,12 +2739,12 @@ module Aws::KMS
     #   resp.key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
-    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.key_metadata.encryption_algorithms #=> Array
-    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
-    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #   resp.key_metadata.multi_region #=> Boolean
     #   resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -2940,7 +2955,7 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][1] feature in
+    # This operation is part of the [custom key store feature][1] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -3204,7 +3219,7 @@ module Aws::KMS
     #
     # If you specify an asymmetric KMS key, you must also specify the
     # encryption algorithm. The algorithm must be compatible with the KMS
-    # key type.
+    # key spec.
     #
     # When you use an asymmetric KMS key to encrypt or reencrypt data, be
     # sure to record the KMS key and encryption algorithm that you choose.
@@ -3246,6 +3261,8 @@ module Aws::KMS
     #
     #   * `RSAES_OAEP_SHA_256`\: 446 bytes
     #
+    # * `SM2PKE`\: 1024 bytes (China Regions only)
+    #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
@@ -3374,14 +3391,14 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     grant_tokens: ["GrantTokenType"],
-    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #   })
     #
     # @example Response structure
     #
     #   resp.ciphertext_blob #=> String
     #   resp.key_id #=> String
-    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt AWS API Documentation
     #
@@ -3403,9 +3420,16 @@ module Aws::KMS
     # To generate a data key, specify the symmetric encryption KMS key that
     # will be used to encrypt the data key. You cannot use an asymmetric KMS
     # key to encrypt data keys. To get the type of your KMS key, use the
-    # DescribeKey operation. You must also specify the length of the data
-    # key. Use either the `KeySpec` or `NumberOfBytes` parameters (but not
-    # both). For 128-bit and 256-bit data keys, use the `KeySpec` parameter.
+    # DescribeKey operation.
+    #
+    # You must also specify the length of the data key. Use either the
+    # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
+    # and 256-bit data keys, use the `KeySpec` parameter.
+    #
+    # To generate an SM4 data key (China Regions only), specify a `KeySpec`
+    # value of `AES_128` or `NumberOfBytes` value of `128`. The symmetric
+    # encryption key used in China Regions to encrypt your data key is an
+    # SM4 encryption key.
     #
     # To get only an encrypted copy of the data key, use
     # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
@@ -3632,10 +3656,11 @@ module Aws::KMS
     # type and origin of your KMS key, use the DescribeKey operation.
     #
     # Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
-    # (ECC) data key pair. KMS recommends that your use ECC key pairs for
-    # signing, and use RSA key pairs for either encryption or signing, but
-    # not both. However, KMS cannot enforce any restrictions on the use of
-    # data key pairs outside of KMS.
+    # (ECC) data key pair. In China Regions, you can also choose an SM2 data
+    # key pair. KMS recommends that you use ECC key pairs for signing, and
+    # use RSA and SM2 key pairs for either encryption or signing, but not
+    # both. However, KMS cannot enforce any restrictions on the use of data
+    # key pairs outside of KMS.
     #
     # If you are using the data key pair to encrypt data, or for any
     # operation where you don't immediately need a private key, consider
@@ -3738,10 +3763,12 @@ module Aws::KMS
     # @option params [required, String] :key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
-    #   encrypt and decrypt or to sign and verify (but not both), and the rule
-    #   that permits you to use ECC KMS keys only to sign and verify, are not
-    #   effective on data key pairs, which are used outside of KMS.
+    #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
+    #   to encrypt and decrypt or to sign and verify (but not both), and the
+    #   rule that permits you to use ECC KMS keys only to sign and verify, are
+    #   not effective on data key pairs, which are used outside of KMS. The
+    #   SM2 key spec is only available in China Regions. RSA and ECC
+    #   asymmetric key pairs are also available in China Regions.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -3791,7 +3818,7 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     key_id: "KeyIdType", # required
-    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
+    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -3801,7 +3828,7 @@ module Aws::KMS
     #   resp.private_key_plaintext #=> String
     #   resp.public_key #=> String
     #   resp.key_id #=> String
-    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
+    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
     #
@@ -3831,10 +3858,11 @@ module Aws::KMS
     # type and origin of your KMS key, use the DescribeKey operation.
     #
     # Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
-    # (ECC) data key pair. KMS recommends that your use ECC key pairs for
-    # signing, and use RSA key pairs for either encryption or signing, but
-    # not both. However, KMS cannot enforce any restrictions on the use of
-    # data key pairs outside of KMS.
+    # (ECC) data key pair. In China Regions, you can also choose an SM2 data
+    # key pair. KMS recommends that you use ECC key pairs for signing, and
+    # use RSA and SM2 key pairs for either encryption or signing, but not
+    # both. However, KMS cannot enforce any restrictions on the use of data
+    # key pairs outside of KMS.
