aws-sdk-kms 1.59.0 → 1.61.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -61,13 +61,6 @@ module Aws::KMS
61
61
  include Aws::Structure
62
62
  end
63
63
 
64
- # @note When making an API call, you may pass CancelKeyDeletionRequest
65
- # data as a hash:
66
- #
67
- # {
68
- # key_id: "KeyIdType", # required
69
- # }
70
- #
71
64
  # @!attribute [rw] key_id
72
65
  # Identifies the KMS key whose deletion is being canceled.
73
66
  #
@@ -110,14 +103,14 @@ module Aws::KMS
110
103
  end
111
104
 
112
105
  # The request was rejected because the specified CloudHSM cluster is
113
- # already associated with a custom key store or it shares a backup
114
- # history with a cluster that is associated with a custom key store.
115
- # Each custom key store must be associated with a different CloudHSM
116
- # cluster.
106
+ # already associated with an CloudHSM key store in the account, or it
107
+ # shares a backup history with an CloudHSM key store in the account.
108
+ # Each CloudHSM key store in the account must be associated with a
109
+ # different CloudHSM cluster.
117
110
  #
118
- # Clusters that share a backup history have the same cluster
119
- # certificate. To view the cluster certificate of a cluster, use the
120
- # [DescribeClusters][1] operation.
111
+ # CloudHSM clusters that share a backup history have the same cluster
112
+ # certificate. To view the cluster certificate of an CloudHSM cluster,
113
+ # use the [DescribeClusters][1] operation.
121
114
  #
122
115
  #
123
116
  #
@@ -135,22 +128,23 @@ module Aws::KMS
135
128
  end
136
129
 
137
130
  # The request was rejected because the associated CloudHSM cluster did
138
- # not meet the configuration requirements for a custom key store.
131
+ # not meet the configuration requirements for an CloudHSM key store.
139
132
  #
140
- # * The cluster must be configured with private subnets in at least two
141
- # different Availability Zones in the Region.
133
+ # * The CloudHSM cluster must be configured with private subnets in at
134
+ # least two different Availability Zones in the Region.
142
135
  #
143
136
  # * The [security group for the cluster][1]
144
137
  # (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
145
138
  # rules and outbound rules that allow TCP traffic on ports 2223-2225.
146
139
  # The **Source** in the inbound rules and the **Destination** in the
147
140
  # outbound rules must match the security group ID. These rules are set
148
- # by default when you create the cluster. Do not delete or change
149
- # them. To get information about a particular security group, use the
150
- # [DescribeSecurityGroups][2] operation.
141
+ # by default when you create the CloudHSM cluster. Do not delete or
142
+ # change them. To get information about a particular security group,
143
+ # use the [DescribeSecurityGroups][2] operation.
151
144
  #
152
- # * The cluster must contain at least as many HSMs as the operation
153
- # requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
145
+ # * The CloudHSM cluster must contain at least as many HSMs as the
146
+ # operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
147
+ # operation.
154
148
  #
155
149
  # For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
156
150
  # operations, the CloudHSM cluster must have at least two active HSMs,
@@ -158,7 +152,7 @@ module Aws::KMS
158
152
  # operation, the CloudHSM must contain at least one active HSM.
159
153
  #
160
154
  # For information about the requirements for an CloudHSM cluster that is
161
- # associated with a custom key store, see [Assemble the
155
+ # associated with an CloudHSM key store, see [Assemble the
162
156
  # Prerequisites][4] in the *Key Management Service Developer Guide*. For
163
157
  # information about creating a private subnet for an CloudHSM cluster,
164
158
  # see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
@@ -184,10 +178,10 @@ module Aws::KMS
184
178
  include Aws::Structure
185
179
  end
186
180
 
187
- # The request was rejected because the CloudHSM cluster that is
188
- # associated with the custom key store is not active. Initialize and
189
- # activate the cluster and try the command again. For detailed
190
- # instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
181
+ # The request was rejected because the CloudHSM cluster associated with
182
+ # the CloudHSM key store is not active. Initialize and activate the
183
+ # cluster and try the command again. For detailed instructions, see
184
+ # [Getting Started][1] in the *CloudHSM User Guide*.
191
185
  #
192
186
  #
193
187
  #
@@ -221,16 +215,17 @@ module Aws::KMS
221
215
 
222
216
  # The request was rejected because the specified CloudHSM cluster has a
223
217
  # different cluster certificate than the original cluster. You cannot
224
- # use the operation to specify an unrelated cluster.
218
+ # use the operation to specify an unrelated cluster for an CloudHSM key
219
+ # store.
225
220
  #
226
- # Specify a cluster that shares a backup history with the original
227
- # cluster. This includes clusters that were created from a backup of the
228
- # current cluster, and clusters that were created from the same backup
229
- # that produced the current cluster.
221
+ # Specify an CloudHSM cluster that shares a backup history with the
222
+ # original cluster. This includes clusters that were created from a
223
+ # backup of the current cluster, and clusters that were created from the
224
+ # same backup that produced the current cluster.
230
225
  #
231
- # Clusters that share a backup history have the same cluster
232
- # certificate. To view the cluster certificate of a cluster, use the
233
- # [DescribeClusters][1] operation.
226
+ # CloudHSM clusters that share a backup history have the same cluster
227
+ # certificate. To view the cluster certificate of an CloudHSM cluster,
228
+ # use the [DescribeClusters][1] operation.
234
229
  #
235
230
  #
236
231
  #
@@ -247,13 +242,6 @@ module Aws::KMS
247
242
  include Aws::Structure
248
243
  end
249
244
 
250
- # @note When making an API call, you may pass ConnectCustomKeyStoreRequest
251
- # data as a hash:
252
- #
253
- # {
254
- # custom_key_store_id: "CustomKeyStoreIdType", # required
255
- # }
256
- #
257
245
  # @!attribute [rw] custom_key_store_id
258
246
  # Enter the key store ID of the custom key store that you want to
259
247
  # connect. To find the ID of a custom key store, use the
@@ -272,14 +260,6 @@ module Aws::KMS
272
260
  #
273
261
  class ConnectCustomKeyStoreResponse < Aws::EmptyStructure; end
274
262
 
275
- # @note When making an API call, you may pass CreateAliasRequest
276
- # data as a hash:
277
- #
278
- # {
279
- # alias_name: "AliasNameType", # required
280
- # target_key_id: "KeyIdType", # required
281
- # }
282
- #
283
263
  # @!attribute [rw] alias_name
284
264
  # Specifies the alias name. This value must begin with `alias/`
285
265
  # followed by a name, such as `alias/ExampleAlias`.
@@ -333,26 +313,20 @@ module Aws::KMS
333
313
  include Aws::Structure
334
314
  end
335
315
 
336
- # @note When making an API call, you may pass CreateCustomKeyStoreRequest
337
- # data as a hash:
338
- #
339
- # {
340
- # custom_key_store_name: "CustomKeyStoreNameType", # required
341
- # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
342
- # trust_anchor_certificate: "TrustAnchorCertificateType",
343
- # key_store_password: "KeyStorePasswordType",
344
- # }
345
- #
346
316
  # @!attribute [rw] custom_key_store_name
347
317
  # Specifies a friendly name for the custom key store. The name must be
348
- # unique in your Amazon Web Services account.
318
+ # unique in your Amazon Web Services account and Region. This
319
+ # parameter is required for all custom key stores.
349
320
  # @return [String]
350
321
  #
351
322
  # @!attribute [rw] cloud_hsm_cluster_id
352
- # Identifies the CloudHSM cluster for the custom key store. Enter the
353
- # cluster ID of any active CloudHSM cluster that is not already
354
- # associated with a custom key store. To find the cluster ID, use the
355
- # [DescribeClusters][1] operation.
323
+ # Identifies the CloudHSM cluster for an CloudHSM key store. This
324
+ # parameter is required for custom key stores with
325
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
326
+ #
327
+ # Enter the cluster ID of any active CloudHSM cluster that is not
328
+ # already associated with a custom key store. To find the cluster ID,
329
+ # use the [DescribeClusters][1] operation.
356
330
  #
357
331
  #
358
332
  #
@@ -360,9 +334,13 @@ module Aws::KMS
360
334
  # @return [String]
361
335
  #
362
336
  # @!attribute [rw] trust_anchor_certificate
363
- # Enter the content of the trust anchor certificate for the cluster.
364
- # This is the content of the `customerCA.crt` file that you created
365
- # when you [initialized the cluster][1].
337
+ # Specifies the certificate for an CloudHSM key store. This parameter
338
+ # is required for custom key stores with a `CustomKeyStoreType` of
339
+ # `AWS_CLOUDHSM`.
340
+ #
341
+ # Enter the content of the trust anchor certificate for the CloudHSM
342
+ # cluster. This is the content of the `customerCA.crt` file that you
343
+ # created when you [initialized the cluster][1].
366
344
  #
367
345
  #
368
346
  #
@@ -370,6 +348,10 @@ module Aws::KMS
370
348
  # @return [String]
371
349
  #
372
350
  # @!attribute [rw] key_store_password
351
+ # Specifies the `kmsuser` password for an CloudHSM key store. This
352
+ # parameter is required for custom key stores with a
353
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
354
+ #
373
355
  # Enter the password of the [ `kmsuser` crypto user (CU) account][1]
374
356
  # in the specified CloudHSM cluster. KMS logs into the cluster as this
375
357
  # user to manage key material on your behalf.
@@ -385,13 +367,167 @@ module Aws::KMS
385
367
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
386
368
  # @return [String]
387
369
  #
370
+ # @!attribute [rw] custom_key_store_type
371
+ # Specifies the type of custom key store. The default value is
372
+ # `AWS_CLOUDHSM`.
373
+ #
374
+ # For a custom key store backed by an CloudHSM cluster, omit the
375
+ # parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
376
+ # an external key manager outside of Amazon Web Services, enter
377
+ # `EXTERNAL_KEY_STORE`. You cannot change this property after the key
378
+ # store is created.
379
+ # @return [String]
380
+ #
381
+ # @!attribute [rw] xks_proxy_uri_endpoint
382
+ # Specifies the endpoint that KMS uses to send requests to the
383
+ # external key store proxy (XKS proxy). This parameter is required for
384
+ # custom key stores with a `CustomKeyStoreType` of
385
+ # `EXTERNAL_KEY_STORE`.
386
+ #
387
+ # The protocol must be HTTPS. KMS communicates on port 443. Do not
388
+ # specify the port in the `XksProxyUriEndpoint` value.
389
+ #
390
+ # For external key stores with `XksProxyConnectivity` value of
391
+ # `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
392
+ # DNS name of the VPC endpoint service.
393
+ #
394
+ # For external key stores with `PUBLIC_ENDPOINT` connectivity, this
395
+ # endpoint must be reachable before you create the custom key store.
396
+ # KMS connects to the external key store proxy while creating the
397
+ # custom key store. For external key stores with
398
+ # `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
399
+ # ConnectCustomKeyStore operation.
400
+ #
401
+ # The value of this parameter must begin with `https://`. The
402
+ # remainder can contain upper and lower case letters (A-Z and a-z),
403
+ # numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
404
+ # (`/` and ``) are not permitted.
405
+ #
406
+ # <b>Uniqueness requirements: </b>
407
+ #
408
+ # * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
409
+ # must be unique in the Amazon Web Services account and Region.
410
+ #
411
+ # * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
412
+ # use the same `XksProxyUriEndpoint` value as an external key store
413
+ # with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
414
+ # Services Region.
415
+ #
416
+ # * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
417
+ # must have its own private DNS name. The `XksProxyUriEndpoint`
418
+ # value for external key stores with `VPC_ENDPOINT_SERVICE`
419
+ # connectivity (private DNS name) must be unique in the Amazon Web
420
+ # Services account and Region.
421
+ # @return [String]
422
+ #
423
+ # @!attribute [rw] xks_proxy_uri_path
424
+ # Specifies the base path to the proxy APIs for this external key
425
+ # store. To find this value, see the documentation for your external
426
+ # key store proxy. This parameter is required for all custom key
427
+ # stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
428
+ #
429
+ # The value must start with `/` and must end with `/kms/xks/v1` where
430
+ # `v1` represents the version of the KMS external key store proxy API.
431
+ # This path can include an optional prefix between the required
432
+ # elements such as `/prefix/kms/xks/v1`.
433
+ #
434
+ # <b>Uniqueness requirements: </b>
435
+ #
436
+ # * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
437
+ # must be unique in the Amazon Web Services account and Region.
438
+ #
439
+ # ^
440
+ # @return [String]
441
+ #
442
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
443
+ # Specifies the name of the Amazon VPC endpoint service for interface
444
+ # endpoints that is used to communicate with your external key store
445
+ # proxy (XKS proxy). This parameter is required when the value of
446
+ # `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
447
+ # `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
448
+ #
449
+ # The Amazon VPC endpoint service must [fulfill all requirements][1]
450
+ # for use with an external key store.
451
+ #
452
+ # **Uniqueness requirements:**
453
+ #
454
+ # * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
455
+ # share an Amazon VPC, but each external key store must have its own
456
+ # VPC endpoint service and private DNS name.
457
+ #
458
+ # ^
459
+ #
460
+ #
461
+ #
462
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
463
+ # @return [String]
464
+ #
465
+ # @!attribute [rw] xks_proxy_authentication_credential
466
+ # Specifies an authentication credential for the external key store
467
+ # proxy (XKS proxy). This parameter is required for all custom key
468
+ # stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
469
+ #
470
+ # The `XksProxyAuthenticationCredential` has two required elements:
471
+ # `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
472
+ # identifier for the `RawSecretAccessKey`. For character requirements,
473
+ # see
474
+ # [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
475
+ #
476
+ # KMS uses this authentication credential to sign requests to the
477
+ # external key store proxy on your behalf. This credential is
478
+ # unrelated to Identity and Access Management (IAM) and Amazon Web
479
+ # Services credentials.
480
+ #
481
+ # This parameter doesn't set or change the authentication credentials
482
+ # on the XKS proxy. It just tells KMS the credential that you
483
+ # established on your external key store proxy. If you rotate your
484
+ # proxy authentication credential, use the UpdateCustomKeyStore
485
+ # operation to provide the new credential to KMS.
486
+ # @return [Types::XksProxyAuthenticationCredentialType]
487
+ #
488
+ # @!attribute [rw] xks_proxy_connectivity
489
+ # Indicates how KMS communicates with the external key store proxy.
490
+ # This parameter is required for custom key stores with a
491
+ # `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
492
+ #
493
+ # If the external key store proxy uses a public endpoint, specify
494
+ # `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
495
+ # endpoint service for communication with KMS, specify
496
+ # `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
497
+ # connectivity option][1] in the *Key Management Service Developer
498
+ # Guide*.
499
+ #
500
+ # An Amazon VPC endpoint service keeps your communication with KMS in
501
+ # a private address space entirely within Amazon Web Services, but it
502
+ # requires more configuration, including establishing a Amazon VPC
503
+ # with multiple subnets, a VPC endpoint service, a network load
504
+ # balancer, and a verified private DNS name. A public endpoint is
505
+ # simpler to set up, but it might be slower and might not fulfill your
506
+ # security requirements. You might consider testing with a public
507
+ # endpoint, and then establishing a VPC endpoint service for
508
+ # production tasks. Note that this choice does not determine the
509
+ # location of the external key store proxy. Even if you choose a VPC
510
+ # endpoint service, the proxy can be hosted within the VPC or outside
511
+ # of Amazon Web Services such as in your corporate data center.
512
+ #
513
+ #
514
+ #
515
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
516
+ # @return [String]
517
+ #
388
518
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
389
519
  #
390
520
  class CreateCustomKeyStoreRequest < Struct.new(
391
521
  :custom_key_store_name,
392
522
  :cloud_hsm_cluster_id,
393
523
  :trust_anchor_certificate,
394
- :key_store_password)
524
+ :key_store_password,
525
+ :custom_key_store_type,
526
+ :xks_proxy_uri_endpoint,
527
+ :xks_proxy_uri_path,
528
+ :xks_proxy_vpc_endpoint_service_name,
529
+ :xks_proxy_authentication_credential,
530
+ :xks_proxy_connectivity)
395
531
  SENSITIVE = [:key_store_password]
396
532
  include Aws::Structure
397
533
  end
@@ -408,26 +544,6 @@ module Aws::KMS
408
544
  include Aws::Structure
409
545
  end
410
546
 
