aws-sdk-kms 1.62.0 → 1.63.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cc4f9ec57e4facf9bdd94a84c03b65e0243af436d1a71ae364a6cb131578211f
-  data.tar.gz: c28fd15ca65baf3524392da759ef126639959d84861c83ca0e735716e2df3b67
+  metadata.gz: 13e659ace0d14d832118d6e21486a6b09daa9749d3a39a956fa07d716fd5aad0
+  data.tar.gz: eedbc3733612a3839fec7e47bf5f6b191ff8960da315188a0757d1ea8427565b
 SHA512:
-  metadata.gz: 8ab2220117a3674e77af57eea5ec9ff78d228f9b1d1747f819386d0a7d121014f70d2291f0ed798993dc130660d5caba2666075d862b34d239191583d0953258
-  data.tar.gz: 22e21dd917f98b22977d2ad7818f1ff36f7aa362ae8734133ca59c9133293a123b119541e777f6790f8830d90ecdbf16fbf7863be34d6cc13cd9ecb206d1949b
+  metadata.gz: 932fcf1f5b42d636b97506236eb463f18b7b9a6cda0c7482f0987ec40fba23fca8a6e30d0a8ebd0da9970771c6fb9a5648ce219a7a7b7636651021a9dd9ea7d9
+  data.tar.gz: 01dbb9b794db0b4914d8607543225e9d8665f94960a0044a525b8990232d423444e49dc6979f912da47a56505195ba88330535cb98a9490988bb6b05697ef7be

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.63.0 (2023-02-28)
+------------------
+
+* Feature - AWS KMS is deprecating the RSAES_PKCS1_V1_5 wrapping algorithm option in the GetParametersForImport API that is used in the AWS KMS Import Key Material feature. AWS KMS will end support for this wrapping algorithm by October 1, 2023.
+
 1.62.0 (2023-01-18)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.62.0
+1.63.0

data/lib/aws-sdk-kms/client.rb

@@ -1184,30 +1184,27 @@ module Aws::KMS
     # @option params [required, String] :grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
-    #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services principals
-    #   include Amazon Web Services accounts (root), IAM users, IAM roles,
-    #   federated users, and assumed role users. For examples of the ARN
-    #   syntax to use for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   To specify the grantee principal, use the Amazon Resource Name (ARN)
+    #   of an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal, see
+    #   [IAM ARNs][1] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #
     # @option params [String] :retiring_principal
     #   The principal that has permission to use the RetireGrant operation to
     #   retire the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services principals
-    #   include Amazon Web Services accounts (root), IAM users, federated
-    #   users, and assumed role users. For examples of the ARN syntax to use
-    #   for specifying a principal, see [Amazon Web Services Identity and
-    #   Access Management (IAM)][2] in the Example ARNs section of the *Amazon
-    #   Web Services General Reference*.
+    #   an Amazon Web Services principal. Valid principals include Amazon Web
+    #   Services accounts, IAM users, IAM roles, federated users, and assumed
+    #   role users. For help with the ARN syntax for a principal, see [IAM
+    #   ARNs][2] in the <i> <i>Identity and Access Management User Guide</i>
+    #   </i>.
     #
     #   The grant determines the retiring principal. Other principals might
     #   have permission to retire the grant or revoke the grant. For details,
@@ -1217,7 +1214,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     #
     # @option params [required, Array<String>] :operations
@@ -1591,26 +1588,23 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must allow the principal that is making the `CreateKey`
-    #     request to make a subsequent PutKeyPolicy request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
-    #     Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a subsequent
+    #     `PutKeyPolicy` request on the KMS key. This reduces the risk that
+    #     the KMS key becomes unmanageable. For more information, see [Default
+    #     key policy][1] in the *Key Management Service Developer Guide*. (To
+    #     omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to KMS. When you create a new Amazon Web Services principal
-    #     (for example, an IAM user or role), you might need to enforce a
-    #     delay before including the new principal in a key policy because the
-    #     new principal might not be immediately visible to KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *Amazon Web Services Identity and Access
-    #     Management User Guide*.