     #
     # `GenerateDataKeyPairWithoutPlaintext` returns a unique data key pair
     # for each request. The bytes in the key are not related to the caller
@@ -3927,10 +3955,12 @@ module Aws::KMS
     # @option params [required, String] :key_pair_spec
     #   Determines the type of data key pair that is generated.
     #
-    #   The KMS rule that restricts the use of asymmetric RSA KMS keys to
-    #   encrypt and decrypt or to sign and verify (but not both), and the rule
-    #   that permits you to use ECC KMS keys only to sign and verify, are not
-    #   effective on data key pairs, which are used outside of KMS.
+    #   The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
+    #   to encrypt and decrypt or to sign and verify (but not both), and the
+    #   rule that permits you to use ECC KMS keys only to sign and verify, are
+    #   not effective on data key pairs, which are used outside of KMS. The
+    #   SM2 key spec is only available in China Regions. RSA and ECC
+    #   asymmetric key pairs are also available in China Regions.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -3978,7 +4008,7 @@ module Aws::KMS
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
     #     key_id: "KeyIdType", # required
-    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
+    #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -3987,7 +4017,7 @@ module Aws::KMS
     #   resp.private_key_ciphertext_blob #=> String
     #   resp.public_key #=> String
     #   resp.key_id #=> String
-    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
+    #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext AWS API Documentation
     #
@@ -4315,6 +4345,9 @@ module Aws::KMS
 
     # Returns a random byte string that is cryptographically secure.
     #
+    # You must use the `NumberOfBytes` parameter to specify the length of
+    # the random byte string. There is no default value for string length.
+    #
     # By default, the random byte string is generated in KMS. To generate
     # the byte string in the CloudHSM cluster that is associated with a
     # [custom key store][1], specify the custom key store ID.
@@ -4328,6 +4361,9 @@ module Aws::KMS
     # For more information about entropy and random number generation, see
     # [Key Management Service Cryptographic Details][4].
     #
+    # **Cross-account use**\: Not applicable. `GenerateRandom` does not use
+    # any account-specific resources, such as KMS keys.
+    #
     # **Required permissions**\: [kms:GenerateRandom][5] (IAM policy)
     #
     #
@@ -4339,7 +4375,7 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [Integer] :number_of_bytes
-    #   The length of the byte string.
+    #   The length of the random byte string. This parameter is required.
     #
     # @option params [String] :custom_key_store_id
     #   Generates the random byte string in the CloudHSM cluster that is
@@ -4726,8 +4762,12 @@ module Aws::KMS
     # the public key within KMS, you benefit from the authentication,
     # authorization, and logging that are part of every KMS operation. You
     # also reduce of risk of encrypting data that cannot be decrypted. These
-    # features are not effective outside of KMS. For details, see [Special
-    # Considerations for Downloading Public Keys][2].
+    # features are not effective outside of KMS.
+    #
+    # To verify a signature outside of KMS with an SM2 public key (China
+    # Regions only), you must specify the distinguishing ID. By default, KMS
+    # uses `1234567812345678` as the distinguishing ID. For more
+    # information, see [Offline verification with SM2 key pairs][2].
     #
     # To help you use the public key safely outside of KMS, `GetPublicKey`
     # returns important information about the public key in the response,
@@ -4764,7 +4804,7 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec
     # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
     # [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
@@ -4851,13 +4891,13 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.public_key #=> String
-    #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
-    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
     #   resp.encryption_algorithms #=> Array
-    #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.signing_algorithms #=> Array
-    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
     #
@@ -5654,6 +5694,8 @@ module Aws::KMS
     #   * {Types::ListResourceTagsResponse#next_marker #next_marker} => String
     #   * {Types::ListResourceTagsResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list tags for a KMS key
     #
@@ -5782,6 +5824,8 @@ module Aws::KMS
     #   * {Types::ListGrantsResponse#next_marker #next_marker} => String
     #   * {Types::ListGrantsResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list grants that the specified principal can retire
     #
@@ -5910,25 +5954,29 @@ module Aws::KMS
     #     visible][2] in the *Amazon Web Services Identity and Access
     #     Management User Guide*.
     #
-    #   A key policy document must conform to the following rules.
+    #   A key policy document can include only the following characters:
     #
-    #   * Up to 32 kilobytes (32768 bytes)
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
     #
-    #   * Must be UTF-8 encoded
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
     #
-    #   * The only Unicode characters that are permitted in a key policy
-    #     document are the horizontal tab (U+0009), linefeed (U+000A),
-    #     carriage return (U+000D), and characters in the range U+0020 to
-    #     U+00FF.
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
     #
-    #   * The `Sid` element in a key policy statement can include spaces.
-    #     (Spaces are prohibited in the `Sid` element of an IAM policy
-    #     document.)