411
- # @note When making an API call, you may pass CreateGrantRequest
412
- # data as a hash:
413
- #
414
- # {
415
- # key_id: "KeyIdType", # required
416
- # grantee_principal: "PrincipalIdType", # required
417
- # retiring_principal: "PrincipalIdType",
418
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
419
- # constraints: {
420
- # encryption_context_subset: {
421
- # "EncryptionContextKey" => "EncryptionContextValue",
422
- # },
423
- # encryption_context_equals: {
424
- # "EncryptionContextKey" => "EncryptionContextValue",
425
- # },
426
- # },
427
- # grant_tokens: ["GrantTokenType"],
428
- # name: "GrantNameType",
429
- # }
430
- #
431
547
  # @!attribute [rw] key_id
432
548
  # Identifies the KMS key for the grant. The grant gives principals
433
549
  # permission to use this KMS key.
@@ -620,41 +736,17 @@ module Aws::KMS
620
736
  include Aws::Structure
621
737
  end
622
738
 
623
- # @note When making an API call, you may pass CreateKeyRequest
624
- # data as a hash:
625
- #
626
- # {
627
- # policy: "PolicyType",
628
- # description: "DescriptionType",
629
- # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
630
- # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
631
- # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
632
- # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
633
- # custom_key_store_id: "CustomKeyStoreIdType",
634
- # bypass_policy_lockout_safety_check: false,
635
- # tags: [
636
- # {
637
- # tag_key: "TagKeyType", # required
638
- # tag_value: "TagValueType", # required
639
- # },
640
- # ],
641
- # multi_region: false,
642
- # }
643
- #
644
739
  # @!attribute [rw] policy
645
- # The key policy to attach to the KMS key. If you do not specify a key
646
- # policy, KMS attaches a default key policy to the KMS key. For more
647
- # information, see [Default key policy][1] in the *Key Management
648
- # Service Developer Guide*.
740
+ # The key policy to attach to the KMS key.
649
741
  #
650
742
  # If you provide a key policy, it must meet the following criteria:
651
743
  #
652
- # * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
744
+ # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
653
745
  # key policy must allow the principal that is making the `CreateKey`
654
746
  # request to make a subsequent PutKeyPolicy request on the KMS key.
655
747
  # This reduces the risk that the KMS key becomes unmanageable. For
656
748
  # more information, refer to the scenario in the [Default Key
657
- # Policy][2] section of the <i> <i>Key Management Service Developer
749
+ # Policy][1] section of the <i> <i>Key Management Service Developer
658
750
  # Guide</i> </i>.
659
751
  #
660
752
  # * Each statement in the key policy must contain one or more
@@ -664,33 +756,25 @@ module Aws::KMS
664
756
  # enforce a delay before including the new principal in a key policy
665
757
  # because the new principal might not be immediately visible to KMS.
666
758
  # For more information, see [Changes that I make are not always
667
- # immediately visible][3] in the *Amazon Web Services Identity and
759
+ # immediately visible][2] in the *Amazon Web Services Identity and
668
760
  # Access Management User Guide*.
669
761
  #
670
- # A key policy document can include only the following characters:
762
+ # If you do not provide a key policy, KMS attaches a default key
763
+ # policy to the KMS key. For more information, see [Default Key
764
+ # Policy][3] in the *Key Management Service Developer Guide*.
671
765
  #
672
- # * Printable ASCII characters from the space character (`\u0020`)
673
- # through the end of the ASCII character range.
766
+ # The key policy size quota is 32 kilobytes (32768 bytes).
674
767
  #
675
- # * Printable characters in the Basic Latin and Latin-1 Supplement
676
- # character set (through `\u00FF`).
768
+ # For help writing and formatting a JSON policy document, see the [IAM
769
+ # JSON Policy Reference][4] in the <i> <i>Identity and Access
770
+ # Management User Guide</i> </i>.
677
771
  #
678
- # * The tab (`\u0009`), line feed (`\u000A`), and carriage return
679
- # (`\u000D`) special characters
680
772
  #
681
- # For information about key policies, see [Key policies in KMS][4] in
682
- # the *Key Management Service Developer Guide*. For help writing and
683
- # formatting a JSON policy document, see the [IAM JSON Policy
684
- # Reference][5] in the <i> <i>Identity and Access Management User
685
- # Guide</i> </i>.
686
773
  #
687
- #
688
- #
689
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
690
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
691
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
692
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
693
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
774
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
775
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
776
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
777
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
694
778
  # @return [String]
695
779
  #
696
780
  # @!attribute [rw] description
@@ -737,8 +821,8 @@ module Aws::KMS
737
821
  #
738
822
  # The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
739
823
  # way. Only the names differ. We recommend that you use `KeySpec`
740
- # parameter in your code. However, to avoid breaking changes, KMS will
741
- # support both parameters.
824
+ # parameter in your code. However, to avoid breaking changes, KMS
825
+ # supports both parameters.
742
826
  # @return [String]
743
827
  #
744
828
  # @!attribute [rw] key_spec
@@ -751,14 +835,13 @@ module Aws::KMS
751
835
  # Guide</i> </i>.
752
836
  #
753
837
  # The `KeySpec` determines whether the KMS key contains a symmetric
754
- # key or an asymmetric key pair. It also determines the cryptographic
755
- # algorithms that the KMS key supports. You can't change the
756
- # `KeySpec` after the KMS key is created. To further restrict the
757
- # algorithms that can be used with the KMS key, use a condition key in
758
- # its key policy or IAM policy. For more information, see
759
- # [kms:EncryptionAlgorithm][2], [kms:MacAlgorithm][3] or [kms:Signing
760
- # Algorithm][4] in the <i> <i>Key Management Service Developer
761
- # Guide</i> </i>.
838
+ # key or an asymmetric key pair. It also determines the algorithms
839
+ # that the KMS key supports. You can't change the `KeySpec` after the
840
+ # KMS key is created. To further restrict the algorithms that can be
841
+ # used with the KMS key, use a condition key in its key policy or IAM
842
+ # policy. For more information, see [kms:EncryptionAlgorithm][2],
843
+ # [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
844
+ # <i>Key Management Service Developer Guide</i> </i>.
762
845
  #
763
846
  # [Amazon Web Services services that are integrated with KMS][5] use
764
847
  # symmetric encryption KMS keys to protect your data. These services
@@ -825,45 +908,48 @@ module Aws::KMS
825
908
  # the origin after you create the KMS key. The default is `AWS_KMS`,
826
909
  # which means that KMS creates the key material.
827
910
  #
828
- # To create a KMS key with no key material (for imported key
829
- # material), set the value to `EXTERNAL`. For more information about
830
- # importing key material into KMS, see [Importing Key Material][1] in
831
- # the *Key Management Service Developer Guide*. This value is valid
832
- # only for symmetric encryption KMS keys.
911
+ # To [create a KMS key with no key material][1] (for imported key
912
+ # material), set this value to `EXTERNAL`. For more information about
913
+ # importing key material into KMS, see [Importing Key Material][2] in
914
+ # the *Key Management Service Developer Guide*. The `EXTERNAL` origin
915
+ # value is valid only for symmetric KMS keys.
833
916
  #
834
- # To create a KMS key in an KMS [custom key store][2] and create its
835
- # key material in the associated CloudHSM cluster, set this value to
917
+ # To [create a KMS key in an CloudHSM key store][3] and create its key
918
+ # material in the associated CloudHSM cluster, set this value to
836
919
  # `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
837
- # to identify the custom key store. This value is valid only for
838
- # symmetric encryption KMS keys.
920
+ # to identify the CloudHSM key store. The `KeySpec` value must be
921
+ # `SYMMETRIC_DEFAULT`.
922
+ #
923
+ # To [create a KMS key in an external key store][4], set this value to
924
+ # `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
925
+ # parameter to identify the external key store and the `XksKeyId`
926
+ # parameter to identify the associated external key. The `KeySpec`
927
+ # value must be `SYMMETRIC_DEFAULT`.
839
928
  #
840
929
  #
841
930
  #
842
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
843
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
931
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
932
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
933
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
934
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
844
935
  # @return [String]
845
936
  #
846
937
  # @!attribute [rw] custom_key_store_id
847
- # Creates the KMS key in the specified [custom key store][1] and the
848
- # key material in its associated CloudHSM cluster. To create a KMS key
849
- # in a custom key store, you must also specify the `Origin` parameter
850
- # with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
851
- # associated with the custom key store must have at least two active
852
- # HSMs, each in a different Availability Zone in the Region.
938
+ # Creates the KMS key in the specified [custom key store][1]. The
939
+ # `ConnectionState` of the custom key store must be `CONNECTED`. To
940
+ # find the CustomKeyStoreID and ConnectionState use the
941
+ # DescribeCustomKeyStores operation.
853
942
  #
854
943
  # This parameter is valid only for symmetric encryption KMS keys in a
855
944
  # single Region. You cannot create any other type of KMS key in a
856
945
  # custom key store.
857
946
  #
858
- # To find the ID of a custom key store, use the
859
- # DescribeCustomKeyStores operation.
860
- #
861
- # The response includes the custom key store ID and the ID of the
862
- # CloudHSM cluster.
863
- #
864
- # This operation is part of the [custom key store feature][1] feature
865
- # in KMS, which combines the convenience and extensive integration of
866
- # KMS with the isolation and control of a single-tenant key store.
947
+ # When you create a KMS key in an CloudHSM key store, KMS generates a
948
+ # non-exportable 256-bit symmetric key in its associated CloudHSM
949
+ # cluster and associates it with the KMS key. When you create a KMS
950
+ # key in an external key store, you must use the `XksKeyId` parameter
951
+ # to specify an external key that serves as key material for the KMS
952
+ # key.
867
953
  #
868
954
  #
869
955
  #
@@ -899,7 +985,7 @@ module Aws::KMS
899
985
  # TagResource operation.
900
986
  #
901
987
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
902
- # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
988
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
903
989
  # Service Developer Guide*.
904
990
  #
905
991
  # </note>
@@ -947,16 +1033,52 @@ module Aws::KMS
947
1033
  # This value creates a *primary key*, not a replica. To create a
948
1034
  # *replica key*, use the ReplicateKey operation.
949
1035
  #
950
- # You can create a multi-Region version of a symmetric encryption KMS
951
- # key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
952
- # imported key material. However, you cannot create a multi-Region key
953
- # in a custom key store.
1036
+ # You can create a symmetric or asymmetric multi-Region key, and you
1037
+ # can create a multi-Region key with imported key material. However,
1038
+ # you cannot create a multi-Region key in a custom key store.
954
1039
  #
955
1040
  #
956
1041
  #
957
1042
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
958
1043
  # @return [Boolean]
959
1044
  #
1045
+ # @!attribute [rw] xks_key_id
1046
+ # Identifies the [external key][1] that serves as key material for the
1047
+ # KMS key in an [external key store][2]. Specify the ID that the
1048
+ # [external key store proxy][3] uses to refer to the external key. For
1049
+ # help, see the documentation for your external key store proxy.
1050
+ #
1051
+ # This parameter is required for a KMS key with an `Origin` value of
1052
+ # `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
1053
+ # `Origin` value.
1054
+ #
1055
+ # The external key must be an existing 256-bit AES symmetric
1056
+ # encryption key hosted outside of Amazon Web Services in an external
1057
+ # key manager associated with the external key store specified by the
1058
+ # `CustomKeyStoreId` parameter. This key must be enabled and
1059
+ # configured to perform encryption and decryption. Each KMS key in an
1060
+ # external key store must use a different external key. For details,
1061
+ # see [Requirements for a KMS key in an external key store][4] in the
1062
+ # *Key Management Service Developer Guide*.
1063
+ #
1064
+ # Each KMS key in an external key store is associated two backing
1065
+ # keys. One is key material that KMS generates. The other is the
1066
+ # external key specified by this parameter. When you use the KMS key
1067
+ # in an external key store to encrypt data, the encryption operation
1068
+ # is performed first by KMS using the KMS key material, and then by
1069
+ # the external key manager using the specified external key, a process
1070
+ # known as *double encryption*. For details, see [Double
1071
+ # encryption][5] in the *Key Management Service Developer Guide*.
1072
+ #
1073
+ #
1074
+ #
1075
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
1076
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
1077
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
1078
+ # [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
1079
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
1080
+ # @return [String]
1081
+ #
960
1082
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
961
1083
  #
962
1084
  class CreateKeyRequest < Struct.new(
@@ -969,7 +1091,8 @@ module Aws::KMS
969
1091
  :custom_key_store_id,
970
1092
  :bypass_policy_lockout_safety_check,
971
1093
  :tags,
972
- :multi_region)
1094
+ :multi_region,
1095
+ :xks_key_id)
973
1096
  SENSITIVE = []
974
1097
  include Aws::Structure
975
1098
  end
@@ -1008,18 +1131,29 @@ module Aws::KMS
1008
1131
  #
1009
1132
  # This exception is thrown under the following conditions:
1010
1133
  #
1011
- # * You requested the CreateKey or GenerateRandom operation in a custom
1012
- # key store that is not connected. These operations are valid only
1013
- # when the custom key store `ConnectionState` is `CONNECTED`.
1134
+ # * You requested the ConnectCustomKeyStore operation on a custom key
1135
+ # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
1136
+ # operation is valid for all other `ConnectionState` values. To
1137
+ # reconnect a custom key store in a `FAILED` state, disconnect it
1138
+ # (DisconnectCustomKeyStore), then connect it
1139
+ # (`ConnectCustomKeyStore`).
1140
+ #
1141
+ # * You requested the CreateKey operation in a custom key store that is
1142
+ # not connected. This operations is valid only when the custom key
1143
+ # store `ConnectionState` is `CONNECTED`.
1144
+ #
1145
