aws-sdk-kms 1.62.0 → 1.64.0

data/lib/aws-sdk-kms/types.rb

@@ -264,6 +264,10 @@ module Aws::KMS
     #   Specifies the alias name. This value must begin with `alias/`
     #   followed by a name, such as `alias/ExampleAlias`.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   The `AliasName` value must be string of 1-256 characters. It can
     #   contain only alphanumeric characters, forward slashes (/),
     #   underscores (\_), and dashes (-). The alias name cannot begin with
@@ -317,6 +321,10 @@ module Aws::KMS
     #   Specifies a friendly name for the custom key store. The name must be
     #   unique in your Amazon Web Services account and Region. This
     #   parameter is required for all custom key stores.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #   @return [String]
     #
     # @!attribute [rw] cloud_hsm_cluster_id
@@ -566,18 +574,16 @@ module Aws::KMS
     # @!attribute [rw] grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
-    #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services
-    #   principals include Amazon Web Services accounts (root), IAM users,
-    #   IAM roles, federated users, and assumed role users. For examples of
-    #   the ARN syntax to use for specifying a principal, see [Amazon Web
-    #   Services Identity and Access Management (IAM)][2] in the Example
-    #   ARNs section of the *Amazon Web Services General Reference*.
+    #   To specify the grantee principal, use the Amazon Resource Name (ARN)
+    #   of an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal,
+    #   see [IAM ARNs][1] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -585,12 +591,11 @@ module Aws::KMS
     #   to retire the grant.
     #
     #   To specify the principal, use the [Amazon Resource Name (ARN)][1] of
-    #   an Amazon Web Services principal. Valid Amazon Web Services
-    #   principals include Amazon Web Services accounts (root), IAM users,
-    #   federated users, and assumed role users. For examples of the ARN
-    #   syntax to use for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   an Amazon Web Services principal. Valid principals include Amazon
+    #   Web Services accounts, IAM users, IAM roles, federated users, and
+    #   assumed role users. For help with the ARN syntax for a principal,
+    #   see [IAM ARNs][2] in the <i> <i>Identity and Access Management User
+    #   Guide</i> </i>.
     #
     #   The grant determines the retiring principal. Other principals might
     #   have permission to retire the grant or revoke the grant. For
@@ -600,7 +605,7 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     #   @return [String]
     #
@@ -623,23 +628,19 @@ module Aws::KMS
     # @!attribute [rw] constraints
     #   Specifies a grant constraint.
     #
-    #   KMS supports the `EncryptionContextEquals` and
-    #   `EncryptionContextSubset` grant constraints. Each constraint value
-    #   can include up to 8 encryption context pairs. The encryption context
-    #   value in each constraint cannot exceed 384 characters. For
-    #   information about grant constraints, see [Using grant
-    #   constraints][1] in the *Key Management Service Developer Guide*. For
-    #   more information about encryption context, see [Encryption
-    #   context][2] in the <i> <i>Key Management Service Developer Guide</i>
-    #   </i>.
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #
-    #   The encryption context grant constraints allow the permissions in
-    #   the grant only when the encryption context in the request matches
-    #   (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
-    #   the encryption context specified in this structure.
+    #   KMS supports the `EncryptionContextEquals` and
+    #   `EncryptionContextSubset` grant constraints, which allow the
+    #   permissions in the grant only when the encryption context in the
+    #   request matches (`EncryptionContextEquals`) or includes
+    #   (`EncryptionContextSubset`) the encryption context specified in the
+    #   constraint.
     #
     #   The encryption context grant constraints are supported only on
-    #   [grant operations][3] that include an `EncryptionContext` parameter,
+    #   [grant operations][1] that include an `EncryptionContext` parameter,
     #   such as cryptographic operations on symmetric encryption KMS keys.
     #   Grants with grant constraints can include the DescribeKey and
     #   RetireGrant operations, but the constraint doesn't apply to these
@@ -650,15 +651,21 @@ module Aws::KMS
     #
     #   You cannot use an encryption context grant constraint for
     #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
-    #   These keys don't support an encryption context.
-    #
+    #   Operations with these keys don't support an encryption context.