+    #   For information about key policies, see [Key policies in KMS][3] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][4] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -6260,8 +6308,8 @@ module Aws::KMS
     #     destination_encryption_context: {
     #       "EncryptionContextKey" => "EncryptionContextValue",
     #     },
-    #     source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
+    #     source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
+    #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -6270,8 +6318,8 @@ module Aws::KMS
     #   resp.ciphertext_blob #=> String
     #   resp.source_key_id #=> String
     #   resp.key_id #=> String
-    #   resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
-    #   resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
+    #   resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt AWS API Documentation
     #
@@ -6466,26 +6514,30 @@ module Aws::KMS
     #     visible][3] in the <i> <i>Identity and Access Management User
     #     Guide</i> </i>.
     #
-    #   A key policy document must conform to the following rules.
+    #   A key policy document can include only the following characters:
     #
-    #   * Up to 32 kilobytes (32768 bytes)
+    #   * Printable ASCII characters from the space character (`\u0020`)
+    #     through the end of the ASCII character range.
     #
-    #   * Must be UTF-8 encoded
+    #   * Printable characters in the Basic Latin and Latin-1 Supplement
+    #     character set (through `\u00FF`).
     #
-    #   * The only Unicode characters that are permitted in a key policy
-    #     document are the horizontal tab (U+0009), linefeed (U+000A),
-    #     carriage return (U+000D), and characters in the range U+0020 to
-    #     U+00FF.
+    #   * The tab (`\u0009`), line feed (`\u000A`), and carriage return
+    #     (`\u000D`) special characters
     #
-    #   * The `Sid` element in a key policy statement can include spaces.
-    #     (Spaces are prohibited in the `Sid` element of an IAM policy
-    #     document.)
+    #   For information about key policies, see [Key policies in KMS][4] in
+    #   the *Key Management Service Developer Guide*. For help writing and
+    #   formatting a JSON policy document, see the [IAM JSON Policy
+    #   Reference][5] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -6637,12 +6689,12 @@ module Aws::KMS
     #   resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
     #   resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
     #   resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
-    #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
-    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
+    #   resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
+    #   resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.replica_key_metadata.encryption_algorithms #=> Array
-    #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
+    #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.replica_key_metadata.signing_algorithms #=> Array
-    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #   resp.replica_key_metadata.multi_region #=> Boolean
     #   resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -7144,14 +7196,14 @@ module Aws::KMS
     #     message: "data", # required
     #     message_type: "RAW", # accepts RAW, DIGEST
     #     grant_tokens: ["GrantTokenType"],
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
     #   })
     #
     # @example Response structure
     #
     #   resp.key_id #=> String
     #   resp.signature #=> String
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
     #
@@ -7442,7 +7494,7 @@ module Aws::KMS
     # @option params [required, String] :alias_name
     #   Identifies the alias that is changing its KMS key. This value must
     #   begin with `alias/` followed by the alias name, such as
-    #   `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
+    #   `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the alias
     #   name.
     #
     # @option params [required, String] :target_key_id
@@ -7541,7 +7593,7 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # This operation is part of the [Custom Key Store feature][3] feature in
+    # This operation is part of the [custom key store feature][3] feature in
     # KMS, which combines the convenience and extensive integration of KMS
     # with the isolation and control of a single-tenant key store.
     #
@@ -7888,7 +7940,11 @@ module Aws::KMS
     # You can also verify the digital signature by using the public key of
     # the KMS key outside of KMS. Use the GetPublicKey operation to download
     # the public key in the asymmetric KMS key and then use the public key
-    # to verify the signature outside of KMS. The advantage of using the
+    # to verify the signature outside of KMS. To verify a signature outside
+    # of KMS with an SM2 public key, you must specify the distinguishing ID.
+    # By default, KMS uses `1234567812345678` as the distinguishing ID. For
+    # more information, see [Offline verification with SM2 key pairs][2] in
+    # *Key Management Service Developer Guide*. The advantage of using the
     # `Verify` operation is that it is performed within KMS. As a result,
     # it's easy to call, the operation is performed within the FIPS
     # boundary, it is logged in CloudTrail, and you can use key policy and
@@ -7896,22 +7952,23 @@ module Aws::KMS
     # signatures.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
     # Management Service Developer Guide*.
     #
     # **Cross-account use**\: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:Verify][3] (key policy)
+    # **Required permissions**\: [kms:Verify][4] (key policy)
     #
     # **Related operations**\: Sign
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric KMS key that will be used to verify the
@@ -8010,7 +8067,7 @@ module Aws::KMS
     #     message: "data", # required
     #     message_type: "RAW", # accepts RAW, DIGEST
     #     signature: "data", # required
-    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
+    #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
     #     grant_tokens: ["GrantTokenType"],
     #   })
     #
@@ -8018,7 +8075,7 @@ module Aws::KMS
     #
     #   resp.key_id #=> String
     #   resp.signature_valid #=> Boolean
-    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
+    #   resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
     #
@@ -8164,7 +8221,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.57.0'
+      context[:gem_version] = '1.58.0'
       Seahorse::Client::Request.new(handlers, context)
     end