+ # * You requested the DisconnectCustomKeyStore operation on a custom key
1146
+ # store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
1147
+ # This operation is valid for all other `ConnectionState` values.
1014
1148
  #
1015
1149
  # * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
1016
1150
  # operation on a custom key store that is not disconnected. This
1017
1151
  # operation is valid only when the custom key store `ConnectionState`
1018
1152
  # is `DISCONNECTED`.
1019
1153
  #
1020
- # * You requested the ConnectCustomKeyStore operation on a custom key
1021
- # store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
1022
- # operation is valid for all other `ConnectionState` values.
1154
+ # * You requested the GenerateRandom operation in an CloudHSM key store
1155
+ # that is not connected. This operation is valid only when the
1156
+ # CloudHSM key store `ConnectionState` is `CONNECTED`.
1023
1157
  #
1024
1158
  # @!attribute [rw] message
1025
1159
  # @return [String]
@@ -1074,13 +1208,17 @@ module Aws::KMS
1074
1208
  #
1075
1209
  # @!attribute [rw] cloud_hsm_cluster_id
1076
1210
  # A unique identifier for the CloudHSM cluster that is associated with
1077
- # the custom key store.
1211
+ # an CloudHSM key store. This field appears only when the
1212
+ # `CustomKeyStoreType` is `AWS_CLOUDHSM`.
1078
1213
  # @return [String]
1079
1214
  #
1080
1215
  # @!attribute [rw] trust_anchor_certificate
1081
- # The trust anchor certificate of the associated CloudHSM cluster.
1082
- # When you [initialize the cluster][1], you create this certificate
1083
- # and save it in the `customerCA.crt` file.
1216
+ # The trust anchor certificate of the CloudHSM cluster associated with
1217
+ # an CloudHSM key store. When you [initialize the cluster][1], you
1218
+ # create this certificate and save it in the `customerCA.crt` file.
1219
+ #
1220
+ # This field appears only when the `CustomKeyStoreType` is
1221
+ # `AWS_CLOUDHSM`.
1084
1222
  #
1085
1223
  #
1086
1224
  #
@@ -1088,22 +1226,30 @@ module Aws::KMS
1088
1226
  # @return [String]
1089
1227
  #
1090
1228
  # @!attribute [rw] connection_state
1091
- # Indicates whether the custom key store is connected to its CloudHSM
1092
- # cluster.
1229
+ # Indicates whether the custom key store is connected to its backing
1230
+ # key store. For an CloudHSM key store, the `ConnectionState`
1231
+ # indicates whether it is connected to its CloudHSM cluster. For an
1232
+ # external key store, the `ConnectionState` indicates whether it is
1233
+ # connected to the external key store proxy that communicates with
1234
+ # your external key manager.
1093
1235
  #
1094
1236
  # You can create and use KMS keys in your custom key stores only when
1095
- # its connection state is `CONNECTED`.
1096
- #
1097
- # The value is `DISCONNECTED` if the key store has never been
1098
- # connected or you use the DisconnectCustomKeyStore operation to
1099
- # disconnect it. If the value is `CONNECTED` but you are having
1100
- # trouble using the custom key store, make sure that its associated
1101
- # CloudHSM cluster is active and contains at least one active HSM.
1237
+ # its `ConnectionState` is `CONNECTED`.
1238
+ #
1239
+ # The `ConnectionState` value is `DISCONNECTED` only if the key store
1240
+ # has never been connected or you use the DisconnectCustomKeyStore
1241
+ # operation to disconnect it. If the value is `CONNECTED` but you are
1242
+ # having trouble using the custom key store, make sure that the
1243
+ # backing key store is reachable and active. For an CloudHSM key
1244
+ # store, verify that its associated CloudHSM cluster is active and
1245
+ # contains at least one active HSM. For an external key store, verify
1246
+ # that the external key store proxy and external key manager are
1247
+ # connected and enabled.
1102
1248
  #
1103
1249
  # A value of `FAILED` indicates that an attempt to connect was
1104
1250
  # unsuccessful. The `ConnectionErrorCode` field in the response
1105
1251
  # indicates the cause of the failure. For help resolving a connection
1106
- # failure, see [Troubleshooting a Custom Key Store][1] in the *Key
1252
+ # failure, see [Troubleshooting a custom key store][1] in the *Key
1107
1253
  # Management Service Developer Guide*.
1108
1254
  #
1109
1255
  #
@@ -1113,35 +1259,52 @@ module Aws::KMS
1113
1259
  #
1114
1260
  # @!attribute [rw] connection_error_code
1115
1261
  # Describes the connection error. This field appears in the response
1116
- # only when the `ConnectionState` is `FAILED`. For help resolving
1117
- # these errors, see [How to Fix a Connection Failure][1] in *Key
1118
- # Management Service Developer Guide*.
1262
+ # only when the `ConnectionState` is `FAILED`.
1263
+ #
1264
+ # Many failures can be resolved by updating the properties of the
1265
+ # custom key store. To update a custom key store, disconnect it
1266
+ # (DisconnectCustomKeyStore), correct the errors
1267
+ # (UpdateCustomKeyStore), and try to connect again
1268
+ # (ConnectCustomKeyStore). For additional help resolving these errors,
1269
+ # see [How to Fix a Connection Failure][1] in *Key Management Service
1270
+ # Developer Guide*.
1271
+ #
1272
+ # **All custom key stores:**
1273
+ #
1274
+ # * `INTERNAL_ERROR` — KMS could not complete the request due to an
1275
+ # internal error. Retry the request. For `ConnectCustomKeyStore`
1276
+ # requests, disconnect the custom key store before trying to connect
1277
+ # again.
1278
+ #
1279
+ # * `NETWORK_ERRORS` — Network errors are preventing KMS from
1280
+ # connecting the custom key store to its backing key store.
1119
1281
  #
1120
- # Valid values are:
1282
+ # **CloudHSM key stores:**
1121
1283
  #
1122
- # * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
1284
+ # * `CLUSTER_NOT_FOUND` KMS cannot find the CloudHSM cluster with
1123
1285
  # the specified cluster ID.
1124
1286
  #
1125
- # * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
1287
+ # * `INSUFFICIENT_CLOUDHSM_HSMS` The associated CloudHSM cluster
1126
1288
  # does not contain any active HSMs. To connect a custom key store to
1127
1289
  # its CloudHSM cluster, the cluster must contain at least one active
1128
1290
  # HSM.
1129
1291
  #
1130
- # * `INTERNAL_ERROR` - KMS could not complete the request due to an
1131
- # internal error. Retry the request. For `ConnectCustomKeyStore`
1132
- # requests, disconnect the custom key store before trying to connect
1133
- # again.
1134
- #
1135
- # * `INVALID_CREDENTIALS` - KMS does not have the correct password for
1136
- # the `kmsuser` crypto user in the CloudHSM cluster. Before you can
1137
- # connect your custom key store to its CloudHSM cluster, you must
1138
- # change the `kmsuser` account password and update the key store
1139
- # password value for the custom key store.
1292
+ # * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` At least one private
1293
+ # subnet associated with the CloudHSM cluster doesn't have any
1294
+ # available IP addresses. A CloudHSM key store connection requires
1295
+ # one free IP address in each of the associated private subnets,
1296
+ # although two are preferable. For details, see [How to Fix a
1297
+ # Connection Failure][1] in the *Key Management Service Developer
1298
+ # Guide*.
1140
1299
  #
1141
- # * `NETWORK_ERRORS` - Network errors are preventing KMS from
1142
- # connecting to the custom key store.
1300
+ # * `INVALID_CREDENTIALS` The `KeyStorePassword` for the custom key
1301
+ # store doesn't match the current password of the `kmsuser` crypto
1302
+ # user in the CloudHSM cluster. Before you can connect your custom
1303
+ # key store to its CloudHSM cluster, you must change the `kmsuser`
1304
+ # account password and update the `KeyStorePassword` value for the
1305
+ # custom key store.
1143
1306
  #
1144
- # * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
1307
+ # * `SUBNET_NOT_FOUND` A subnet in the CloudHSM cluster
1145
1308
  # configuration was deleted. If KMS cannot find all of the subnets
1146
1309
  # in the cluster configuration, attempts to connect the custom key
1147
1310
  # store to the CloudHSM cluster fail. To fix this error, create a
@@ -1151,13 +1314,13 @@ module Aws::KMS
1151
1314
  # Connection Failure][1] in the *Key Management Service Developer
1152
1315
  # Guide*.
1153
1316
  #
1154
- # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
1317
+ # * `USER_LOCKED_OUT` The `kmsuser` CU account is locked out of the
1155
1318
  # associated CloudHSM cluster due to too many failed password
1156
1319
  # attempts. Before you can connect your custom key store to its
1157
1320
  # CloudHSM cluster, you must change the `kmsuser` account password
1158
1321
  # and update the key store password value for the custom key store.
1159
1322
  #
1160
- # * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
1323
+ # * `USER_LOGGED_IN` The `kmsuser` CU account is logged into the
1161
1324
  # associated CloudHSM cluster. This prevents KMS from rotating the
1162
1325
  # `kmsuser` account password and logging into the cluster. Before
1163
1326
  # you can connect your custom key store to its CloudHSM cluster, you
@@ -1167,22 +1330,119 @@ module Aws::KMS
1167
1330
  # help, see [How to Log Out and Reconnect][2] in the *Key Management
1168
1331
  # Service Developer Guide*.
1169
1332
  #
1170
- # * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
1333
+ # * `USER_NOT_FOUND` KMS cannot find a `kmsuser` CU account in the
1171
1334
  # associated CloudHSM cluster. Before you can connect your custom
1172
1335
  # key store to its CloudHSM cluster, you must create a `kmsuser` CU
1173
1336
  # account in the cluster, and then update the key store password
1174
1337
  # value for the custom key store.
1175
1338
  #
1339
+ # **External key stores:**
1340
+ #
1341
+ # * `INVALID_CREDENTIALS` — One or both of the
1342
+ # `XksProxyAuthenticationCredential` values is not valid on the
1343
+ # specified external key store proxy.
1344
+ #
1345
+ # * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
1346
+ # external key store proxy. If the external key store proxy has
1347
+ # authorization rules, verify that they permit KMS to communicate
1348
+ # with the proxy on your behalf.
1349
+ #
1350
+ # * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
1351
+ # preventing the external key store from connecting to its proxy.
1352
+ # Verify the value of the `XksProxyUriPath`.
1353
+ #
1354
+ # * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
1355
+ # from the external key store proxy. If you see this connection
1356
+ # error code repeatedly, notify your external key store proxy
1357
+ # vendor.
1358
+ #
1359
+ # * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
1360
+ # external key store proxy because the TLS configuration is invalid.
1361
+ # Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
1362
+ # that the TLS certificate is not expired, and that it matches the
1363
+ # hostname in the `XksProxyUriEndpoint` value, and that it is signed
1364
+ # by a certificate authority included in the [Trusted Certificate
1365
+ # Authorities][3] list.
1366
+ #
1367
+ # * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
1368
+ # external key store proxy. Verify that the `XksProxyUriEndpoint`
1369
+ # and `XksProxyUriPath` are correct. Use the tools for your external
1370
+ # key store proxy to verify that the proxy is active and available
1371
+ # on its network. Also, verify that your external key manager
1372
+ # instances are operating properly. Connection attempts fail with
1373
+ # this connection error code if the proxy reports that all external
1374
+ # key manager instances are unavailable.
1375
+ #
1376
+ # * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
1377
+ # proxy, but the proxy does not respond to KMS in the time allotted.
1378
+ # If you see this connection error code repeatedly, notify your
1379
+ # external key store proxy vendor.
1380
+ #
1381
+ # * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
1382
+ # endpoint service configuration doesn't conform to the
1383
+ # requirements for an KMS external key store.
1384
+ #
1385
+ # * The VPC endpoint service must be an endpoint service for
1386
+ # interface endpoints in the caller's Amazon Web Services
1387
+ # account.
1388
+ #
1389
+ # * It must have a network load balancer (NLB) connected to at least
1390
+ # two subnets, each in a different Availability Zone.
1391
+ #
1392
+ # * The `Allow principals` list must include the KMS service
1393
+ # principal for the Region, `cks.kms.<region>.amazonaws.com`, such
1394
+ # as `cks.kms.us-east-1.amazonaws.com`.
1395
+ #
1396
+ # * It must *not* require [acceptance][4] of connection requests.
1397
+ #
1398
+ # * It must have a private DNS name. The private DNS name for an
1399
+ # external key store with `VPC_ENDPOINT_SERVICE` connectivity must
1400
+ # be unique in its Amazon Web Services Region.
1401
+ #
1402
+ # * The domain of the private DNS name must have a [verification
1403
+ # status][5] of `verified`.
1404
+ #
1405
+ # * The [TLS certificate][6] specifies the private DNS hostname at
1406
+ # which the endpoint is reachable.
1407
+ #
1408
+ # * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
1409
+ # endpoint service that it uses to communicate with the external key
1410
+ # store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
1411
+ # correct and the KMS service principal has service consumer
1412
+ # permissions on the Amazon VPC endpoint service.
1413
+ #
1176
1414
  #
1177
1415
  #
1178
1416
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
1179
1417
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
1418
+ # [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
1419
+ # [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
1420
+ # [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
1421
+ # [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
1180
1422
  # @return [String]
1181
1423
  #
1182
1424
  # @!attribute [rw] creation_date
1183
1425
  # The date and time when the custom key store was created.
1184
1426
  # @return [Time]
1185
1427
  #
1428
+ # @!attribute [rw] custom_key_store_type
1429
+ # Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
1430
+ # a custom key store backed by an CloudHSM cluster.
1431
+ # `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
1432
+ # external key store proxy and external key manager outside of Amazon
1433
+ # Web Services.
1434
+ # @return [String]
1435
+ #
1436
+ # @!attribute [rw] xks_proxy_configuration
1437
+ # Configuration settings for the external key store proxy (XKS proxy).
1438
+ # The external key store proxy translates KMS requests into a format
1439
+ # that your external key manager can understand. The proxy
1440
+ # configuration includes connection information that KMS requires.
1441
+ #
1442
+ # This field appears only when the `CustomKeyStoreType` is
1443
+ # `EXTERNAL_KEY_STORE`.
1444
+ # @return [Types::XksProxyConfigurationType]
1445
+ #
1186
1446
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
1187
1447
  #
1188
1448
  class CustomKeyStoresListEntry < Struct.new(
@@ -1192,24 +1452,13 @@ module Aws::KMS
1192
1452
  :trust_anchor_certificate,
1193
1453
  :connection_state,
1194
1454
  :connection_error_code,
1195
- :creation_date)
1455
+ :creation_date,
1456
+ :custom_key_store_type,
1457
+ :xks_proxy_configuration)
1196
1458
  SENSITIVE = []
1197
1459
  include Aws::Structure
1198
1460
  end
1199
1461
 