     #
+    #   Each constraint value can include up to 8 encryption context pairs.
+    #   The encryption context value in each constraint cannot exceed 384
+    #   characters. For information about grant constraints, see [Using
+    #   grant constraints][2] in the *Key Management Service Developer
+    #   Guide*. For more information about encryption context, see
+    #   [Encryption context][3] in the <i> <i>Key Management Service
+    #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -679,6 +686,10 @@ module Aws::KMS
     #   A friendly name for the grant. Use this value to prevent the
     #   unintended creation of duplicate grants when retrying this request.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   When this value is absent, all `CreateGrant` requests result in a
     #   new grant with a unique `GrantId` even if all the supplied
     #   parameters are identical. This can result in unintended duplicates
@@ -741,27 +752,25 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must allow the principal that is making the `CreateKey`
-    #     request to make a subsequent PutKeyPolicy request on the KMS key.
-    #     This reduces the risk that the KMS key becomes unmanageable. For
-    #     more information, refer to the scenario in the [Default Key
-    #     Policy][1] section of the <i> <i>Key Management Service Developer
-    #     Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][1] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][2] in the *Amazon Web Services Identity and
-    #     Access Management User Guide*.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][2] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   If you do not provide a key policy, KMS attaches a default key
-    #   policy to the KMS key. For more information, see [Default Key
-    #   Policy][3] in the *Key Management Service Developer Guide*.
+    #   policy to the KMS key. For more information, see [Default key
+    #   policy][3] in the *Key Management Service Developer Guide*.
     #
     #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
@@ -771,18 +780,20 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A description of the KMS key.
+    #   A description of the KMS key. Use a description that helps you
+    #   decide whether the KMS key is appropriate for a task. The default
+    #   value is an empty string (no description).
     #
-    #   Use a description that helps you decide whether the KMS key is
-    #   appropriate for a task. The default value is an empty string (no
-    #   description).
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #
     #   To set or change the description after the key is created, use
     #   UpdateKeyDescription.
@@ -957,26 +968,23 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the <i> <i>Key Management Service Developer
-    #   Guide</i> </i>.
-    #
-    #   Use this parameter only when you include a policy in the request and
-    #   you intend to prevent the principal that is making the request from
-    #   making a subsequent PutKeyPolicy request on the KMS key.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value is false.
+    #   Use this parameter only when you intend to prevent the principal
+    #   that is making the request from making a subsequent PutKeyPolicy
+    #   request on the KMS key.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @!attribute [rw] tags
@@ -984,6 +992,10 @@ module Aws::KMS
     #   the KMS key when it is created. To tag an existing KMS key, use the
     #   TagResource operation.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
     #   KMS key. For details, see [ABAC for KMS][1] in the *Key Management
     #   Service Developer Guide*.
@@ -1548,6 +1560,34 @@ module Aws::KMS
     #   encryption KMS keys.
     #   @return [String]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning the plaintext
+    #   data, KMS encrypts the plaintext data with the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can
+    #   be decrypted only with the private key in the enclave. The
+    #   `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
     #
     class DecryptRequest < Struct.new(
@@ -1555,7 +1595,8 @@ module Aws::KMS
       :encryption_context,
       :grant_tokens,
       :key_id,
-      :encryption_algorithm)
+      :encryption_algorithm,
+      :recipient)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1573,18 +1614,38 @@ module Aws::KMS
     #   Decrypted plaintext data. When you use the HTTP API or the Amazon
     #   Web Services CLI, the value is Base64-encoded. Otherwise, it is not
     #   Base64-encoded.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `Plaintext` field is null or empty.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
