aws-sdk-kms 1.62.0 → 1.64.0

data/lib/aws-sdk-kms/client.rb

@@ -390,12 +390,12 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:CancelKeyDeletion][3] (key policy)
+    # **Required permissions**: [kms:CancelKeyDeletion][3] (key policy)
     #
-    # **Related operations**\: ScheduleKeyDeletion
+    # **Related operations**: ScheduleKeyDeletion
     #
     #
     #
@@ -527,10 +527,10 @@ module Aws::KMS
     # store, see [Troubleshooting an external key store][6] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a
+    # **Cross-account use**: No. You cannot perform this operation on a
     # custom key store in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:ConnectCustomKeyStore][7] (IAM policy)
+    # **Required permissions**: [kms:ConnectCustomKeyStore][7] (IAM policy)
     #
     # **Related operations**
     #
@@ -624,7 +624,7 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][4] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on an
+    # **Cross-account use**: No. You cannot perform this operation on an
     # alias in a different Amazon Web Services account.
     #
     # **Required permissions**
@@ -657,6 +657,10 @@ module Aws::KMS
     #   Specifies the alias name. This value must begin with `alias/` followed
     #   by a name, such as `alias/ExampleAlias`.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   The `AliasName` value must be string of 1-256 characters. It can
     #   contain only alphanumeric characters, forward slashes (/), underscores
     #   (\_), and dashes (-). The alias name cannot begin with `alias/aws/`.
@@ -788,10 +792,10 @@ module Aws::KMS
     # For help with failures, see [Troubleshooting a custom key store][7] in
     # the *Key Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a
+    # **Cross-account use**: No. You cannot perform this operation on a
     # custom key store in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:CreateCustomKeyStore][9] (IAM policy).
+    # **Required permissions**: [kms:CreateCustomKeyStore][9] (IAM policy).
     #
     # **Related operations:**
     #
@@ -822,6 +826,10 @@ module Aws::KMS
     #   unique in your Amazon Web Services account and Region. This parameter
     #   is required for all custom key stores.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     # @option params [String] :cloud_hsm_cluster_id
     #   Identifies the CloudHSM cluster for an CloudHSM key store. This
     #   parameter is required for custom key stores with `CustomKeyStoreType`
@@ -1018,7 +1026,7 @@ module Aws::KMS
     #   # This example creates a custom key store that is associated with an AWS CloudHSM cluster.
     #
     #   resp = client.create_custom_key_store({
-    #     cloud_hsm_cluster_id: "cluster-1a23b4cdefg", # The ID of the CloudHSM cluster.
+    #     cloud_hsm_cluster_id: "cluster-234abcdefABC", # The ID of the CloudHSM cluster.
     #     custom_key_store_name: "ExampleKeyStore", # A friendly name for the custom key store.
     #     key_store_password: "kmsPswd", # The password for the kmsuser CU account in the specified cluster.
     #     trust_anchor_certificate: "<certificate-goes-here>", # The content of the customerCA.crt file that you created when you initialized the cluster.
@@ -1140,11 +1148,11 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][4] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation on a KMS key in
+    # **Cross-account use**: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
     # value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:CreateGrant][5] (key policy)
+    # **Required permissions**: [kms:CreateGrant][5] (key policy)
     #
     # **Related operations:**
     #
@@ -1184,30 +1192,27 @@ module Aws::KMS
     # @option params [required, String] :grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
-    #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services principals
-    #   include Amazon Web Services accounts (root), IAM users, IAM roles,
-    #   federated users, and assumed role users. For examples of the ARN
-    #   syntax to use for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   To specify the grantee principal, use the Amazon Resource Name (ARN)
+    #   of an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal, see
+    #   [IAM ARNs][1] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #
     # @option params [String] :retiring_principal
     #   The principal that has permission to use the RetireGrant operation to
     #   retire the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services principals
-    #   include Amazon Web Services accounts (root), IAM users, federated
-    #   users, and assumed role users. For examples of the ARN syntax to use
-    #   for specifying a principal, see [Amazon Web Services Identity and
-    #   Access Management (IAM)][2] in the Example ARNs section of the *Amazon
-    #   Web Services General Reference*.
+    #   an Amazon Web Services principal. Valid principals include Amazon Web
+    #   Services accounts, IAM users, IAM roles, federated users, and assumed
+    #   role users. For help with the ARN syntax for a principal, see [IAM
+    #   ARNs][2] in the <i> <i>Identity and Access Management User Guide</i>
+    #   </i>.
     #
     #   The grant determines the retiring principal. Other principals might
     #   have permission to retire the grant or revoke the grant. For details,
@@ -1217,7 +1222,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     #
     # @option params [required, Array<String>] :operations
@@ -1238,22 +1243,19 @@ module Aws::KMS
     # @option params [Types::GrantConstraints] :constraints
     #   Specifies a grant constraint.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   KMS supports the `EncryptionContextEquals` and
-    #   `EncryptionContextSubset` grant constraints. Each constraint value can
-    #   include up to 8 encryption context pairs. The encryption context value
-    #   in each constraint cannot exceed 384 characters. For information about
-    #   grant constraints, see [Using grant constraints][1] in the *Key
-    #   Management Service Developer Guide*. For more information about
-    #   encryption context, see [Encryption context][2] in the <i> <i>Key
-    #   Management Service Developer Guide</i> </i>.
-    #
-    #   The encryption context grant constraints allow the permissions in the
-    #   grant only when the encryption context in the request matches
-    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
-    #   the encryption context specified in this structure.
+    #   `EncryptionContextSubset` grant constraints, which allow the
+    #   permissions in the grant only when the encryption context in the
+    #   request matches (`EncryptionContextEquals`) or includes
+    #   (`EncryptionContextSubset`) the encryption context specified in the
+    #   constraint.
     #
     #   The encryption context grant constraints are supported only on [grant
-    #   operations][3] that include an `EncryptionContext` parameter, such as
+    #   operations][1] that include an `EncryptionContext` parameter, such as
     #   cryptographic operations on symmetric encryption KMS keys. Grants with
     #   grant constraints can include the DescribeKey and RetireGrant
     #   operations, but the constraint doesn't apply to these operations. If
@@ -1264,15 +1266,20 @@ module Aws::KMS
     #
     #   You cannot use an encryption context grant constraint for
     #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
-    #   These keys don't support an encryption context.
-    #
+    #   Operations with these keys don't support an encryption context.
     #
+    #   Each constraint value can include up to 8 encryption context pairs.
+    #   The encryption context value in each constraint cannot exceed 384
+    #   characters. For information about grant constraints, see [Using grant
+    #   constraints][2] in the *Key Management Service Developer Guide*. For
+    #   more information about encryption context, see [Encryption context][3]
+    #   in the <i> <i>Key Management Service Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1291,6 +1298,10 @@ module Aws::KMS
     #   A friendly name for the grant. Use this value to prevent the
     #   unintended creation of duplicate grants when retrying this request.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   When this value is absent, all `CreateGrant` requests result in a new
     #   grant with a unique `GrantId` even if all the supplied parameters are
     #   identical. This can result in unintended duplicates when you retry the
@@ -1555,13 +1566,13 @@ module Aws::KMS
     #
     #    </note>
     #
-    # **Cross-account use**\: No. You cannot use this operation to create a
+    # **Cross-account use**: No. You cannot use this operation to create a
     # KMS key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:CreateKey][11] (IAM policy). To use
-    # the `Tags` parameter, [kms:TagResource][11] (IAM policy). For examples
-    # and information about related permissions, see [Allow a user to create
-    # KMS keys][12] in the *Key Management Service Developer Guide*.
+    # **Required permissions**: [kms:CreateKey][11] (IAM policy). To use the
+    # `Tags` parameter, [kms:TagResource][11] (IAM policy). For examples and
+    # information about related permissions, see [Allow a user to create KMS
+    # keys][12] in the *Key Management Service Developer Guide*.