1200
- # @note When making an API call, you may pass DecryptRequest
1201
- # data as a hash:
1202
- #
1203
- # {
1204
- # ciphertext_blob: "data", # required
1205
- # encryption_context: {
1206
- # "EncryptionContextKey" => "EncryptionContextValue",
1207
- # },
1208
- # grant_tokens: ["GrantTokenType"],
1209
- # key_id: "KeyIdType",
1210
- # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
1211
- # }
1212
- #
1213
1462
  # @!attribute [rw] ciphertext_blob
1214
1463
  # Ciphertext to be decrypted. The blob includes metadata.
1215
1464
  # @return [String]
@@ -1340,13 +1589,6 @@ module Aws::KMS
1340
1589
  include Aws::Structure
1341
1590
  end
1342
1591
 
1343
- # @note When making an API call, you may pass DeleteAliasRequest
1344
- # data as a hash:
1345
- #
1346
- # {
1347
- # alias_name: "AliasNameType", # required
1348
- # }
1349
- #
1350
1592
  # @!attribute [rw] alias_name
1351
1593
  # The alias to be deleted. The alias name must begin with `alias/`
1352
1594
  # followed by the alias name, such as `alias/ExampleAlias`.
@@ -1360,13 +1602,6 @@ module Aws::KMS
1360
1602
  include Aws::Structure
1361
1603
  end
1362
1604
 
1363
- # @note When making an API call, you may pass DeleteCustomKeyStoreRequest
1364
- # data as a hash:
1365
- #
1366
- # {
1367
- # custom_key_store_id: "CustomKeyStoreIdType", # required
1368
- # }
1369
- #
1370
1605
  # @!attribute [rw] custom_key_store_id
1371
1606
  # Enter the ID of the custom key store you want to delete. To find the
1372
1607
  # ID of a custom key store, use the DescribeCustomKeyStores operation.
@@ -1384,13 +1619,6 @@ module Aws::KMS
1384
1619
  #
1385
1620
  class DeleteCustomKeyStoreResponse < Aws::EmptyStructure; end
1386
1621
 
1387
- # @note When making an API call, you may pass DeleteImportedKeyMaterialRequest
1388
- # data as a hash:
1389
- #
1390
- # {
1391
- # key_id: "KeyIdType", # required
1392
- # }
1393
- #
1394
1622
  # @!attribute [rw] key_id
1395
1623
  # Identifies the KMS key from which you are deleting imported key
1396
1624
  # material. The `Origin` of the KMS key must be `EXTERNAL`.
@@ -1416,8 +1644,8 @@ module Aws::KMS
1416
1644
  include Aws::Structure
1417
1645
  end
1418
1646
 
1419
- # The system timed out while trying to fulfill the request. The request
1420
- # can be retried.
1647
+ # The system timed out while trying to fulfill the request. You can
1648
+ # retry the request.
1421
1649
  #
1422
1650
  # @!attribute [rw] message
1423
1651
  # @return [String]
@@ -1430,24 +1658,14 @@ module Aws::KMS
1430
1658
  include Aws::Structure
1431
1659
  end
1432
1660
 
1433
- # @note When making an API call, you may pass DescribeCustomKeyStoresRequest
1434
- # data as a hash:
1435
- #
1436
- # {
1437
- # custom_key_store_id: "CustomKeyStoreIdType",
1438
- # custom_key_store_name: "CustomKeyStoreNameType",
1439
- # limit: 1,
1440
- # marker: "MarkerType",
1441
- # }
1442
- #
1443
1661
  # @!attribute [rw] custom_key_store_id
1444
1662
  # Gets only information about the specified custom key store. Enter
1445
1663
  # the key store ID.
1446
1664
  #
1447
1665
  # By default, this operation gets information about all custom key
1448
1666
  # stores in the account and Region. To limit the output to a
1449
- # particular custom key store, you can use either the
1450
- # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1667
+ # particular custom key store, provide either the `CustomKeyStoreId`
1668
+ # or `CustomKeyStoreName` parameter, but not both.
1451
1669
  # @return [String]
1452
1670
  #
1453
1671
  # @!attribute [rw] custom_key_store_name
@@ -1456,8 +1674,8 @@ module Aws::KMS
1456
1674
  #
1457
1675
  # By default, this operation gets information about all custom key
1458
1676
  # stores in the account and Region. To limit the output to a
1459
- # particular custom key store, you can use either the
1460
- # `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
1677
+ # particular custom key store, provide either the `CustomKeyStoreId`
1678
+ # or `CustomKeyStoreName` parameter, but not both.
1461
1679
  # @return [String]
1462
1680
  #
1463
1681
  # @!attribute [rw] limit
@@ -1509,14 +1727,6 @@ module Aws::KMS
1509
1727
  include Aws::Structure
1510
1728
  end
1511
1729
 
1512
- # @note When making an API call, you may pass DescribeKeyRequest
1513
- # data as a hash:
1514
- #
1515
- # {
1516
- # key_id: "KeyIdType", # required
1517
- # grant_tokens: ["GrantTokenType"],
1518
- # }
1519
- #
1520
1730
  # @!attribute [rw] key_id
1521
1731
  # Describes the specified KMS key.
1522
1732
  #
@@ -1584,13 +1794,6 @@ module Aws::KMS
1584
1794
  include Aws::Structure
1585
1795
  end
1586
1796
 
1587
- # @note When making an API call, you may pass DisableKeyRequest
1588
- # data as a hash:
1589
- #
1590
- # {
1591
- # key_id: "KeyIdType", # required
1592
- # }
1593
- #
1594
1797
  # @!attribute [rw] key_id
1595
1798
  # Identifies the KMS key to disable.
1596
1799
  #
@@ -1615,13 +1818,6 @@ module Aws::KMS
1615
1818
  include Aws::Structure
1616
1819
  end
1617
1820
 
1618
- # @note When making an API call, you may pass DisableKeyRotationRequest
1619
- # data as a hash:
1620
- #
1621
- # {
1622
- # key_id: "KeyIdType", # required
1623
- # }
1624
- #
1625
1821
  # @!attribute [rw] key_id
1626
1822
  # Identifies a symmetric encryption KMS key. You cannot enable or
1627
1823
  # disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
@@ -1669,13 +1865,6 @@ module Aws::KMS
1669
1865
  include Aws::Structure
1670
1866
  end
1671
1867
 
1672
- # @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
1673
- # data as a hash:
1674
- #
1675
- # {
1676
- # custom_key_store_id: "CustomKeyStoreIdType", # required
1677
- # }
1678
- #
1679
1868
  # @!attribute [rw] custom_key_store_id
1680
1869
  # Enter the ID of the custom key store you want to disconnect. To find
1681
1870
  # the ID of a custom key store, use the DescribeCustomKeyStores
@@ -1694,13 +1883,6 @@ module Aws::KMS
1694
1883
  #
1695
1884
  class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
1696
1885
 
1697
- # @note When making an API call, you may pass EnableKeyRequest
1698
- # data as a hash:
1699
- #
1700
- # {
1701
- # key_id: "KeyIdType", # required
1702
- # }
1703
- #
1704
1886
  # @!attribute [rw] key_id
1705
1887
  # Identifies the KMS key to enable.
1706
1888
  #
@@ -1725,19 +1907,11 @@ module Aws::KMS
1725
1907
  include Aws::Structure
1726
1908
  end
1727
1909
 
1728
- # @note When making an API call, you may pass EnableKeyRotationRequest
1729
- # data as a hash:
1730
- #
1731
- # {
1732
- # key_id: "KeyIdType", # required
1733
- # }
1734
- #
1735
1910
  # @!attribute [rw] key_id
1736
- # Identifies a symmetric encryption KMS key. You cannot enable or
1737
- # disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
1738
- # keys][2], KMS keys with [imported key material][3], or KMS keys in a
1739
- # [custom key store][4]. The key rotation status of these KMS keys is
1740
- # always `false`. To enable or disable automatic rotation of a set of
1911
+ # Identifies a symmetric encryption KMS key. You cannot enable
1912
+ # automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
1913
+ # KMS keys with [imported key material][3], or KMS keys in a [custom
1914
+ # key store][4]. To enable or disable automatic rotation of a set of
1741
1915
  # related [multi-Region keys][5], set the property on the primary key.
1742
1916
  #
1743
1917
  # Specify the key ID or key ARN of the KMS key.
@@ -1769,19 +1943,6 @@ module Aws::KMS
1769
1943
  include Aws::Structure
1770
1944
  end
1771
1945
 
1772
- # @note When making an API call, you may pass EncryptRequest
1773
- # data as a hash:
1774
- #
1775
- # {
1776
- # key_id: "KeyIdType", # required
1777
- # plaintext: "data", # required
1778
- # encryption_context: {
1779
- # "EncryptionContextKey" => "EncryptionContextValue",
1780
- # },
1781
- # grant_tokens: ["GrantTokenType"],
1782
- # encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
1783
- # }
1784
- #
1785
1946
  # @!attribute [rw] key_id
1786
1947
  # Identifies the KMS key to use in the encryption operation. The KMS
1787
1948
  # key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
@@ -1859,6 +2020,8 @@ module Aws::KMS
1859
2020
  # value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
1860
2021
  # encryption KMS keys. If you are using an asymmetric KMS key, we
1861
2022
  # recommend RSAES\_OAEP\_SHA\_256.
2023
+ #
2024
+ # The SM2PKE algorithm is only available in China Regions.
1862
2025
  # @return [String]
1863
2026
  #
1864
2027
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -1918,18 +2081,6 @@ module Aws::KMS
1918
2081
  include Aws::Structure
1919
2082
  end
1920
2083
 