+    #     visible to KMS. When you create a new Amazon Web Services principal,
+    #     you might need to enforce a delay before including the new principal
+    #     in a key policy because the new principal might not be immediately
+    #     visible to KMS. For more information, see [Changes that I make are
+    #     not always immediately visible][2] in the *Amazon Web Services
+    #     Identity and Access Management User Guide*.
     #
     #   If you do not provide a key policy, KMS attaches a default key policy
-    #   to the KMS key. For more information, see [Default Key Policy][3] in
+    #   to the KMS key. For more information, see [Default key policy][3] in
     #   the *Key Management Service Developer Guide*.
     #
     #   The key policy size quota is 32 kilobytes (32768 bytes).
@@ -1621,7 +1615,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
@@ -1797,25 +1791,22 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The default
+    #   value is false.
     #
     #   Setting this value to true increases the risk that the KMS key becomes
     #   unmanageable. Do not set this value to true indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>.
-    #
-    #   Use this parameter only when you include a policy in the request and
-    #   you intend to prevent the principal that is making the request from
-    #   making a subsequent PutKeyPolicy request on the KMS key.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value is false.
+    #   Use this parameter only when you intend to prevent the principal that
+    #   is making the request from making a subsequent PutKeyPolicy request on
+    #   the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #
     # @option params [Array<Types::Tag>] :tags
     #   Assigns one or more tags to the KMS key. Use this parameter to tag the
@@ -2296,14 +2287,15 @@ module Aws::KMS
     # key that you intend.
     #
     # Whenever possible, use key policies to give users permission to call
-    # the `Decrypt` operation on a particular KMS key, instead of using IAM
-    # policies. Otherwise, you might create an IAM user policy that gives
-    # the user `Decrypt` permission on all KMS keys. This user could decrypt
-    # ciphertext that was encrypted by KMS keys in other accounts if the key
-    # policy for the cross-account KMS key permits it. If you must use an
-    # IAM policy for `Decrypt` permissions, limit the user to particular KMS
-    # keys or particular trusted accounts. For details, see [Best practices
-    # for IAM policies][4] in the *Key Management Service Developer Guide*.
+    # the `Decrypt` operation on a particular KMS key, instead of using
+    # &amp;IAM; policies. Otherwise, you might create an &amp;IAM; policy
+    # that gives the user `Decrypt` permission on all KMS keys. This user
+    # could decrypt ciphertext that was encrypted by KMS keys in other
+    # accounts if the key policy for the cross-account KMS key permits it.
+    # If you must use an IAM policy for `Decrypt` permissions, limit the
+    # user to particular KMS keys or particular trusted accounts. For
+    # details, see [Best practices for IAM policies][4] in the *Key
+    # Management Service Developer Guide*.
     #
     # Applications in Amazon Web Services Nitro Enclaves can call this
     # operation by using the [Amazon Web Services Nitro Enclaves Development
@@ -2315,9 +2307,9 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][7] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
-    # in a different Amazon Web Services account, specify the key ARN or
-    # alias ARN in the value of the `KeyId` parameter.
+    # **Cross-account use**\: Yes. If you use the `KeyId` parameter to
+    # identify a KMS key in a different Amazon Web Services account, specify
+    # the key ARN or the alias ARN of the KMS key.
     #
     # **Required permissions**\: [kms:Decrypt][8] (key policy)
     #
@@ -4001,10 +3993,10 @@ module Aws::KMS
     # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
     # and 256-bit data keys, use the `KeySpec` parameter.
     #
-    # To generate an SM4 data key (China Regions only), specify a `KeySpec`
-    # value of `AES_128` or `NumberOfBytes` value of `128`. The symmetric
-    # encryption key used in China Regions to encrypt your data key is an
-    # SM4 encryption key.