     #
     # **Related operations:**
     #
@@ -1591,26 +1602,23 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must allow the principal that is making the `CreateKey`
-    #     request to make a subsequent PutKeyPolicy request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
-    #     Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a subsequent
+    #     `PutKeyPolicy` request on the KMS key. This reduces the risk that
+    #     the KMS key becomes unmanageable. For more information, see [Default
+    #     key policy][1] in the *Key Management Service Developer Guide*. (To
+    #     omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to KMS. When you create a new Amazon Web Services principal
-    #     (for example, an IAM user or role), you might need to enforce a
-    #     delay before including the new principal in a key policy because the
-    #     new principal might not be immediately visible to KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *Amazon Web Services Identity and Access
-    #     Management User Guide*.
+    #     visible to KMS. When you create a new Amazon Web Services principal,
+    #     you might need to enforce a delay before including the new principal
+    #     in a key policy because the new principal might not be immediately
+    #     visible to KMS. For more information, see [Changes that I make are
+    #     not always immediately visible][2] in the *Amazon Web Services
+    #     Identity and Access Management User Guide*.
     #
     #   If you do not provide a key policy, KMS attaches a default key policy
-    #   to the KMS key. For more information, see [Default Key Policy][3] in
+    #   to the KMS key. For more information, see [Default key policy][3] in
     #   the *Key Management Service Developer Guide*.
     #
     #   The key policy size quota is 32 kilobytes (32768 bytes).
@@ -1621,17 +1629,19 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [String] :description
-    #   A description of the KMS key.
+    #   A description of the KMS key. Use a description that helps you decide
+    #   whether the KMS key is appropriate for a task. The default value is an
+    #   empty string (no description).
     #
-    #   Use a description that helps you decide whether the KMS key is
-    #   appropriate for a task. The default value is an empty string (no
-    #   description).
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
     #
     #   To set or change the description after the key is created, use
     #   UpdateKeyDescription.
@@ -1797,31 +1807,32 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The default
+    #   value is false.
     #
     #   Setting this value to true increases the risk that the KMS key becomes
     #   unmanageable. Do not set this value to true indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>.
-    #
-    #   Use this parameter only when you include a policy in the request and
-    #   you intend to prevent the principal that is making the request from
-    #   making a subsequent PutKeyPolicy request on the KMS key.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value is false.
+    #   Use this parameter only when you intend to prevent the principal that
+    #   is making the request from making a subsequent PutKeyPolicy request on
+    #   the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #
     # @option params [Array<Types::Tag>] :tags
     #   Assigns one or more tags to the KMS key. Use this parameter to tag the
     #   KMS key when it is created. To tag an existing KMS key, use the
     #   TagResource operation.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
     #   key. For details, see [ABAC for KMS][1] in the *Key Management Service
     #   Developer Guide*.
@@ -2134,7 +2145,7 @@ module Aws::KMS
     #     key_metadata: {
     #       aws_account_id: "111122223333", 
     #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
-    #       cloud_hsm_cluster_id: "cluster-1a23b4cdefg", 
+    #       cloud_hsm_cluster_id: "cluster-234abcdefABC", 
     #       creation_date: Time.parse("2019-12-02T07:48:55-07:00"), 
     #       custom_key_store_id: "cks-1234567890abcdef0", 
     #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
@@ -2296,30 +2307,37 @@ module Aws::KMS
     # key that you intend.
     #
     # Whenever possible, use key policies to give users permission to call
-    # the `Decrypt` operation on a particular KMS key, instead of using IAM
-    # policies. Otherwise, you might create an IAM user policy that gives
-    # the user `Decrypt` permission on all KMS keys. This user could decrypt
-    # ciphertext that was encrypted by KMS keys in other accounts if the key
-    # policy for the cross-account KMS key permits it. If you must use an
-    # IAM policy for `Decrypt` permissions, limit the user to particular KMS
-    # keys or particular trusted accounts. For details, see [Best practices
-    # for IAM policies][4] in the *Key Management Service Developer Guide*.
-    #
-    # Applications in Amazon Web Services Nitro Enclaves can call this
-    # operation by using the [Amazon Web Services Nitro Enclaves Development
-    # Kit][5]. For information about the supporting parameters, see [How
-    # Amazon Web Services Nitro Enclaves use KMS][6] in the *Key Management
-    # Service Developer Guide*.
+    # the `Decrypt` operation on a particular KMS key, instead of using
+    # &amp;IAM; policies. Otherwise, you might create an &amp;IAM; policy
+    # that gives the user `Decrypt` permission on all KMS keys. This user
+    # could decrypt ciphertext that was encrypted by KMS keys in other
+    # accounts if the key policy for the cross-account KMS key permits it.
+    # If you must use an IAM policy for `Decrypt` permissions, limit the
+    # user to particular KMS keys or particular trusted accounts. For
+    # details, see [Best practices for IAM policies][4] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # `Decrypt` also supports [Amazon Web Services Nitro Enclaves][5], which
+    # provide an isolated compute environment in Amazon EC2. To call
+    # `Decrypt` for a Nitro enclave, use the [Amazon Web Services Nitro
+    # Enclaves SDK][6] or any Amazon Web Services SDK. Use the `Recipient`
+    # parameter to provide the attestation document for the enclave. Instead
+    # of the plaintext data, the response includes the plaintext data
+    # encrypted with the public key from the attestation document
+    # (`CiphertextForRecipient`).For information about the interaction
+    # between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon
+    # Web Services Nitro Enclaves uses KMS][7] in the *Key Management
+    # Service Developer Guide*..
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][7] in the *Key
+    # key state. For details, see [Key states of KMS keys][8] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
-    # in a different Amazon Web Services account, specify the key ARN or
-    # alias ARN in the value of the `KeyId` parameter.
+    # **Cross-account use**: Yes. If you use the `KeyId` parameter to
+    # identify a KMS key in a different Amazon Web Services account, specify
+    # the key ARN or the alias ARN of the KMS key.
     #
-    # **Required permissions**\: [kms:Decrypt][8] (key policy)
+    # **Required permissions**: [kms:Decrypt][9] (key policy)
     #
     # **Related operations:**
     #
@@ -2337,10 +2355,11 @@ module Aws::KMS
     # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
     # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices
-    # [5]: https://github.com/aws/aws-nitro-enclaves-sdk-c
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
+    # [6]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String, StringIO, File] :ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
@@ -2425,16 +2444,44 @@ module Aws::KMS
     #   represents the only supported algorithm that is valid for symmetric
     #   encryption KMS keys.
     #
+    # @option params [Types::RecipientInfo] :recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's public
+    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning the plaintext data,
+    #   KMS encrypts the plaintext data with the public key in the attestation
+    #   document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can be
+    #   decrypted only with the private key in the enclave. The `Plaintext`
+    #   field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #
     # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DecryptResponse#key_id #key_id} => String
     #   * {Types::DecryptResponse#plaintext #plaintext} => String
     #   * {Types::DecryptResponse#encryption_algorithm #encryption_algorithm} => String
+    #   * {Types::DecryptResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
     #
     #
-    # @example Example: To decrypt data
+    # @example Example: To decrypt data with a symmetric encryption KMS key
     #
-    #   # The following example decrypts data that was encrypted with a KMS key.
+    #   # The following example decrypts data that was encrypted with a symmetric encryption KMS key. The KeyId is not required
+    #   # when decrypting with a symmetric encryption key, but it is a best practice.
     #
     #   resp = client.decrypt({
     #     ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
@@ -2443,10 +2490,51 @@ module Aws::KMS
     #
     #   resp.to_h outputs the following:
     #   {
+    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS.
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
     #     plaintext: "<binary data>", # The decrypted (plaintext) data.
     #   }
     #
+    # @example Example: To decrypt data with an asymmetric encryption KMS key
+    #
+    #   # The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption
+    #   # key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.
+    #
+    #   resp = client.decrypt({
+    #     ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
+    #     encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm that was used to encrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
+    #     key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # A key identifier for the KMS key to use to decrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm that was used to decrypt the ciphertext.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
+    #     plaintext: "<binary data>", # The decrypted (plaintext) data.
+    #   }
+    #
+    # @example Example: To decrypt data for a Nitro enclave
+    #
+    #   # The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro
+    #   # enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data
+    #   # encrypted by the public key from the attestation document (CiphertextForRecipient).
