aws-sdk-kms 1.59.0 → 1.60.0

@@ -110,14 +110,14 @@ module Aws::KMS
110
110
  end
111
111
 
112
112
  # The request was rejected because the specified CloudHSM cluster is
113
- # already associated with a custom key store or it shares a backup
114
- # history with a cluster that is associated with a custom key store.
115
- # Each custom key store must be associated with a different CloudHSM
116
- # cluster.
113
+ # already associated with an CloudHSM key store in the account, or it
114
+ # shares a backup history with an CloudHSM key store in the account.
115
+ # Each CloudHSM key store in the account must be associated with a
116
+ # different CloudHSM cluster.
117
117
  #
118
- # Clusters that share a backup history have the same cluster
119
- # certificate. To view the cluster certificate of a cluster, use the
120
- # [DescribeClusters][1] operation.
118
+ # CloudHSM clusters that share a backup history have the same cluster
119
+ # certificate. To view the cluster certificate of an CloudHSM cluster,
120
+ # use the [DescribeClusters][1] operation.
121
121
  #
122
122
  #
123
123
  #
@@ -135,22 +135,23 @@ module Aws::KMS
135
135
  end
136
136
 
137
137
  # The request was rejected because the associated CloudHSM cluster did
138
- # not meet the configuration requirements for a custom key store.
138
+ # not meet the configuration requirements for an CloudHSM key store.
139
139
  #
140
- # * The cluster must be configured with private subnets in at least two
141
- # different Availability Zones in the Region.
140
+ # * The CloudHSM cluster must be configured with private subnets in at
141
+ # least two different Availability Zones in the Region.
142
142
  #
143
143
  # * The [security group for the cluster][1]
144
144
  # (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
145
145
  # rules and outbound rules that allow TCP traffic on ports 2223-2225.
146
146
  # The **Source** in the inbound rules and the **Destination** in the
147
147
  # outbound rules must match the security group ID. These rules are set
148
- # by default when you create the cluster. Do not delete or change
149
- # them. To get information about a particular security group, use the
150
- # [DescribeSecurityGroups][2] operation.
148
+ # by default when you create the CloudHSM cluster. Do not delete or
149
+ # change them. To get information about a particular security group,
150
+ # use the [DescribeSecurityGroups][2] operation.
151
151
  #
152
- # * The cluster must contain at least as many HSMs as the operation
153
- # requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
152
+ # * The CloudHSM cluster must contain at least as many HSMs as the
153
+ # operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
154
+ # operation.
154
155
  #
155
156
  # For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
156
157
  # operations, the CloudHSM cluster must have at least two active HSMs,
@@ -158,7 +159,7 @@ module Aws::KMS
158
159
  # operation, the CloudHSM must contain at least one active HSM.
159
160
  #
160
161
  # For information about the requirements for an CloudHSM cluster that is
161
- # associated with a custom key store, see [Assemble the
162
+ # associated with an CloudHSM key store, see [Assemble the
162
163
  # Prerequisites][4] in the *Key Management Service Developer Guide*. For
163
164
  # information about creating a private subnet for an CloudHSM cluster,
164
165
  # see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
@@ -184,10 +185,10 @@ module Aws::KMS
184
185
  include Aws::Structure
185
186
  end
186
187
 
187
- # The request was rejected because the CloudHSM cluster that is
188
- # associated with the custom key store is not active. Initialize and
189
- # activate the cluster and try the command again. For detailed
190
- # instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
188
+ # The request was rejected because the CloudHSM cluster associated with
189
+ # the CloudHSM key store is not active. Initialize and activate the
190
+ # cluster and try the command again. For detailed instructions, see
191
+ # [Getting Started][1] in the *CloudHSM User Guide*.
191
192
  #
192
193
  #
193
194
  #
@@ -221,16 +222,17 @@ module Aws::KMS
221
222
 
222
223
  # The request was rejected because the specified CloudHSM cluster has a
223
224
  # different cluster certificate than the original cluster. You cannot
224
- # use the operation to specify an unrelated cluster.
225
+ # use the operation to specify an unrelated cluster for an CloudHSM key
226
+ # store.
225
227
  #
226
- # Specify a cluster that shares a backup history with the original
227
- # cluster. This includes clusters that were created from a backup of the
228
- # current cluster, and clusters that were created from the same backup
229
- # that produced the current cluster.
228
+ # Specify an CloudHSM cluster that shares a backup history with the
229
+ # original cluster. This includes clusters that were created from a
230
+ # backup of the current cluster, and clusters that were created from the
231
+ # same backup that produced the current cluster.
230
232
  #
231
- # Clusters that share a backup history have the same cluster
232
- # certificate. To view the cluster certificate of a cluster, use the
233
- # [DescribeClusters][1] operation.
233
+ # CloudHSM clusters that share a backup history have the same cluster
234
+ # certificate. To view the cluster certificate of an CloudHSM cluster,
235
+ # use the [DescribeClusters][1] operation.
234
236
  #
235
237
  #
236
238
  #
@@ -341,18 +343,31 @@ module Aws::KMS
341
343
  # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
342
344
  # trust_anchor_certificate: "TrustAnchorCertificateType",
343
345
  # key_store_password: "KeyStorePasswordType",
346
+ # custom_key_store_type: "AWS_CLOUDHSM", # accepts AWS_CLOUDHSM, EXTERNAL_KEY_STORE
347
+ # xks_proxy_uri_endpoint: "XksProxyUriEndpointType",
348
+ # xks_proxy_uri_path: "XksProxyUriPathType",
349
+ # xks_proxy_vpc_endpoint_service_name: "XksProxyVpcEndpointServiceNameType",
350
+ # xks_proxy_authentication_credential: {
351
+ # access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
352
+ # raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
353
+ # },
354
+ # xks_proxy_connectivity: "PUBLIC_ENDPOINT", # accepts PUBLIC_ENDPOINT, VPC_ENDPOINT_SERVICE
344
355
  # }
345
356
  #
346
357
  # @!attribute [rw] custom_key_store_name
347
358
  # Specifies a friendly name for the custom key store. The name must be
348
- # unique in your Amazon Web Services account.
359
+ # unique in your Amazon Web Services account and Region. This
360
+ # parameter is required for all custom key stores.
349
361
  # @return [String]
350
362
  #
351
363
  # @!attribute [rw] cloud_hsm_cluster_id
352
- # Identifies the CloudHSM cluster for the custom key store. Enter the
353
- # cluster ID of any active CloudHSM cluster that is not already
354
- # associated with a custom key store. To find the cluster ID, use the
355
- # [DescribeClusters][1] operation.
364
+ # Identifies the CloudHSM cluster for an CloudHSM key store. This
365
+ # parameter is required for custom key stores with
366
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
367
+ #
368
+ # Enter the cluster ID of any active CloudHSM cluster that is not
369
+ # already associated with a custom key store. To find the cluster ID,
370
+ # use the [DescribeClusters][1] operation.
356
371
  #
357
372
  #
358
373
  #
@@ -360,9 +375,15 @@ module Aws::KMS
360
375
  # @return [String]
361
376
  #
362
377
  # @!attribute [rw] trust_anchor_certificate
363
- # Enter the content of the trust anchor certificate for the cluster.
364
- # This is the content of the `customerCA.crt` file that you created
365
- # when you [initialized the cluster][1].
378
+ # * CreateCustom
379
+ #
380
+ # Specifies the certificate for an CloudHSM key store. This parameter
381
+ # is required for custom key stores with a `CustomKeyStoreType` of
382
+ # `AWS_CLOUDHSM`.
383
+ #
384
+ # Enter the content of the trust anchor certificate for the CloudHSM
385
+ # cluster. This is the content of the `customerCA.crt` file that you
386
+ # created when you [initialized the cluster][1].
366
387
  #
367
388
  #
368
389
  #
@@ -370,6 +391,10 @@ module Aws::KMS
370
391
  # @return [String]
371
392
  #
372
393
  # @!attribute [rw] key_store_password
394
+ # Specifies the `kmsuser` password for an CloudHSM key store. This
395
+ # parameter is required for custom key stores with a
396
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
397
+ #
373
398
  # Enter the password of the [ `kmsuser` crypto user (CU) account][1]
374
399
  # in the specified CloudHSM cluster. KMS logs into the cluster as this
375
400
  # user to manage key material on your behalf.
@@ -385,13 +410,167 @@ module Aws::KMS
385
410
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
386
411
  # @return [String]
387
412
  #
413
+ # @!attribute [rw] custom_key_store_type
414
+ # Specifies the type of custom key store. The default value is
415
+ # `AWS_CLOUDHSM`.
416
+ #
417
+ # For a custom key store backed by an CloudHSM cluster, omit the
418
+ # parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
419
+ # an external key manager outside of Amazon Web Services, enter
420
+ # `EXTERNAL_KEY_STORE`. You cannot change this property after the key
421
+ # store is created.
422
+ # @return [String]
423
+ #
424
+ # @!attribute [rw] xks_proxy_uri_endpoint
425
+ # Specifies the endpoint that KMS uses to send requests to the
426
+ # external key store proxy (XKS proxy). This parameter is required for
427
+ # custom key stores with a `CustomKeyStoreType` of
428
+ # `EXTERNAL_KEY_STORE`.
429
+ #
430
+ # The protocol must be HTTPS. KMS communicates on port 443. Do not
431
+ # specify the port in the `XksProxyUriEndpoint` value.
432
+ #
433
+ # For external key stores with `XksProxyConnectivity` value of
434
+ # `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
435
+ # DNS name of the VPC endpoint service.
436
+ #
437
+ # For external key stores with `PUBLIC_ENDPOINT` connectivity, this
438
+ # endpoint must be reachable before you create the custom key store.
439
+ # KMS connects to the external key store proxy while creating the
440
+ # custom key store. For external key stores with
441
+ # `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
442
+ # ConnectCustomKeyStore operation.
443
+ #
444
+ # The value of this parameter must begin with `https://`. The
445
+ # remainder can contain upper and lower case letters (A-Z and a-z),
446
+ # numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
447
+ # (`/` and ``) are not permitted.
448
+ #
449
+ # <b>Uniqueness requirements: </b>
450
+ #
451
+ # * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
452
+ # must be unique in the Amazon Web Services account and Region.
453
+ #
454
+ # * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
455
+ # use the same `XksProxyUriEndpoint` value as an external key store
456
+ # with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
457
+ # Services Region.
458
+ #
459
+ # * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
460
+ # must have its own private DNS name. The `XksProxyUriEndpoint`
461
+ # value for external key stores with `VPC_ENDPOINT_SERVICE`
462
+ # connectivity (private DNS name) must be unique in the Amazon Web
463
+ # Services account and Region.
464
+ # @return [String]
465
+ #
466
+ # @!attribute [rw] xks_proxy_uri_path
467
+ # Specifies the base path to the proxy APIs for this external key
468
+ # store. To find this value, see the documentation for your external
469
+ # key store proxy. This parameter is required for all custom key
470
+ # stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
471
+ #
472
+ # The value must start with `/` and must end with `/kms/xks/v1` where
473
+ # `v1` represents the version of the KMS external key store proxy API.
474
+ # This path can include an optional prefix between the required
475
+ # elements such as `/prefix/kms/xks/v1`.
476
+ #
477
+ # <b>Uniqueness requirements: </b>
478
+ #
479
+ # * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
480
+ # must be unique in the Amazon Web Services account and Region.
481
+ #
482
+ # ^
483
+ # @return [String]
484
+ #
485
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
486
+ # Specifies the name of the Amazon VPC endpoint service for interface
487
+ # endpoints that is used to communicate with your external key store
488
+ # proxy (XKS proxy). This parameter is required when the value of
489
+ # `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
490
+ # `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
491
+ #
492
+ # The Amazon VPC endpoint service must [fulfill all requirements][1]
493
+ # for use with an external key store.
494
+ #
495
+ # **Uniqueness requirements:**
496
+ #
497
+ # * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
498
+ # share an Amazon VPC, but each external key store must have its own
499
+ # VPC endpoint service and private DNS name.
500
+ #
501
+ # ^
502
+ #
503
+ #
504
+ #
505
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
506
+ # @return [String]
507
+ #
508
+ # @!attribute [rw] xks_proxy_authentication_credential
509
+ # Specifies an authentication credential for the external key store
510
+ # proxy (XKS proxy). This parameter is required for all custom key
511
+ # stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
512
+ #
513
+ # The `XksProxyAuthenticationCredential` has two required elements:
514
+ # `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
515
+ # identifier for the `RawSecretAccessKey`. For character requirements,
516
+ # see
517
+ # [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
518
+ #
519
+ # KMS uses this authentication credential to sign requests to the
520
+ # external key store proxy on your behalf. This credential is
521
+ # unrelated to Identity and Access Management (IAM) and Amazon Web
522
+ # Services credentials.
523
+ #
524
+ # This parameter doesn't set or change the authentication credentials
525
+ # on the XKS proxy. It just tells KMS the credential that you
526
+ # established on your external key store proxy. If you rotate your
527
+ # proxy authentication credential, use the UpdateCustomKeyStore
528
+ # operation to provide the new credential to KMS.
529
+ # @return [Types::XksProxyAuthenticationCredentialType]
530
+ #
531
+ # @!attribute [rw] xks_proxy_connectivity
532
+ # Indicates how KMS communicates with the external key store proxy.
533
+ # This parameter is required for custom key stores with a
534
+ # `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
535
+ #
536
+ # If the external key store proxy uses a public endpoint, specify
537
+ # `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
538
+ # endpoint service for communication with KMS, specify
539
+ # `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
540
+ # connectivity option][1] in the *Key Management Service Developer
541
+ # Guide*.
542
+ #
543
+ # An Amazon VPC endpoint service keeps your communication with KMS in
544
+ # a private address space entirely within Amazon Web Services, but it
545
+ # requires more configuration, including establishing a Amazon VPC
546
+ # with multiple subnets, a VPC endpoint service, a network load
547
+ # balancer, and a verified private DNS name. A public endpoint is
548
+ # simpler to set up, but it might be slower and might not fulfill your
549
+ # security requirements. You might consider testing with a public
550
+ # endpoint, and then establishing a VPC endpoint service for
551
+ # production tasks. Note that this choice does not determine the
552
+ # location of the external key store proxy. Even if you choose a VPC
553
+ # endpoint service, the proxy can be hosted within the VPC or outside
554
+ # of Amazon Web Services such as in your corporate data center.
555
+ #
556
+ #
557
+ #
558
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
559
+ # @return [String]
560
+ #
388
561
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
389
562
  #
390
563
  class CreateCustomKeyStoreRequest < Struct.new(
391
564
  :custom_key_store_name,
392
565
  :cloud_hsm_cluster_id,
393
566
  :trust_anchor_certificate,
394
- :key_store_password)
567
+ :key_store_password,
568
+ :custom_key_store_type,
569
+ :xks_proxy_uri_endpoint,
570
+ :xks_proxy_uri_path,
571
+ :xks_proxy_vpc_endpoint_service_name,
572
+ :xks_proxy_authentication_credential,
573
+ :xks_proxy_connectivity)
395
574
  SENSITIVE = [:key_store_password]
396
575
  include Aws::Structure
397
576
  end
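Review bot: `SENSITIVE = [:key_store_password]` in CreateCustomKeyStoreRequest is left unchanged while the new `:xks_proxy_authentication_credential` member carries a `raw_secret_access_key`, which the added docs describe as a secret key that KMS uses to sign requests to the proxy. Whether that secret is redacted from `inspect`/log output therefore depends entirely on `Types::XksProxyAuthenticationCredentialType` declaring its own SENSITIVE entries, and that type is not in view here; please confirm it marks `raw_secret_access_key` (and ideally `access_key_id`) sensitive, or add the credential member to this struct's SENSITIVE list. Separately, the new doc text has three defects worth fixing upstream: the stray `# * CreateCustom` line at the top of the `trust_anchor_certificate` description, the empty backticks in `(`/` and ``)` under `xks_proxy_uri_endpoint` (a backslash appears to have been lost), and the `[4]` link in the `xks_key_id` docs of the later CreateKeyRequest hunk, which lacks the `kms/latest/developerguide/` path segment.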
@@ -629,7 +808,7 @@ module Aws::KMS
629
808
  # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
630
809
  # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
631
810
  # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
632
- # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
811
+ # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
633
812
  # custom_key_store_id: "CustomKeyStoreIdType",
634
813
  # bypass_policy_lockout_safety_check: false,
635
814
  # tags: [
@@ -639,22 +818,20 @@ module Aws::KMS
639
818
  # },
640
819
  # ],
641
820
  # multi_region: false,
821
+ # xks_key_id: "XksKeyIdType",
642
822
  # }
643
823
  #
644
824
  # @!attribute [rw] policy
645
- # The key policy to attach to the KMS key. If you do not specify a key
646
- # policy, KMS attaches a default key policy to the KMS key. For more
647
- # information, see [Default key policy][1] in the *Key Management
648
- # Service Developer Guide*.
825
+ # The key policy to attach to the KMS key.
649
826
  #
650
827
  # If you provide a key policy, it must meet the following criteria:
651
828
  #
652
- # * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
829
+ # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
653
830
  # key policy must allow the principal that is making the `CreateKey`
654
831
  # request to make a subsequent PutKeyPolicy request on the KMS key.
655
832
  # This reduces the risk that the KMS key becomes unmanageable. For
656
833
  # more information, refer to the scenario in the [Default Key
657
- # Policy][2] section of the <i> <i>Key Management Service Developer
834
+ # Policy][1] section of the <i> <i>Key Management Service Developer
658
835
  # Guide</i> </i>.
659
836
  #
660
837
  # * Each statement in the key policy must contain one or more
@@ -664,33 +841,25 @@ module Aws::KMS
664
841
  # enforce a delay before including the new principal in a key policy
665
842
  # because the new principal might not be immediately visible to KMS.
666
843
  # For more information, see [Changes that I make are not always
667
- # immediately visible][3] in the *Amazon Web Services Identity and
844
+ # immediately visible][2] in the *Amazon Web Services Identity and
668
845
  # Access Management User Guide*.
669
846
  #
670
- # A key policy document can include only the following characters:
847
+ # If you do not provide a key policy, KMS attaches a default key
848
+ # policy to the KMS key. For more information, see [Default Key
849
+ # Policy][3] in the *Key Management Service Developer Guide*.
671
850
  #
672
- # * Printable ASCII characters from the space character (`\u0020`)
673
- # through the end of the ASCII character range.
851
+ # The key policy size quota is 32 kilobytes (32768 bytes).
674
852
  #
675
- # * Printable characters in the Basic Latin and Latin-1 Supplement
676
- # character set (through `\u00FF`).
853
+ # For help writing and formatting a JSON policy document, see the [IAM
854
+ # JSON Policy Reference][4] in the <i> <i>Identity and Access
855
+ # Management User Guide</i> </i>.
677
856
  #
678
- # * The tab (`\u0009`), line feed (`\u000A`), and carriage return
679
- # (`\u000D`) special characters
680
857
  #
681
- # For information about key policies, see [Key policies in KMS][4] in
682
- # the *Key Management Service Developer Guide*. For help writing and
683
- # formatting a JSON policy document, see the [IAM JSON Policy
684
- # Reference][5] in the <i> <i>Identity and Access Management User
685
- # Guide</i> </i>.
686
858
  #
687
- #
688
- #
689
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
690
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
691
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
692
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
693
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
859
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
860
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
861
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
862
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
694
863
  # @return [String]
695
864
  #
696
865
  # @!attribute [rw] description
@@ -737,8 +906,8 @@ module Aws::KMS
737
906
  #
738
907
  # The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
739
908
  # way. Only the names differ. We recommend that you use `KeySpec`
740
- # parameter in your code. However, to avoid breaking changes, KMS will
741
- # support both parameters.
909
+ # parameter in your code. However, to avoid breaking changes, KMS
910
+ # supports both parameters.
742
911
  # @return [String]
743
912
  #
744
913
  # @!attribute [rw] key_spec
@@ -751,14 +920,13 @@ module Aws::KMS
751
920
  # Guide</i> </i>.
752
921
  #
753
922
  # The `KeySpec` determines whether the KMS key contains a symmetric
754
- # key or an asymmetric key pair. It also determines the cryptographic
755
- # algorithms that the KMS key supports. You can't change the
756
- # `KeySpec` after the KMS key is created. To further restrict the
757
- # algorithms that can be used with the KMS key, use a condition key in
758
- # its key policy or IAM policy. For more information, see
759
- # [kms:EncryptionAlgorithm][2], [kms:MacAlgorithm][3] or [kms:Signing
760
- # Algorithm][4] in the <i> <i>Key Management Service Developer
761
- # Guide</i> </i>.
923
+ # key or an asymmetric key pair. It also determines the algorithms
924
+ # that the KMS key supports. You can't change the `KeySpec` after the
925
+ # KMS key is created. To further restrict the algorithms that can be
926
+ # used with the KMS key, use a condition key in its key policy or IAM
927
+ # policy. For more information, see [kms:EncryptionAlgorithm][2],
928
+ # [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
929
+ # <i>Key Management Service Developer Guide</i> </i>.
762
930
  #
763
931
  # [Amazon Web Services services that are integrated with KMS][5] use
764
932
  # symmetric encryption KMS keys to protect your data. These services
@@ -825,45 +993,48 @@ module Aws::KMS
825
993
  # the origin after you create the KMS key. The default is `AWS_KMS`,
826
994
  # which means that KMS creates the key material.
827
995
  #
828
- # To create a KMS key with no key material (for imported key
829
- # material), set the value to `EXTERNAL`. For more information about
830
- # importing key material into KMS, see [Importing Key Material][1] in
831
- # the *Key Management Service Developer Guide*. This value is valid
832
- # only for symmetric encryption KMS keys.
996
+ # To [create a KMS key with no key material][1] (for imported key
997
+ # material), set this value to `EXTERNAL`. For more information about
998
+ # importing key material into KMS, see [Importing Key Material][2] in
999
+ # the *Key Management Service Developer Guide*. The `EXTERNAL` origin
1000
+ # value is valid only for symmetric KMS keys.
833
1001
  #
834
- # To create a KMS key in an KMS [custom key store][2] and create its
835
- # key material in the associated CloudHSM cluster, set this value to
1002
+ # To [create a KMS key in an CloudHSM key store][3] and create its key
1003
+ # material in the associated CloudHSM cluster, set this value to
836
1004
  # `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
837
- # to identify the custom key store. This value is valid only for
838
- # symmetric encryption KMS keys.
1005
+ # to identify the CloudHSM key store. The `KeySpec` value must be
1006
+ # `SYMMETRIC_DEFAULT`.
1007
+ #
1008
+ # To [create a KMS key in an external key store][4], set this value to
1009
+ # `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
1010
+ # parameter to identify the external key store and the `XksKeyId`
1011
+ # parameter to identify the associated external key. The `KeySpec`
1012
+ # value must be `SYMMETRIC_DEFAULT`.
839
1013
  #
840
1014
  #
841
1015
  #
842
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
843
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1016
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
1017
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1018
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
1019
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
844
1020
  # @return [String]
845
1021
  #
846
1022
  # @!attribute [rw] custom_key_store_id
847
- # Creates the KMS key in the specified [custom key store][1] and the
848
- # key material in its associated CloudHSM cluster. To create a KMS key
849
- # in a custom key store, you must also specify the `Origin` parameter
850
- # with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
851
- # associated with the custom key store must have at least two active
852
- # HSMs, each in a different Availability Zone in the Region.
1023
+ # Creates the KMS key in the specified [custom key store][1]. The
1024
+ # `ConnectionState` of the custom key store must be `CONNECTED`. To
1025
+ # find the CustomKeyStoreID and ConnectionState use the
1026
+ # DescribeCustomKeyStores operation.
853
1027
  #
854
1028
  # This parameter is valid only for symmetric encryption KMS keys in a
855
1029
  # single Region. You cannot create any other type of KMS key in a
856
1030
  # custom key store.
857
1031
  #
858
- # To find the ID of a custom key store, use the
859
- # DescribeCustomKeyStores operation.
860
- #
861
- # The response includes the custom key store ID and the ID of the
862
- # CloudHSM cluster.
863
- #
864
- # This operation is part of the [custom key store feature][1] feature
865
- # in KMS, which combines the convenience and extensive integration of
866
- # KMS with the isolation and control of a single-tenant key store.
1032
+ # When you create a KMS key in an CloudHSM key store, KMS generates a
1033
+ # non-exportable 256-bit symmetric key in its associated CloudHSM
1034
+ # cluster and associates it with the KMS key. When you create a KMS
1035
+ # key in an external key store, you must use the `XksKeyId` parameter
1036
+ # to specify an external key that serves as key material for the KMS
1037
+ # key.
867
1038
  #
868
1039
  #
869
1040
  #
@@ -899,7 +1070,7 @@ module Aws::KMS
899
1070
  # TagResource operation.
900
1071
  #
901
1072
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
902
- # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
1073
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
903
1074
  # Service Developer Guide*.
904
1075
  #
905
1076
  # </note>
@@ -947,16 +1118,52 @@ module Aws::KMS
947
1118
  # This value creates a *primary key*, not a replica. To create a
948
1119
  # *replica key*, use the ReplicateKey operation.
949
1120
  #
950
- # You can create a multi-Region version of a symmetric encryption KMS
951
- # key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
952
- # imported key material. However, you cannot create a multi-Region key
953
- # in a custom key store.
1121
+ # You can create a symmetric or asymmetric multi-Region key, and you
1122
+ # can create a multi-Region key with imported key material. However,
1123
+ # you cannot create a multi-Region key in a custom key store.
954
1124
  #
955
1125
  #
956
1126
  #
957
1127
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
958
1128
  # @return [Boolean]
959
1129
  #
1130
+ # @!attribute [rw] xks_key_id
1131
+ # Identifies the [external key][1] that serves as key material for the
1132
+ # KMS key in an [external key store][2]. Specify the ID that the
1133
+ # [external key store proxy][3] uses to refer to the external key. For
1134
+ # help, see the documentation for your external key store proxy.
1135
+ #
1136
+ # This parameter is required for a KMS key with an `Origin` value of
1137
+ # `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
1138
+ # `Origin` value.
1139
+ #
1140
+ # The external key must be an existing 256-bit AES symmetric
1141
+ # encryption key hosted outside of Amazon Web Services in an external
1142
+ # key manager associated with the external key store specified by the
1143
+ # `CustomKeyStoreId` parameter. This key must be enabled and
1144
+ # configured to perform encryption and decryption. Each KMS key in an
1145
+ # external key store must use a different external key. For details,
1146
+ # see [Requirements for a KMS key in an external key store][4] in the
1147
+ # *Key Management Service Developer Guide*.
1148
+ #
1149
+ # Each KMS key in an external key store is associated two backing
1150
+ # keys. One is key material that KMS generates. The other is the
1151
+ # external key specified by this parameter. When you use the KMS key
1152
+ # in an external key store to encrypt data, the encryption operation
1153
+ # is performed first by KMS using the KMS key material, and then by
1154
+ # the external key manager using the specified external key, a process
1155
+ # known as *double encryption*. For details, see [Double
1156
+ # encryption][5] in the *Key Management Service Developer Guide*.
1157
+ #
1158
+ #
1159
+ #
1160
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
1161
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
1162
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
1163
+ # [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
1164
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
1165
+ # @return [String]
1166
+ #
960
1167
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
961
1168
  #
962
1169
  class CreateKeyRequest < Struct.new(
@@ -969,7 +1176,8 @@ module Aws::KMS
969
1176
  :custom_key_store_id,
970
1177
  :bypass_policy_lockout_safety_check,
971
1178
  :tags,
972
- :multi_region)
1179
+ :multi_region,
1180
+ :xks_key_id)
973
1181
  SENSITIVE = []
974
1182
  include Aws::Structure
975
1183
  end
@@ -1008,18 +1216,29 @@ module Aws::KMS
1008
1216
  #
1009
1217
  # This exception is thrown under the following conditions:
1010
1218
  #
1011
- # * You requested the CreateKey or GenerateRandom operation in a custom
1012
- # key store that is not connected. These operations are valid only
1013
- # when the custom key store `ConnectionState` is `CONNECTED`.
1219
+ # * You requested the ConnectCustomKeyStore operation on a custom key
1220
+ # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
1221
+ # operation is valid for all other `ConnectionState` values. To
1222
+ # reconnect a custom key store in a `FAILED` state, disconnect it
1223
+ # (DisconnectCustomKeyStore), then connect it
1224
+ # (`ConnectCustomKeyStore`).
1225
+ #
1226
+ # * You requested the CreateKey operation in a custom key store that is
1227
+ # not connected. This operations is valid only when the custom key
1228
+ # store `ConnectionState` is `CONNECTED`.
1229
+ #
1230
+ # * You requested the DisconnectCustomKeyStore operation on a custom key
1231
+ # store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
1232
+ # This operation is valid for all other `ConnectionState` values.
1014
1233
  #
1015
1234
  # * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
1016
1235
  # operation on a custom key store that is not disconnected. This
1017
1236
  # operation is valid only when the custom key store `ConnectionState`
1018
1237
  # is `DISCONNECTED`.
1019
1238
  #
1020
- # * You requested the ConnectCustomKeyStore operation on a custom key
1021
- # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
1022
- # operation is valid for all other `ConnectionState` values.
1239
+ # * You requested the GenerateRandom operation in an CloudHSM key store
1240
+ # that is not connected. This operation is valid only when the
1241
+ # CloudHSM key store `ConnectionState` is `CONNECTED`.
1023
1242
  #
1024
1243
  # @!attribute [rw] message
1025
1244
  # @return [String]
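Review bot: The new CreateKey bullet reads `This operations is valid only when the custom key store ConnectionState is CONNECTED`; "operations" should be "operation". The GenerateRandom bullet in the same hunk says "an CloudHSM key store", and that article slip recurs through most of the rewritten CloudHSM text further down (the cloud_hsm_cluster_id, trust_anchor_certificate and connection_state descriptions, IncorrectTrustAnchorException, and the KeyMetadata cloud_hsm_cluster_id text); it reads as if an "AWS" prefix was dropped and "a CloudHSM key store" is the intended wording. A related slip is the missing space in `Developer Guide*.For help writing` in the key-policy description near the end of this diff. This file looks generated from the service model, so these wording fixes presumably belong in the model rather than in a hand edit here.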
@@ -1074,13 +1293,17 @@ module Aws::KMS
1074
1293
  #
1075
1294
  # @!attribute [rw] cloud_hsm_cluster_id
1076
1295
  # A unique identifier for the CloudHSM cluster that is associated with
1077
- # the custom key store.
1296
+ # an CloudHSM key store. This field appears only when the
1297
+ # `CustomKeyStoreType` is `AWS_CLOUDHSM`.
1078
1298
  # @return [String]
1079
1299
  #
1080
1300
  # @!attribute [rw] trust_anchor_certificate
1081
- # The trust anchor certificate of the associated CloudHSM cluster.
1082
- # When you [initialize the cluster][1], you create this certificate
1083
- # and save it in the `customerCA.crt` file.
1301
+ # The trust anchor certificate of the CloudHSM cluster associated with
1302
+ # an CloudHSM key store. When you [initialize the cluster][1], you
1303
+ # create this certificate and save it in the `customerCA.crt` file.
1304
+ #
1305
+ # This field appears only when the `CustomKeyStoreType` is
1306
+ # `AWS_CLOUDHSM`.
1084
1307
  #
1085
1308
  #
1086
1309
  #
@@ -1088,22 +1311,30 @@ module Aws::KMS
1088
1311
  # @return [String]
1089
1312
  #
1090
1313
  # @!attribute [rw] connection_state
1091
- # Indicates whether the custom key store is connected to its CloudHSM
1092
- # cluster.
1314
+ # Indicates whether the custom key store is connected to its backing
1315
+ # key store. For an CloudHSM key store, the `ConnectionState`
1316
+ # indicates whether it is connected to its CloudHSM cluster. For an
1317
+ # external key store, the `ConnectionState` indicates whether it is
1318
+ # connected to the external key store proxy that communicates with
1319
+ # your external key manager.
1093
1320
  #
1094
1321
  # You can create and use KMS keys in your custom key stores only when
1095
- # its connection state is `CONNECTED`.
1096
- #
1097
- # The value is `DISCONNECTED` if the key store has never been
1098
- # connected or you use the DisconnectCustomKeyStore operation to
1099
- # disconnect it. If the value is `CONNECTED` but you are having
1100
- # trouble using the custom key store, make sure that its associated
1101
- # CloudHSM cluster is active and contains at least one active HSM.
1322
+ # its `ConnectionState` is `CONNECTED`.
1323
+ #
1324
+ # The `ConnectionState` value is `DISCONNECTED` only if the key store
1325
+ # has never been connected or you use the DisconnectCustomKeyStore
1326
+ # operation to disconnect it. If the value is `CONNECTED` but you are
1327
+ # having trouble using the custom key store, make sure that the
1328
+ # backing key store is reachable and active. For an CloudHSM key
1329
+ # store, verify that its associated CloudHSM cluster is active and
1330
+ # contains at least one active HSM. For an external key store, verify
1331
+ # that the external key store proxy and external key manager are
1332
+ # connected and enabled.
1102
1333
  #
1103
1334
  # A value of `FAILED` indicates that an attempt to connect was
1104
1335
  # unsuccessful. The `ConnectionErrorCode` field in the response
1105
1336
  # indicates the cause of the failure. For help resolving a connection
1106
- # failure, see [Troubleshooting a Custom Key Store][1] in the *Key
1337
+ # failure, see [Troubleshooting a custom key store][1] in the *Key
1107
1338
  # Management Service Developer Guide*.
1108
1339
  #
1109
1340
  #
@@ -1113,35 +1344,52 @@ module Aws::KMS
1113
1344
  #
1114
1345
  # @!attribute [rw] connection_error_code
1115
1346
  # Describes the connection error. This field appears in the response
1116
- # only when the `ConnectionState` is `FAILED`. For help resolving
1117
- # these errors, see [How to Fix a Connection Failure][1] in *Key
1118
- # Management Service Developer Guide*.
1347
+ # only when the `ConnectionState` is `FAILED`.
1348
+ #
1349
+ # Many failures can be resolved by updating the properties of the
1350
+ # custom key store. To update a custom key store, disconnect it
1351
+ # (DisconnectCustomKeyStore), correct the errors
1352
+ # (UpdateCustomKeyStore), and try to connect again
1353
+ # (ConnectCustomKeyStore). For additional help resolving these errors,
1354
+ # see [How to Fix a Connection Failure][1] in *Key Management Service
1355
+ # Developer Guide*.
1356
+ #
1357
+ # **All custom key stores:**
1119
1358
  #
1120
- # Valid values are:
1359
+ # * `INTERNAL_ERROR` — KMS could not complete the request due to an
1360
+ # internal error. Retry the request. For `ConnectCustomKeyStore`
1361
+ # requests, disconnect the custom key store before trying to connect
1362
+ # again.
1121
1363
  #
1122
- # * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
1364
+ # * `NETWORK_ERRORS` Network errors are preventing KMS from
1365
+ # connecting the custom key store to its backing key store.
1366
+ #
1367
+ # **CloudHSM key stores:**
1368
+ #
1369
+ # * `CLUSTER_NOT_FOUND` — KMS cannot find the CloudHSM cluster with
1123
1370
  # the specified cluster ID.
1124
1371
  #
1125
- # * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
1372
+ # * `INSUFFICIENT_CLOUDHSM_HSMS` The associated CloudHSM cluster
1126
1373
  # does not contain any active HSMs. To connect a custom key store to
1127
1374
  # its CloudHSM cluster, the cluster must contain at least one active
1128
1375
  # HSM.
1129
1376
  #
1130
- # * `INTERNAL_ERROR` - KMS could not complete the request due to an
1131
- # internal error. Retry the request. For `ConnectCustomKeyStore`
1132
- # requests, disconnect the custom key store before trying to connect
1133
- # again.
1134
- #
1135
- # * `INVALID_CREDENTIALS` - KMS does not have the correct password for
1136
- # the `kmsuser` crypto user in the CloudHSM cluster. Before you can
1137
- # connect your custom key store to its CloudHSM cluster, you must
1138
- # change the `kmsuser` account password and update the key store
1139
- # password value for the custom key store.
1377
+ # * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` At least one private
1378
+ # subnet associated with the CloudHSM cluster doesn't have any
1379
+ # available IP addresses. A CloudHSM key store connection requires
1380
+ # one free IP address in each of the associated private subnets,
1381
+ # although two are preferable. For details, see [How to Fix a
1382
+ # Connection Failure][1] in the *Key Management Service Developer
1383
+ # Guide*.
1140
1384
  #
1141
- # * `NETWORK_ERRORS` - Network errors are preventing KMS from
1142
- # connecting to the custom key store.
1385
+ # * `INVALID_CREDENTIALS` The `KeyStorePassword` for the custom key
1386
+ # store doesn't match the current password of the `kmsuser` crypto
1387
+ # user in the CloudHSM cluster. Before you can connect your custom
1388
+ # key store to its CloudHSM cluster, you must change the `kmsuser`
1389
+ # account password and update the `KeyStorePassword` value for the
1390
+ # custom key store.
1143
1391
  #
1144
- # * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
1392
+ # * `SUBNET_NOT_FOUND` A subnet in the CloudHSM cluster
1145
1393
  # configuration was deleted. If KMS cannot find all of the subnets
1146
1394
  # in the cluster configuration, attempts to connect the custom key
1147
1395
  # store to the CloudHSM cluster fail. To fix this error, create a
@@ -1151,13 +1399,13 @@ module Aws::KMS
1151
1399
  # Connection Failure][1] in the *Key Management Service Developer
1152
1400
  # Guide*.
1153
1401
  #
1154
- # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
1402
+ # * `USER_LOCKED_OUT` The `kmsuser` CU account is locked out of the
1155
1403
  # associated CloudHSM cluster due to too many failed password
1156
1404
  # attempts. Before you can connect your custom key store to its
1157
1405
  # CloudHSM cluster, you must change the `kmsuser` account password
1158
1406
  # and update the key store password value for the custom key store.
1159
1407
  #
1160
- # * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
1408
+ # * `USER_LOGGED_IN` The `kmsuser` CU account is logged into the
1161
1409
  # associated CloudHSM cluster. This prevents KMS from rotating the
1162
1410
  # `kmsuser` account password and logging into the cluster. Before
1163
1411
  # you can connect your custom key store to its CloudHSM cluster, you
@@ -1167,22 +1415,119 @@ module Aws::KMS
1167
1415
  # help, see [How to Log Out and Reconnect][2] in the *Key Management
1168
1416
  # Service Developer Guide*.
1169
1417
  #
1170
- # * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
1418
+ # * `USER_NOT_FOUND` KMS cannot find a `kmsuser` CU account in the
1171
1419
  # associated CloudHSM cluster. Before you can connect your custom
1172
1420
  # key store to its CloudHSM cluster, you must create a `kmsuser` CU
1173
1421
  # account in the cluster, and then update the key store password
1174
1422
  # value for the custom key store.
1175
1423
  #
1424
+ # **External key stores:**
1425
+ #
1426
+ # * `INVALID_CREDENTIALS` — One or both of the
1427
+ # `XksProxyAuthenticationCredential` values is not valid on the
1428
+ # specified external key store proxy.
1429
+ #
1430
+ # * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
1431
+ # external key store proxy. If the external key store proxy has
1432
+ # authorization rules, verify that they permit KMS to communicate
1433
+ # with the proxy on your behalf.
1434
+ #
1435
+ # * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
1436
+ # preventing the external key store from connecting to its proxy.
1437
+ # Verify the value of the `XksProxyUriPath`.
1438
+ #
1439
+ # * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
1440
+ # from the external key store proxy. If you see this connection
1441
+ # error code repeatedly, notify your external key store proxy
1442
+ # vendor.
1443
+ #
1444
+ # * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
1445
+ # external key store proxy because the TLS configuration is invalid.
1446
+ # Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
1447
+ # that the TLS certificate is not expired, and that it matches the
1448
+ # hostname in the `XksProxyUriEndpoint` value, and that it is signed
1449
+ # by a certificate authority included in the [Trusted Certificate
1450
+ # Authorities][3] list.
1451
+ #
1452
+ # * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
1453
+ # external key store proxy. Verify that the `XksProxyUriEndpoint`
1454
+ # and `XksProxyUriPath` are correct. Use the tools for your external
1455
+ # key store proxy to verify that the proxy is active and available
1456
+ # on its network. Also, verify that your external key manager
1457
+ # instances are operating properly. Connection attempts fail with
1458
+ # this connection error code if the proxy reports that all external
1459
+ # key manager instances are unavailable.
1460
+ #
1461
+ # * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
1462
+ # proxy, but the proxy does not respond to KMS in the time allotted.
1463
+ # If you see this connection error code repeatedly, notify your
1464
+ # external key store proxy vendor.
1465
+ #
1466
+ # * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
1467
+ # endpoint service configuration doesn't conform to the
1468
+ # requirements for an KMS external key store.
1469
+ #
1470
+ # * The VPC endpoint service must be an endpoint service for
1471
+ # interface endpoints in the caller's Amazon Web Services
1472
+ # account.
1473
+ #
1474
+ # * It must have a network load balancer (NLB) connected to at least
1475
+ # two subnets, each in a different Availability Zone.
1476
+ #
1477
+ # * The `Allow principals` list must include the KMS service
1478
+ # principal for the Region, `cks.kms.<region>.amazonaws.com`, such
1479
+ # as `cks.kms.us-east-1.amazonaws.com`.
1480
+ #
1481
+ # * It must *not* require [acceptance][4] of connection requests.
1482
+ #
1483
+ # * It must have a private DNS name. The private DNS name for an
1484
+ # external key store with `VPC_ENDPOINT_SERVICE` connectivity must
1485
+ # be unique in its Amazon Web Services Region.
1486
+ #
1487
+ # * The domain of the private DNS name must have a [verification
1488
+ # status][5] of `verified`.
1489
+ #
1490
+ # * The [TLS certificate][6] specifies the private DNS hostname at
1491
+ # which the endpoint is reachable.
1492
+ #
1493
+ # * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
1494
+ # endpoint service that it uses to communicate with the external key
1495
+ # store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
1496
+ # correct and the KMS service principal has service consumer
1497
+ # permissions on the Amazon VPC endpoint service.
1498
+ #
1176
1499
  #
1177
1500
  #
1178
1501
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
1179
1502
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
1503
+ # [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
1504
+ # [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
1505
+ # [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
1506
+ # [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
1180
1507
  # @return [String]
1181
1508
  #
1182
1509
  # @!attribute [rw] creation_date
1183
1510
  # The date and time when the custom key store was created.
1184
1511
  # @return [Time]
1185
1512
  #
1513
+ # @!attribute [rw] custom_key_store_type
1514
+ # Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
1515
+ # a custom key store backed by an CloudHSM cluster.
1516
+ # `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
1517
+ # external key store proxy and external key manager outside of Amazon
1518
+ # Web Services.
1519
+ # @return [String]
1520
+ #
1521
+ # @!attribute [rw] xks_proxy_configuration
1522
+ # Configuration settings for the external key store proxy (XKS proxy).
1523
+ # The external key store proxy translates KMS requests into a format
1524
+ # that your external key manager can understand. The proxy
1525
+ # configuration includes connection information that KMS requires.
1526
+ #
1527
+ # This field appears only when the `CustomKeyStoreType` is
1528
+ # `EXTERNAL_KEY_STORE`.
1529
+ # @return [Types::XksProxyConfigurationType]
1530
+ #
1186
1531
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
1187
1532
  #
1188
1533
  class CustomKeyStoresListEntry < Struct.new(
@@ -1192,7 +1537,9 @@ module Aws::KMS
1192
1537
  :trust_anchor_certificate,
1193
1538
  :connection_state,
1194
1539
  :connection_error_code,
1195
- :creation_date)
1540
+ :creation_date,
1541
+ :custom_key_store_type,
1542
+ :xks_proxy_configuration)
1196
1543
  SENSITIVE = []
1197
1544
  include Aws::Structure
1198
1545
  end
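Review bot: `SENSITIVE = []` is left unchanged while the struct gains `:xks_proxy_configuration`, which the new attribute description above says holds the "connection information that KMS requires" for the external key store proxy. Whether an empty list is correct here depends on `Types::XksProxyConfigurationType` marking any credential-bearing member as sensitive itself (the update-request shape later in this diff shows an `xks_proxy_authentication_credential` with `access_key_id` and `raw_secret_access_key`), and that type is not in this chunk, so it is worth confirming before DescribeCustomKeyStores responses are treated as safe to log or inspect. As I understand it, the SDK consults `SENSITIVE` when it stringifies a struct, so a credential left out of it would surface in debug output; if the nested type already redacts, a one-line comment such as `# redaction of proxy credentials is handled by XksProxyConfigurationType's SENSITIVE list` would save the next reader the same check.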
@@ -1416,8 +1763,8 @@ module Aws::KMS
1416
1763
  include Aws::Structure
1417
1764
  end
1418
1765
 
1419
- # The system timed out while trying to fulfill the request. The request
1420
- # can be retried.
1766
+ # The system timed out while trying to fulfill the request. You can
1767
+ # retry the request.
1421
1768
  #
1422
1769
  # @!attribute [rw] message
1423
1770
  # @return [String]
@@ -1446,8 +1793,8 @@ module Aws::KMS
1446
1793
  #
1447
1794
  # By default, this operation gets information about all custom key
1448
1795
  # stores in the account and Region. To limit the output to a
1449
- # particular custom key store, you can use either the
1450
- # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1796
+ # particular custom key store, provide either the `CustomKeyStoreId`
1797
+ # or `CustomKeyStoreName` parameter, but not both.
1451
1798
  # @return [String]
1452
1799
  #
1453
1800
  # @!attribute [rw] custom_key_store_name
@@ -1456,8 +1803,8 @@ module Aws::KMS
1456
1803
  #
1457
1804
  # By default, this operation gets information about all custom key
1458
1805
  # stores in the account and Region. To limit the output to a
1459
- # particular custom key store, you can use either the
1460
- # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1806
+ # particular custom key store, provide either the `CustomKeyStoreId`
1807
+ # or `CustomKeyStoreName` parameter, but not both.
1461
1808
  # @return [String]
1462
1809
  #
1463
1810
  # @!attribute [rw] limit
@@ -1733,11 +2080,10 @@ module Aws::KMS
1733
2080
  # }
1734
2081
  #
1735
2082
  # @!attribute [rw] key_id
1736
- # Identifies a symmetric encryption KMS key. You cannot enable or
1737
- # disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
1738
- # keys][2], KMS keys with [imported key material][3], or KMS keys in a
1739
- # [custom key store][4]. The key rotation status of these KMS keys is
1740
- # always `false`. To enable or disable automatic rotation of a set of
2083
+ # Identifies a symmetric encryption KMS key. You cannot enable
2084
+ # automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
2085
+ # KMS keys with [imported key material][3], or KMS keys in a [custom
2086
+ # key store][4]. To enable or disable automatic rotation of a set of
1741
2087
  # related [multi-Region keys][5], set the property on the primary key.
1742
2088
  #
1743
2089
  # Specify the key ID or key ARN of the KMS key.
@@ -1859,6 +2205,8 @@ module Aws::KMS
1859
2205
  # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
1860
2206
  # encryption KMS keys. If you are using an asymmetric KMS key, we
1861
2207
  # recommend RSAES\_OAEP\_SHA\_256.
2208
+ #
2209
+ # The SM2PKE algorithm is only available in China Regions.
1862
2210
  # @return [String]
1863
2211
  #
1864
2212
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -1984,8 +2332,7 @@ module Aws::KMS
1984
2332
  # keys to encrypt and decrypt or to sign and verify (but not both),
1985
2333
  # and the rule that permits you to use ECC KMS keys only to sign and
1986
2334
  # verify, are not effective on data key pairs, which are used outside
1987
- # of KMS. The SM2 key spec is only available in China Regions. RSA and
1988
- # ECC asymmetric key pairs are also available in China Regions.
2335
+ # of KMS. The SM2 key spec is only available in China Regions.
1989
2336
  # @return [String]
1990
2337
  #
1991
2338
  # @!attribute [rw] grant_tokens
@@ -2122,8 +2469,7 @@ module Aws::KMS
2122
2469
  # keys to encrypt and decrypt or to sign and verify (but not both),
2123
2470
  # and the rule that permits you to use ECC KMS keys only to sign and
2124
2471
  # verify, are not effective on data key pairs, which are used outside
2125
- # of KMS. The SM2 key spec is only available in China Regions. RSA and
2126
- # ECC asymmetric key pairs are also available in China Regions.
2472
+ # of KMS. The SM2 key spec is only available in China Regions.
2127
2473
  # @return [String]
2128
2474
  #
2129
2475
  # @!attribute [rw] grant_tokens
@@ -2511,8 +2857,14 @@ module Aws::KMS
2511
2857
  end
2512
2858
 
2513
2859
  # @!attribute [rw] mac
2514
- # The hash-based message authentication code (HMAC) for the given
2515
- # message, key, and MAC algorithm.
2860
+ # The hash-based message authentication code (HMAC) that was generated
2861
+ # for the specified message, HMAC KMS key, and MAC algorithm.
2862
+ #
2863
+ # This is the standard, raw HMAC defined in [RFC 2104][1].
2864
+ #
2865
+ #
2866
+ #
2867
+ # [1]: https://datatracker.ietf.org/doc/html/rfc2104
2516
2868
  # @return [String]
2517
2869
  #
2518
2870
  # @!attribute [rw] mac_algorithm
@@ -2547,12 +2899,12 @@ module Aws::KMS
2547
2899
  #
2548
2900
  # @!attribute [rw] custom_key_store_id
2549
2901
  # Generates the random byte string in the CloudHSM cluster that is
2550
- # associated with the specified [custom key store][1]. To find the ID
2551
- # of a custom key store, use the DescribeCustomKeyStores operation.
2552
- #
2902
+ # associated with the specified CloudHSM key store. To find the ID of
2903
+ # a custom key store, use the DescribeCustomKeyStores operation.
2553
2904
  #
2554
- #
2555
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2905
+ # External key store IDs are not valid for this parameter. If you
2906
+ # specify the ID of an external key store, `GenerateRandom` throws an
2907
+ # `UnsupportedOperationException`.
2556
2908
  # @return [String]
2557
2909
  #
2558
2910
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -2846,7 +3198,7 @@ module Aws::KMS
2846
3198
  #
2847
3199
  # The `KeySpec` and `CustomerMasterKeySpec` fields have the same
2848
3200
  # value. We recommend that you use the `KeySpec` field in your code.
2849
- # However, to avoid breaking changes, KMS will support both fields.
3201
+ # However, to avoid breaking changes, KMS supports both fields.
2850
3202
  # @return [String]
2851
3203
  #
2852
3204
  # @!attribute [rw] key_spec
@@ -2900,11 +3252,10 @@ module Aws::KMS
2900
3252
  #
2901
3253
  # KMS applies the grant constraints only to cryptographic operations
2902
3254
  # that support an encryption context, that is, all cryptographic
2903
- # operations with a [symmetric encryption KMS key][3]. Grant constraints
2904
- # are not applied to operations that do not support an encryption
2905
- # context, such as cryptographic operations with HMAC KMS keys or
2906
- # asymmetric KMS keys, and management operations, such as DescribeKey or
2907
- # RetireGrant.
3255
+ # operations with a [symmetric KMS key][3]. Grant constraints are not
3256
+ # applied to operations that do not support an encryption context, such
3257
+ # as cryptographic operations with asymmetric KMS keys and management
3258
+ # operations, such as DescribeKey or RetireGrant.
2908
3259
  #
2909
3260
  # In a cryptographic operation, the encryption context in the decryption
2910
3261
  # operation must be an exact, case-sensitive match for the keys and
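Review bot: The rewritten sentence changes "symmetric encryption KMS key" to "symmetric KMS key" and drops the explicit statement, present on the removed lines, that grant constraints are not applied to operations with HMAC KMS keys. Since HMAC keys are also symmetric and their operations take no encryption context, the new wording is less precise about exactly where a grant constraint does not apply, which is the case where a reader might over-rely on it as an authorization boundary. Unless the service behaviour actually changed, keeping `such as cryptographic operations with HMAC KMS keys or asymmetric KMS keys` in the new text preserves that scope. The description this hunk belongs to continues outside the hunk.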
@@ -3088,19 +3439,37 @@ module Aws::KMS
3088
3439
  # @return [String]
3089
3440
  #
3090
3441
  # @!attribute [rw] valid_to
3091
- # The time at which the imported key material expires. When the key
3092
- # material expires, KMS deletes the key material and the KMS key
3093
- # becomes unusable. You must omit this parameter when the
3094
- # `ExpirationModel` parameter is set to
3095
- # `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
3442
+ # The date and time when the imported key material expires. This
3443
+ # parameter is required when the value of the `ExpirationModel`
3444
+ # parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
3445
+ #
3446
+ # The value of this parameter must be a future date and time. The
3447
+ # maximum value is 365 days from the request date.
3448
+ #
3449
+ # When the key material expires, KMS deletes the key material from the
3450
+ # KMS key. Without its key material, the KMS key is unusable. To use
3451
+ # the KMS key in cryptographic operations, you must reimport the same
3452
+ # key material.
3453
+ #
3454
+ # You cannot change the `ExpirationModel` or `ValidTo` values for the
3455
+ # current import after the request completes. To change either value,
3456
+ # you must delete (DeleteImportedKeyMaterial) and reimport the key
3457
+ # material.
3096
3458
  # @return [Time]
3097
3459
  #
3098
3460
  # @!attribute [rw] expiration_model
3099
3461
  # Specifies whether the key material expires. The default is
3100
- # `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
3101
- # parameter. When this parameter is set to
3462
+ # `KEY_MATERIAL_EXPIRES`.
3463
+ #
3464
+ # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
3465
+ # must specify a value for the `ValidTo` parameter. When value is
3102
3466
  # `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
3103
3467
  # parameter.
3468
+ #
3469
+ # You cannot change the `ExpirationModel` or `ValidTo` values for the
3470
+ # current import after the request completes. To change either value,
3471
+ # you must delete (DeleteImportedKeyMaterial) and reimport the key
3472
+ # material.
3104
3473
  # @return [String]
3105
3474
  #
3106
3475
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -3151,11 +3520,11 @@ module Aws::KMS
3151
3520
  end
3152
3521
 
3153
3522
  # The request was rejected because the trust anchor certificate in the
3154
- # request is not the trust anchor certificate for the specified CloudHSM
3155
- # cluster.
3523
+ # request to create an CloudHSM key store is not the trust anchor
3524
+ # certificate for the specified CloudHSM cluster.
3156
3525
  #
3157
- # When you [initialize the cluster][1], you create the trust anchor
3158
- # certificate and save it in the `customerCA.crt` file.
3526
+ # When you [initialize the CloudHSM cluster][1], you create the trust
3527
+ # anchor certificate and save it in the `customerCA.crt` file.
3159
3528
  #
3160
3529
  #
3161
3530
  #
@@ -3353,9 +3722,19 @@ module Aws::KMS
3353
3722
  # The request was rejected because the state of the specified resource
3354
3723
  # is not valid for this request.
3355
3724
  #
3356
- # For more information about how key state affects the use of a KMS key,
3357
- # see [Key states of KMS keys][1] in the <i> <i>Key Management Service
3358
- # Developer Guide</i> </i>.
3725
+ # This exceptions means one of the following:
3726
+ #
3727
+ # * The key state of the KMS key is not compatible with the operation.
3728
+ #
3729
+ # To find the key state, use the DescribeKey operation. For more
3730
+ # information about which key states are compatible with each KMS
3731
+ # operation, see [Key states of KMS keys][1] in the <i> <i>Key
3732
+ # Management Service Developer Guide</i> </i>.
3733
+ #
3734
+ # * For cryptographic operations on KMS keys in custom key stores, this
3735
+ # exception represents a general failure with many possible causes. To
3736
+ # identify the cause, see the error message that accompanies the
3737
+ # exception.
3359
3738
  #
3360
3739
  #
3361
3740
  #
@@ -3393,8 +3772,8 @@ module Aws::KMS
3393
3772
 
3394
3773
  # Contains metadata about a KMS key.
3395
3774
  #
3396
- # This data type is used as a response element for the CreateKey and
3397
- # DescribeKey operations.
3775
+ # This data type is used as a response element for the CreateKey,
3776
+ # DescribeKey, and ReplicateKey operations.
3398
3777
  #
3399
3778
  # @!attribute [rw] aws_account_id
3400
3779
  # The twelve-digit account ID of the Amazon Web Services account that
@@ -3478,7 +3857,7 @@ module Aws::KMS
3478
3857
  #
3479
3858
  # @!attribute [rw] custom_key_store_id
3480
3859
  # A unique identifier for the [custom key store][1] that contains the
3481
- # KMS key. This value is present only when the KMS key is created in a
3860
+ # KMS key. This field is present only when the KMS key is created in a
3482
3861
  # custom key store.
3483
3862
  #
3484
3863
  #
@@ -3488,10 +3867,10 @@ module Aws::KMS
3488
3867
  #
3489
3868
  # @!attribute [rw] cloud_hsm_cluster_id
3490
3869
  # The cluster ID of the CloudHSM cluster that contains the key
3491
- # material for the KMS key. When you create a KMS key in a [custom key
3492
- # store][1], KMS creates the key material for the KMS key in the
3493
- # associated CloudHSM cluster. This value is present only when the KMS
3494
- # key is created in a custom key store.
3870
+ # material for the KMS key. When you create a KMS key in an CloudHSM
3871
+ # [custom key store][1], KMS creates the key material for the KMS key
3872
+ # in the associated CloudHSM cluster. This field is present only when
3873
+ # the KMS key is created in an CloudHSM key store.
3495
3874
  #
3496
3875
  #
3497
3876
  #
@@ -3520,7 +3899,7 @@ module Aws::KMS
3520
3899
  #
3521
3900
  # The `KeySpec` and `CustomerMasterKeySpec` fields have the same
3522
3901
  # value. We recommend that you use the `KeySpec` field in your code.
3523
- # However, to avoid breaking changes, KMS will support both fields.
3902
+ # However, to avoid breaking changes, KMS supports both fields.
3524
3903
  # @return [String]
3525
3904
  #
3526
3905
  # @!attribute [rw] key_spec
@@ -3602,6 +3981,18 @@ module Aws::KMS
3602
3981
  # `GENERATE_VERIFY_MAC`.
3603
3982
  # @return [Array<String>]
3604
3983
  #
3984
+ # @!attribute [rw] xks_key_configuration
3985
+ # Information about the external key that is associated with a KMS key
3986
+ # in an external key store.
3987
+ #
3988
+ # For more information, see [External key][1] in the *Key Management
3989
+ # Service Developer Guide*.
3990
+ #
3991
+ #
3992
+ #
3993
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
3994
+ # @return [Types::XksKeyConfigurationType]
3995
+ #
3605
3996
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
3606
3997
  #
3607
3998
  class KeyMetadata < Struct.new(
@@ -3627,7 +4018,8 @@ module Aws::KMS
3627
4018
  :multi_region,
3628
4019
  :multi_region_configuration,
3629
4020
  :pending_deletion_window_in_days,
3630
- :mac_algorithms)
4021
+ :mac_algorithms,
4022
+ :xks_key_configuration)
3631
4023
  SENSITIVE = []
3632
4024
  include Aws::Structure
3633
4025
  end
@@ -4035,7 +4427,7 @@ module Aws::KMS
4035
4427
  # A list of tags. Each tag consists of a tag key and a tag value.
4036
4428
  #
4037
4429
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4038
- # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
4430
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
4039
4431
  # Service Developer Guide*.
4040
4432
  #
4041
4433
  # </note>
@@ -4267,7 +4659,7 @@ module Aws::KMS
4267
4659
  # (`\u000D`) special characters
4268
4660
  #
4269
4661
  # For information about key policies, see [Key policies in KMS][3] in
4270
- # the *Key Management Service Developer Guide*. For help writing and
4662
+ # the *Key Management Service Developer Guide*.For help writing and
4271
4663
  # formatting a JSON policy document, see the [IAM JSON Policy
4272
4664
  # Reference][4] in the <i> <i>Identity and Access Management User
4273
4665
  # Guide</i> </i>.
@@ -4703,7 +5095,7 @@ module Aws::KMS
4703
5095
  # the TagResource operation.
4704
5096
  #
4705
5097
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4706
- # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
5098
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
4707
5099
  # Service Developer Guide*.
4708
5100
  #
4709
5101
  # </note>
@@ -5266,7 +5658,7 @@ module Aws::KMS
5266
5658
  # The KMS key must be in the same Amazon Web Services account and
5267
5659
  # Region as the alias. Also, the new target KMS key must be the same
5268
5660
  # type as the current target KMS key (both symmetric or both
5269
- # asymmetric) and they must have the same key usage.
5661
+ # asymmetric or both HMAC) and they must have the same key usage.
5270
5662
  #
5271
5663
  # Specify the key ID or key ARN of the KMS key.
5272
5664
  #
@@ -5306,6 +5698,14 @@ module Aws::KMS
5306
5698
  # new_custom_key_store_name: "CustomKeyStoreNameType",
5307
5699
  # key_store_password: "KeyStorePasswordType",
5308
5700
  # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
5701
+ # xks_proxy_uri_endpoint: "XksProxyUriEndpointType",
5702
+ # xks_proxy_uri_path: "XksProxyUriPathType",
5703
+ # xks_proxy_vpc_endpoint_service_name: "XksProxyVpcEndpointServiceNameType",
5704
+ # xks_proxy_authentication_credential: {
5705
+ # access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
5706
+ # raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
5707
+ # },
5708
+ # xks_proxy_connectivity: "PUBLIC_ENDPOINT", # accepts PUBLIC_ENDPOINT, VPC_ENDPOINT_SERVICE
5309
5709
  # }
5310
5710
  #
5311
5711
  # @!attribute [rw] custom_key_store_id
@@ -5318,19 +5718,28 @@ module Aws::KMS
5318
5718
  # Changes the friendly name of the custom key store to the value that
5319
5719
  # you specify. The custom key store name must be unique in the Amazon
5320
5720
  # Web Services account.
5721
+ #
5722
+ # To change this value, an CloudHSM key store must be disconnected. An
5723
+ # external key store can be connected or disconnected.
5321
5724
  # @return [String]
5322
5725
  #
5323
5726
  # @!attribute [rw] key_store_password
5324
5727
  # Enter the current password of the `kmsuser` crypto user (CU) in the
5325
- # CloudHSM cluster that is associated with the custom key store.
5728
+ # CloudHSM cluster that is associated with the custom key store. This
5729
+ # parameter is valid only for custom key stores with a
5730
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
5326
5731
  #
5327
5732
  # This parameter tells KMS the current password of the `kmsuser`
5328
5733
  # crypto user (CU). It does not set or change the password of any
5329
5734
  # users in the CloudHSM cluster.
5735
+ #
5736
+ # To change this value, the CloudHSM key store must be disconnected.
5330
5737
  # @return [String]
5331
5738
  #
5332
5739
  # @!attribute [rw] cloud_hsm_cluster_id
5333
5740
  # Associates the custom key store with a related CloudHSM cluster.
5741
+ # This parameter is valid only for custom key stores with a
5742
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
5334
5743
  #
5335
5744
  # Enter the cluster ID of the cluster that you used to create the
5336
5745
  # custom key store or a cluster that shares a backup history and has
@@ -5341,19 +5750,111 @@ module Aws::KMS
5341
5750
  # To view the cluster certificate of a cluster, use the
5342
5751
  # [DescribeClusters][2] operation.
5343
5752
  #
5753
+ # To change this value, the CloudHSM key store must be disconnected.
5754
+ #
5344
5755
  #
5345
5756
  #
5346
5757
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
5347
5758
  # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
5348
5759
  # @return [String]
5349
5760
  #
5761
+ # @!attribute [rw] xks_proxy_uri_endpoint
5762
+ # Changes the URI endpoint that KMS uses to connect to your external
5763
+ # key store proxy (XKS proxy). This parameter is valid only for custom
5764
+ # key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
5765
+ #
5766
+ # For external key stores with an `XksProxyConnectivity` value of
5767
+ # `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
5768
+ #
5769
+ # For external key stores with an `XksProxyConnectivity` value of
5770
+ # `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
5771
+ # DNS name associated with the VPC endpoint service. Each external key
5772
+ # store must use a different private DNS name.
5773
+ #
5774
+ # The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
5775
+ # be unique in the Amazon Web Services account and Region.
5776
+ #
5777
+ # To change this value, the external key store must be disconnected.
5778
+ # @return [String]
5779
+ #
5780
+ # @!attribute [rw] xks_proxy_uri_path
5781
+ # Changes the base path to the proxy APIs for this external key store.
5782
+ # To find this value, see the documentation for your external key
5783
+ # manager and external key store proxy (XKS proxy). This parameter is
5784
+ # valid only for custom key stores with a `CustomKeyStoreType` of
5785
+ # `EXTERNAL_KEY_STORE`.
5786
+ #
5787
+ # The value must start with `/` and must end with `/kms/xks/v1`, where
5788
+ # `v1` represents the version of the KMS external key store proxy API.
5789
+ # You can include an optional prefix between the required elements
5790
+ # such as `/example/kms/xks/v1`.
5791
+ #
5792
+ # The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
5793
+ # be unique in the Amazon Web Services account and Region.
5794
+ #
5795
+ # You can change this value when the external key store is connected
5796
+ # or disconnected.
5797
+ # @return [String]
5798
+ #
5799
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
5800
+ # Changes the name that KMS uses to identify the Amazon VPC endpoint
5801
+ # service for your external key store proxy (XKS proxy). This
5802
+ # parameter is valid when the `CustomKeyStoreType` is
5803
+ # `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
5804
+ # `VPC_ENDPOINT_SERVICE`.
5805
+ #
5806
+ # To change this value, the external key store must be disconnected.
5807
+ # @return [String]
5808
+ #
5809
+ # @!attribute [rw] xks_proxy_authentication_credential
5810
+ # Changes the credentials that KMS uses to sign requests to the
5811
+ # external key store proxy (XKS proxy). This parameter is valid only
5812
+ # for custom key stores with a `CustomKeyStoreType` of
5813
+ # `EXTERNAL_KEY_STORE`.
5814
+ #
5815
+ # You must specify both the `AccessKeyId` and `SecretAccessKey` value
5816
+ # in the authentication credential, even if you are only updating one
5817
+ # value.
5818
+ #
5819
+ # This parameter doesn't establish or change your authentication
5820
+ # credentials on the proxy. It just tells KMS the credential that you
5821
+ # established with your external key store proxy. For example, if you
5822
+ # rotate the credential on your external key store proxy, you can use
5823
+ # this parameter to update the credential in KMS.
5824
+ #
5825
+ # You can change this value when the external key store is connected
5826
+ # or disconnected.
5827
+ # @return [Types::XksProxyAuthenticationCredentialType]
5828
+ #
5829
+ # @!attribute [rw] xks_proxy_connectivity
5830
+ # Changes the connectivity setting for the external key store. To
5831
+ # indicate that the external key store proxy uses a Amazon VPC
5832
+ # endpoint service to communicate with KMS, specify
5833
+ # `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
5834
+ #
5835
+ # If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
5836
+ # you must also change the `XksProxyUriEndpoint` and add an
5837
+ # `XksProxyVpcEndpointServiceName` value.
5838
+ #
5839
+ # If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
5840
+ # must also change the `XksProxyUriEndpoint` and specify a null or
5841
+ # empty string for the `XksProxyVpcEndpointServiceName` value.
5842
+ #
5843
+ # To change this value, the external key store must be disconnected.
5844
+ # @return [String]
5845
+ #
5350
5846
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
5351
5847
  #
5352
5848
  class UpdateCustomKeyStoreRequest < Struct.new(
5353
5849
  :custom_key_store_id,
5354
5850
  :new_custom_key_store_name,
5355
5851
  :key_store_password,
5356
- :cloud_hsm_cluster_id)
5852
+ :cloud_hsm_cluster_id,
5853
+ :xks_proxy_uri_endpoint,
5854
+ :xks_proxy_uri_path,
5855
+ :xks_proxy_vpc_endpoint_service_name,
5856
+ :xks_proxy_authentication_credential,
5857
+ :xks_proxy_connectivity)
5357
5858
  SENSITIVE = [:key_store_password]
5358
5859
  include Aws::Structure
5359
5860
  end
@@ -5662,5 +6163,332 @@ module Aws::KMS
5662
6163
  include Aws::Structure
5663
6164
  end
5664
6165
 
6166
+ # The request was rejected because the (`XksKeyId`) is already
6167
+ # associated with a KMS key in this external key store. Each KMS key in
6168
+ # an external key store must be associated with a different external
6169
+ # key.
6170
+ #
6171
+ # @!attribute [rw] message
6172
+ # @return [String]
6173
+ #
6174
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
6175
+ #
6176
+ class XksKeyAlreadyInUseException < Struct.new(
6177
+ :message)
6178
+ SENSITIVE = []
6179
+ include Aws::Structure
6180
+ end
6181
+
6182
+ # Information about the [external key ][1]that is associated with a KMS
6183
+ # key in an external key store.
6184
+ #
6185
+ # These fields appear in a CreateKey or DescribeKey response only for a
6186
+ # KMS key in an external key store.
6187
+ #
6188
+ # The *external key* is a symmetric encryption key that is hosted by an
6189
+ # external key manager outside of Amazon Web Services. When you use the
6190
+ # KMS key in an external key store in a cryptographic operation, the
6191
+ # cryptographic operation is performed in the external key manager using
6192
+ # the specified external key. For more information, see [External
6193
+ # key][1] in the *Key Management Service Developer Guide*.
6194
+ #
6195
+ #
6196
+ #
6197
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
6198
+ #
6199
+ # @!attribute [rw] id
6200
+ # The ID of the external key in its external key manager. This is the
6201
+ # ID that the external key store proxy uses to identify the external
6202
+ # key.
6203
+ # @return [String]
6204
+ #
6205
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
6206
+ #
6207
+ class XksKeyConfigurationType < Struct.new(
6208
+ :id)
6209
+ SENSITIVE = []
6210
+ include Aws::Structure
6211
+ end
6212
+
6213
+ # The request was rejected because the external key specified by the
6214
+ # `XksKeyId` parameter did not meet the configuration requirements for
6215
+ # an external key store.
6216
+ #
6217
+ # The external key must be an AES-256 symmetric key that is enabled and
6218
+ # performs encryption and decryption.
6219
+ #
6220
+ # @!attribute [rw] message
6221
+ # @return [String]
6222
+ #
6223
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
6224
+ #
6225
+ class XksKeyInvalidConfigurationException < Struct.new(
6226
+ :message)
6227
+ SENSITIVE = []
6228
+ include Aws::Structure
6229
+ end
6230
+
6231
+ # The request was rejected because the external key store proxy could
6232
+ # not find the external key. This exception is thrown when the value of
6233
+ # the `XksKeyId` parameter doesn't identify a key in the external key
6234
+ # manager associated with the external key proxy.
6235
+ #
6236
+ # Verify that the `XksKeyId` represents an existing key in the external
6237
+ # key manager. Use the key identifier that the external key store proxy
6238
+ # uses to identify the key. For details, see the documentation provided
6239
+ # with your external key store proxy or key manager.
6240
+ #
6241
+ # @!attribute [rw] message
6242
+ # @return [String]
6243
+ #
6244
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
6245
+ #
6246
+ class XksKeyNotFoundException < Struct.new(
6247
+ :message)
6248
+ SENSITIVE = []
6249
+ include Aws::Structure
6250
+ end
6251
+
6252
+ # KMS uses the authentication credential to sign requests that it sends
6253
+ # to the external key store proxy (XKS proxy) on your behalf. You
6254
+ # establish these credentials on your external key store proxy and
6255
+ # report them to KMS.
6256
+ #
6257
+ # The `XksProxyAuthenticationCredential` includes two required elements.
6258
+ #
6259
+ # @note When making an API call, you may pass XksProxyAuthenticationCredentialType
6260
+ # data as a hash:
6261
+ #
6262
+ # {
6263
+ # access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
6264
+ # raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
6265
+ # }
6266
+ #
6267
+ # @!attribute [rw] access_key_id
6268
+ # A unique identifier for the raw secret access key.
6269
+ # @return [String]
6270
+ #
6271
+ # @!attribute [rw] raw_secret_access_key
6272
+ # A secret string of 43-64 characters. Valid characters are a-z, A-Z,
6273
+ # 0-9, /, +, and =.
6274
+ # @return [String]
6275
+ #
6276
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
6277
+ #
6278
+ class XksProxyAuthenticationCredentialType < Struct.new(
6279
+ :access_key_id,
6280
+ :raw_secret_access_key)
6281
+ SENSITIVE = [:access_key_id, :raw_secret_access_key]
6282
+ include Aws::Structure
6283
+ end
6284
+
6285
+ # Detailed information about the external key store proxy (XKS proxy).
6286
+ # Your external key store proxy translates KMS requests into a format
6287
+ # that your external key manager can understand. These fields appear in
6288
+ # a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
6289
+ # is `EXTERNAL_KEY_STORE`.
6290
+ #
6291
+ # @!attribute [rw] connectivity
6292
+ # Indicates whether the external key store proxy uses a public
6293
+ # endpoint or an Amazon VPC endpoint service to communicate with KMS.
6294
+ # @return [String]
6295
+ #
6296
+ # @!attribute [rw] access_key_id
6297
+ # The part of the external key store [proxy authentication
6298
+ # credential][1] that uniquely identifies the secret access key.
6299
+ #
6300
+ #
6301
+ #
6302
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
6303
+ # @return [String]
6304
+ #
6305
+ # @!attribute [rw] uri_endpoint
6306
+ # The URI endpoint for the external key store proxy.
6307
+ #
6308
+ # If the external key store proxy has a public endpoint, it is
6309
+ # displayed here.
6310
+ #
6311
+ # If the external key store proxy uses an Amazon VPC endpoint service
6312
+ # name, this field displays the private DNS name associated with the
6313
+ # VPC endpoint service.
6314
+ # @return [String]
6315
+ #
6316
+ # @!attribute [rw] uri_path
6317
+ # The path to the external key store proxy APIs.
6318
+ # @return [String]
6319
+ #
6320
+ # @!attribute [rw] vpc_endpoint_service_name
6321
+ # The Amazon VPC endpoint service used to communicate with the
6322
+ # external key store proxy. This field appears only when the external
6323
+ # key store proxy uses an Amazon VPC endpoint service to communicate
6324
+ # with KMS.
6325
+ # @return [String]
6326
+ #
6327
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
6328
+ #
6329
+ class XksProxyConfigurationType < Struct.new(
6330
+ :connectivity,
6331
+ :access_key_id,
6332
+ :uri_endpoint,
6333
+ :uri_path,
6334
+ :vpc_endpoint_service_name)
6335
+ SENSITIVE = [:access_key_id]
6336
+ include Aws::Structure
6337
+ end
6338
+
6339
+ # The request was rejected because the proxy credentials failed to
6340
+ # authenticate to the specified external key store proxy. The specified
6341
+ # external key store proxy rejected a status request from KMS due to
6342
+ # invalid credentials. This can indicate an error in the credentials or
6343
+ # in the identification of the external key store proxy.
6344
+ #
6345
+ # @!attribute [rw] message
6346
+ # @return [String]
6347
+ #
6348
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
6349
+ #
6350
+ class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
6351
+ :message)
6352
+ SENSITIVE = []
6353
+ include Aws::Structure
6354
+ end
6355
+
6356
+ # The request was rejected because the Amazon VPC endpoint service
6357
+ # configuration does not fulfill the requirements for an external key
6358
+ # store proxy. For details, see the exception message.
6359
+ #
6360
+ # @!attribute [rw] message
6361
+ # @return [String]
6362
+ #
6363
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
6364
+ #
6365
+ class XksProxyInvalidConfigurationException < Struct.new(
6366
+ :message)
6367
+ SENSITIVE = []
6368
+ include Aws::Structure
6369
+ end
6370
+
6371
+ # KMS cannot interpret the response it received from the external key
6372
+ # store proxy. The problem might be a poorly constructed response, but
6373
+ # it could also be a transient network issue. If you see this error
6374
+ # repeatedly, report it to the proxy vendor.
6375
+ #
6376
+ # @!attribute [rw] message
6377
+ # @return [String]
6378
+ #
6379
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
6380
+ #
6381
+ class XksProxyInvalidResponseException < Struct.new(
6382
+ :message)
6383
+ SENSITIVE = []
6384
+ include Aws::Structure
6385
+ end
6386
+
6387
+ # The request was rejected because the concatenation of the
6388
+ # `XksProxyUriEndpoint` is already associated with an external key store
6389
+ # in the Amazon Web Services account and Region. Each external key store
6390
+ # in an account and Region must use a unique external key store proxy
6391
+ # address.
6392
+ #
6393
+ # @!attribute [rw] message
6394
+ # @return [String]
6395
+ #
6396
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
6397
+ #
6398
+ class XksProxyUriEndpointInUseException < Struct.new(
6399
+ :message)
6400
+ SENSITIVE = []
6401
+ include Aws::Structure
6402
+ end
6403
+
6404
+ # The request was rejected because the concatenation of the
6405
+ # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
6406
+ # an external key store in the Amazon Web Services account and Region.
6407
+ # Each external key store in an account and Region must use a unique
6408
+ # external key store proxy API address.
6409
+ #
6410
+ # @!attribute [rw] message
6411
+ # @return [String]
6412
+ #
6413
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
6414
+ #
6415
+ class XksProxyUriInUseException < Struct.new(
6416
+ :message)
6417
+ SENSITIVE = []
6418
+ include Aws::Structure
6419
+ end
6420
+
6421
+ # KMS was unable to reach the specified `XksProxyUriPath`. The path must
6422
+ # be reachable before you create the external key store or update its
6423
+ # settings.
6424
+ #
6425
+ # This exception is also thrown when the external key store proxy
6426
+ # response to a `GetHealthStatus` request indicates that all external
6427
+ # key manager instances are unavailable.
6428
+ #
6429
+ # @!attribute [rw] message
6430
+ # @return [String]
6431
+ #
6432
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
6433
+ #
6434
+ class XksProxyUriUnreachableException < Struct.new(
6435
+ :message)
6436
+ SENSITIVE = []
6437
+ include Aws::Structure
6438
+ end
6439
+
6440
+ # The request was rejected because the specified Amazon VPC endpoint
6441
+ # service is already associated with an external key store in the Amazon
6442
+ # Web Services account and Region. Each external key store in an Amazon
6443
+ # Web Services account and Region must use a different Amazon VPC
6444
+ # endpoint service.
6445
+ #
6446
+ # @!attribute [rw] message
6447
+ # @return [String]
6448
+ #
6449
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
6450
+ #
6451
+ class XksProxyVpcEndpointServiceInUseException < Struct.new(
6452
+ :message)
6453
+ SENSITIVE = []
6454
+ include Aws::Structure
6455
+ end
6456
+
6457
+ # The request was rejected because the Amazon VPC endpoint service
6458
+ # configuration does not fulfill the requirements for an external key
6459
+ # store proxy. For details, see the exception message and [review the
6460
+ # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
6461
+ # for Amazon VPC endpoint service connectivity for an external key
6462
+ # store.
6463
+ #
6464
+ # @!attribute [rw] message
6465
+ # @return [String]
6466
+ #
6467
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
6468
+ #
6469
+ class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
6470
+ :message)
6471
+ SENSITIVE = []
6472
+ include Aws::Structure
6473
+ end
6474
+
6475
+ # The request was rejected because KMS could not find the specified VPC
6476
+ # endpoint service. Use DescribeCustomKeyStores to verify the VPC
6477
+ # endpoint service name for the external key store. Also, confirm that
6478
+ # the `Allow principals` list for the VPC endpoint service includes the
6479
+ # KMS service principal for the Region, such as
6480
+ # `cks.kms.us-east-1.amazonaws.com`.
6481
+ #
6482
+ # @!attribute [rw] message
6483
+ # @return [String]
6484
+ #
6485
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
6486
+ #
6487
+ class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
6488
+ :message)
6489
+ SENSITIVE = []
6490
+ include Aws::Structure
6491
+ end
6492
+
5665
6493
  end
5666
6494
  end