     #   The encryption algorithm that was used to decrypt the ciphertext.
     #   @return [String]
     #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext data encrypted with the public key in the attestation
+    #   document.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
     #
     class DecryptResponse < Struct.new(
       :key_id,
       :plaintext,
-      :encryption_algorithm)
+      :encryption_algorithm,
+      :ciphertext_for_recipient)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -1979,6 +2040,10 @@ module Aws::KMS
     #   asymmetric encryption algorithms and HMAC algorithms that KMS uses
     #   do not support an encryption context.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -2085,6 +2150,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting
     #   the private key in the data key pair.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -2152,13 +2221,45 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning a plaintext copy
+    #   of the private data key, KMS encrypts the plaintext private data key
+    #   under the public key in the attestation document, and returns the
+    #   resulting ciphertext in the `CiphertextForRecipient` field in the
+    #   response. This ciphertext can be decrypted only with the private key
+    #   in the enclave. The `CiphertextBlob` field in the response contains
+    #   a copy of the private data key encrypted under the KMS key specified
+    #   by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
+    #   response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
     #
     class GenerateDataKeyPairRequest < Struct.new(
       :encryption_context,
       :key_id,
       :key_pair_spec,
-      :grant_tokens)
+      :grant_tokens,
+      :recipient)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2173,6 +2274,9 @@ module Aws::KMS
     #   The plaintext copy of the private key. When you use the HTTP API or
     #   the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
     #   it is not Base64-encoded.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `PrivateKeyPlaintext` field is null or empty.
     #   @return [String]
     #
     # @!attribute [rw] public_key
@@ -2194,6 +2298,23 @@ module Aws::KMS
     #   The type of data key pair that was generated.
     #   @return [String]
     #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext private data key encrypted with the public key from
+    #   the Nitro enclave. This ciphertext can be decrypted only by using a
+    #   private key in the Nitro enclave.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
     #
     class GenerateDataKeyPairResponse < Struct.new(
@@ -2201,7 +2322,8 @@ module Aws::KMS
       :private_key_plaintext,
       :public_key,
       :key_id,
-      :key_pair_spec)
+      :key_pair_spec,
+      :ciphertext_for_recipient)
       SENSITIVE = [:private_key_plaintext]
       include Aws::Structure
     end
@@ -2210,6 +2332,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting
     #   the private key in the data key pair.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -2354,6 +2480,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting
     #   the data key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -2404,6 +2534,36 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #   @return [Array<String>]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning the plaintext data
+    #   key, KMS encrypts the plaintext data key under the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can
+    #   be decrypted only with the private key in the enclave. The
+    #   `CiphertextBlob` field in the response contains a copy of the data
+    #   key encrypted under the KMS key specified by the `KeyId` parameter.
+    #   The `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
     #
     class GenerateDataKeyRequest < Struct.new(
@@ -2411,7 +2571,8 @@ module Aws::KMS
       :encryption_context,
       :number_of_bytes,
       :key_spec,
-      :grant_tokens)
+      :grant_tokens,
+      :recipient)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2427,6 +2588,9 @@ module Aws::KMS
     #   Services CLI, the value is Base64-encoded. Otherwise, it is not
     #   Base64-encoded. Use this data key to encrypt your data outside of
     #   KMS. Then, remove it from memory as soon as possible.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `Plaintext` field is null or empty.
     #   @return [String]
     #
     # @!attribute [rw] key_id
@@ -2438,12 +2602,30 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext data key encrypted with the public key from the Nitro
+    #   enclave. This ciphertext can be decrypted only by using a private
+    #   key in the Nitro enclave.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
     #
     class GenerateDataKeyResponse < Struct.new(
       :ciphertext_blob,
       :plaintext,
-      :key_id)
+      :key_id,
+      :ciphertext_for_recipient)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -2478,6 +2660,10 @@ module Aws::KMS
     #   Specifies the encryption context that will be used when encrypting
     #   the data key.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represent additional authenticated data. When you use an
     #   encryption context to encrypt data, you must specify the same (an
@@ -2654,11 +2840,40 @@ module Aws::KMS
     #   `UnsupportedOperationException`.
     #   @return [String]
     #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
+    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #
+    #   When you use this parameter, instead of returning plaintext bytes,
+    #   KMS encrypts the plaintext bytes under the public key in the
+    #   attestation document, and returns the resulting ciphertext in the
+    #   `CiphertextForRecipient` field in the response. This ciphertext can
+    #   be decrypted only with the private key in the enclave. The
+    #   `Plaintext` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
     #
     class GenerateRandomRequest < Struct.new(
       :number_of_bytes,
-      :custom_key_store_id)
+      :custom_key_store_id,
+      :recipient)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2667,12 +2882,33 @@ module Aws::KMS