+    #
+    #   resp = client.decrypt({
+    #     ciphertext_blob: "<binary data>", # The encrypted data. This ciphertext was encrypted with the KMS key
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key to use to decrypt the ciphertext
+    #     recipient: {
+    #       attestation_document: "<attestation document>", 
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
+    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     ciphertext_for_recipient: "<binary data>", # The decrypted CiphertextBlob encrypted with the public key from the attestation document
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key that was used to decrypt the encrypted data (CiphertextBlob)
+    #     plaintext: "", # This field is null or empty
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.decrypt({
@@ -2457,6 +2545,10 @@ module Aws::KMS
     #     grant_tokens: ["GrantTokenType"],
     #     key_id: "KeyIdType",
     #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
+    #     recipient: {
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
+    #       attestation_document: "data",
+    #     },
     #   })
     #
     # @example Response structure
@@ -2464,6 +2556,7 @@ module Aws::KMS
     #   resp.key_id #=> String
     #   resp.plaintext #=> String
     #   resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
+    #   resp.ciphertext_for_recipient #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
     #
@@ -2492,7 +2585,7 @@ module Aws::KMS
     # create a new alias. To associate an existing alias with a different
     # KMS key, call UpdateAlias.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on an
+    # **Cross-account use**: No. You cannot perform this operation on an
     # alias in a different Amazon Web Services account.
     #
     # **Required permissions**
@@ -2586,10 +2679,10 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a
+    # **Cross-account use**: No. You cannot perform this operation on a
     # custom key store in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DeleteCustomKeyStore][5] (IAM policy)
+    # **Required permissions**: [kms:DeleteCustomKeyStore][5] (IAM policy)
     #
     # **Related operations:**
     #
@@ -2663,10 +2756,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DeleteImportedKeyMaterial][3] (key
+    # **Required permissions**: [kms:DeleteImportedKeyMaterial][3] (key
     # policy)
     #
     # **Related operations:**
@@ -2758,10 +2851,10 @@ module Aws::KMS
     # see the [Troubleshooting external key stores][3]. Both topics are in
     # the *Key Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a
+    # **Cross-account use**: No. You cannot perform this operation on a
     # custom key store in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DescribeCustomKeyStores][4] (IAM
+    # **Required permissions**: [kms:DescribeCustomKeyStores][4] (IAM
     # policy)
     #
     # **Related operations:**
@@ -2847,7 +2940,7 @@ module Aws::KMS
     #   {
     #     custom_key_stores: [
     #       {
-    #         cloud_hsm_cluster_id: "cluster-1a23b4cdefg", 
+    #         cloud_hsm_cluster_id: "cluster-234abcdefABC", 
     #         connection_state: "CONNECTED", 
     #         creation_date: Time.parse("1.499288695918E9"), 
     #         custom_key_store_id: "cks-1234567890abcdef0", 
@@ -2996,11 +3089,11 @@ module Aws::KMS
     # services use `DescribeKey` to create [Amazon Web Services managed
     # keys][2] from a *predefined Amazon Web Services alias* with no key ID.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:DescribeKey][4] (key policy)
+    # **Required permissions**: [kms:DescribeKey][4] (key policy)
     #
     # **Related operations:**
     #
@@ -3232,7 +3325,7 @@ module Aws::KMS
     #     key_metadata: {
     #       aws_account_id: "123456789012", 
     #       arn: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
-    #       cloud_hsm_cluster_id: "cluster-1a23b4cdefg", 
+    #       cloud_hsm_cluster_id: "cluster-234abcdefABC", 
     #       creation_date: Time.parse(1646160362.664), 
     #       custom_key_store_id: "cks-1234567890abcdef0", 
     #       customer_master_key_spec: "SYMMETRIC_DEFAULT", 
@@ -3347,12 +3440,12 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DisableKey][3] (key policy)
+    # **Required permissions**: [kms:DisableKey][3] (key policy)
     #
-    # **Related operations**\: EnableKey
+    # **Related operations**: EnableKey
     #
     #
     #
@@ -3427,10 +3520,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][10] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DisableKeyRotation][11] (key policy)
+    # **Required permissions**: [kms:DisableKeyRotation][11] (key policy)
     #
     # **Related operations:**
     #
@@ -3532,10 +3625,10 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a
+    # **Cross-account use**: No. You cannot perform this operation on a
     # custom key store in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:DisconnectCustomKeyStore][3] (IAM
+    # **Required permissions**: [kms:DisconnectCustomKeyStore][3] (IAM
     # policy)
     #
     # **Related operations:**
@@ -3601,12 +3694,12 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:EnableKey][3] (key policy)
+    # **Required permissions**: [kms:EnableKey][3] (key policy)
     #
-    # **Related operations**\: DisableKey
+    # **Related operations**: DisableKey
     #
     #
     #
@@ -3693,10 +3786,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][11] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:EnableKeyRotation][12] (key policy)
+    # **Required permissions**: [kms:EnableKeyRotation][12] (key policy)
     #
     # **Related operations:**
     #
@@ -3812,39 +3905,39 @@ module Aws::KMS
     #
     # * Symmetric encryption KMS keys
     #
-    #   * `SYMMETRIC_DEFAULT`\: 4096 bytes
+    #   * `SYMMETRIC_DEFAULT`: 4096 bytes
     #
     #   ^
     #
     # * `RSA_2048`
     #
-    #   * `RSAES_OAEP_SHA_1`\: 214 bytes
+    #   * `RSAES_OAEP_SHA_1`: 214 bytes
     #
-    #   * `RSAES_OAEP_SHA_256`\: 190 bytes
+    #   * `RSAES_OAEP_SHA_256`: 190 bytes
     #
     # * `RSA_3072`
     #
-    #   * `RSAES_OAEP_SHA_1`\: 342 bytes
+    #   * `RSAES_OAEP_SHA_1`: 342 bytes
     #
-    #   * `RSAES_OAEP_SHA_256`\: 318 bytes
+    #   * `RSAES_OAEP_SHA_256`: 318 bytes
     #
     # * `RSA_4096`
     #
-    #   * `RSAES_OAEP_SHA_1`\: 470 bytes
+    #   * `RSAES_OAEP_SHA_1`: 470 bytes
     #
-    #   * `RSAES_OAEP_SHA_256`\: 446 bytes
+    #   * `RSAES_OAEP_SHA_256`: 446 bytes
     #
-    # * `SM2PKE`\: 1024 bytes (China Regions only)
+    # * `SM2PKE`: 1024 bytes (China Regions only)
     #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:Encrypt][3] (key policy)
+    # **Required permissions**: [kms:Encrypt][3] (key policy)
     #
     # **Related operations:**
     #
@@ -3894,6 +3987,10 @@ module Aws::KMS
     #   asymmetric encryption algorithms and HMAC algorithms that KMS uses do
     #   not support an encryption context.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -3942,9 +4039,9 @@ module Aws::KMS
     #   * {Types::EncryptResponse#encryption_algorithm #encryption_algorithm} => String
     #
     #
-    # @example Example: To encrypt data
+    # @example Example: To encrypt data with a symmetric encryption KMS key
     #
-    #   # The following example encrypts data with the specified KMS key.
+    #   # The following example encrypts data with the specified symmetric encryption KMS key.
     #
     #   resp = client.encrypt({
     #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
@@ -3954,9 +4051,28 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
+    #     encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used in the operation. For symmetric encryption keys, the encryption algorithm is always SYMMETRIC_DEFAULT.
     #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that was used to encrypt the data.
     #   }
     #
+    # @example Example: To encrypt data with an asymmetric encryption KMS key
+    #
+    #   # The following example encrypts data with the specified RSA asymmetric KMS key. When you encrypt with an asymmetric key,
+    #   # you must specify the encryption algorithm.
+    #
+    #   resp = client.encrypt({
+    #     encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm to use in the operation.