+    # To generate a 128-bit SM4 data key (China Regions only), specify a
+    # `KeySpec` value of `AES_128` or a `NumberOfBytes` value of `16`. The
+    # symmetric encryption key used in China Regions to encrypt your data
+    # key is an SM4 encryption key.
     #
     # To get only an encrypted copy of the data key, use
     # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
@@ -5266,14 +5258,21 @@ module Aws::KMS
     #   DescribeKey.
     #
     # @option params [required, String] :wrapping_algorithm
-    #   The algorithm you will use to encrypt the key material before
-    #   importing it with ImportKeyMaterial. For more information, see
-    #   [Encrypt the Key Material][1] in the *Key Management Service Developer
-    #   Guide*.
+    #   The algorithm you will use to encrypt the key material before using
+    #   the ImportKeyMaterial operation to import it. For more information,
+    #   see [Encrypt the key material][1] in the *Key Management Service
+    #   Developer Guide*.
+    #
+    #   The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We recommend
+    #   that you begin using a different wrapping algorithm immediately. KMS
+    #   will end support for `RSAES_PKCS1_V1_5` by October 1, 2023 pursuant to
+    #   [cryptographic key management guidance][2] from the National Institute
+    #   of Standards and Technology (NIST).
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
+    #   [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
     #
     # @option params [required, String] :wrapping_key_spec
     #   The type of wrapping key (public key) to return in the response. Only
@@ -6406,17 +6405,16 @@ module Aws::KMS
     #   your Amazon Web Services account.
     #
     #   To specify the retiring principal, use the [Amazon Resource Name
-    #   (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
-    #   Services principals include Amazon Web Services accounts (root), IAM
-    #   users, federated users, and assumed role users. For examples of the
-    #   ARN syntax for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   (ARN)][1] of an Amazon Web Services principal. Valid principals
+    #   include Amazon Web Services accounts, IAM users, IAM roles, federated
+    #   users, and assumed role users. For help with the ARN syntax for a
+    #   principal, see [IAM ARNs][2] in the <i> <i>Identity and Access
+    #   Management User Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -6537,22 +6535,20 @@ module Aws::KMS
     #
     #   The key policy must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must allow the principal that is making the `PutKeyPolicy`
-    #     request to make a subsequent `PutKeyPolicy` request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the *Key Management Service Developer Guide*.
+    #   * The key policy must allow the calling principal to make a subsequent
+    #     `PutKeyPolicy` request on the KMS key. This reduces the risk that
+    #     the KMS key becomes unmanageable. For more information, see [Default
+    #     key policy][1] in the *Key Management Service Developer Guide*. (To
+    #     omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to KMS. When you create a new Amazon Web Services principal
-    #     (for example, an IAM user or role), you might need to enforce a
-    #     delay before including the new principal in a key policy because the
-    #     new principal might not be immediately visible to KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *Amazon Web Services Identity and Access
-    #     Management User Guide*.
+    #     visible to KMS. When you create a new Amazon Web Services principal,
+    #     you might need to enforce a delay before including the new principal
+    #     in a key policy because the new principal might not be immediately
+    #     visible to KMS. For more information, see [Changes that I make are
+    #     not always immediately visible][2] in the *Amazon Web Services
+    #     Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -6573,30 +6569,28 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The default
+    #   value is false.
     #
     #   Setting this value to true increases the risk that the KMS key becomes
     #   unmanageable. Do not set this value to true indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent `PutKeyPolicy` request
-    #   on the KMS key.
-    #
-    #   The default value is false.
+    #   is making the request from making a subsequent PutKeyPolicy request on
+    #   the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -7097,22 +7091,20 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must give the caller `kms:PutKeyPolicy` permission on the
-    #     replica key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][2] section of the <i> <i>Key Management Service
-    #     Developer Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a subsequent
+    #     `PutKeyPolicy` request on the KMS key. This reduces the risk that
+    #     the KMS key becomes unmanageable. For more information, see [Default
+    #     key policy][2] in the *Key Management Service Developer Guide*. (To
+    #     omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to KMS. When you create a new Amazon Web Services principal
-    #     (for example, an IAM user or role), you might need to enforce a
-    #     delay before including the new principal in a key policy because the
-    #     new principal might not be immediately visible to KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][3] in the <i> <i>Identity and Access Management User
-    #     Guide</i> </i>.