     #   The random byte string. When you use the HTTP API or the Amazon Web
     #   Services CLI, the value is Base64-encoded. Otherwise, it is not
     #   Base64-encoded.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `Plaintext` field is null or empty.
+    #   @return [String]
+    #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext random bytes encrypted with the public key from the
+    #   Nitro enclave. This ciphertext can be decrypted only by using a
+    #   private key in the Nitro enclave.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
     #
     class GenerateRandomResponse < Struct.new(
-      :plaintext)
+      :plaintext,
+      :ciphertext_for_recipient)
       SENSITIVE = [:plaintext]
       include Aws::Structure
     end
@@ -2776,14 +3012,21 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] wrapping_algorithm
-    #   The algorithm you will use to encrypt the key material before
-    #   importing it with ImportKeyMaterial. For more information, see
-    #   [Encrypt the Key Material][1] in the *Key Management Service
+    #   The algorithm you will use to encrypt the key material before using
+    #   the ImportKeyMaterial operation to import it. For more information,
+    #   see [Encrypt the key material][1] in the *Key Management Service
     #   Developer Guide*.
     #
+    #   The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We
+    #   recommend that you begin using a different wrapping algorithm
+    #   immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
+    #   1, 2023 pursuant to [cryptographic key management guidance][2] from
+    #   the National Institute of Standards and Technology (NIST).
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
+    #   [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
     #   @return [String]
     #
     # @!attribute [rw] wrapping_key_spec
@@ -4128,17 +4371,16 @@ module Aws::KMS
     #   in your Amazon Web Services account.
     #
     #   To specify the retiring principal, use the [Amazon Resource Name
-    #   (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
-    #   Services principals include Amazon Web Services accounts (root), IAM
-    #   users, federated users, and assumed role users. For examples of the
-    #   ARN syntax for specifying a principal, see [Amazon Web Services
-    #   Identity and Access Management (IAM)][2] in the Example ARNs section
-    #   of the *Amazon Web Services General Reference*.
+    #   (ARN)][1] of an Amazon Web Services principal. Valid principals
+    #   include Amazon Web Services accounts, IAM users, IAM roles,
+    #   federated users, and assumed role users. For help with the ARN
+    #   syntax for a principal, see [IAM ARNs][2] in the <i> <i>Identity and
+    #   Access Management User Guide</i> </i>.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
-    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
@@ -4256,23 +4498,21 @@ module Aws::KMS
     #
     #   The key policy must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must allow the principal that is making the
-    #     `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
-    #     on the KMS key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][1] section of the *Key Management Service
-    #     Developer Guide*.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][1] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][2] in the *Amazon Web Services Identity and
-    #     Access Management User Guide*.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][2] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -4293,32 +4533,30 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
-    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   that is making the request from making a subsequent PutKeyPolicy
     #   request on the KMS key.
     #
-    #   The default value is false.
-    #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -4423,6 +4661,10 @@ module Aws::KMS
     #   Specifies that encryption context to use when the reencrypting the
     #   data.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   A destination encryption context is valid only when the destination
     #   KMS key is a symmetric encryption KMS key. The standard ciphertext
     #   format for asymmetric KMS keys does not include fields for metadata.
@@ -4537,6 +4779,39 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # Contains information about the party that receives the response from
+    # the API operation.
+    #
+    # This data type is designed to support Amazon Web Services Nitro
+    # Enclaves, which lets you create an isolated compute environment in
+    # Amazon EC2. For information about the interaction between KMS and
+    # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
+    # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #
+    # @!attribute [rw] key_encryption_algorithm
+    #   The encryption algorithm that KMS should use with the public key for
+    #   an Amazon Web Services Nitro Enclave to encrypt plaintext values for
+    #   the response. The only valid value is `RSAES_OAEP_SHA_256`.
+    #   @return [String]
+    #
+    # @!attribute [rw] attestation_document
+    #   The attestation document for an Amazon Web Services Nitro Enclave.