+    #     key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # The identifier of the KMS key to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
+    #     plaintext: "<binary data>", # The data to encrypt.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
+    #     encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm that was used in the operation.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The ARN of the KMS key that was used to encrypt the data.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.encrypt({
@@ -4001,10 +4117,10 @@ module Aws::KMS
     # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
     # and 256-bit data keys, use the `KeySpec` parameter.
     #
-    # To generate an SM4 data key (China Regions only), specify a `KeySpec`
-    # value of `AES_128` or `NumberOfBytes` value of `128`. The symmetric
-    # encryption key used in China Regions to encrypt your data key is an
-    # SM4 encryption key.
+    # To generate a 128-bit SM4 data key (China Regions only), specify a
+    # `KeySpec` value of `AES_128` or a `NumberOfBytes` value of `16`. The
+    # symmetric encryption key used in China Regions to encrypt your data
+    # key is an SM4 encryption key.
     #
     # To get only an encrypted copy of the data key, use
     # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
@@ -4020,14 +4136,22 @@ module Aws::KMS
     # information, see [Encryption Context][1] in the *Key Management
     # Service Developer Guide*.
     #
-    # Applications in Amazon Web Services Nitro Enclaves can call this
-    # operation by using the [Amazon Web Services Nitro Enclaves Development
-    # Kit][2]. For information about the supporting parameters, see [How
-    # Amazon Web Services Nitro Enclaves use KMS][3] in the *Key Management
-    # Service Developer Guide*.
+    # `GenerateDataKey` also supports [Amazon Web Services Nitro
+    # Enclaves][2], which provide an isolated compute environment in Amazon
+    # EC2. To call `GenerateDataKey` for an Amazon Web Services Nitro
+    # enclave, use the [Amazon Web Services Nitro Enclaves SDK][3] or any
+    # Amazon Web Services SDK. Use the `Recipient` parameter to provide the
+    # attestation document for the enclave. `GenerateDataKey` returns a copy
+    # of the data key encrypted under the specified KMS key, as usual. But
+    # instead of a plaintext copy of the data key, the response includes a
+    # copy of the data key encrypted under the public key from the
+    # attestation document (`CiphertextForRecipient`). For information about
+    # the interaction between KMS and Amazon Web Services Nitro Enclaves,
+    # see [How Amazon Web Services Nitro Enclaves uses KMS][4] in the *Key
+    # Management Service Developer Guide*..
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
     # Management Service Developer Guide*.
     #
     # **How to use your data key**
@@ -4035,8 +4159,8 @@ module Aws::KMS
     # We recommend that you use the following pattern to encrypt data
     # locally in your application. You can write your own code or use a
     # client-side encryption library, such as the [Amazon Web Services
-    # Encryption SDK][5], the [Amazon DynamoDB Encryption Client][6], or
-    # [Amazon S3 client-side encryption][7] to do these tasks for you.
+    # Encryption SDK][6], the [Amazon DynamoDB Encryption Client][7], or
+    # [Amazon S3 client-side encryption][8] to do these tasks for you.
     #
     # To encrypt data outside of KMS:
     #
@@ -4057,11 +4181,11 @@ module Aws::KMS
     # 2.  Use the plaintext data key to decrypt data outside of KMS, then
     #     erase the plaintext data key from memory.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GenerateDataKey][8] (key policy)
+    # **Required permissions**: [kms:GenerateDataKey][9] (key policy)
     #
     # **Related operations:**
     #
@@ -4078,13 +4202,14 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [2]: https://github.com/aws/aws-nitro-enclaves-sdk-c
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [5]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
-    # [6]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
-    # [7]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
+    # [3]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [6]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
+    # [7]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
+    # [8]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [required, String] :key_id
     #   Specifies the symmetric encryption KMS key that encrypts the data key.
@@ -4115,6 +4240,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting the
     #   data key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -4160,11 +4289,40 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Types::RecipientInfo] :recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's public
+    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning the plaintext data
+    #   key, KMS encrypts the plaintext data key under the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can be
+    #   decrypted only with the private key in the enclave. The
+    #   `CiphertextBlob` field in the response contains a copy of the data key
+    #   encrypted under the KMS key specified by the `KeyId` parameter. The
+    #   `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #
     # @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateDataKeyResponse#ciphertext_blob #ciphertext_blob} => String
     #   * {Types::GenerateDataKeyResponse#plaintext #plaintext} => String
     #   * {Types::GenerateDataKeyResponse#key_id #key_id} => String
+    #   * {Types::GenerateDataKeyResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
     #
     #
     # @example Example: To generate a data key
@@ -4184,6 +4342,31 @@ module Aws::KMS
     #     plaintext: "<binary data>", # The unencrypted (plaintext) data key.
     #   }
     #
+    # @example Example: To generate a data key pair for a Nitro enclave
+    #
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
+    #   # Instead of returning a copy of the data key encrypted by the KMS key and a plaintext copy of the data key,
+    #   # GenerateDataKey returns one copy of the data key encrypted by the KMS key (CiphertextBlob) and one copy of the data key
+    #   # encrypted by the public key from the attestation document (CiphertextForRecipient). The operation doesn't return a
+    #   # plaintext data key. 
+    #
+    #   resp = client.generate_data_key({
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # Identifies the KMS key used to encrypt the encrypted data key (CiphertextBlob)
+    #     key_spec: "AES_256", # Specifies the type of data key to return
+    #     recipient: {
+    #       attestation_document: "<attestation document>", 
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
+    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     ciphertext_blob: "<binary data>", # The data key encrypted by the specified KMS key
+    #     ciphertext_for_recipient: "<binary data>", # The plaintext data key encrypted by the public key from the attestation document
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key used to encrypt the CiphertextBlob (encrypted data key)
+    #     plaintext: "", # This field is null or empty
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.generate_data_key({
@@ -4194,6 +4377,10 @@ module Aws::KMS
     #     number_of_bytes: 1,
     #     key_spec: "AES_256", # accepts AES_256, AES_128
     #     grant_tokens: ["GrantTokenType"],
+    #     recipient: {
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
+    #       attestation_document: "data",
+    #     },
     #   })
     #
     # @example Response structure
@@ -4201,6 +4388,7 @@ module Aws::KMS
     #   resp.ciphertext_blob #=> String
     #   resp.plaintext #=> String
     #   resp.key_id #=> String
+    #   resp.ciphertext_for_recipient #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey AWS API Documentation
     #
@@ -4253,23 +4441,38 @@ module Aws::KMS
     # 5280][1]. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as
     # specified in [RFC 5958][2].
     #
+    # `GenerateDataKeyPair` also supports [Amazon Web Services Nitro
+    # Enclaves][3], which provide an isolated compute environment in Amazon
+    # EC2. To call `GenerateDataKeyPair` for an Amazon Web Services Nitro
+    # enclave, use the [Amazon Web Services Nitro Enclaves SDK][4] or any
+    # Amazon Web Services SDK. Use the `Recipient` parameter to provide the
+    # attestation document for the enclave. `GenerateDataKeyPair` returns
+    # the public data key and a copy of the private data key encrypted under
+    # the specified KMS key, as usual. But instead of a plaintext copy of
+    # the private data key (`PrivateKeyPlaintext`), the response includes a
+    # copy of the private data key encrypted under the public key from the
+    # attestation document (`CiphertextForRecipient`). For information about
+    # the interaction between KMS and Amazon Web Services Nitro Enclaves,
+    # see [How Amazon Web Services Nitro Enclaves uses KMS][5] in the *Key
+    # Management Service Developer Guide*..