+    #     visible to KMS. When you create a new Amazon Web Services principal,
+    #     you might need to enforce a delay before including the new principal
+    #     in a key policy because the new principal might not be immediately
+    #     visible to KMS. For more information, see [Changes that I make are
+    #     not always immediately visible][3] in the *Amazon Web Services
+    #     Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -7134,30 +7126,28 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The default
+    #   value is false.
     #
     #   Setting this value to true increases the risk that the KMS key becomes
     #   unmanageable. Do not set this value to true indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent `PutKeyPolicy` request
-    #   on the KMS key.
-    #
-    #   The default value is false.
+    #   is making the request from making a subsequent PutKeyPolicy request on
+    #   the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #
     # @option params [String] :description
     #   A description of the KMS key. The default value is an empty string (no
@@ -7741,15 +7731,52 @@ module Aws::KMS
     #
     # @option params [required, String, StringIO, File] :message
     #   Specifies the message or message digest to sign. Messages can be
-    #   0-4096 bytes. To sign a larger message, provide the message digest.
+    #   0-4096 bytes. To sign a larger message, provide a message digest.
     #
-    #   If you provide a message, KMS generates a hash digest of the message
-    #   and then signs it.
+    #   If you provide a message digest, use the `DIGEST` value of
+    #   `MessageType` to prevent the digest from being hashed again while
+    #   signing.
     #
     # @option params [String] :message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message or
-    #   message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message` parameter
+    #   is a message digest. If you use the `DIGEST` value with an unhashed
+    #   message, the security of the signing operation can be compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or specify
+    #   `RAW` so the digest is hashed again while signing. However, this can
+    #   cause verification failures when verifying with a system that assumes
+    #   a single hash.
+    #
+    #   The hashing algorithm in that `Sign` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -7768,7 +7795,9 @@ module Aws::KMS
     #   Specifies the signing algorithm to use when signing the message.
     #
     #   Choose an algorithm that is compatible with the type and size of the
-    #   specified asymmetric KMS key.
+    #   specified asymmetric KMS key. When signing with RSA key pairs,
+    #   RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
+    #   algorithms for compatibility with existing applications.
     #
     # @return [Types::SignResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -7796,6 +7825,26 @@ module Aws::KMS
     #     signing_algorithm: "ECDSA_SHA_384", # The actual signing algorithm that was used to generate the signature.
     #   }
     #
+    # @example Example: To digitally sign a message digest with an asymmetric KMS key.
+    #
+    #   # This operation uses the private key in an asymmetric RSA signing KMS key to generate a digital signature for a message
+    #   # digest. In this example, a large message was hashed and the resulting digest is provided in the Message parameter. To
+    #   # tell KMS not to hash the message again, the MessageType field is set to DIGEST
+    #
+    #   resp = client.sign({
+    #     key_id: "alias/RSA_signing_key", # The asymmetric KMS key to be used to generate the digital signature. This example uses an alias of the KMS key.
+    #     message: "<message digest to be signed>", # Message to be signed. Use Base-64 for the CLI.
+    #     message_type: "DIGEST", # Indicates whether the message is RAW or a DIGEST. When it is RAW, KMS hashes the message before signing. When it is DIGEST, KMS skips the hashing step and signs the Message value.
+    #     signing_algorithm: "RSASSA_PKCS1_V1_5_SHA_256", # The requested signing algorithm. This must be an algorithm that the KMS key supports.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The key ARN of the asymmetric KMS key that was used to sign the message.
+    #     signature: "<binary data>", # The digital signature of the message.