+    #   This document includes the enclave's public key.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
+    #
+    class RecipientInfo < Struct.new(
+      :key_encryption_algorithm,
+      :attestation_document)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] key_id
     #   Identifies the multi-Region primary key that is being replicated. To
     #   determine whether a KMS key is a multi-Region primary key, use the
@@ -4606,22 +4881,21 @@ module Aws::KMS
     #
     #   If you provide a key policy, it must meet the following criteria:
     #
-    #   * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
-    #     key policy must give the caller `kms:PutKeyPolicy` permission on
-    #     the replica key. This reduces the risk that the KMS key becomes
-    #     unmanageable. For more information, refer to the scenario in the
-    #     [Default Key Policy][2] section of the <i> <i>Key Management
-    #     Service Developer Guide</i> </i>.
+    #   * The key policy must allow the calling principal to make a
+    #     subsequent `PutKeyPolicy` request on the KMS key. This reduces the
+    #     risk that the KMS key becomes unmanageable. For more information,
+    #     see [Default key policy][2] in the *Key Management Service
+    #     Developer Guide*. (To omit this condition, set
+    #     `BypassPolicyLockoutSafetyCheck` to true.)
     #
     #   * Each statement in the key policy must contain one or more
     #     principals. The principals in the key policy must exist and be
     #     visible to KMS. When you create a new Amazon Web Services
-    #     principal (for example, an IAM user or role), you might need to
-    #     enforce a delay before including the new principal in a key policy
-    #     because the new principal might not be immediately visible to KMS.
-    #     For more information, see [Changes that I make are not always
-    #     immediately visible][3] in the <i> <i>Identity and Access
-    #     Management User Guide</i> </i>.
+    #     principal, you might need to enforce a delay before including the
+    #     new principal in a key policy because the new principal might not
+    #     be immediately visible to KMS. For more information, see [Changes
+    #     that I make are not always immediately visible][3] in the *Amazon
+    #     Web Services Identity and Access Management User Guide*.
     #
     #   A key policy document can include only the following characters:
     #
@@ -4643,38 +4917,40 @@ module Aws::KMS
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
     #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
-    #   A flag to indicate whether to bypass the key policy lockout safety
-    #   check.
+    #   Skips ("bypasses") the key policy lockout safety check. The
+    #   default value is false.
     #
     #   Setting this value to true increases the risk that the KMS key
     #   becomes unmanageable. Do not set this value to true
     #   indiscriminately.
     #
-    #    For more information, refer to the scenario in the [Default Key
-    #   Policy][1] section in the *Key Management Service Developer Guide*.
+    #    For more information, see [Default key policy][1] in the *Key
+    #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal
-    #   that is making the request from making a subsequent `PutKeyPolicy`
+    #   that is making the request from making a subsequent PutKeyPolicy
     #   request on the KMS key.
     #
-    #   The default value is false.
     #
     #
-    #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
     #   @return [Boolean]
     #
     # @!attribute [rw] description
     #   A description of the KMS key. The default value is an empty string
     #   (no description).
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   The description is not a shared property of multi-Region keys. You
     #   can specify the same description or a different description for each
     #   key in a set of related multi-Region keys. KMS does not synchronize
@@ -4686,6 +4962,10 @@ module Aws::KMS
     #   tag the KMS key when it is created. To tag an existing KMS key, use
     #   the TagResource operation.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
     #   KMS key. For details, see [ABAC for KMS][1] in the *Key Management
     #   Service Developer Guide*.
@@ -4952,16 +5232,55 @@ module Aws::KMS
     #
     # @!attribute [rw] message
     #   Specifies the message or message digest to sign. Messages can be
-    #   0-4096 bytes. To sign a larger message, provide the message digest.
+    #   0-4096 bytes. To sign a larger message, provide a message digest.
     #
-    #   If you provide a message, KMS generates a hash digest of the message
-    #   and then signs it.
+    #   If you provide a message digest, use the `DIGEST` value of
+    #   `MessageType` to prevent the digest from being hashed again while
+    #   signing.