+    #
     # You can use an optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
     # to decrypt fails with an `InvalidCiphertextException`. For more
-    # information, see [Encryption Context][3] in the *Key Management
+    # information, see [Encryption Context][6] in the *Key Management
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # key state. For details, see [Key states of KMS keys][7] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GenerateDataKeyPair][5] (key policy)
+    # **Required permissions**: [kms:GenerateDataKeyPair][8] (key policy)
     #
     # **Related operations:**
     #
@@ -4287,14 +4490,21 @@ module Aws::KMS
     #
     # [1]: https://tools.ietf.org/html/rfc5280
     # [2]: https://tools.ietf.org/html/rfc5958
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
+    # [4]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used when encrypting the
     #   private key in the data key pair.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -4357,6 +4567,35 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Types::RecipientInfo] :recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's public
+    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning a plaintext copy of
+    #   the private data key, KMS encrypts the plaintext private data key
+    #   under the public key in the attestation document, and returns the
+    #   resulting ciphertext in the `CiphertextForRecipient` field in the
+    #   response. This ciphertext can be decrypted only with the private key
+    #   in the enclave. The `CiphertextBlob` field in the response contains a
+    #   copy of the private data key encrypted under the KMS key specified by
+    #   the `KeyId` parameter. The `PrivateKeyPlaintext` field in the response
+    #   is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #
     # @return [Types::GenerateDataKeyPairResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateDataKeyPairResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
@@ -4364,6 +4603,7 @@ module Aws::KMS
     #   * {Types::GenerateDataKeyPairResponse#public_key #public_key} => String
     #   * {Types::GenerateDataKeyPairResponse#key_id #key_id} => String
     #   * {Types::GenerateDataKeyPairResponse#key_pair_spec #key_pair_spec} => String
+    #   * {Types::GenerateDataKeyPairResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
     #
     #
     # @example Example: To generate an RSA key pair for encryption and decryption
@@ -4385,6 +4625,33 @@ module Aws::KMS
     #     public_key: "<binary data>", # The public key (plaintext) of the RSA data key pair.
     #   }
     #
+    # @example Example: To generate a data key pair for a Nitro enclave
+    #
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
+    #   # Instead of returning a plaintext copy of the private data key, GenerateDataKeyPair returns a copy of the private data
+    #   # key encrypted by the public key from the attestation document (CiphertextForRecipient). It returns the public data key
+    #   # (PublicKey) and a copy of private data key encrypted under the specified KMS key (PrivateKeyCiphertextBlob), as usual,
+    #   # but plaintext private data key field (PrivateKeyPlaintext) is null or empty. 
+    #
+    #   resp = client.generate_data_key_pair({
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
+    #     key_pair_spec: "RSA_3072", # The requested key spec of the RSA data key pair.
+    #     recipient: {
+    #       attestation_document: "<attestation document>", 
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
+    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     ciphertext_for_recipient: "<binary data>", # The private key of the RSA data key pair encrypted by the public key from the attestation document
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that was used to encrypt the PrivateKeyCiphertextBlob.
+    #     key_pair_spec: "RSA_3072", # The actual key spec of the RSA data key pair.
+    #     private_key_ciphertext_blob: "<binary data>", # The private key of the RSA data key pair encrypted by the KMS key.
+    #     private_key_plaintext: "", # This field is null or empty
+    #     public_key: "<binary data>", # The public key (plaintext) of the RSA data key pair.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.generate_data_key_pair({
@@ -4394,6 +4661,10 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
     #     grant_tokens: ["GrantTokenType"],
+    #     recipient: {
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
+    #       attestation_document: "data",
+    #     },
     #   })
     #
     # @example Response structure
@@ -4403,6 +4674,7 @@ module Aws::KMS
     #   resp.public_key #=> String
     #   resp.key_id #=> String
     #   resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
+    #   resp.ciphertext_for_recipient #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
     #
@@ -4456,12 +4728,12 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][3] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\:
-    # [kms:GenerateDataKeyPairWithoutPlaintext][4] (key policy)
+    # **Required permissions**: [kms:GenerateDataKeyPairWithoutPlaintext][4]
+    # (key policy)
     #
     # **Related operations:**
     #
@@ -4486,6 +4758,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting the
     #   private key in the data key pair.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -4637,7 +4913,7 @@ module Aws::KMS
     # and 256-bit data keys, use the `KeySpec` parameter.
     #
     # To generate an SM4 data key (China Regions only), specify a `KeySpec`
-    # value of `AES_128` or `NumberOfBytes` value of `128`. The symmetric
+    # value of `AES_128` or `NumberOfBytes` value of `16`. The symmetric
     # encryption key used in China Regions to encrypt your data key is an
     # SM4 encryption key.
     #
@@ -4656,11 +4932,11 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GenerateDataKeyWithoutPlaintext][3]
+    # **Required permissions**: [kms:GenerateDataKeyWithoutPlaintext][3]
     # (key policy)
     #
     # **Related operations:**
@@ -4710,6 +4986,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting the
     #   data key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -4823,13 +5103,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][3] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GenerateMac][4] (key policy)
+    # **Required permissions**: [kms:GenerateMac][4] (key policy)
     #
-    # **Related operations**\: VerifyMac
+    # **Related operations**: VerifyMac
     #
     #
     #
@@ -4935,26 +5215,33 @@ module Aws::KMS
     # the byte string in the CloudHSM cluster associated with an CloudHSM
     # key store, use the `CustomKeyStoreId` parameter.
     #
-    # Applications in Amazon Web Services Nitro Enclaves can call this
-    # operation by using the [Amazon Web Services Nitro Enclaves Development
-    # Kit][1]. For information about the supporting parameters, see [How
-    # Amazon Web Services Nitro Enclaves use KMS][2] in the *Key Management
-    # Service Developer Guide*.
+    # `GenerateRandom` also supports [Amazon Web Services Nitro
+    # Enclaves][1], which provide an isolated compute environment in Amazon
+    # EC2. To call `GenerateRandom` for a Nitro enclave, use the [Amazon Web
+    # Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK. Use
+    # the `Recipient` parameter to provide the attestation document for the
+    # enclave. Instead of plaintext bytes, the response includes the
+    # plaintext bytes encrypted under the public key from the attestation
+    # document (`CiphertextForRecipient`).For information about the
+    # interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    # [How Amazon Web Services Nitro Enclaves uses KMS][3] in the *Key
+    # Management Service Developer Guide*.
     #
     # For more information about entropy and random number generation, see
-    # [Key Management Service Cryptographic Details][3].
+    # [Key Management Service Cryptographic Details][4].
     #
-    # **Cross-account use**\: Not applicable. `GenerateRandom` does not use
+    # **Cross-account use**: Not applicable. `GenerateRandom` does not use
     # any account-specific resources, such as KMS keys.
     #
-    # **Required permissions**\: [kms:GenerateRandom][4] (IAM policy)
+    # **Required permissions**: [kms:GenerateRandom][5] (IAM policy)
     #
     #
     #
-    # [1]: https://github.com/aws/aws-nitro-enclaves-sdk-c
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
+    # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     #
     # @option params [Integer] :number_of_bytes
     #   The length of the random byte string. This parameter is required.
@@ -4968,9 +5255,36 @@ module Aws::KMS
     #   specify the ID of an external key store, `GenerateRandom` throws an
     #   `UnsupportedOperationException`.
     #
+    # @option params [Types::RecipientInfo] :recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's public
+    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning plaintext bytes, KMS
+    #   encrypts the plaintext bytes under the public key in the attestation
+    #   document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can be
+    #   decrypted only with the private key in the enclave. The `Plaintext`
+    #   field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #
     # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateRandomResponse#plaintext #plaintext} => String
+    #   * {Types::GenerateRandomResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
     #
     #
     # @example Example: To generate random data
@@ -4986,16 +5300,41 @@ module Aws::KMS
     #     plaintext: "<binary data>", # The random data.
     #   }
     #
+    # @example Example: To generate random data
+    #
+    #   # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
+    #   # Instead of returning a plaintext (unencrypted) byte string, GenerateRandom returns the byte string encrypted by the
+    #   # public key from the enclave's attestation document.