+    #     signing_algorithm: "RSASSA_PKCS1_V1_5_SHA_256", # The actual signing algorithm that was used to generate the signature.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.sign({
@@ -8735,9 +8784,12 @@ module Aws::KMS
     # keys, see [Asymmetric KMS keys][1] in the *Key Management Service
     # Developer Guide*.
     #
-    # To verify a digital signature, you can use the `Verify` operation.
-    # Specify the same asymmetric KMS key, message, and signing algorithm
-    # that were used to produce the signature.
+    # To use the `Verify` operation, specify the same asymmetric KMS key,
+    # message, and signing algorithm that were used to produce the
+    # signature. The message type does not need to be the same as the one
+    # used for signing, but it must indicate whether the value of the
+    # `Message` parameter should be hashed as part of the verification
+    # process.
     #
     # You can also verify the digital signature by using the public key of
     # the KMS key outside of KMS. Use the GetPublicKey operation to download
@@ -8808,13 +8860,46 @@ module Aws::KMS
     #   digest are considered to be the same message.
     #
     # @option params [String] :message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message or
-    #   message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
     #
     #   Use the `DIGEST` value only when the value of the `Message` parameter
-    #   is a message digest. If you use the `DIGEST` value with a raw message,
-    #   the security of the verification operation can be compromised.
+    #   is a message digest. If you use the `DIGEST` value with an unhashed
+    #   message, the security of the verification operation can be
+    #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or specify
+    #   `RAW` so the digest is hashed again while signing. However, if the
+    #   signed message is hashed once while signing, but twice while
+    #   verifying, verification fails, even when the message hasn't changed.
+    #
+    #   The hashing algorithm in that `Verify` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #
     # @option params [required, String, StringIO, File] :signature
     #   The signature that the `Sign` operation generated.
@@ -8863,6 +8948,27 @@ module Aws::KMS
     #     signing_algorithm: "ECDSA_SHA_384", # The signing algorithm that was used to verify the signature.
     #   }
     #
+    # @example Example: To use an asymmetric KMS key to verify a digital signature on a message digest
+    #
+    #   # This operation uses the public key in an RSA asymmetric signing key pair to verify the digital signature of a message
+    #   # digest. Hashing a message into a digest before sending it to KMS lets you verify messages that exceed the 4096-byte
+    #   # message size limit. To indicate that the value of Message is a digest, use the MessageType parameter 
+    #
+    #   resp = client.verify({
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The asymmetric KMS key to be used to verify the digital signature. This example uses an alias to identify the KMS key.
+    #     message: "<message digest to be verified>", # The message that was signed.
+    #     message_type: "DIGEST", # Indicates whether the message is RAW or a DIGEST. When it is RAW, KMS hashes the message before signing. When it is DIGEST, KMS skips the hashing step and signs the Message value.
+    #     signature: "<binary data>", # The signature to be verified.
+    #     signing_algorithm: "RSASSA_PSS_SHA_512", # The signing algorithm to be used to verify the signature.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The key ARN of the asymmetric KMS key that was used to verify the digital signature.
+    #     signature_valid: true, # A value of 'true' Indicates that the signature was verified. If verification fails, the call to Verify fails.
+    #     signing_algorithm: "RSASSA_PSS_SHA_512", # The signing algorithm that was used to verify the signature.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.verify({
@@ -9026,7 +9132,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.62.0'
+      context[:gem_version] = '1.63.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/endpoint_parameters.rb

@@ -50,9 +50,6 @@ module Aws::KMS
 
     def initialize(options = {})
       self[:region] = options[:region]
-      if self[:region].nil?
-        raise ArgumentError, "Missing required EndpointParameter: :region"
-      end
       self[:use_dual_stack] = options[:use_dual_stack]
       self[:use_dual_stack] = false if self[:use_dual_stack].nil?
       if self[:use_dual_stack].nil?