1921
- # @note When making an API call, you may pass GenerateDataKeyPairRequest
1922
- # data as a hash:
1923
- #
1924
- # {
1925
- # encryption_context: {
1926
- # "EncryptionContextKey" => "EncryptionContextValue",
1927
- # },
1928
- # key_id: "KeyIdType", # required
1929
- # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
1930
- # grant_tokens: ["GrantTokenType"],
1931
- # }
1932
- #
1933
2084
  # @!attribute [rw] encryption_context
1934
2085
  # Specifies the encryption context that will be used when encrypting
1935
2086
  # the private key in the data key pair.
@@ -1984,8 +2135,7 @@ module Aws::KMS
1984
2135
  # keys to encrypt and decrypt or to sign and verify (but not both),
1985
2136
  # and the rule that permits you to use ECC KMS keys only to sign and
1986
2137
  # verify, are not effective on data key pairs, which are used outside
1987
- # of KMS. The SM2 key spec is only available in China Regions. RSA and
1988
- # ECC asymmetric key pairs are also available in China Regions.
2138
+ # of KMS. The SM2 key spec is only available in China Regions.
1989
2139
  # @return [String]
1990
2140
  #
1991
2141
  # @!attribute [rw] grant_tokens
@@ -2056,18 +2206,6 @@ module Aws::KMS
2056
2206
  include Aws::Structure
2057
2207
  end
2058
2208
 
2059
- # @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
2060
- # data as a hash:
2061
- #
2062
- # {
2063
- # encryption_context: {
2064
- # "EncryptionContextKey" => "EncryptionContextValue",
2065
- # },
2066
- # key_id: "KeyIdType", # required
2067
- # key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
2068
- # grant_tokens: ["GrantTokenType"],
2069
- # }
2070
- #
2071
2209
  # @!attribute [rw] encryption_context
2072
2210
  # Specifies the encryption context that will be used when encrypting
2073
2211
  # the private key in the data key pair.
@@ -2122,8 +2260,7 @@ module Aws::KMS
2122
2260
  # keys to encrypt and decrypt or to sign and verify (but not both),
2123
2261
  # and the rule that permits you to use ECC KMS keys only to sign and
2124
2262
  # verify, are not effective on data key pairs, which are used outside
2125
- # of KMS. The SM2 key spec is only available in China Regions. RSA and
2126
- # ECC asymmetric key pairs are also available in China Regions.
2263
+ # of KMS. The SM2 key spec is only available in China Regions.
2127
2264
  # @return [String]
2128
2265
  #
2129
2266
  # @!attribute [rw] grant_tokens
@@ -2187,19 +2324,6 @@ module Aws::KMS
2187
2324
  include Aws::Structure
2188
2325
  end
2189
2326
 
2190
- # @note When making an API call, you may pass GenerateDataKeyRequest
2191
- # data as a hash:
2192
- #
2193
- # {
2194
- # key_id: "KeyIdType", # required
2195
- # encryption_context: {
2196
- # "EncryptionContextKey" => "EncryptionContextValue",
2197
- # },
2198
- # number_of_bytes: 1,
2199
- # key_spec: "AES_256", # accepts AES_256, AES_128
2200
- # grant_tokens: ["GrantTokenType"],
2201
- # }
2202
- #
2203
2327
  # @!attribute [rw] key_id
2204
2328
  # Specifies the symmetric encryption KMS key that encrypts the data
2205
2329
  # key. You cannot specify an asymmetric KMS key or a KMS key in a
@@ -2324,19 +2448,6 @@ module Aws::KMS
2324
2448
  include Aws::Structure
2325
2449
  end
2326
2450
 
2327
- # @note When making an API call, you may pass GenerateDataKeyWithoutPlaintextRequest
2328
- # data as a hash:
2329
- #
2330
- # {
2331
- # key_id: "KeyIdType", # required
2332
- # encryption_context: {
2333
- # "EncryptionContextKey" => "EncryptionContextValue",
2334
- # },
2335
- # key_spec: "AES_256", # accepts AES_256, AES_128
2336
- # number_of_bytes: 1,
2337
- # grant_tokens: ["GrantTokenType"],
2338
- # }
2339
- #
2340
2451
  # @!attribute [rw] key_id
2341
2452
  # Specifies the symmetric encryption KMS key that encrypts the data
2342
2453
  # key. You cannot specify an asymmetric KMS key or a KMS key in a
@@ -2446,16 +2557,6 @@ module Aws::KMS
2446
2557
  include Aws::Structure
2447
2558
  end
2448
2559
 
2449
- # @note When making an API call, you may pass GenerateMacRequest
2450
- # data as a hash:
2451
- #
2452
- # {
2453
- # message: "data", # required
2454
- # key_id: "KeyIdType", # required
2455
- # mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
2456
- # grant_tokens: ["GrantTokenType"],
2457
- # }
2458
- #
2459
2560
  # @!attribute [rw] message
2460
2561
  # The message to be hashed. Specify a message of up to 4,096 bytes.
2461
2562
  #
@@ -2511,8 +2612,14 @@ module Aws::KMS
2511
2612
  end
2512
2613
 
2513
2614
  # @!attribute [rw] mac
2514
- # The hash-based message authentication code (HMAC) for the given
2515
- # message, key, and MAC algorithm.
2615
+ # The hash-based message authentication code (HMAC) that was generated
2616
+ # for the specified message, HMAC KMS key, and MAC algorithm.
2617
+ #
2618
+ # This is the standard, raw HMAC defined in [RFC 2104][1].
2619
+ #
2620
+ #
2621
+ #
2622
+ # [1]: https://datatracker.ietf.org/doc/html/rfc2104
2516
2623
  # @return [String]
2517
2624
  #
2518
2625
  # @!attribute [rw] mac_algorithm
@@ -2533,26 +2640,18 @@ module Aws::KMS
2533
2640
  include Aws::Structure
2534
2641
  end
2535
2642
 
2536
- # @note When making an API call, you may pass GenerateRandomRequest
2537
- # data as a hash:
2538
- #
2539
- # {
2540
- # number_of_bytes: 1,
2541
- # custom_key_store_id: "CustomKeyStoreIdType",
2542
- # }
2543
- #
2544
2643
  # @!attribute [rw] number_of_bytes
2545
2644
  # The length of the random byte string. This parameter is required.
2546
2645
  # @return [Integer]
2547
2646
  #
2548
2647
  # @!attribute [rw] custom_key_store_id
2549
2648
  # Generates the random byte string in the CloudHSM cluster that is
2550
- # associated with the specified [custom key store][1]. To find the ID
2551
- # of a custom key store, use the DescribeCustomKeyStores operation.
2649
+ # associated with the specified CloudHSM key store. To find the ID of
2650
+ # a custom key store, use the DescribeCustomKeyStores operation.
2552
2651
  #
2553
- #
2554
- #
2555
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2652
+ # External key store IDs are not valid for this parameter. If you
2653
+ # specify the ID of an external key store, `GenerateRandom` throws an
2654
+ # `UnsupportedOperationException`.
2556
2655
  # @return [String]
2557
2656
  #
2558
2657
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -2578,14 +2677,6 @@ module Aws::KMS
2578
2677
  include Aws::Structure
2579
2678
  end
2580
2679
 
2581
- # @note When making an API call, you may pass GetKeyPolicyRequest
2582
- # data as a hash:
2583
- #
2584
- # {
2585
- # key_id: "KeyIdType", # required
2586
- # policy_name: "PolicyNameType", # required
2587
- # }
2588
- #
2589
2680
  # @!attribute [rw] key_id
2590
2681
  # Gets the key policy for the specified KMS key.
2591
2682
  #
@@ -2628,13 +2719,6 @@ module Aws::KMS
2628
2719
  include Aws::Structure
2629
2720
  end
2630
2721
 
2631
- # @note When making an API call, you may pass GetKeyRotationStatusRequest
2632
- # data as a hash:
2633
- #
2634
- # {
2635
- # key_id: "KeyIdType", # required
2636
- # }
2637
- #
2638
2722
  # @!attribute [rw] key_id
2639
2723
  # Gets the rotation status for the specified KMS key.
2640
2724
  #
@@ -2673,15 +2757,6 @@ module Aws::KMS
2673
2757
  include Aws::Structure
2674
2758
  end
2675
2759
 
2676
- # @note When making an API call, you may pass GetParametersForImportRequest
2677
- # data as a hash:
2678
- #
2679
- # {
2680
- # key_id: "KeyIdType", # required
2681
- # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
2682
- # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
2683
- # }
2684
- #
2685
2760
  # @!attribute [rw] key_id
2686
2761
  # The identifier of the symmetric encryption KMS key into which you
2687
2762
  # will import key material. The `Origin` of the KMS key must be
@@ -2763,14 +2838,6 @@ module Aws::KMS
2763
2838
  include Aws::Structure
2764
2839
  end
2765
2840
 
2766
- # @note When making an API call, you may pass GetPublicKeyRequest
2767
- # data as a hash:
2768
- #
2769
- # {
2770
- # key_id: "KeyIdType", # required
2771
- # grant_tokens: ["GrantTokenType"],
2772
- # }
2773
- #
2774
2841
  # @!attribute [rw] key_id
2775
2842
  # Identifies the asymmetric KMS key that includes the public key.
2776
2843
  #
@@ -2846,7 +2913,7 @@ module Aws::KMS
2846
2913
  #
2847
2914
  # The `KeySpec` and `CustomerMasterKeySpec` fields have the same
2848
2915
  # value. We recommend that you use the `KeySpec` field in your code.
2849
- # However, to avoid breaking changes, KMS will support both fields.
2916
+ # However, to avoid breaking changes, KMS supports both fields.
2850
2917
  # @return [String]
2851
2918
  #
2852
2919
  # @!attribute [rw] key_spec
@@ -2900,11 +2967,10 @@ module Aws::KMS
2900
2967
  #
2901
2968
  # KMS applies the grant constraints only to cryptographic operations
2902
2969
  # that support an encryption context, that is, all cryptographic
2903
- # operations with a [symmetric encryption KMS key][3]. Grant constraints
2904
- # are not applied to operations that do not support an encryption
2905
- # context, such as cryptographic operations with HMAC KMS keys or
2906
- # asymmetric KMS keys, and management operations, such as DescribeKey or
2907
- # RetireGrant.
2970
+ # operations with a [symmetric KMS key][3]. Grant constraints are not
2971
+ # applied to operations that do not support an encryption context, such
2972
+ # as cryptographic operations with asymmetric KMS keys and management
2973
+ # operations, such as DescribeKey or RetireGrant.
2908
2974
  #
2909
2975
  # In a cryptographic operation, the encryption context in the decryption
2910
2976
  # operation must be an exact, case-sensitive match for the keys and
@@ -2928,18 +2994,6 @@ module Aws::KMS
2928
2994
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
2929
2995
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
2930
2996
  #
2931
- # @note When making an API call, you may pass GrantConstraints
2932
- # data as a hash:
2933
- #
2934
- # {
2935
- # encryption_context_subset: {
2936
- # "EncryptionContextKey" => "EncryptionContextValue",
2937
- # },
2938
- # encryption_context_equals: {
2939
- # "EncryptionContextKey" => "EncryptionContextValue",
2940
- # },
2941
- # }
2942
- #
2943
2997
  # @!attribute [rw] encryption_context_subset
2944
2998
  # A list of key-value pairs that must be included in the encryption
2945
2999
  # context of the [cryptographic operation][1] request. The grant
@@ -3040,17 +3094,6 @@ module Aws::KMS
3040
3094
  include Aws::Structure
3041
3095
  end
3042
3096
 
3043
- # @note When making an API call, you may pass ImportKeyMaterialRequest
3044
- # data as a hash:
3045
- #
3046
- # {
3047
- # key_id: "KeyIdType", # required
3048
- # import_token: "data", # required
3049
- # encrypted_key_material: "data", # required
3050
- # valid_to: Time.now,
3051
- # expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
3052
- # }
3053
- #
3054
3097
  # @!attribute [rw] key_id
3055
3098
  # The identifier of the symmetric encryption KMS key that receives the
3056
3099
  # imported key material. This must be the same KMS key specified in
@@ -3088,19 +3131,37 @@ module Aws::KMS
3088
3131
  # @return [String]
3089
3132
  #
3090
3133
  # @!attribute [rw] valid_to
3091
- # The time at which the imported key material expires. When the key
3092
- # material expires, KMS deletes the key material and the KMS key
3093
- # becomes unusable. You must omit this parameter when the
3094
- # `ExpirationModel` parameter is set to
3095
- # `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
3134
+ # The date and time when the imported key material expires. This
3135
+ # parameter is required when the value of the `ExpirationModel`
3136
+ # parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
3137
+ #
3138
+ # The value of this parameter must be a future date and time. The
3139
+ # maximum value is 365 days from the request date.
3140
+ #
3141
+ # When the key material expires, KMS deletes the key material from the
3142
+ # KMS key. Without its key material, the KMS key is unusable. To use
3143
+ # the KMS key in cryptographic operations, you must reimport the same
3144
+ # key material.
3145
+ #
3146
+ # You cannot change the `ExpirationModel` or `ValidTo` values for the
3147
+ # current import after the request completes. To change either value,
3148
+ # you must delete (DeleteImportedKeyMaterial) and reimport the key
3149
+ # material.
3096
3150
  # @return [Time]
3097
3151
  #
3098
3152
  # @!attribute [rw] expiration_model
3099
3153
  # Specifies whether the key material expires. The default is
3100
- # `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
3101
- # parameter. When this parameter is set to
3154
+ # `KEY_MATERIAL_EXPIRES`.
3155
+ #
3156
+ # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
3157
+ # must specify a value for the `ValidTo` parameter. When value is
3102
3158
  # `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
3103
3159
  # parameter.
3160
+ #
3161
+ # You cannot change the `ExpirationModel` or `ValidTo` values for the
3162
+ # current import after the request completes. To change either value,
3163
+ # you must delete (DeleteImportedKeyMaterial) and reimport the key
3164
+ # material.
3104
3165
  # @return [String]
3105
3166
  #
3106
3167
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -3151,11 +3212,11 @@ module Aws::KMS
3151
3212
  end
3152
3213
 