+    #
+    #   resp = client.generate_random({
+    #     number_of_bytes: 1024, # The length of the random byte string
+    #     recipient: {
+    #       attestation_document: "<attestation document>", 
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", 
+    #     }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     ciphertext_for_recipient: "<binary data>", # The random data encrypted under the public key from the attestation document
+    #     plaintext: "", # This field is null or empty
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.generate_random({
     #     number_of_bytes: 1,
     #     custom_key_store_id: "CustomKeyStoreIdType",
+    #     recipient: {
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
+    #       attestation_document: "data",
+    #     },
     #   })
     #
     # @example Response structure
     #
     #   resp.plaintext #=> String
+    #   resp.ciphertext_for_recipient #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom AWS API Documentation
     #
@@ -5008,12 +5347,12 @@ module Aws::KMS
 
     # Gets a key policy attached to the specified KMS key.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:GetKeyPolicy][1] (key policy)
+    # **Required permissions**: [kms:GetKeyPolicy][1] (key policy)
     #
-    # **Related operations**\: PutKeyPolicy
+    # **Related operations**: PutKeyPolicy
     #
     #
     #
@@ -5124,11 +5463,11 @@ module Aws::KMS
     #   If you cancel the deletion, the original key rotation status returns
     #   to `true`.
     #
-    # **Cross-account use**\: Yes. To perform this operation on a KMS key in
+    # **Cross-account use**: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
     # value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GetKeyRotationStatus][11] (key policy)
+    # **Required permissions**: [kms:GetKeyRotationStatus][11] (key policy)
     #
     # **Related operations:**
     #
@@ -5231,11 +5570,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:GetParametersForImport][3] (key
-    # policy)
+    # **Required permissions**: [kms:GetParametersForImport][3] (key policy)
     #
     # **Related operations:**
     #
@@ -5266,14 +5604,21 @@ module Aws::KMS
     #   DescribeKey.
     #
     # @option params [required, String] :wrapping_algorithm
-    #   The algorithm you will use to encrypt the key material before
-    #   importing it with ImportKeyMaterial. For more information, see
-    #   [Encrypt the Key Material][1] in the *Key Management Service Developer
-    #   Guide*.
+    #   The algorithm you will use to encrypt the key material before using
+    #   the ImportKeyMaterial operation to import it. For more information,
+    #   see [Encrypt the key material][1] in the *Key Management Service
+    #   Developer Guide*.
+    #
+    #   The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We recommend
+    #   that you begin using a different wrapping algorithm immediately. KMS
+    #   will end support for `RSAES_PKCS1_V1_5` by October 1, 2023 pursuant to
+    #   [cryptographic key management guidance][2] from the National Institute
+    #   of Standards and Technology (NIST).
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
+    #   [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
     #
     # @option params [required, String] :wrapping_key_spec
     #   The type of wrapping key (public key) to return in the response. Only
@@ -5349,12 +5694,12 @@ module Aws::KMS
     # returns important information about the public key in the response,
     # including:
     #
-    # * [KeySpec][2]\: The type of key material in the public key, such as
+    # * [KeySpec][2]: The type of key material in the public key, such as
     #   `RSA_4096` or `ECC_NIST_P521`.
     #
-    # * [KeyUsage][3]\: Whether the key is used for encryption or signing.
+    # * [KeyUsage][3]: Whether the key is used for encryption or signing.
     #
-    # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]\: A list of the
+    # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
     #   encryption algorithms or the signing algorithms for the key.
     #
     # Although KMS cannot enforce these restrictions on external operations,
@@ -5374,13 +5719,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][7] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:GetPublicKey][8] (key policy)
+    # **Required permissions**: [kms:GetPublicKey][8] (key policy)
     #
-    # **Related operations**\: CreateKey
+    # **Related operations**: CreateKey
     #
     #
     #
@@ -5545,10 +5890,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][4] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:ImportKeyMaterial][5] (key policy)
+    # **Required permissions**: [kms:ImportKeyMaterial][5] (key policy)
     #
     # **Related operations:**
     #
@@ -5680,10 +6025,10 @@ module Aws::KMS
     # Web Services creates in your account, including predefined aliases, do
     # not count against your [KMS aliases quota][1].
     #
-    # **Cross-account use**\: No. `ListAliases` does not return aliases in
+    # **Cross-account use**: No. `ListAliases` does not return aliases in
     # other Amazon Web Services accounts.
     #
-    # **Required permissions**\: [kms:ListAliases][2] (IAM policy)
+    # **Required permissions**: [kms:ListAliases][2] (IAM policy)
     #
     # For details, see [Controlling access to aliases][3] in the *Key
     # Management Service Developer Guide*.
@@ -5844,11 +6189,11 @@ module Aws::KMS
     #
     #  </note>
     #
-    # **Cross-account use**\: Yes. To perform this operation on a KMS key in
+    # **Cross-account use**: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
     # value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:ListGrants][4] (key policy)
+    # **Required permissions**: [kms:ListGrants][4] (key policy)
     #
     # **Related operations:**
     #
@@ -6023,10 +6368,10 @@ module Aws::KMS
     # GetKeyPolicy operation. However, the only valid policy name is
     # `default`.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:ListKeyPolicies][1] (key policy)
+    # **Required permissions**: [kms:ListKeyPolicies][1] (key policy)
     #
     # **Related operations:**
     #
@@ -6121,10 +6466,10 @@ module Aws::KMS
     # Gets a list of all KMS keys in the caller's Amazon Web Services
     # account and Region.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:ListKeys][1] (IAM policy)
+    # **Required permissions**: [kms:ListKeys][1] (IAM policy)
     #
     # **Related operations:**
     #
@@ -6236,10 +6581,10 @@ module Aws::KMS
     # Services General Reference*. For information about using tags in KMS,
     # see [Tagging keys][2].
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:ListResourceTags][3] (key policy)
+    # **Required permissions**: [kms:ListResourceTags][3] (key policy)
     #
     # **Related operations:**
     #
@@ -6363,14 +6708,14 @@ module Aws::KMS
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][2].
     #
-    # **Cross-account use**\: You must specify a principal in your Amazon
-    # Web Services account. However, this operation can return grants in any
+    # **Cross-account use**: You must specify a principal in your Amazon Web
+    # Services account. However, this operation can return grants in any
     # Amazon Web Services account. You do not need `kms:ListRetirableGrants`
     # permission (or any other additional permission) in any Amazon Web
     # Services account other than your own.
     #
-    # **Required permissions**\: [kms:ListRetirableGrants][3] (IAM policy)
-    # in your Amazon Web Services account.
+    # **Required permissions**: [kms:ListRetirableGrants][3] (IAM policy) in
+    # your Amazon Web Services account.
     #
     # **Related operations:**
     #
@@ -6406,17 +6751,16 @@ module Aws::KMS
     #   your Amazon Web Services account.
     #
     #   To specify the retiring principal, use the [Amazon Resource Name
-    #   (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
-    #   Services principals include Amazon Web Services accounts (root), IAM
-    #   users, federated users, and assumed role users. For examples of the
-    #   ARN syntax for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   (ARN)][1] of an Amazon Web Services principal. Valid principals
+    #   include Amazon Web Services accounts, IAM users, IAM roles, federated
+    #   users, and assumed role users. For help with the ARN syntax for a
+    #   principal, see [IAM ARNs][2] in the <i> <i>Identity and Access
+    #   Management User Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -6500,12 +6844,12 @@ module Aws::KMS
     # programming languages, see [Setting a key policy][3] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:PutKeyPolicy][4] (key policy)
+    # **Required permissions**: [kms:PutKeyPolicy][4] (key policy)
     #
-    # **Related operations**\: GetKeyPolicy
+    # **Related operations**: GetKeyPolicy
     #
     #
     #
@@ -6537,22 +6881,20 @@ module Aws::KMS
     #
     #   The key policy must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must allow the principal that is making the `PutKeyPolicy`
-    #     request to make a subsequent `PutKeyPolicy` request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the *Key Management Service Developer Guide*.
+    #   * The key policy must allow the calling principal to make a subsequent
+    #     `PutKeyPolicy` request on the KMS key. This reduces the risk that
+    #     the KMS key becomes unmanageable. For more information, see [Default
+    #     key policy][1] in the *Key Management Service Developer Guide*. (To
+    #     omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to KMS. When you create a new Amazon Web Services principal
-    #     (for example, an IAM user or role), you might need to enforce a
-    #     delay before including the new principal in a key policy because the
-    #     new principal might not be immediately visible to KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][2] in the *Amazon Web Services Identity and Access
-    #     Management User Guide*.