data/lib/aws-sdk-kms/endpoint_provider.rb

@@ -14,36 +14,39 @@ module Aws::KMS
       use_dual_stack = parameters.use_dual_stack
       use_fips = parameters.use_fips
       endpoint = parameters.endpoint
-      if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
-        if Aws::Endpoints::Matchers.set?(endpoint)
-          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
-          end
-          if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-            raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
-          end
-          return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
-        end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://kms-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
-          end
-          raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
-        end
+      if Aws::Endpoints::Matchers.set?(endpoint)
         if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
-            return Aws::Endpoints::Endpoint.new(url: "https://kms-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
-          end
-          raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
+          raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
         end
         if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://kms.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+          raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
+        end
+        return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
+      end
+      if Aws::Endpoints::Matchers.set?(region)
+        if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://kms-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
+          end
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
+              return Aws::Endpoints::Endpoint.new(url: "https://kms-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
+          end
+          if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://kms.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
           end
-          raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
+          return Aws::Endpoints::Endpoint.new(url: "https://kms.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
         end
-        return Aws::Endpoints::Endpoint.new(url: "https://kms.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
       end
+      raise ArgumentError, "Invalid Configuration: Missing Region"
       raise ArgumentError, 'No endpoint could be resolved'
 
     end

data/lib/aws-sdk-kms/types.rb

@@ -566,18 +566,16 @@ module Aws::KMS
     # @!attribute [rw] grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
-    #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services
-    #   principals include Amazon Web Services accounts (root), IAM users,
-    #   IAM roles, federated users, and assumed role users. For examples of
-    #   the ARN syntax to use for specifying a principal, see [Amazon Web
-    #   Services Identity and Access Management (IAM)][2] in the Example
-    #   ARNs section of the *Amazon Web Services General Reference*.
+    #   To specify the grantee principal, use the Amazon Resource Name (ARN)
+    #   of an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal,
+    #   see [IAM ARNs][1] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -585,12 +583,11 @@ module Aws::KMS
     #   to retire the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services
-    #   principals include Amazon Web Services accounts (root), IAM users,
-    #   federated users, and assumed role users. For examples of the ARN
-    #   syntax to use for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal,
+    #   see [IAM ARNs][2] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #   The grant determines the retiring principal. Other principals might
     #   have permission to retire the grant or revoke the grant. For
@@ -600,7 +597,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     #   @return [String]
     #
@@ -741,27 +738,25 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must allow the principal that is making the `CreateKey`
-    #     request to make a subsequent PutKeyPolicy request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
-    #     Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][1] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][2] in the *Amazon Web Services Identity and
-    #     Access Management User Guide*.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][2] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   If you do not provide a key policy, KMS attaches a default key
-    #   policy to the KMS key. For more information, see [Default Key
-    #   Policy][3] in the *Key Management Service Developer Guide*.
+    #   policy to the KMS key. For more information, see [Default key
+    #   policy][3] in the *Key Management Service Developer Guide*.
     #
     #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
@@ -771,7 +766,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
@@ -957,26 +952,23 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>.
-    #
-    #   Use this parameter only when you include a policy in the request and
-    #   you intend to prevent the principal that is making the request from
-    #   making a subsequent PutKeyPolicy request on the KMS key.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value is false.
+    #   Use this parameter only when you intend to prevent the principal
+    #   that is making the request from making a subsequent PutKeyPolicy
+    #   request on the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @!attribute [rw] tags
@@ -2776,14 +2768,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] wrapping_algorithm
-    #   The algorithm you will use to encrypt the key material before
-    #   importing it with ImportKeyMaterial. For more information, see
-    #   [Encrypt the Key Material][1] in the *Key Management Service
+    #   The algorithm you will use to encrypt the key material before using
+    #   the ImportKeyMaterial operation to import it. For more information,
+    #   see [Encrypt the key material][1] in the *Key Management Service
     #   Developer Guide*.
     #
+    #   The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We
+    #   recommend that you begin using a different wrapping algorithm
+    #   immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
+    #   1, 2023 pursuant to [cryptographic key management guidance][2] from
+    #   the National Institute of Standards and Technology (NIST).