3153
3214
  # The request was rejected because the trust anchor certificate in the
3154
- # request is not the trust anchor certificate for the specified CloudHSM
3155
- # cluster.
3215
+ # request to create an CloudHSM key store is not the trust anchor
3216
+ # certificate for the specified CloudHSM cluster.
3156
3217
  #
3157
- # When you [initialize the cluster][1], you create the trust anchor
3158
- # certificate and save it in the `customerCA.crt` file.
3218
+ # When you [initialize the CloudHSM cluster][1], you create the trust
3219
+ # anchor certificate and save it in the `customerCA.crt` file.
3159
3220
  #
3160
3221
  #
3161
3222
  #
@@ -3353,9 +3414,19 @@ module Aws::KMS
3353
3414
  # The request was rejected because the state of the specified resource
3354
3415
  # is not valid for this request.
3355
3416
  #
3356
- # For more information about how key state affects the use of a KMS key,
3357
- # see [Key states of KMS keys][1] in the <i> <i>Key Management Service
3358
- # Developer Guide</i> </i>.
3417
+ # This exceptions means one of the following:
3418
+ #
3419
+ # * The key state of the KMS key is not compatible with the operation.
3420
+ #
3421
+ # To find the key state, use the DescribeKey operation. For more
3422
+ # information about which key states are compatible with each KMS
3423
+ # operation, see [Key states of KMS keys][1] in the <i> <i>Key
3424
+ # Management Service Developer Guide</i> </i>.
3425
+ #
3426
+ # * For cryptographic operations on KMS keys in custom key stores, this
3427
+ # exception represents a general failure with many possible causes. To
3428
+ # identify the cause, see the error message that accompanies the
3429
+ # exception.
3359
3430
  #
3360
3431
  #
3361
3432
  #
@@ -3393,8 +3464,8 @@ module Aws::KMS
3393
3464
 
3394
3465
  # Contains metadata about a KMS key.
3395
3466
  #
3396
- # This data type is used as a response element for the CreateKey and
3397
- # DescribeKey operations.
3467
+ # This data type is used as a response element for the CreateKey,
3468
+ # DescribeKey, and ReplicateKey operations.
3398
3469
  #
3399
3470
  # @!attribute [rw] aws_account_id
3400
3471
  # The twelve-digit account ID of the Amazon Web Services account that
@@ -3478,7 +3549,7 @@ module Aws::KMS
3478
3549
  #
3479
3550
  # @!attribute [rw] custom_key_store_id
3480
3551
  # A unique identifier for the [custom key store][1] that contains the
3481
- # KMS key. This value is present only when the KMS key is created in a
3552
+ # KMS key. This field is present only when the KMS key is created in a
3482
3553
  # custom key store.
3483
3554
  #
3484
3555
  #
@@ -3488,10 +3559,10 @@ module Aws::KMS
3488
3559
  #
3489
3560
  # @!attribute [rw] cloud_hsm_cluster_id
3490
3561
  # The cluster ID of the CloudHSM cluster that contains the key
3491
- # material for the KMS key. When you create a KMS key in a [custom key
3492
- # store][1], KMS creates the key material for the KMS key in the
3493
- # associated CloudHSM cluster. This value is present only when the KMS
3494
- # key is created in a custom key store.
3562
+ # material for the KMS key. When you create a KMS key in an CloudHSM
3563
+ # [custom key store][1], KMS creates the key material for the KMS key
3564
+ # in the associated CloudHSM cluster. This field is present only when
3565
+ # the KMS key is created in an CloudHSM key store.
3495
3566
  #
3496
3567
  #
3497
3568
  #
@@ -3520,7 +3591,7 @@ module Aws::KMS
3520
3591
  #
3521
3592
  # The `KeySpec` and `CustomerMasterKeySpec` fields have the same
3522
3593
  # value. We recommend that you use the `KeySpec` field in your code.
3523
- # However, to avoid breaking changes, KMS will support both fields.
3594
+ # However, to avoid breaking changes, KMS supports both fields.
3524
3595
  # @return [String]
3525
3596
  #
3526
3597
  # @!attribute [rw] key_spec
@@ -3602,6 +3673,18 @@ module Aws::KMS
3602
3673
  # `GENERATE_VERIFY_MAC`.
3603
3674
  # @return [Array<String>]
3604
3675
  #
3676
+ # @!attribute [rw] xks_key_configuration
3677
+ # Information about the external key that is associated with a KMS key
3678
+ # in an external key store.
3679
+ #
3680
+ # For more information, see [External key][1] in the *Key Management
3681
+ # Service Developer Guide*.
3682
+ #
3683
+ #
3684
+ #
3685
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
3686
+ # @return [Types::XksKeyConfigurationType]
3687
+ #
3605
3688
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
3606
3689
  #
3607
3690
  class KeyMetadata < Struct.new(
@@ -3627,7 +3710,8 @@ module Aws::KMS
3627
3710
  :multi_region,
3628
3711
  :multi_region_configuration,
3629
3712
  :pending_deletion_window_in_days,
3630
- :mac_algorithms)
3713
+ :mac_algorithms,
3714
+ :xks_key_configuration)
3631
3715
  SENSITIVE = []
3632
3716
  include Aws::Structure
3633
3717
  end
@@ -3665,15 +3749,6 @@ module Aws::KMS
3665
3749
  include Aws::Structure
3666
3750
  end
3667
3751
 
3668
- # @note When making an API call, you may pass ListAliasesRequest
3669
- # data as a hash:
3670
- #
3671
- # {
3672
- # key_id: "KeyIdType",
3673
- # limit: 1,
3674
- # marker: "MarkerType",
3675
- # }
3676
- #
3677
3752
  # @!attribute [rw] key_id
3678
3753
  # Lists only aliases that are associated with the specified KMS key.
3679
3754
  # Enter a KMS key in your Amazon Web Services account.
@@ -3746,17 +3821,6 @@ module Aws::KMS
3746
3821
  include Aws::Structure
3747
3822
  end
3748
3823
 
3749
- # @note When making an API call, you may pass ListGrantsRequest
3750
- # data as a hash:
3751
- #
3752
- # {
3753
- # limit: 1,
3754
- # marker: "MarkerType",
3755
- # key_id: "KeyIdType", # required
3756
- # grant_id: "GrantIdType",
3757
- # grantee_principal: "PrincipalIdType",
3758
- # }
3759
- #
3760
3824
  # @!attribute [rw] limit
3761
3825
  # Use this parameter to specify the maximum number of items to return.
3762
3826
  # When this value is present, KMS does not return more than the
@@ -3840,15 +3904,6 @@ module Aws::KMS
3840
3904
  include Aws::Structure
3841
3905
  end
3842
3906
 
3843
- # @note When making an API call, you may pass ListKeyPoliciesRequest
3844
- # data as a hash:
3845
- #
3846
- # {
3847
- # key_id: "KeyIdType", # required
3848
- # limit: 1,
3849
- # marker: "MarkerType",
3850
- # }
3851
- #
3852
3907
  # @!attribute [rw] key_id
3853
3908
  # Gets the names of key policies for the specified KMS key.
3854
3909
  #
@@ -3919,14 +3974,6 @@ module Aws::KMS
3919
3974
  include Aws::Structure
3920
3975
  end
3921
3976
 
3922
- # @note When making an API call, you may pass ListKeysRequest
3923
- # data as a hash:
3924
- #
3925
- # {
3926
- # limit: 1,
3927
- # marker: "MarkerType",
3928
- # }
3929
- #
3930
3977
  # @!attribute [rw] limit
3931
3978
  # Use this parameter to specify the maximum number of items to return.
3932
3979
  # When this value is present, KMS does not return more than the
@@ -3978,15 +4025,6 @@ module Aws::KMS
3978
4025
  include Aws::Structure
3979
4026
  end
3980
4027
 
3981
- # @note When making an API call, you may pass ListResourceTagsRequest
3982
- # data as a hash:
3983
- #
3984
- # {
3985
- # key_id: "KeyIdType", # required
3986
- # limit: 1,
3987
- # marker: "MarkerType",
3988
- # }
3989
- #
3990
4028
  # @!attribute [rw] key_id
3991
4029
  # Gets tags on the specified KMS key.
3992
4030
  #
@@ -4035,7 +4073,7 @@ module Aws::KMS
4035
4073
  # A list of tags. Each tag consists of a tag key and a tag value.
4036
4074
  #
4037
4075
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4038
- # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
4076
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
4039
4077
  # Service Developer Guide*.
4040
4078
  #
4041
4079
  # </note>
@@ -4069,15 +4107,6 @@ module Aws::KMS
4069
4107
  include Aws::Structure
4070
4108
  end
4071
4109
 
4072
- # @note When making an API call, you may pass ListRetirableGrantsRequest
4073
- # data as a hash:
4074
- #
4075
- # {
4076
- # limit: 1,
4077
- # marker: "MarkerType",
4078
- # retiring_principal: "PrincipalIdType", # required
4079
- # }
4080
- #
4081
4110
  # @!attribute [rw] limit
4082
4111
  # Use this parameter to specify the maximum number of items to return.
4083
4112
  # When this value is present, KMS does not return more than the
@@ -4202,16 +4231,6 @@ module Aws::KMS
4202
4231
  include Aws::Structure
4203
4232
  end
4204
4233
 
4205
- # @note When making an API call, you may pass PutKeyPolicyRequest
4206
- # data as a hash:
4207
- #
4208
- # {
4209
- # key_id: "KeyIdType", # required
4210
- # policy_name: "PolicyNameType", # required
4211
- # policy: "PolicyType", # required
4212
- # bypass_policy_lockout_safety_check: false,
4213
- # }
4214
- #
4215
4234
  # @!attribute [rw] key_id
4216
4235
  # Sets the key policy on the specified KMS key.
4217
4236
  #
@@ -4267,7 +4286,7 @@ module Aws::KMS
4267
4286
  # (`\u000D`) special characters
4268
4287
  #
4269
4288
  # For information about key policies, see [Key policies in KMS][3] in
4270
- # the *Key Management Service Developer Guide*. For help writing and
4289
+ # the *Key Management Service Developer Guide*.For help writing and
4271
4290
  # formatting a JSON policy document, see the [IAM JSON Policy
4272
4291
  # Reference][4] in the <i> <i>Identity and Access Management User
4273
4292
  # Guide</i> </i>.
@@ -4313,24 +4332,6 @@ module Aws::KMS
4313
4332
  include Aws::Structure
4314
4333
  end
4315
4334
 
4316
- # @note When making an API call, you may pass ReEncryptRequest
4317
- # data as a hash:
4318
- #
4319
- # {
4320
- # ciphertext_blob: "data", # required
4321
- # source_encryption_context: {
4322
- # "EncryptionContextKey" => "EncryptionContextValue",
4323
- # },
4324
- # source_key_id: "KeyIdType",
4325
- # destination_key_id: "KeyIdType", # required
4326
- # destination_encryption_context: {
4327
- # "EncryptionContextKey" => "EncryptionContextValue",
4328
- # },
4329
- # source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
4330
- # destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
4331
- # grant_tokens: ["GrantTokenType"],
4332
- # }
4333
- #
4334
4335
  # @!attribute [rw] ciphertext_blob
4335
4336
  # Ciphertext of the data to reencrypt.
4336
4337
  # @return [String]
@@ -4536,23 +4537,6 @@ module Aws::KMS
4536
4537
  include Aws::Structure
4537
4538
  end
4538
4539
 
4539
- # @note When making an API call, you may pass ReplicateKeyRequest
4540
- # data as a hash:
4541
- #
4542
- # {
4543
- # key_id: "KeyIdType", # required
4544
- # replica_region: "RegionType", # required
4545
- # policy: "PolicyType",
4546
- # bypass_policy_lockout_safety_check: false,
4547
- # description: "DescriptionType",
4548
- # tags: [
4549
- # {
4550
- # tag_key: "TagKeyType", # required
4551
- # tag_value: "TagValueType", # required
4552
- # },
4553
- # ],
4554
- # }
4555
- #
4556
4540
  # @!attribute [rw] key_id
4557
4541
  # Identifies the multi-Region primary key that is being replicated. To
4558
4542
  # determine whether a KMS key is a multi-Region primary key, use the
@@ -4703,7 +4687,7 @@ module Aws::KMS
4703
4687
  # the TagResource operation.
4704
4688
  #
4705
4689
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4706
- # KMS key. For details, see [ABAC in KMS][1] in the *Key Management
4690
+ # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
4707
4691
  # Service Developer Guide*.
4708
4692
  #
4709
4693
  # </note>
@@ -4778,15 +4762,6 @@ module Aws::KMS
4778
4762
  include Aws::Structure
4779
4763
  end
4780
4764
 