+    #     visible to KMS. When you create a new Amazon Web Services principal,
+    #     you might need to enforce a delay before including the new principal
+    #     in a key policy because the new principal might not be immediately
+    #     visible to KMS. For more information, see [Changes that I make are
+    #     not always immediately visible][2] in the *Amazon Web Services
+    #     Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -6573,30 +6915,28 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The default
+    #   value is false.
     #
     #   Setting this value to true increases the risk that the KMS key becomes
     #   unmanageable. Do not set this value to true indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent `PutKeyPolicy` request
-    #   on the KMS key.
-    #
-    #   The default value is false.
+    #   is making the request from making a subsequent PutKeyPolicy request on
+    #   the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -6692,12 +7032,12 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][6] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. The source KMS key and destination KMS
-    # key can be in different Amazon Web Services accounts. Either or both
-    # KMS keys can be in a different account than the caller. To specify a
-    # KMS key in a different account, you must use its key ARN or alias ARN.
+    # **Cross-account use**: Yes. The source KMS key and destination KMS key
+    # can be in different Amazon Web Services accounts. Either or both KMS
+    # keys can be in a different account than the caller. To specify a KMS
+    # key in a different account, you must use its key ARN or alias ARN.
     #
-    # **Required permissions**\:
+    # **Required permissions**:
     #
     # * [kms:ReEncryptFrom][7] permission on the source KMS key (key policy)
     #
@@ -6818,6 +7158,10 @@ module Aws::KMS
     #   Specifies that encryption context to use when the reencrypting the
     #   data.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   A destination encryption context is valid only when the destination
     #   KMS key is a symmetric encryption KMS key. The standard ciphertext
     #   format for asymmetric KMS keys does not include fields for metadata.
@@ -6998,10 +7342,10 @@ module Aws::KMS
     #
     #  </note>
     #
-    # **Cross-account use**\: No. You cannot use this operation to create a
+    # **Cross-account use**: No. You cannot use this operation to create a
     # replica key in a different Amazon Web Services account.
     #
-    # **Required permissions**\:
+    # **Required permissions**:
     #
     # * `kms:ReplicateKey` on the primary key (in the primary key's
     #   Region). Include this permission in the primary key's key policy.
@@ -7097,22 +7441,20 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
-    #     policy must give the caller `kms:PutKeyPolicy` permission on the
-    #     replica key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][2] section of the <i> <i>Key Management Service
-    #     Developer Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a subsequent
+    #     `PutKeyPolicy` request on the KMS key. This reduces the risk that
+    #     the KMS key becomes unmanageable. For more information, see [Default
+    #     key policy][2] in the *Key Management Service Developer Guide*. (To
+    #     omit this condition, set `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
-    #     visible to KMS. When you create a new Amazon Web Services principal
-    #     (for example, an IAM user or role), you might need to enforce a
-    #     delay before including the new principal in a key policy because the
-    #     new principal might not be immediately visible to KMS. For more
-    #     information, see [Changes that I make are not always immediately
-    #     visible][3] in the <i> <i>Identity and Access Management User
-    #     Guide</i> </i>.
+    #     visible to KMS. When you create a new Amazon Web Services principal,
+    #     you might need to enforce a delay before including the new principal
+    #     in a key policy because the new principal might not be immediately
+    #     visible to KMS. For more information, see [Changes that I make are
+    #     not always immediately visible][3] in the *Amazon Web Services
+    #     Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -7134,35 +7476,37 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The default
+    #   value is false.
     #
     #   Setting this value to true increases the risk that the KMS key becomes
     #   unmanageable. Do not set this value to true indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent `PutKeyPolicy` request
-    #   on the KMS key.
-    #
-    #   The default value is false.
+    #   is making the request from making a subsequent PutKeyPolicy request on
+    #   the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #
     # @option params [String] :description
     #   A description of the KMS key. The default value is an empty string (no
     #   description).
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   The description is not a shared property of multi-Region keys. You can
     #   specify the same description or a different description for each key
     #   in a set of related multi-Region keys. KMS does not synchronize this
@@ -7173,6 +7517,10 @@ module Aws::KMS
     #   the KMS key when it is created. To tag an existing KMS key, use the
     #   TagResource operation.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
     #   key. For details, see [ABAC for KMS][1] in the *Key Management Service
     #   Developer Guide*.
@@ -7337,10 +7685,10 @@ module Aws::KMS
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][4].
     #
-    # **Cross-account use**\: Yes. You can retire a grant on a KMS key in a
+    # **Cross-account use**: Yes. You can retire a grant on a KMS key in a
     # different Amazon Web Services account.
     #
-    # **Required permissions:**\:Permission to retire a grant is determined
+    # **Required permissions:**:Permission to retire a grant is determined
     # primarily by the grant. For details, see [Retiring and revoking
     # grants][2] in the *Key Management Service Developer Guide*.
     #
@@ -7435,11 +7783,11 @@ module Aws::KMS
     # Guide</i> </i>. For examples of working with grants in several
     # programming languages, see [Programming grants][4].
     #
-    # **Cross-account use**\: Yes. To perform this operation on a KMS key in
+    # **Cross-account use**: Yes. To perform this operation on a KMS key in
     # a different Amazon Web Services account, specify the key ARN in the
     # value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:RevokeGrant][5] (key policy).
+    # **Required permissions**: [kms:RevokeGrant][5] (key policy).
     #
     # **Related operations:**
     #
@@ -7556,10 +7904,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][6] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: kms:ScheduleKeyDeletion (key policy)
+    # **Required permissions**: kms:ScheduleKeyDeletion (key policy)
     #
     # **Related operations**
     #
@@ -7699,13 +8047,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][3] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:Sign][4] (key policy)
+    # **Required permissions**: [kms:Sign][4] (key policy)
     #
-    # **Related operations**\: Verify
+    # **Related operations**: Verify
     #
     #
     #
@@ -7741,15 +8089,52 @@ module Aws::KMS
     #
     # @option params [required, String, StringIO, File] :message
     #   Specifies the message or message digest to sign. Messages can be
-    #   0-4096 bytes. To sign a larger message, provide the message digest.
+    #   0-4096 bytes. To sign a larger message, provide a message digest.
     #
-    #   If you provide a message, KMS generates a hash digest of the message
-    #   and then signs it.
+    #   If you provide a message digest, use the `DIGEST` value of
+    #   `MessageType` to prevent the digest from being hashed again while
+    #   signing.
     #
     # @option params [String] :message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message or
-    #   message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message` parameter
+    #   is a message digest. If you use the `DIGEST` value with an unhashed
+    #   message, the security of the signing operation can be compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or specify
+    #   `RAW` so the digest is hashed again while signing. However, this can
+    #   cause verification failures when verifying with a system that assumes
+    #   a single hash.
+    #
+    #   The hashing algorithm in that `Sign` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -7768,7 +8153,9 @@ module Aws::KMS
     #   Specifies the signing algorithm to use when signing the message.
     #
     #   Choose an algorithm that is compatible with the type and size of the
-    #   specified asymmetric KMS key.
+    #   specified asymmetric KMS key. When signing with RSA key pairs,
+    #   RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
+    #   algorithms for compatibility with existing applications.
     #
     # @return [Types::SignResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -7796,6 +8183,26 @@ module Aws::KMS
     #     signing_algorithm: "ECDSA_SHA_384", # The actual signing algorithm that was used to generate the signature.
     #   }
     #
+    # @example Example: To digitally sign a message digest with an asymmetric KMS key.
+    #
+    #   # This operation uses the private key in an asymmetric RSA signing KMS key to generate a digital signature for a message
+    #   # digest. In this example, a large message was hashed and the resulting digest is provided in the Message parameter. To
+    #   # tell KMS not to hash the message again, the MessageType field is set to DIGEST
+    #
+    #   resp = client.sign({
+    #     key_id: "alias/RSA_signing_key", # The asymmetric KMS key to be used to generate the digital signature. This example uses an alias of the KMS key.
+    #     message: "<message digest to be signed>", # Message to be signed. Use Base-64 for the CLI.
+    #     message_type: "DIGEST", # Indicates whether the message is RAW or a DIGEST. When it is RAW, KMS hashes the message before signing. When it is DIGEST, KMS skips the hashing step and signs the Message value.