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message
-    #   or message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already
+    #   hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message`
+    #   parameter is a message digest. If you use the `DIGEST` value with an
+    #   unhashed message, the security of the signing operation can be
+    #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or
+    #   specify `RAW` so the digest is hashed again while signing. However,
+    #   this can cause verification failures when verifying with a system
+    #   that assumes a single hash.
+    #
+    #   The hashing algorithm in that `Sign` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -4982,7 +5301,9 @@ module Aws::KMS
     #   Specifies the signing algorithm to use when signing the message.
     #
     #   Choose an algorithm that is compatible with the type and size of the
-    #   specified asymmetric KMS key.
+    #   specified asymmetric KMS key. When signing with RSA key pairs,
+    #   RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
+    #   algorithms for compatibility with existing applications.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
@@ -5045,6 +5366,10 @@ module Aws::KMS
     # keys and tag values are both required, but tag values can be empty
     # (null) strings.
     #
+    # Do not include confidential or sensitive information in this field.
+    # This field may be displayed in plaintext in CloudTrail logs and other
+    # output.
+    #
     # For information about the rules that apply to tag keys and tag values,
     # see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
     # Billing and Cost Management User Guide*.
@@ -5100,10 +5425,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] tags
-    #   One or more tags.
+    #   One or more tags. Each tag consists of a tag key and a tag value.
+    #   The tag value can be an empty (null) string.
     #
-    #   Each tag consists of a tag key and a tag value. The tag value can be
-    #   an empty (null) string.
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #
     #   You cannot have more than one tag on a KMS key with the same tag
     #   key. If you specify an existing tag key with a different tag value,
@@ -5167,6 +5494,10 @@ module Aws::KMS
     #   begin with `alias/` followed by the alias name, such as
     #   `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
     #   alias name.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #   @return [String]
     #
     # @!attribute [rw] target_key_id
@@ -5220,6 +5551,10 @@ module Aws::KMS
     #   you specify. The custom key store name must be unique in the Amazon
     #   Web Services account.
     #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
+    #
     #   To change this value, an CloudHSM key store must be disconnected. An
     #   external key store can be connected or disconnected.
     #   @return [String]
@@ -5382,6 +5717,10 @@ module Aws::KMS
     #
     # @!attribute [rw] description
     #   New description for the KMS key.
+    #
+    #   Do not include confidential or sensitive information in this field.
+    #   This field may be displayed in plaintext in CloudTrail logs and
+    #   other output.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
@@ -5548,14 +5887,48 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] message_type
-    #   Tells KMS whether the value of the `Message` parameter is a message
-    #   or message digest. The default value, RAW, indicates a message. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   Tells KMS whether the value of the `Message` parameter should be
+    #   hashed as part of the signing algorithm. Use `RAW` for unhashed
+    #   messages; use `DIGEST` for message digests, which are already
+    #   hashed.
+    #
+    #   When the value of `MessageType` is `RAW`, KMS uses the standard
+    #   signing algorithm, which begins with a hash function. When the value
+    #   is `DIGEST`, KMS skips the hashing step in the signing algorithm.
     #
     #   Use the `DIGEST` value only when the value of the `Message`
-    #   parameter is a message digest. If you use the `DIGEST` value with a
-    #   raw message, the security of the verification operation can be
+    #   parameter is a message digest. If you use the `DIGEST` value with an
+    #   unhashed message, the security of the verification operation can be
     #   compromised.
+    #
+    #   When the value of `MessageType`is `DIGEST`, the length of the
+    #   `Message` value must match the length of hashed messages for the
+    #   specified signing algorithm.
+    #
+    #   You can submit a message digest and omit the `MessageType` or
+    #   specify `RAW` so the digest is hashed again while signing. However,
+    #   if the signed message is hashed once while signing, but twice while
+    #   verifying, verification fails, even when the message hasn't
+    #   changed.
+    #
+    #   The hashing algorithm in that `Verify` uses is based on the
+    #   `SigningAlgorithm` value.
+    #
+    #   * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
+    #     algorithm.
+    #
+    #   * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
+    #     algorithm.
+    #
+    #   * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
+    #     verification with SM2 key pairs][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     #   @return [String]
     #
     # @!attribute [rw] signature