4781
- # @note When making an API call, you may pass RetireGrantRequest
4782
- # data as a hash:
4783
- #
4784
- # {
4785
- # grant_token: "GrantTokenType",
4786
- # key_id: "KeyIdType",
4787
- # grant_id: "GrantIdType",
4788
- # }
4789
- #
4790
4765
  # @!attribute [rw] grant_token
4791
4766
  # Identifies the grant to be retired. You can use a grant token to
4792
4767
  # identify a new grant even before it has achieved eventual
@@ -4830,14 +4805,6 @@ module Aws::KMS
4830
4805
  include Aws::Structure
4831
4806
  end
4832
4807
 
4833
- # @note When making an API call, you may pass RevokeGrantRequest
4834
- # data as a hash:
4835
- #
4836
- # {
4837
- # key_id: "KeyIdType", # required
4838
- # grant_id: "GrantIdType", # required
4839
- # }
4840
- #
4841
4808
  # @!attribute [rw] key_id
4842
4809
  # A unique identifier for the KMS key associated with the grant. To
4843
4810
  # get the key ID and key ARN for a KMS key, use ListKeys or
@@ -4872,14 +4839,6 @@ module Aws::KMS
4872
4839
  include Aws::Structure
4873
4840
  end
4874
4841
 
4875
- # @note When making an API call, you may pass ScheduleKeyDeletionRequest
4876
- # data as a hash:
4877
- #
4878
- # {
4879
- # key_id: "KeyIdType", # required
4880
- # pending_window_in_days: 1,
4881
- # }
4882
- #
4883
4842
  # @!attribute [rw] key_id
4884
4843
  # The unique identifier of the KMS key to delete.
4885
4844
  #
@@ -4965,17 +4924,6 @@ module Aws::KMS
4965
4924
  include Aws::Structure
4966
4925
  end
4967
4926
 
4968
- # @note When making an API call, you may pass SignRequest
4969
- # data as a hash:
4970
- #
4971
- # {
4972
- # key_id: "KeyIdType", # required
4973
- # message: "data", # required
4974
- # message_type: "RAW", # accepts RAW, DIGEST
4975
- # grant_tokens: ["GrantTokenType"],
4976
- # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
4977
- # }
4978
- #
4979
4927
  # @!attribute [rw] key_id
4980
4928
  # Identifies an asymmetric KMS key. KMS uses the private key in the
4981
4929
  # asymmetric KMS key to sign the message. The `KeyUsage` type of the
@@ -5105,14 +5053,6 @@ module Aws::KMS
5105
5053
  #
5106
5054
  # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
5107
5055
  #
5108
- # @note When making an API call, you may pass Tag
5109
- # data as a hash:
5110
- #
5111
- # {
5112
- # tag_key: "TagKeyType", # required
5113
- # tag_value: "TagValueType", # required
5114
- # }
5115
- #
5116
5056
  # @!attribute [rw] tag_key
5117
5057
  # The key of the tag.
5118
5058
  # @return [String]
@@ -5143,19 +5083,6 @@ module Aws::KMS
5143
5083
  include Aws::Structure
5144
5084
  end
5145
5085
 
5146
- # @note When making an API call, you may pass TagResourceRequest
5147
- # data as a hash:
5148
- #
5149
- # {
5150
- # key_id: "KeyIdType", # required
5151
- # tags: [ # required
5152
- # {
5153
- # tag_key: "TagKeyType", # required
5154
- # tag_value: "TagValueType", # required
5155
- # },
5156
- # ],
5157
- # }
5158
- #
5159
5086
  # @!attribute [rw] key_id
5160
5087
  # Identifies a customer managed key in the account and Region.
5161
5088
  #
@@ -5206,14 +5133,6 @@ module Aws::KMS
5206
5133
  include Aws::Structure
5207
5134
  end
5208
5135
 
5209
- # @note When making an API call, you may pass UntagResourceRequest
5210
- # data as a hash:
5211
- #
5212
- # {
5213
- # key_id: "KeyIdType", # required
5214
- # tag_keys: ["TagKeyType"], # required
5215
- # }
5216
- #
5217
5136
  # @!attribute [rw] key_id
5218
5137
  # Identifies the KMS key from which you are removing tags.
5219
5138
  #
@@ -5243,14 +5162,6 @@ module Aws::KMS
5243
5162
  include Aws::Structure
5244
5163
  end
5245
5164
 
5246
- # @note When making an API call, you may pass UpdateAliasRequest
5247
- # data as a hash:
5248
- #
5249
- # {
5250
- # alias_name: "AliasNameType", # required
5251
- # target_key_id: "KeyIdType", # required
5252
- # }
5253
- #
5254
5165
  # @!attribute [rw] alias_name
5255
5166
  # Identifies the alias that is changing its KMS key. This value must
5256
5167
  # begin with `alias/` followed by the alias name, such as
@@ -5266,7 +5177,7 @@ module Aws::KMS
5266
5177
  # The KMS key must be in the same Amazon Web Services account and
5267
5178
  # Region as the alias. Also, the new target KMS key must be the same
5268
5179
  # type as the current target KMS key (both symmetric or both
5269
- # asymmetric) and they must have the same key usage.
5180
+ # asymmetric or both HMAC) and they must have the same key usage.
5270
5181
  #
5271
5182
  # Specify the key ID or key ARN of the KMS key.
5272
5183
  #
@@ -5298,16 +5209,6 @@ module Aws::KMS
5298
5209
  include Aws::Structure
5299
5210
  end
5300
5211
 
5301
- # @note When making an API call, you may pass UpdateCustomKeyStoreRequest
5302
- # data as a hash:
5303
- #
5304
- # {
5305
- # custom_key_store_id: "CustomKeyStoreIdType", # required
5306
- # new_custom_key_store_name: "CustomKeyStoreNameType",
5307
- # key_store_password: "KeyStorePasswordType",
5308
- # cloud_hsm_cluster_id: "CloudHsmClusterIdType",
5309
- # }
5310
- #
5311
5212
  # @!attribute [rw] custom_key_store_id
5312
5213
  # Identifies the custom key store that you want to update. Enter the
5313
5214
  # ID of the custom key store. To find the ID of a custom key store,
@@ -5318,19 +5219,28 @@ module Aws::KMS
5318
5219
  # Changes the friendly name of the custom key store to the value that
5319
5220
  # you specify. The custom key store name must be unique in the Amazon
5320
5221
  # Web Services account.
5222
+ #
5223
+ # To change this value, an CloudHSM key store must be disconnected. An
5224
+ # external key store can be connected or disconnected.
5321
5225
  # @return [String]
5322
5226
  #
5323
5227
  # @!attribute [rw] key_store_password
5324
5228
  # Enter the current password of the `kmsuser` crypto user (CU) in the
5325
- # CloudHSM cluster that is associated with the custom key store.
5229
+ # CloudHSM cluster that is associated with the custom key store. This
5230
+ # parameter is valid only for custom key stores with a
5231
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
5326
5232
  #
5327
5233
  # This parameter tells KMS the current password of the `kmsuser`
5328
5234
  # crypto user (CU). It does not set or change the password of any
5329
5235
  # users in the CloudHSM cluster.
5236
+ #
5237
+ # To change this value, the CloudHSM key store must be disconnected.
5330
5238
  # @return [String]
5331
5239
  #
5332
5240
  # @!attribute [rw] cloud_hsm_cluster_id
5333
5241
  # Associates the custom key store with a related CloudHSM cluster.
5242
+ # This parameter is valid only for custom key stores with a
5243
+ # `CustomKeyStoreType` of `AWS_CLOUDHSM`.
5334
5244
  #
5335
5245
  # Enter the cluster ID of the cluster that you used to create the
5336
5246
  # custom key store or a cluster that shares a backup history and has
@@ -5341,19 +5251,111 @@ module Aws::KMS
5341
5251
  # To view the cluster certificate of a cluster, use the
5342
5252
  # [DescribeClusters][2] operation.
5343
5253
  #
5254
+ # To change this value, the CloudHSM key store must be disconnected.
5255
+ #
5344
5256
  #
5345
5257
  #
5346
5258
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
5347
5259
  # [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
5348
5260
  # @return [String]
5349
5261
  #
5262
+ # @!attribute [rw] xks_proxy_uri_endpoint
5263
+ # Changes the URI endpoint that KMS uses to connect to your external
5264
+ # key store proxy (XKS proxy). This parameter is valid only for custom
5265
+ # key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
5266
+ #
5267
+ # For external key stores with an `XksProxyConnectivity` value of
5268
+ # `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
5269
+ #
5270
+ # For external key stores with an `XksProxyConnectivity` value of
5271
+ # `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
5272
+ # DNS name associated with the VPC endpoint service. Each external key
5273
+ # store must use a different private DNS name.
5274
+ #
5275
+ # The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
5276
+ # be unique in the Amazon Web Services account and Region.
5277
+ #
5278
+ # To change this value, the external key store must be disconnected.
5279
+ # @return [String]
5280
+ #
5281
+ # @!attribute [rw] xks_proxy_uri_path
5282
+ # Changes the base path to the proxy APIs for this external key store.
5283
+ # To find this value, see the documentation for your external key
5284
+ # manager and external key store proxy (XKS proxy). This parameter is
5285
+ # valid only for custom key stores with a `CustomKeyStoreType` of
5286
+ # `EXTERNAL_KEY_STORE`.
5287
+ #
5288
+ # The value must start with `/` and must end with `/kms/xks/v1`, where
5289
+ # `v1` represents the version of the KMS external key store proxy API.
5290
+ # You can include an optional prefix between the required elements
5291
+ # such as `/example/kms/xks/v1`.
5292
+ #
5293
+ # The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
5294
+ # be unique in the Amazon Web Services account and Region.
5295
+ #
5296
+ # You can change this value when the external key store is connected
5297
+ # or disconnected.
5298
+ # @return [String]
5299
+ #
5300
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_name
5301
+ # Changes the name that KMS uses to identify the Amazon VPC endpoint
5302
+ # service for your external key store proxy (XKS proxy). This
5303
+ # parameter is valid when the `CustomKeyStoreType` is
5304
+ # `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
5305
+ # `VPC_ENDPOINT_SERVICE`.
5306
+ #
5307
+ # To change this value, the external key store must be disconnected.
5308
+ # @return [String]
5309
+ #
5310
+ # @!attribute [rw] xks_proxy_authentication_credential
5311
+ # Changes the credentials that KMS uses to sign requests to the
5312
+ # external key store proxy (XKS proxy). This parameter is valid only
5313
+ # for custom key stores with a `CustomKeyStoreType` of
5314
+ # `EXTERNAL_KEY_STORE`.
5315
+ #
5316
+ # You must specify both the `AccessKeyId` and `SecretAccessKey` value
5317
+ # in the authentication credential, even if you are only updating one
5318
+ # value.
5319
+ #
5320
+ # This parameter doesn't establish or change your authentication
5321
+ # credentials on the proxy. It just tells KMS the credential that you
5322
+ # established with your external key store proxy. For example, if you
5323
+ # rotate the credential on your external key store proxy, you can use
5324
+ # this parameter to update the credential in KMS.
5325
+ #
5326
+ # You can change this value when the external key store is connected
5327
+ # or disconnected.
5328
+ # @return [Types::XksProxyAuthenticationCredentialType]
5329
+ #
5330
+ # @!attribute [rw] xks_proxy_connectivity
5331
+ # Changes the connectivity setting for the external key store. To
5332
+ # indicate that the external key store proxy uses a Amazon VPC
5333
+ # endpoint service to communicate with KMS, specify
5334
+ # `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
5335
+ #
5336
+ # If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
5337
+ # you must also change the `XksProxyUriEndpoint` and add an
5338
+ # `XksProxyVpcEndpointServiceName` value.
5339
+ #
5340
+ # If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
5341
+ # must also change the `XksProxyUriEndpoint` and specify a null or
5342
+ # empty string for the `XksProxyVpcEndpointServiceName` value.
5343
+ #
5344
+ # To change this value, the external key store must be disconnected.
5345
+ # @return [String]
5346
+ #
5350
5347
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
5351
5348
  #
5352
5349
  class UpdateCustomKeyStoreRequest < Struct.new(
5353
5350
  :custom_key_store_id,
5354
5351
  :new_custom_key_store_name,
5355
5352
  :key_store_password,
5356
- :cloud_hsm_cluster_id)
5353
+ :cloud_hsm_cluster_id,
5354
+ :xks_proxy_uri_endpoint,
5355
+ :xks_proxy_uri_path,
5356
+ :xks_proxy_vpc_endpoint_service_name,
5357
+ :xks_proxy_authentication_credential,
5358
+ :xks_proxy_connectivity)
5357
5359
  SENSITIVE = [:key_store_password]
5358
5360
  include Aws::Structure
5359
5361
  end
@@ -5362,14 +5364,6 @@ module Aws::KMS
5362
5364
  #
5363
5365
  class UpdateCustomKeyStoreResponse < Aws::EmptyStructure; end
5364
5366
 
5365
- # @note When making an API call, you may pass UpdateKeyDescriptionRequest
5366
- # data as a hash:
5367
- #
5368
- # {
5369
- # key_id: "KeyIdType", # required
5370
- # description: "DescriptionType", # required
5371
- # }
5372
- #
5373
5367
  # @!attribute [rw] key_id
5374
5368
  # Updates the description of the specified KMS key.
5375
5369
  #
@@ -5399,14 +5393,6 @@ module Aws::KMS
5399
5393
  include Aws::Structure
5400
5394
  end
5401
5395
 