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
+    #   [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
     #   @return [String]
     #
     # @!attribute [rw] wrapping_key_spec
@@ -4128,17 +4127,16 @@ module Aws::KMS
     #   in your Amazon Web Services account.
     #
     #   To specify the retiring principal, use the [Amazon Resource Name
-    #   (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
-    #   Services principals include Amazon Web Services accounts (root), IAM
-    #   users, federated users, and assumed role users. For examples of the
-    #   ARN syntax for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   (ARN)][1] of an Amazon Web Services principal. Valid principals
+    #   include Amazon Web Services accounts, IAM users, IAM roles,
+    #   federated users, and assumed role users. For help with the ARN
+    #   syntax for a principal, see [IAM ARNs][2] in the <i> <i>Identity and
+    #   Access Management User Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
@@ -4256,23 +4254,21 @@ module Aws::KMS
     #
     #   The key policy must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must allow the principal that is making the
-    #     `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
-    #     on the KMS key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][1] section of the *Key Management Service
-    #     Developer Guide*.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][1] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][2] in the *Amazon Web Services Identity and
-    #     Access Management User Guide*.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][2] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -4293,32 +4289,30 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
-    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   that is making the request from making a subsequent PutKeyPolicy
     #   request on the KMS key.
     #
-    #   The default value is false.
-    #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -4606,22 +4600,21 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must give the caller `kms:PutKeyPolicy` permission on
-    #     the replica key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][2] section of the <i> <i>Key Management
-    #     Service Developer Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][2] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][3] in the <i> <i>Identity and Access
-    #     Management User Guide</i> </i>.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][3] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -4643,32 +4636,30 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
-    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   that is making the request from making a subsequent PutKeyPolicy
     #   request on the KMS key.
     #
-    #   The default value is false.
     #
     #
-    #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @!attribute [rw] description
@@ -4952,16 +4943,55 @@ module Aws::KMS
     #
     # @!attribute [rw] message
     #   Specifies the message or message digest to sign. Messages can be
-    #   0-4096 bytes. To sign a larger message, provide the message digest.
+    #   0-4096 bytes. To sign a larger message, provide a message digest.
     #
-    #   If you provide a message, KMS generates a hash digest of the message
-    #   and then signs it.
+    #   If you provide a message digest, use the `DIGEST` value of
+    #   `MessageType` to prevent the digest from being hashed again while
+    #   signing.
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message
-    #   or message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already
+    #   hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message`
+    #   parameter is a message digest. If you use the `DIGEST` value with an
+    #   unhashed message, the security of the signing operation can be
+    #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or
+    #   specify `RAW` so the digest is hashed again while signing. However,
+    #   this can cause verification failures when verifying with a system
+    #   that assumes a single hash.
+    #
+    #   The hashing algorithm in that `Sign` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -4982,7 +5012,9 @@ module Aws::KMS
     #   Specifies the signing algorithm to use when signing the message.
     #
     #   Choose an algorithm that is compatible with the type and size of the
-    #   specified asymmetric KMS key.
+    #   specified asymmetric KMS key. When signing with RSA key pairs,
+    #   RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
+    #   algorithms for compatibility with existing applications.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
@@ -5548,14 +5580,48 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message
-    #   or message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already
+    #   hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
     #
     #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with a
-    #   raw message, the security of the verification operation can be
+    #   parameter is a message digest. If you use the `DIGEST` value with an
+    #   unhashed message, the security of the verification operation can be
     #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or
+    #   specify `RAW` so the digest is hashed again while signing. However,
+    #   if the signed message is hashed once while signing, but twice while
+    #   verifying, verification fails, even when the message hasn't
+    #   changed.
+    #
+    #   The hashing algorithm in that `Verify` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] signature

data/lib/aws-sdk-kms.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @!group service
 module Aws::KMS
 
-  GEM_VERSION = '1.62.0'
+  GEM_VERSION = '1.63.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.62.0
+  version: 1.63.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-18 00:00:00.000000000 Z
+date: 2023-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core