+    #     signing_algorithm: "RSASSA_PKCS1_V1_5_SHA_256", # The requested signing algorithm. This must be an algorithm that the KMS key supports.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The key ARN of the asymmetric KMS key that was used to sign the message.
+    #     signature: "<binary data>", # The digital signature of the message.
+    #     signing_algorithm: "RSASSA_PKCS1_V1_5_SHA_256", # The actual signing algorithm that was used to generate the signature.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.sign({
@@ -7850,10 +8257,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][9] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:TagResource][10] (key policy)
+    # **Required permissions**: [kms:TagResource][10] (key policy)
     #
     # **Related operations**
     #
@@ -7894,10 +8301,12 @@ module Aws::KMS
     #   DescribeKey.
     #
     # @option params [required, Array<Types::Tag>] :tags
-    #   One or more tags.
+    #   One or more tags. Each tag consists of a tag key and a tag value. The
+    #   tag value can be an empty (null) string.
     #
-    #   Each tag consists of a tag key and a tag value. The tag value can be
-    #   an empty (null) string.
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
     #
     #   You cannot have more than one tag on a KMS key with the same tag key.
     #   If you specify an existing tag key with a different tag value, KMS
@@ -7964,10 +8373,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][5] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:UntagResource][6] (key policy)
+    # **Required permissions**: [kms:UntagResource][6] (key policy)
     #
     # **Related operations**
     #
@@ -8068,7 +8477,7 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
     # **Required permissions**
@@ -8103,6 +8512,10 @@ module Aws::KMS
     #   `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the alias
     #   name.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     # @option params [required, String] :target_key_id
     #   Identifies the [customer managed key][1] to associate with the alias.
     #   You don't have permission to associate an alias with an [Amazon Web
@@ -8240,10 +8653,10 @@ module Aws::KMS
     # If the operation succeeds, it returns a JSON object with no
     # properties.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a
+    # **Cross-account use**: No. You cannot perform this operation on a
     # custom key store in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:UpdateCustomKeyStore][2] (IAM policy)
+    # **Required permissions**: [kms:UpdateCustomKeyStore][2] (IAM policy)
     #
     # **Related operations:**
     #
@@ -8272,6 +8685,10 @@ module Aws::KMS
     #   you specify. The custom key store name must be unique in the Amazon
     #   Web Services account.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     #   To change this value, an CloudHSM key store must be disconnected. An
     #   external key store can be connected or disconnected.
     #
@@ -8425,7 +8842,7 @@ module Aws::KMS
     #   # worked, use the DescribeCustomKeyStores operation.
     #
     #   resp = client.update_custom_key_store({
-    #     cloud_hsm_cluster_id: "cluster-1a23b4cdefg", # The ID of the AWS CloudHSM cluster that you want to associate with the custom key store. This cluster must be related to the original CloudHSM cluster for this key store.
+    #     cloud_hsm_cluster_id: "cluster-234abcdefABC", # The ID of the AWS CloudHSM cluster that you want to associate with the custom key store. This cluster must be related to the original CloudHSM cluster for this key store.
     #     custom_key_store_id: "cks-1234567890abcdef0", # The ID of the custom key store that you are updating.
     #   })
     #
@@ -8516,10 +8933,10 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][1] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: No. You cannot perform this operation on a KMS
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**\: [kms:UpdateKeyDescription][2] (key policy)
+    # **Required permissions**: [kms:UpdateKeyDescription][2] (key policy)
     #
     # **Related operations**
     #
@@ -8550,6 +8967,10 @@ module Aws::KMS
     # @option params [required, String] :description
     #   New description for the KMS key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and other
+    #   output.
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     #
@@ -8632,10 +9053,10 @@ module Aws::KMS
     # This operation does not return any output. To verify that primary key
     # is changed, use the DescribeKey operation.
     #
-    # **Cross-account use**\: No. You cannot use this operation in a
+    # **Cross-account use**: No. You cannot use this operation in a
     # different Amazon Web Services account.
     #
-    # **Required permissions**\:
+    # **Required permissions**:
     #
     # * `kms:UpdatePrimaryRegion` on the current primary key (in the primary
     #   key's Region). Include this permission primary key's key policy.
@@ -8735,9 +9156,12 @@ module Aws::KMS
     # keys, see [Asymmetric KMS keys][1] in the *Key Management Service
     # Developer Guide*.
     #
-    # To verify a digital signature, you can use the `Verify` operation.
-    # Specify the same asymmetric KMS key, message, and signing algorithm
-    # that were used to produce the signature.
+    # To use the `Verify` operation, specify the same asymmetric KMS key,
+    # message, and signing algorithm that were used to produce the
+    # signature. The message type does not need to be the same as the one
+    # used for signing, but it must indicate whether the value of the
+    # `Message` parameter should be hashed as part of the verification
+    # process.
     #
     # You can also verify the digital signature by using the public key of
     # the KMS key outside of KMS. Use the GetPublicKey operation to download
@@ -8758,13 +9182,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][3] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:Verify][4] (key policy)
+    # **Required permissions**: [kms:Verify][4] (key policy)
     #
-    # **Related operations**\: Sign
+    # **Related operations**: Sign
     #
     #
     #
@@ -8808,13 +9232,46 @@ module Aws::KMS
     #   digest are considered to be the same message.
     #
     # @option params [String] :message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message or
-    #   message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
     #
     #   Use the `DIGEST` value only when the value of the `Message` parameter
-    #   is a message digest. If you use the `DIGEST` value with a raw message,
-    #   the security of the verification operation can be compromised.
+    #   is a message digest. If you use the `DIGEST` value with an unhashed
+    #   message, the security of the verification operation can be
+    #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or specify
+    #   `RAW` so the digest is hashed again while signing. However, if the
+    #   signed message is hashed once while signing, but twice while
+    #   verifying, verification fails, even when the message hasn't changed.
+    #
+    #   The hashing algorithm in that `Verify` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #
     # @option params [required, String, StringIO, File] :signature
     #   The signature that the `Sign` operation generated.
@@ -8863,6 +9320,27 @@ module Aws::KMS
     #     signing_algorithm: "ECDSA_SHA_384", # The signing algorithm that was used to verify the signature.
     #   }
     #
+    # @example Example: To use an asymmetric KMS key to verify a digital signature on a message digest
+    #
+    #   # This operation uses the public key in an RSA asymmetric signing key pair to verify the digital signature of a message
+    #   # digest. Hashing a message into a digest before sending it to KMS lets you verify messages that exceed the 4096-byte
+    #   # message size limit. To indicate that the value of Message is a digest, use the MessageType parameter 
+    #
+    #   resp = client.verify({
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The asymmetric KMS key to be used to verify the digital signature. This example uses an alias to identify the KMS key.
+    #     message: "<message digest to be verified>", # The message that was signed.
+    #     message_type: "DIGEST", # Indicates whether the message is RAW or a DIGEST. When it is RAW, KMS hashes the message before signing. When it is DIGEST, KMS skips the hashing step and signs the Message value.
+    #     signature: "<binary data>", # The signature to be verified.
+    #     signing_algorithm: "RSASSA_PSS_SHA_512", # The signing algorithm to be used to verify the signature.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The key ARN of the asymmetric KMS key that was used to verify the digital signature.
+    #     signature_valid: true, # A value of 'true' Indicates that the signature was verified. If verification fails, the call to Verify fails.
+    #     signing_algorithm: "RSASSA_PSS_SHA_512", # The signing algorithm that was used to verify the signature.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.verify({
@@ -8909,13 +9387,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][3] in the *Key
     # Management Service Developer Guide*.
     #
-    # **Cross-account use**\: Yes. To perform this operation with a KMS key
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**\: [kms:VerifyMac][4] (key policy)
+    # **Required permissions**: [kms:VerifyMac][4] (key policy)
     #
-    # **Related operations**\: GenerateMac
+    # **Related operations**: GenerateMac
     #
     #
     #
@@ -9026,7 +9504,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.62.0'
+      context[:gem_version] = '1.64.0'
       Seahorse::Client::Request.new(handlers, context)
     end