5402
- # @note When making an API call, you may pass UpdatePrimaryRegionRequest
5403
- # data as a hash:
5404
- #
5405
- # {
5406
- # key_id: "KeyIdType", # required
5407
- # primary_region: "RegionType", # required
5408
- # }
5409
- #
5410
5396
  # @!attribute [rw] key_id
5411
5397
  # Identifies the current primary key. When the operation completes,
5412
5398
  # this KMS key will be a replica key.
@@ -5442,17 +5428,6 @@ module Aws::KMS
5442
5428
  include Aws::Structure
5443
5429
  end
5444
5430
 
5445
- # @note When making an API call, you may pass VerifyMacRequest
5446
- # data as a hash:
5447
- #
5448
- # {
5449
- # message: "data", # required
5450
- # key_id: "KeyIdType", # required
5451
- # mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
5452
- # mac: "data", # required
5453
- # grant_tokens: ["GrantTokenType"],
5454
- # }
5455
- #
5456
5431
  # @!attribute [rw] message
5457
5432
  # The message that will be used in the verification. Enter the same
5458
5433
  # message that was used to generate the HMAC.
@@ -5536,18 +5511,6 @@ module Aws::KMS
5536
5511
  include Aws::Structure
5537
5512
  end
5538
5513
 
5539
- # @note When making an API call, you may pass VerifyRequest
5540
- # data as a hash:
5541
- #
5542
- # {
5543
- # key_id: "KeyIdType", # required
5544
- # message: "data", # required
5545
- # message_type: "RAW", # accepts RAW, DIGEST
5546
- # signature: "data", # required
5547
- # signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
5548
- # grant_tokens: ["GrantTokenType"],
5549
- # }
5550
- #
5551
5514
  # @!attribute [rw] key_id
5552
5515
  # Identifies the asymmetric KMS key that will be used to verify the
5553
5516
  # signature. This must be the same KMS key that was used to generate
@@ -5662,5 +5625,324 @@ module Aws::KMS
5662
5625
  include Aws::Structure
5663
5626
  end
5664
5627
 
5628
+ # The request was rejected because the (`XksKeyId`) is already
5629
+ # associated with a KMS key in this external key store. Each KMS key in
5630
+ # an external key store must be associated with a different external
5631
+ # key.
5632
+ #
5633
+ # @!attribute [rw] message
5634
+ # @return [String]
5635
+ #
5636
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
5637
+ #
5638
+ class XksKeyAlreadyInUseException < Struct.new(
5639
+ :message)
5640
+ SENSITIVE = []
5641
+ include Aws::Structure
5642
+ end
5643
+
5644
+ # Information about the [external key ][1]that is associated with a KMS
5645
+ # key in an external key store.
5646
+ #
5647
+ # This element appears in a CreateKey or DescribeKey response only for a
5648
+ # KMS key in an external key store.
5649
+ #
5650
+ # The *external key* is a symmetric encryption key that is hosted by an
5651
+ # external key manager outside of Amazon Web Services. When you use the
5652
+ # KMS key in an external key store in a cryptographic operation, the
5653
+ # cryptographic operation is performed in the external key manager using
5654
+ # the specified external key. For more information, see [External
5655
+ # key][1] in the *Key Management Service Developer Guide*.
5656
+ #
5657
+ #
5658
+ #
5659
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
5660
+ #
5661
+ # @!attribute [rw] id
5662
+ # The ID of the external key in its external key manager. This is the
5663
+ # ID that the external key store proxy uses to identify the external
5664
+ # key.
5665
+ # @return [String]
5666
+ #
5667
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
5668
+ #
5669
+ class XksKeyConfigurationType < Struct.new(
5670
+ :id)
5671
+ SENSITIVE = []
5672
+ include Aws::Structure
5673
+ end
5674
+
5675
+ # The request was rejected because the external key specified by the
5676
+ # `XksKeyId` parameter did not meet the configuration requirements for
5677
+ # an external key store.
5678
+ #
5679
+ # The external key must be an AES-256 symmetric key that is enabled and
5680
+ # performs encryption and decryption.
5681
+ #
5682
+ # @!attribute [rw] message
5683
+ # @return [String]
5684
+ #
5685
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
5686
+ #
5687
+ class XksKeyInvalidConfigurationException < Struct.new(
5688
+ :message)
5689
+ SENSITIVE = []
5690
+ include Aws::Structure
5691
+ end
5692
+
5693
+ # The request was rejected because the external key store proxy could
5694
+ # not find the external key. This exception is thrown when the value of
5695
+ # the `XksKeyId` parameter doesn't identify a key in the external key
5696
+ # manager associated with the external key proxy.
5697
+ #
5698
+ # Verify that the `XksKeyId` represents an existing key in the external
5699
+ # key manager. Use the key identifier that the external key store proxy
5700
+ # uses to identify the key. For details, see the documentation provided
5701
+ # with your external key store proxy or key manager.
5702
+ #
5703
+ # @!attribute [rw] message
5704
+ # @return [String]
5705
+ #
5706
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
5707
+ #
5708
+ class XksKeyNotFoundException < Struct.new(
5709
+ :message)
5710
+ SENSITIVE = []
5711
+ include Aws::Structure
5712
+ end
5713
+
5714
+ # KMS uses the authentication credential to sign requests that it sends
5715
+ # to the external key store proxy (XKS proxy) on your behalf. You
5716
+ # establish these credentials on your external key store proxy and
5717
+ # report them to KMS.
5718
+ #
5719
+ # The `XksProxyAuthenticationCredential` includes two required elements.
5720
+ #
5721
+ # @!attribute [rw] access_key_id
5722
+ # A unique identifier for the raw secret access key.
5723
+ # @return [String]
5724
+ #
5725
+ # @!attribute [rw] raw_secret_access_key
5726
+ # A secret string of 43-64 characters. Valid characters are a-z, A-Z,
5727
+ # 0-9, /, +, and =.
5728
+ # @return [String]
5729
+ #
5730
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
5731
+ #
5732
+ class XksProxyAuthenticationCredentialType < Struct.new(
5733
+ :access_key_id,
5734
+ :raw_secret_access_key)
5735
+ SENSITIVE = [:access_key_id, :raw_secret_access_key]
5736
+ include Aws::Structure
5737
+ end
5738
+
5739
+ # Detailed information about the external key store proxy (XKS proxy).
5740
+ # Your external key store proxy translates KMS requests into a format
5741
+ # that your external key manager can understand. These fields appear in
5742
+ # a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
5743
+ # is `EXTERNAL_KEY_STORE`.
5744
+ #
5745
+ # @!attribute [rw] connectivity
5746
+ # Indicates whether the external key store proxy uses a public
5747
+ # endpoint or an Amazon VPC endpoint service to communicate with KMS.
5748
+ # @return [String]
5749
+ #
5750
+ # @!attribute [rw] access_key_id
5751
+ # The part of the external key store [proxy authentication
5752
+ # credential][1] that uniquely identifies the secret access key.
5753
+ #
5754
+ #
5755
+ #
5756
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
5757
+ # @return [String]
5758
+ #
5759
+ # @!attribute [rw] uri_endpoint
5760
+ # The URI endpoint for the external key store proxy.
5761
+ #
5762
+ # If the external key store proxy has a public endpoint, it is
5763
+ # displayed here.
5764
+ #
5765
+ # If the external key store proxy uses an Amazon VPC endpoint service
5766
+ # name, this field displays the private DNS name associated with the
5767
+ # VPC endpoint service.
5768
+ # @return [String]
5769
+ #
5770
+ # @!attribute [rw] uri_path
5771
+ # The path to the external key store proxy APIs.
5772
+ # @return [String]
5773
+ #
5774
+ # @!attribute [rw] vpc_endpoint_service_name
5775
+ # The Amazon VPC endpoint service used to communicate with the
5776
+ # external key store proxy. This field appears only when the external
5777
+ # key store proxy uses an Amazon VPC endpoint service to communicate
5778
+ # with KMS.
5779
+ # @return [String]
5780
+ #
5781
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
5782
+ #
5783
+ class XksProxyConfigurationType < Struct.new(
5784
+ :connectivity,
5785
+ :access_key_id,
5786
+ :uri_endpoint,
5787
+ :uri_path,
5788
+ :vpc_endpoint_service_name)
5789
+ SENSITIVE = [:access_key_id]
5790
+ include Aws::Structure
5791
+ end
5792
+
5793
+ # The request was rejected because the proxy credentials failed to
5794
+ # authenticate to the specified external key store proxy. The specified
5795
+ # external key store proxy rejected a status request from KMS due to
5796
+ # invalid credentials. This can indicate an error in the credentials or
5797
+ # in the identification of the external key store proxy.
5798
+ #
5799
+ # @!attribute [rw] message
5800
+ # @return [String]
5801
+ #
5802
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
5803
+ #
5804
+ class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
5805
+ :message)
5806
+ SENSITIVE = []
5807
+ include Aws::Structure
5808
+ end
5809
+
5810
+ # The request was rejected because the Amazon VPC endpoint service
5811
+ # configuration does not fulfill the requirements for an external key
5812
+ # store proxy. For details, see the exception message.
5813
+ #
5814
+ # @!attribute [rw] message
5815
+ # @return [String]
5816
+ #
5817
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
5818
+ #
5819
+ class XksProxyInvalidConfigurationException < Struct.new(
5820
+ :message)
5821
+ SENSITIVE = []
5822
+ include Aws::Structure
5823
+ end
5824
+
5825
+ # KMS cannot interpret the response it received from the external key
5826
+ # store proxy. The problem might be a poorly constructed response, but
5827
+ # it could also be a transient network issue. If you see this error
5828
+ # repeatedly, report it to the proxy vendor.
5829
+ #
5830
+ # @!attribute [rw] message
5831
+ # @return [String]
5832
+ #
5833
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
5834
+ #
5835
+ class XksProxyInvalidResponseException < Struct.new(
5836
+ :message)
5837
+ SENSITIVE = []
5838
+ include Aws::Structure
5839
+ end
5840
+
5841
+ # The request was rejected because the concatenation of the
5842
+ # `XksProxyUriEndpoint` is already associated with an external key store
5843
+ # in the Amazon Web Services account and Region. Each external key store
5844
+ # in an account and Region must use a unique external key store proxy
5845
+ # address.
5846
+ #
5847
+ # @!attribute [rw] message
5848
+ # @return [String]
5849
+ #
5850
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
5851
+ #
5852
+ class XksProxyUriEndpointInUseException < Struct.new(
5853
+ :message)
5854
+ SENSITIVE = []
5855
+ include Aws::Structure
5856
+ end
5857
+
5858
+ # The request was rejected because the concatenation of the
5859
+ # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
5860
+ # an external key store in the Amazon Web Services account and Region.
5861
+ # Each external key store in an account and Region must use a unique
5862
+ # external key store proxy API address.
5863
+ #
5864
+ # @!attribute [rw] message
5865
+ # @return [String]
5866
+ #
5867
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
5868
+ #
5869
+ class XksProxyUriInUseException < Struct.new(
5870
+ :message)
5871
+ SENSITIVE = []
5872
+ include Aws::Structure
5873
+ end
5874
+
5875
+ # KMS was unable to reach the specified `XksProxyUriPath`. The path must
5876
+ # be reachable before you create the external key store or update its
5877
+ # settings.
5878
+ #
5879
+ # This exception is also thrown when the external key store proxy
5880
+ # response to a `GetHealthStatus` request indicates that all external
5881
+ # key manager instances are unavailable.
5882
+ #
5883
+ # @!attribute [rw] message
5884
+ # @return [String]
5885
+ #
5886
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
5887
+ #
5888
+ class XksProxyUriUnreachableException < Struct.new(
5889
+ :message)
5890
+ SENSITIVE = []
5891
+ include Aws::Structure
5892
+ end
5893
+
5894
+ # The request was rejected because the specified Amazon VPC endpoint
5895
+ # service is already associated with an external key store in the Amazon
5896
+ # Web Services account and Region. Each external key store in an Amazon
5897
+ # Web Services account and Region must use a different Amazon VPC
5898
+ # endpoint service.
5899
+ #
5900
+ # @!attribute [rw] message
5901
+ # @return [String]
5902
+ #
5903
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
5904
+ #
5905
+ class XksProxyVpcEndpointServiceInUseException < Struct.new(
5906
+ :message)
5907
+ SENSITIVE = []
5908
+ include Aws::Structure
5909
+ end
5910
+
5911
+ # The request was rejected because the Amazon VPC endpoint service
5912
+ # configuration does not fulfill the requirements for an external key
5913
+ # store proxy. For details, see the exception message and [review the
5914
+ # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
5915
+ # for Amazon VPC endpoint service connectivity for an external key
5916
+ # store.
5917
+ #
5918
+ # @!attribute [rw] message
5919
+ # @return [String]
5920
+ #
5921
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
5922
+ #
5923
+ class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
5924
+ :message)
5925
+ SENSITIVE = []
5926
+ include Aws::Structure
5927
+ end
5928
+
5929
+ # The request was rejected because KMS could not find the specified VPC
5930
+ # endpoint service. Use DescribeCustomKeyStores to verify the VPC
5931
+ # endpoint service name for the external key store. Also, confirm that
5932
+ # the `Allow principals` list for the VPC endpoint service includes the
5933
+ # KMS service principal for the Region, such as
5934
+ # `cks.kms.us-east-1.amazonaws.com`.
5935
+ #
5936
+ # @!attribute [rw] message
5937
+ # @return [String]
5938
+ #
5939
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
5940
+ #
5941
+ class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
5942
+ :message)
5943
+ SENSITIVE = []
5944
+ include Aws::Structure
5945
+ end
5946
+
5665
5947
  end
5666
5948
  end