aws-sdk-kms 1.63.0 → 1.72.0

@@ -264,6 +264,10 @@ module Aws::KMS
264
264
  # Specifies the alias name. This value must begin with `alias/`
265
265
  # followed by a name, such as `alias/ExampleAlias`.
266
266
  #
267
+ # Do not include confidential or sensitive information in this field.
268
+ # This field may be displayed in plaintext in CloudTrail logs and
269
+ # other output.
270
+ #
267
271
  # The `AliasName` value must be string of 1-256 characters. It can
268
272
  # contain only alphanumeric characters, forward slashes (/),
269
273
  # underscores (\_), and dashes (-). The alias name cannot begin with
@@ -317,6 +321,10 @@ module Aws::KMS
317
321
  # Specifies a friendly name for the custom key store. The name must be
318
322
  # unique in your Amazon Web Services account and Region. This
319
323
  # parameter is required for all custom key stores.
324
+ #
325
+ # Do not include confidential or sensitive information in this field.
326
+ # This field may be displayed in plaintext in CloudTrail logs and
327
+ # other output.
320
328
  # @return [String]
321
329
  #
322
330
  # @!attribute [rw] cloud_hsm_cluster_id
@@ -620,23 +628,19 @@ module Aws::KMS
620
628
  # @!attribute [rw] constraints
621
629
  # Specifies a grant constraint.
622
630
  #
623
- # KMS supports the `EncryptionContextEquals` and
624
- # `EncryptionContextSubset` grant constraints. Each constraint value
625
- # can include up to 8 encryption context pairs. The encryption context
626
- # value in each constraint cannot exceed 384 characters. For
627
- # information about grant constraints, see [Using grant
628
- # constraints][1] in the *Key Management Service Developer Guide*. For
629
- # more information about encryption context, see [Encryption
630
- # context][2] in the <i> <i>Key Management Service Developer Guide</i>
631
- # </i>.
631
+ # Do not include confidential or sensitive information in this field.
632
+ # This field may be displayed in plaintext in CloudTrail logs and
633
+ # other output.
632
634
  #
633
- # The encryption context grant constraints allow the permissions in
634
- # the grant only when the encryption context in the request matches
635
- # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
636
- # the encryption context specified in this structure.
635
+ # KMS supports the `EncryptionContextEquals` and
636
+ # `EncryptionContextSubset` grant constraints, which allow the
637
+ # permissions in the grant only when the encryption context in the
638
+ # request matches (`EncryptionContextEquals`) or includes
639
+ # (`EncryptionContextSubset`) the encryption context specified in the
640
+ # constraint.
637
641
  #
638
642
  # The encryption context grant constraints are supported only on
639
- # [grant operations][3] that include an `EncryptionContext` parameter,
643
+ # [grant operations][1] that include an `EncryptionContext` parameter,
640
644
  # such as cryptographic operations on symmetric encryption KMS keys.
641
645
  # Grants with grant constraints can include the DescribeKey and
642
646
  # RetireGrant operations, but the constraint doesn't apply to these
@@ -647,15 +651,21 @@ module Aws::KMS
647
651
  #
648
652
  # You cannot use an encryption context grant constraint for
649
653
  # cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
650
- # These keys don't support an encryption context.
651
- #
654
+ # Operations with these keys don't support an encryption context.
652
655
  #
656
+ # Each constraint value can include up to 8 encryption context pairs.
657
+ # The encryption context value in each constraint cannot exceed 384
658
+ # characters. For information about grant constraints, see [Using
659
+ # grant constraints][2] in the *Key Management Service Developer
660
+ # Guide*. For more information about encryption context, see
661
+ # [Encryption context][3] in the <i> <i>Key Management Service
662
+ # Developer Guide</i> </i>.
653
663
  #
654
664
  #
655
665
  #
656
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
657
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
658
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
666
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
667
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
668
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
659
669
  # @return [Types::GrantConstraints]
660
670
  #
661
671
  # @!attribute [rw] grant_tokens
@@ -676,6 +686,10 @@ module Aws::KMS
676
686
  # A friendly name for the grant. Use this value to prevent the
677
687
  # unintended creation of duplicate grants when retrying this request.
678
688
  #
689
+ # Do not include confidential or sensitive information in this field.
690
+ # This field may be displayed in plaintext in CloudTrail logs and
691
+ # other output.
692
+ #
679
693
  # When this value is absent, all `CreateGrant` requests result in a
680
694
  # new grant with a unique `GrantId` even if all the supplied
681
695
  # parameters are identical. This can result in unintended duplicates
@@ -689,6 +703,18 @@ module Aws::KMS
689
703
  # the same grant ID can be used interchangeably.
690
704
  # @return [String]
691
705
  #
706
+ # @!attribute [rw] dry_run
707
+ # Checks if your request will succeed. `DryRun` is an optional
708
+ # parameter.
709
+ #
710
+ # To learn more about how to use this parameter, see [Testing your KMS
711
+ # API calls][1] in the *Key Management Service Developer Guide*.
712
+ #
713
+ #
714
+ #
715
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
716
+ # @return [Boolean]
717
+ #
692
718
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
693
719
  #
694
720
  class CreateGrantRequest < Struct.new(
@@ -698,7 +724,8 @@ module Aws::KMS
698
724
  :operations,
699
725
  :constraints,
700
726
  :grant_tokens,
701
- :name)
727
+ :name,
728
+ :dry_run)
702
729
  SENSITIVE = []
703
730
  include Aws::Structure
704
731
  end
@@ -773,11 +800,13 @@ module Aws::KMS
773
800
  # @return [String]
774
801
  #
775
802
  # @!attribute [rw] description
776
- # A description of the KMS key.
803
+ # A description of the KMS key. Use a description that helps you
804
+ # decide whether the KMS key is appropriate for a task. The default
805
+ # value is an empty string (no description).
777
806
  #
778
- # Use a description that helps you decide whether the KMS key is
779
- # appropriate for a task. The default value is an empty string (no
780
- # description).
807
+ # Do not include confidential or sensitive information in this field.
808
+ # This field may be displayed in plaintext in CloudTrail logs and
809
+ # other output.
781
810
  #
782
811
  # To set or change the description after the key is created, use
783
812
  # UpdateKeyDescription.
@@ -976,6 +1005,10 @@ module Aws::KMS
976
1005
  # the KMS key when it is created. To tag an existing KMS key, use the
977
1006
  # TagResource operation.
978
1007
  #
1008
+ # Do not include confidential or sensitive information in this field.
1009
+ # This field may be displayed in plaintext in CloudTrail logs and
1010
+ # other output.
1011
+ #
979
1012
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
980
1013
  # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
981
1014
  # Service Developer Guide*.
@@ -1540,6 +1573,46 @@ module Aws::KMS
1540
1573
  # encryption KMS keys.
1541
1574
  # @return [String]
1542
1575
  #
1576
+ # @!attribute [rw] recipient
1577
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
1578
+ # enclave and the encryption algorithm to use with the enclave's
1579
+ # public key. The only valid encryption algorithm is
1580
+ # `RSAES_OAEP_SHA_256`.
1581
+ #
1582
+ # This parameter only supports attestation documents for Amazon Web
1583
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
1584
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
1585
+ #
1586
+ # When you use this parameter, instead of returning the plaintext
1587
+ # data, KMS encrypts the plaintext data with the public key in the
1588
+ # attestation document, and returns the resulting ciphertext in the
1589
+ # `CiphertextForRecipient` field in the response. This ciphertext can
1590
+ # be decrypted only with the private key in the enclave. The
1591
+ # `Plaintext` field in the response is null or empty.
1592
+ #
1593
+ # For information about the interaction between KMS and Amazon Web
1594
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
1595
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
1596
+ #
1597
+ #
1598
+ #
1599
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1600
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1601
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1602
+ # @return [Types::RecipientInfo]
1603
+ #
1604
+ # @!attribute [rw] dry_run
1605
+ # Checks if your request will succeed. `DryRun` is an optional
1606
+ # parameter.
1607
+ #
1608
+ # To learn more about how to use this parameter, see [Testing your KMS
1609
+ # API calls][1] in the *Key Management Service Developer Guide*.
1610
+ #
1611
+ #
1612
+ #
1613
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1614
+ # @return [Boolean]
1615
+ #
1543
1616
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
1544
1617
  #
1545
1618
  class DecryptRequest < Struct.new(
@@ -1547,7 +1620,9 @@ module Aws::KMS
1547
1620
  :encryption_context,
1548
1621
  :grant_tokens,
1549
1622
  :key_id,
1550
- :encryption_algorithm)
1623
+ :encryption_algorithm,
1624
+ :recipient,
1625
+ :dry_run)
1551
1626
  SENSITIVE = []
1552
1627
  include Aws::Structure
1553
1628
  end
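Review bot: The new `recipient` documentation in `DecryptRequest` explains what KMS does with the attestation document but not what the parameter does not do: supplying a `Recipient` only changes how the plaintext is delivered, so any principal with `kms:Decrypt` on the key who can present a valid attestation document from some Nitro enclave still receives the plaintext wrapped for that enclave. A one-line caveat would stop readers from treating the parameter itself as an access control, e.g. `# NOTE: Recipient does not restrict who may decrypt; scope the KMS key policy to the intended enclave image (attestation-based condition keys, see [3]).` — the exact condition keys are in the linked guide and should be confirmed there rather than stated from memory. Leaving `:recipient` out of `SENSITIVE` looks right, since the attestation document is presumably a signed public artifact rather than a secret. Because this file is generated from the service model, the wording change belongs upstream in the model docs.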
@@ -1565,18 +1640,38 @@ module Aws::KMS
1565
1640
  # Decrypted plaintext data. When you use the HTTP API or the Amazon
1566
1641
  # Web Services CLI, the value is Base64-encoded. Otherwise, it is not
1567
1642
  # Base64-encoded.
1643
+ #
1644
+ # If the response includes the `CiphertextForRecipient` field, the
1645
+ # `Plaintext` field is null or empty.
1568
1646
  # @return [String]
1569
1647
  #
1570
1648
  # @!attribute [rw] encryption_algorithm
1571
1649
  # The encryption algorithm that was used to decrypt the ciphertext.
1572
1650
  # @return [String]
1573
1651
  #
1652
+ # @!attribute [rw] ciphertext_for_recipient
1653
+ # The plaintext data encrypted with the public key in the attestation
1654
+ # document.
1655
+ #
1656
+ # This field is included in the response only when the `Recipient`
1657
+ # parameter in the request includes a valid attestation document from
1658
+ # an Amazon Web Services Nitro enclave. For information about the
1659
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
1660
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
1661
+ # Management Service Developer Guide*.
1662
+ #
1663
+ #
1664
+ #
1665
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1666
+ # @return [String]
1667
+ #
1574
1668
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
1575
1669
  #
1576
1670
  class DecryptResponse < Struct.new(
1577
1671
  :key_id,
1578
1672
  :plaintext,
1579
- :encryption_algorithm)
1673
+ :encryption_algorithm,
1674
+ :ciphertext_for_recipient)
1580
1675
  SENSITIVE = [:plaintext]
1581
1676
  include Aws::Structure
1582
1677
  end
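Review bot: The added sentence on `plaintext` in `DecryptResponse` says the field is "null or empty" when `CiphertextForRecipient` is present, which is ambiguous for a Ruby caller (`nil` versus `""`) and invites code that branches on `plaintext` being truthy. A comment telling callers to branch on the new field instead would be safer, e.g. `# Callers that supplied Recipient should check ciphertext_for_recipient rather than plaintext, which may be nil or "".` Excluding `:ciphertext_for_recipient` from `SENSITIVE` is consistent with it being ciphertext, but the doc could add that once unwrapped inside the enclave the value is as sensitive as `plaintext` and must not be logged — the hunk does not say this, so phrase it as guidance rather than SDK behavior.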
@@ -1875,6 +1970,19 @@ module Aws::KMS
1875
1970
  #
1876
1971
  class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
1877
1972
 
1973
+ # The request was rejected because the DryRun parameter was specified.
1974
+ #
1975
+ # @!attribute [rw] message
1976
+ # @return [String]
1977
+ #
1978
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DryRunOperationException AWS API Documentation
1979
+ #
1980
+ class DryRunOperationException < Struct.new(
1981
+ :message)
1982
+ SENSITIVE = []
1983
+ include Aws::Structure
1984
+ end
1985
+
1878
1986
  # @!attribute [rw] key_id
1879
1987
  # Identifies the KMS key to enable.
1880
1988
  #
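Review bot: The new `DryRunOperationException` is documented only as "The request was rejected because the DryRun parameter was specified", which reads like a failure, yet the `dry_run` attributes added elsewhere in this diff describe `DryRun` as a way to check whether a request will succeed, so this exception is presumably the success signal of a dry run and callers must rescue it deliberately. Suggest appending to the class comment `# Receiving this exception indicates the request passed authorization and validation and would otherwise have been executed; other errors (e.g. access denied) are raised as usual — confirm against the linked DryRun guide.` Without that sentence, generic `rescue Aws::KMS::Errors::ServiceError` handlers will report a passing dry run as an error. As with the rest of this file, the fix belongs in the upstream service-model docs rather than a hand edit here.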
@@ -1971,6 +2079,10 @@ module Aws::KMS
1971
2079
  # asymmetric encryption algorithms and HMAC algorithms that KMS uses
1972
2080
  # do not support an encryption context.
1973
2081
  #
2082
+ # Do not include confidential or sensitive information in this field.
2083
+ # This field may be displayed in plaintext in CloudTrail logs and
2084
+ # other output.
2085
+ #
1974
2086
  # An *encryption context* is a collection of non-secret key-value
1975
2087
  # pairs that represent additional authenticated data. When you use an
1976
2088
  # encryption context to encrypt data, you must specify the same (an
@@ -2016,6 +2128,18 @@ module Aws::KMS
2016
2128
  # The SM2PKE algorithm is only available in China Regions.
2017
2129
  # @return [String]
2018
2130
  #
2131
+ # @!attribute [rw] dry_run
2132
+ # Checks if your request will succeed. `DryRun` is an optional
2133
+ # parameter.
2134
+ #
2135
+ # To learn more about how to use this parameter, see [Testing your KMS
2136
+ # API calls][1] in the *Key Management Service Developer Guide*.
2137
+ #
2138
+ #
2139
+ #
2140
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2141
+ # @return [Boolean]
2142
+ #
2019
2143
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
2020
2144
  #
2021
2145
  class EncryptRequest < Struct.new(
@@ -2023,7 +2147,8 @@ module Aws::KMS
2023
2147
  :plaintext,
2024
2148
  :encryption_context,
2025
2149
  :grant_tokens,
2026
- :encryption_algorithm)
2150
+ :encryption_algorithm,
2151
+ :dry_run)
2027
2152
  SENSITIVE = [:plaintext]
2028
2153
  include Aws::Structure
2029
2154
  end
@@ -2077,6 +2202,10 @@ module Aws::KMS
2077
2202
  # Specifies the encryption context that will be used when encrypting
2078
2203
  # the private key in the data key pair.
2079
2204
  #
2205
+ # Do not include confidential or sensitive information in this field.
2206
+ # This field may be displayed in plaintext in CloudTrail logs and
2207
+ # other output.
2208
+ #
2080
2209
  # An *encryption context* is a collection of non-secret key-value
2081
2210
  # pairs that represent additional authenticated data. When you use an
2082
2211
  # encryption context to encrypt data, you must specify the same (an
@@ -2144,13 +2273,58 @@ module Aws::KMS
2144
2273
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2145
2274
  # @return [Array<String>]
2146
2275
  #
2276
+ # @!attribute [rw] recipient
2277
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
2278
+ # enclave and the encryption algorithm to use with the enclave's
2279
+ # public key. The only valid encryption algorithm is
2280
+ # `RSAES_OAEP_SHA_256`.
2281
+ #
2282
+ # This parameter only supports attestation documents for Amazon Web
2283
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
2284
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2285
+ #
2286
+ # When you use this parameter, instead of returning a plaintext copy
2287
+ # of the private data key, KMS encrypts the plaintext private data key
2288
+ # under the public key in the attestation document, and returns the
2289
+ # resulting ciphertext in the `CiphertextForRecipient` field in the
2290
+ # response. This ciphertext can be decrypted only with the private key
2291
+ # in the enclave. The `CiphertextBlob` field in the response contains
2292
+ # a copy of the private data key encrypted under the KMS key specified
2293
+ # by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
2294
+ # response is null or empty.
2295
+ #
2296
+ # For information about the interaction between KMS and Amazon Web
2297
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2298
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
2299
+ #
2300
+ #
2301
+ #
2302
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2303
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2304
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2305
+ # @return [Types::RecipientInfo]
2306
+ #
2307
+ # @!attribute [rw] dry_run
2308
+ # Checks if your request will succeed. `DryRun` is an optional
2309
+ # parameter.
2310
+ #
2311
+ # To learn more about how to use this parameter, see [Testing your KMS
2312
+ # API calls][1] in the *Key Management Service Developer Guide*.
2313
+ #
2314
+ #
2315
+ #
2316
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2317
+ # @return [Boolean]
2318
+ #
2147
2319
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
2148
2320
  #
2149
2321
  class GenerateDataKeyPairRequest < Struct.new(
2150
2322
  :encryption_context,
2151
2323
  :key_id,
2152
2324
  :key_pair_spec,
2153
- :grant_tokens)
2325
+ :grant_tokens,
2326
+ :recipient,
2327
+ :dry_run)
2154
2328
  SENSITIVE = []
2155
2329
  include Aws::Structure
2156
2330
  end
@@ -2165,6 +2339,9 @@ module Aws::KMS
2165
2339
  # The plaintext copy of the private key. When you use the HTTP API or
2166
2340
  # the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
2167
2341
  # it is not Base64-encoded.
2342
+ #
2343
+ # If the response includes the `CiphertextForRecipient` field, the
2344
+ # `PrivateKeyPlaintext` field is null or empty.
2168
2345
  # @return [String]
2169
2346
  #
2170
2347
  # @!attribute [rw] public_key
@@ -2186,6 +2363,23 @@ module Aws::KMS
2186
2363
  # The type of data key pair that was generated.
2187
2364
  # @return [String]
2188
2365
  #
2366
+ # @!attribute [rw] ciphertext_for_recipient
2367
+ # The plaintext private data key encrypted with the public key from
2368
+ # the Nitro enclave. This ciphertext can be decrypted only by using a
2369
+ # private key in the Nitro enclave.
2370
+ #
2371
+ # This field is included in the response only when the `Recipient`
2372
+ # parameter in the request includes a valid attestation document from
2373
+ # an Amazon Web Services Nitro enclave. For information about the
2374
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
2375
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
2376
+ # Management Service Developer Guide*.
2377
+ #
2378
+ #
2379
+ #
2380
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2381
+ # @return [String]
2382
+ #
2189
2383
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
2190
2384
  #
2191
2385
  class GenerateDataKeyPairResponse < Struct.new(
@@ -2193,7 +2387,8 @@ module Aws::KMS
2193
2387
  :private_key_plaintext,
2194
2388
  :public_key,
2195
2389
  :key_id,
2196
- :key_pair_spec)
2390
+ :key_pair_spec,
2391
+ :ciphertext_for_recipient)
2197
2392
  SENSITIVE = [:private_key_plaintext]
2198
2393
  include Aws::Structure
2199
2394
  end
@@ -2202,6 +2397,10 @@ module Aws::KMS
2202
2397
  # Specifies the encryption context that will be used when encrypting
2203
2398
  # the private key in the data key pair.
2204
2399
  #
2400
+ # Do not include confidential or sensitive information in this field.
2401
+ # This field may be displayed in plaintext in CloudTrail logs and
2402
+ # other output.
2403
+ #
2205
2404
  # An *encryption context* is a collection of non-secret key-value
2206
2405
  # pairs that represent additional authenticated data. When you use an
2207
2406
  # encryption context to encrypt data, you must specify the same (an
@@ -2269,13 +2468,26 @@ module Aws::KMS
2269
2468
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2270
2469
  # @return [Array<String>]
2271
2470
  #
2471
+ # @!attribute [rw] dry_run
2472
+ # Checks if your request will succeed. `DryRun` is an optional
2473
+ # parameter.
2474
+ #
2475
+ # To learn more about how to use this parameter, see [Testing your KMS
2476
+ # API calls][1] in the *Key Management Service Developer Guide*.
2477
+ #
2478
+ #
2479
+ #
2480
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2481
+ # @return [Boolean]
2482
+ #
2272
2483
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
2273
2484
  #
2274
2485
  class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
2275
2486
  :encryption_context,
2276
2487
  :key_id,
2277
2488
  :key_pair_spec,
2278
- :grant_tokens)
2489
+ :grant_tokens,
2490
+ :dry_run)
2279
2491
  SENSITIVE = []
2280
2492
  include Aws::Structure
2281
2493
  end
@@ -2346,6 +2558,10 @@ module Aws::KMS
2346
2558
  # Specifies the encryption context that will be used when encrypting
2347
2559
  # the data key.
2348
2560
  #
2561
+ # Do not include confidential or sensitive information in this field.
2562
+ # This field may be displayed in plaintext in CloudTrail logs and
2563
+ # other output.
2564
+ #
2349
2565
  # An *encryption context* is a collection of non-secret key-value
2350
2566
  # pairs that represent additional authenticated data. When you use an
2351
2567
  # encryption context to encrypt data, you must specify the same (an
@@ -2396,6 +2612,48 @@ module Aws::KMS
2396
2612
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2397
2613
  # @return [Array<String>]
2398
2614
  #
2615
+ # @!attribute [rw] recipient
2616
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
2617
+ # enclave and the encryption algorithm to use with the enclave's
2618
+ # public key. The only valid encryption algorithm is
2619
+ # `RSAES_OAEP_SHA_256`.
2620
+ #
2621
+ # This parameter only supports attestation documents for Amazon Web
2622
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
2623
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2624
+ #
2625
+ # When you use this parameter, instead of returning the plaintext data
2626
+ # key, KMS encrypts the plaintext data key under the public key in the
2627
+ # attestation document, and returns the resulting ciphertext in the
2628
+ # `CiphertextForRecipient` field in the response. This ciphertext can
2629
+ # be decrypted only with the private key in the enclave. The
2630
+ # `CiphertextBlob` field in the response contains a copy of the data
2631
+ # key encrypted under the KMS key specified by the `KeyId` parameter.
2632
+ # The `Plaintext` field in the response is null or empty.
2633
+ #
2634
+ # For information about the interaction between KMS and Amazon Web
2635
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2636
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
2637
+ #
2638
+ #
2639
+ #
2640
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2641
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2642
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2643
+ # @return [Types::RecipientInfo]
2644
+ #
2645
+ # @!attribute [rw] dry_run
2646
+ # Checks if your request will succeed. `DryRun` is an optional
2647
+ # parameter.
2648
+ #
2649
+ # To learn more about how to use this parameter, see [Testing your KMS
2650
+ # API calls][1] in the *Key Management Service Developer Guide*.
2651
+ #
2652
+ #
2653
+ #
2654
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2655
+ # @return [Boolean]
2656
+ #
2399
2657
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
2400
2658
  #
2401
2659
  class GenerateDataKeyRequest < Struct.new(
@@ -2403,7 +2661,9 @@ module Aws::KMS
2403
2661
  :encryption_context,
2404
2662
  :number_of_bytes,
2405
2663
  :key_spec,
2406
- :grant_tokens)
2664
+ :grant_tokens,
2665
+ :recipient,
2666
+ :dry_run)
2407
2667
  SENSITIVE = []
2408
2668
  include Aws::Structure
2409
2669
  end
@@ -2419,6 +2679,9 @@ module Aws::KMS
2419
2679
  # Services CLI, the value is Base64-encoded. Otherwise, it is not
2420
2680
  # Base64-encoded. Use this data key to encrypt your data outside of
2421
2681
  # KMS. Then, remove it from memory as soon as possible.
2682
+ #
2683
+ # If the response includes the `CiphertextForRecipient` field, the
2684
+ # `Plaintext` field is null or empty.
2422
2685
  # @return [String]
2423
2686
  #
2424
2687
  # @!attribute [rw] key_id
@@ -2430,12 +2693,30 @@ module Aws::KMS
2430
2693
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2431
2694
  # @return [String]
2432
2695
  #
2696
+ # @!attribute [rw] ciphertext_for_recipient
2697
+ # The plaintext data key encrypted with the public key from the Nitro
2698
+ # enclave. This ciphertext can be decrypted only by using a private
2699
+ # key in the Nitro enclave.
2700
+ #
2701
+ # This field is included in the response only when the `Recipient`
2702
+ # parameter in the request includes a valid attestation document from
2703
+ # an Amazon Web Services Nitro enclave. For information about the
2704
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
2705
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
2706
+ # Management Service Developer Guide*.
2707
+ #
2708
+ #
2709
+ #
2710
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2711
+ # @return [String]
2712
+ #
2433
2713
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
2434
2714
  #
2435
2715
  class GenerateDataKeyResponse < Struct.new(
2436
2716
  :ciphertext_blob,
2437
2717
  :plaintext,
2438
- :key_id)
2718
+ :key_id,
2719
+ :ciphertext_for_recipient)
2439
2720
  SENSITIVE = [:plaintext]
2440
2721
  include Aws::Structure
2441
2722
  end
@@ -2470,6 +2751,10 @@ module Aws::KMS
2470
2751
  # Specifies the encryption context that will be used when encrypting
2471
2752
  # the data key.
2472
2753
  #
2754
+ # Do not include confidential or sensitive information in this field.
2755
+ # This field may be displayed in plaintext in CloudTrail logs and
2756
+ # other output.
2757
+ #
2473
2758
  # An *encryption context* is a collection of non-secret key-value
2474
2759
  # pairs that represent additional authenticated data. When you use an
2475
2760
  # encryption context to encrypt data, you must specify the same (an
@@ -2513,6 +2798,18 @@ module Aws::KMS
2513
2798
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2514
2799
  # @return [Array<String>]
2515
2800
  #
2801
+ # @!attribute [rw] dry_run
2802
+ # Checks if your request will succeed. `DryRun` is an optional
2803
+ # parameter.
2804
+ #
2805
+ # To learn more about how to use this parameter, see [Testing your KMS
2806
+ # API calls][1] in the *Key Management Service Developer Guide*.
2807
+ #
2808
+ #
2809
+ #
2810
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2811
+ # @return [Boolean]
2812
+ #
2516
2813
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
2517
2814
  #
2518
2815
  class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
@@ -2520,7 +2817,8 @@ module Aws::KMS
2520
2817
  :encryption_context,
2521
2818
  :key_spec,
2522
2819
  :number_of_bytes,
2523
- :grant_tokens)
2820
+ :grant_tokens,
2821
+ :dry_run)
2524
2822
  SENSITIVE = []
2525
2823
  include Aws::Structure
2526
2824
  end
@@ -2592,13 +2890,26 @@ module Aws::KMS
2592
2890
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2593
2891
  # @return [Array<String>]
2594
2892
  #
2893
+ # @!attribute [rw] dry_run
2894
+ # Checks if your request will succeed. `DryRun` is an optional
2895
+ # parameter.
2896
+ #
2897
+ # To learn more about how to use this parameter, see [Testing your KMS
2898
+ # API calls][1] in the *Key Management Service Developer Guide*.
2899
+ #
2900
+ #
2901
+ #
2902
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2903
+ # @return [Boolean]
2904
+ #
2595
2905
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
2596
2906
  #
2597
2907
  class GenerateMacRequest < Struct.new(
2598
2908
  :message,
2599
2909
  :key_id,
2600
2910
  :mac_algorithm,
2601
- :grant_tokens)
2911
+ :grant_tokens,
2912
+ :dry_run)
2602
2913
  SENSITIVE = [:message]
2603
2914
  include Aws::Structure
2604
2915
  end
@@ -2646,11 +2957,40 @@ module Aws::KMS
2646
2957
  # `UnsupportedOperationException`.
2647
2958
  # @return [String]
2648
2959
  #
2960
+ # @!attribute [rw] recipient
2961
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
2962
+ # enclave and the encryption algorithm to use with the enclave's
2963
+ # public key. The only valid encryption algorithm is
2964
+ # `RSAES_OAEP_SHA_256`.
2965
+ #
2966
+ # This parameter only supports attestation documents for Amazon Web
2967
+ # Services Nitro Enclaves. To include this parameter, use the [Amazon
2968
+ # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2969
+ #
2970
+ # When you use this parameter, instead of returning plaintext bytes,
2971
+ # KMS encrypts the plaintext bytes under the public key in the
2972
+ # attestation document, and returns the resulting ciphertext in the
2973
+ # `CiphertextForRecipient` field in the response. This ciphertext can
2974
+ # be decrypted only with the private key in the enclave. The
2975
+ # `Plaintext` field in the response is null or empty.
2976
+ #
2977
+ # For information about the interaction between KMS and Amazon Web
2978
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2979
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
2980
+ #
2981
+ #
2982
+ #
2983
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2984
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2985
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2986
+ # @return [Types::RecipientInfo]
2987
+ #
2649
2988
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
2650
2989
  #
2651
2990
  class GenerateRandomRequest < Struct.new(
2652
2991
  :number_of_bytes,
2653
- :custom_key_store_id)
2992
+ :custom_key_store_id,
2993
+ :recipient)
2654
2994
  SENSITIVE = []
2655
2995
  include Aws::Structure
2656
2996
  end
@@ -2659,12 +2999,33 @@ module Aws::KMS
2659
2999
  # The random byte string. When you use the HTTP API or the Amazon Web
2660
3000
  # Services CLI, the value is Base64-encoded. Otherwise, it is not
2661
3001
  # Base64-encoded.
3002
+ #
3003
+ # If the response includes the `CiphertextForRecipient` field, the
3004
+ # `Plaintext` field is null or empty.
3005
+ # @return [String]
3006
+ #
3007
+ # @!attribute [rw] ciphertext_for_recipient
3008
+ # The plaintext random bytes encrypted with the public key from the
3009
+ # Nitro enclave. This ciphertext can be decrypted only by using a
3010
+ # private key in the Nitro enclave.
3011
+ #
3012
+ # This field is included in the response only when the `Recipient`
3013
+ # parameter in the request includes a valid attestation document from
3014
+ # an Amazon Web Services Nitro enclave. For information about the
3015
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
3016
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
3017
+ # Management Service Developer Guide*.
3018
+ #
3019
+ #
3020
+ #
3021
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2662
3022
  # @return [String]
2663
3023
  #
2664
3024
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
2665
3025
  #
2666
3026
  class GenerateRandomResponse < Struct.new(
2667
- :plaintext)
3027
+ :plaintext,
3028
+ :ciphertext_for_recipient)
2668
3029
  SENSITIVE = [:plaintext]
2669
3030
  include Aws::Structure
2670
3031
  end
@@ -2750,10 +3111,14 @@ module Aws::KMS
2750
3111
  end
2751
3112
 
2752
3113
  # @!attribute [rw] key_id
2753
- # The identifier of the symmetric encryption KMS key into which you
2754
- # will import key material. The `Origin` of the KMS key must be
3114
+ # The identifier of the KMS key that will be associated with the
3115
+ # imported key material. The `Origin` of the KMS key must be
2755
3116
  # `EXTERNAL`.
2756
3117
  #
3118
+ # All KMS key types are supported, including multi-Region keys.
3119
+ # However, you cannot import key material into a KMS key in a custom
3120
+ # key store.
3121
+ #
2757
3122
  # Specify the key ID or key ARN of the KMS key.
2758
3123
  #
2759
3124
  # For example:
@@ -2768,26 +3133,54 @@ module Aws::KMS
2768
3133
  # @return [String]
2769
3134
  #
2770
3135
  # @!attribute [rw] wrapping_algorithm
2771
- # The algorithm you will use to encrypt the key material before using
2772
- # the ImportKeyMaterial operation to import it. For more information,
2773
- # see [Encrypt the key material][1] in the *Key Management Service
2774
- # Developer Guide*.
3136
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
3137
+ # the response to protect your key material during import. For more
3138
+ # information, see [Select a wrapping
3139
+ # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
3140
+ # in the *Key Management Service Developer Guide*.
3141
+ #
3142
+ # For RSA\_AES wrapping algorithms, you encrypt your key material with
3143
+ # an AES key that you generate, then encrypt your AES key with the RSA
3144
+ # public key from KMS. For RSAES wrapping algorithms, you encrypt your
3145
+ # key material directly with the RSA public key from KMS.
3146
+ #
3147
+ # The wrapping algorithms that you can use depend on the type of key
3148
+ # material that you are importing. To import an RSA private key, you
3149
+ # must use an RSA\_AES wrapping algorithm.
3150
+ #
3151
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
3152
+ # ECC key material.
3153
+ #
3154
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and
3155
+ # ECC key material.
2775
3156
  #
2776
- # The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We
2777
- # recommend that you begin using a different wrapping algorithm
2778
- # immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
2779
- # 1, 2023 pursuant to [cryptographic key management guidance][2] from
2780
- # the National Institute of Standards and Technology (NIST).
3157
+ # * **RSAES\_OAEP\_SHA\_256** Supported for all types of key
3158
+ # material, except RSA key material (private key).
2781
3159
  #
3160
+ # You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
3161
+ # the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
3162
+ # material.
2782
3163
  #
3164
+ # * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
3165
+ # except RSA key material (private key).
2783
3166
  #
2784
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
2785
- # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
3167
+ # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
3168
+ # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
3169
+ #
3170
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
3171
+ # symmetric encryption key material (and only in legacy mode).
2786
3172
  # @return [String]
2787
3173
  #
2788
3174
  # @!attribute [rw] wrapping_key_spec
2789
- # The type of wrapping key (public key) to return in the response.
2790
- # Only 2048-bit RSA public keys are supported.
3175
+ # The type of RSA public key to return in the response. You will use
3176
+ # this wrapping key with the specified wrapping algorithm to protect
3177
+ # your key material during import.
3178
+ #
3179
+ # Use the longest RSA wrapping key that is practical.
3180
+ #
3181
+ # You cannot use an RSA\_2048 public key to directly wrap an
3182
+ # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
3183
+ # algorithm or choose a longer RSA public key.
2791
3184
  # @return [String]
2792
3185
  #
2793
3186
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
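Review bot: The rewritten `RSAES_PKCS1_V1_5` entry near the end of the `wrapping_algorithm` list no longer tells the reader why it is deprecated; the removed text pointed to NIST SP 800-131Ar2 and an end-of-support date, and the new bullet keeps only "(Deprecated) … only in legacy mode", so a caller picking an algorithm from this list has no stated reason to avoid it. I would restore one sentence after that bullet: `# This algorithm is deprecated in line with NIST SP 800-131Ar2 guidance; use an RSA_AES or RSAES_OAEP_SHA_256 algorithm for new imports.` The `RSA_AES_KEY_WRAP_SHA_1` and `RSAES_OAEP_SHA_1` bullets are presented on equal footing with the SHA-256 variants; a short `# Prefer the SHA_256 variants unless a legacy HSM requires SHA-1.` would give the same guidance the "Use the longest RSA wrapping key that is practical" line gives for key size. Separately, the `[Select a wrapping algorithm](kms/latest/developerguide/...)` link is a relative path with no host, unlike every other link in this file, and will not resolve in the generated docs; it should follow the file's numbered-reference style with a full `https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm` URL.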
@@ -3094,13 +3487,19 @@ module Aws::KMS
3094
3487
  end
3095
3488
 
3096
3489
  # @!attribute [rw] key_id
3097
- # The identifier of the symmetric encryption KMS key that receives the
3490
+ # The identifier of the KMS key that will be associated with the
3098
3491
  # imported key material. This must be the same KMS key specified in
3099
3492
  # the `KeyID` parameter of the corresponding GetParametersForImport
3100
- # request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
3101
- # perform this operation on an asymmetric KMS key, an HMAC KMS key, a
3102
- # KMS key in a custom key store, or on a KMS key in a different Amazon
3103
- # Web Services account
3493
+ # request. The `Origin` of the KMS key must be `EXTERNAL` and its
3494
+ # `KeyState` must be `PendingImport`.
3495
+ #
3496
+ # The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
3497
+ # asymmetric encryption KMS key, or asymmetric signing KMS key,
3498
+ # including a [multi-Region
3499
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of
3500
+ # any supported type. You cannot perform this operation on a KMS key
3501
+ # in a custom key store, or on a KMS key in a different Amazon Web
3502
+ # Services account.
3104
3503
  #
3105
3504
  # Specify the key ID or key ARN of the KMS key.
3106
3505
  #
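Review bot: The `[multi-Region key](kms/latest/developerguide/multi-region-keys-overview.html)` link in the new `key_id` text is a relative path with no scheme or host, so it renders as a dead link in the YARD output; every other link in this file is a numbered reference to a full `https://docs.aws.amazon.com/...` URL. I would change it to `including a [multi-Region key][1] of any supported type` and add `# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html` in the attribute's reference block. The rest of `ImportKeyMaterialRequest` continues past this hunk.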
@@ -3124,7 +3523,7 @@ module Aws::KMS
3124
3523
  #
3125
3524
  # @!attribute [rw] encrypted_key_material
3126
3525
  # The encrypted key material to import. The key material must be
3127
- # encrypted with the public wrapping key that GetParametersForImport
3526
+ # encrypted under the public wrapping key that GetParametersForImport
3128
3527
  # returned, using the wrapping algorithm that you specified in the
3129
3528
  # same `GetParametersForImport` request.
3130
3529
  # @return [String]
@@ -3150,7 +3549,8 @@ module Aws::KMS
3150
3549
  #
3151
3550
  # @!attribute [rw] expiration_model
3152
3551
  # Specifies whether the key material expires. The default is
3153
- # `KEY_MATERIAL_EXPIRES`.
3552
+ # `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
3553
+ # expiration time][1] in the *Key Management Service Developer Guide*.
3154
3554
  #
3155
3555
  # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
3156
3556
  # must specify a value for the `ValidTo` parameter. When value is
@@ -3159,8 +3559,11 @@ module Aws::KMS
3159
3559
  #
3160
3560
  # You cannot change the `ExpirationModel` or `ValidTo` values for the
3161
3561
  # current import after the request completes. To change either value,
3162
- # you must delete (DeleteImportedKeyMaterial) and reimport the key
3163
- # material.
3562
+ # you must reimport the key material.
3563
+ #
3564
+ #
3565
+ #
3566
+ # [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
3164
3567
  # @return [String]
3165
3568
  #
3166
3569
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -4417,6 +4820,10 @@ module Aws::KMS
4417
4820
  # Specifies that encryption context to use when the reencrypting the
4418
4821
  # data.
4419
4822
  #
4823
+ # Do not include confidential or sensitive information in this field.
4824
+ # This field may be displayed in plaintext in CloudTrail logs and
4825
+ # other output.
4826
+ #
4420
4827
  # A destination encryption context is valid only when the destination
4421
4828
  # KMS key is a symmetric encryption KMS key. The standard ciphertext
4422
4829
  # format for asymmetric KMS keys does not include fields for metadata.
@@ -4475,6 +4882,18 @@ module Aws::KMS
4475
4882
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
4476
4883
  # @return [Array<String>]
4477
4884
  #
4885
+ # @!attribute [rw] dry_run
4886
+ # Checks if your request will succeed. `DryRun` is an optional
4887
+ # parameter.
4888
+ #
4889
+ # To learn more about how to use this parameter, see [Testing your KMS
4890
+ # API calls][1] in the *Key Management Service Developer Guide*.
4891
+ #
4892
+ #
4893
+ #
4894
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
4895
+ # @return [Boolean]
4896
+ #
4478
4897
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
4479
4898
  #
4480
4899
  class ReEncryptRequest < Struct.new(
@@ -4485,7 +4904,8 @@ module Aws::KMS
4485
4904
  :destination_encryption_context,
4486
4905
  :source_encryption_algorithm,
4487
4906
  :destination_encryption_algorithm,
4488
- :grant_tokens)
4907
+ :grant_tokens,
4908
+ :dry_run)
4489
4909
  SENSITIVE = []
4490
4910
  include Aws::Structure
4491
4911
  end
@@ -4531,6 +4951,39 @@ module Aws::KMS
4531
4951
  include Aws::Structure
4532
4952
  end
4533
4953
 
4954
+ # Contains information about the party that receives the response from
4955
+ # the API operation.
4956
+ #
4957
+ # This data type is designed to support Amazon Web Services Nitro
4958
+ # Enclaves, which lets you create an isolated compute environment in
4959
+ # Amazon EC2. For information about the interaction between KMS and
4960
+ # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
4961
+ # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
4962
+ #
4963
+ #
4964
+ #
4965
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
4966
+ #
4967
+ # @!attribute [rw] key_encryption_algorithm
4968
+ # The encryption algorithm that KMS should use with the public key for
4969
+ # an Amazon Web Services Nitro Enclave to encrypt plaintext values for
4970
+ # the response. The only valid value is `RSAES_OAEP_SHA_256`.
4971
+ # @return [String]
4972
+ #
4973
+ # @!attribute [rw] attestation_document
4974
+ # The attestation document for an Amazon Web Services Nitro Enclave.
4975
+ # This document includes the enclave's public key.
4976
+ # @return [String]
4977
+ #
4978
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
4979
+ #
4980
+ class RecipientInfo < Struct.new(
4981
+ :key_encryption_algorithm,
4982
+ :attestation_document)
4983
+ SENSITIVE = []
4984
+ include Aws::Structure
4985
+ end
4986
+
4534
4987
  # @!attribute [rw] key_id
4535
4988
  # Identifies the multi-Region primary key that is being replicated. To
4536
4989
  # determine whether a KMS key is a multi-Region primary key, use the
@@ -4666,6 +5119,10 @@ module Aws::KMS
4666
5119
  # A description of the KMS key. The default value is an empty string
4667
5120
  # (no description).
4668
5121
  #
5122
+ # Do not include confidential or sensitive information in this field.
5123
+ # This field may be displayed in plaintext in CloudTrail logs and
5124
+ # other output.
5125
+ #
4669
5126
  # The description is not a shared property of multi-Region keys. You
4670
5127
  # can specify the same description or a different description for each
4671
5128
  # key in a set of related multi-Region keys. KMS does not synchronize
@@ -4677,6 +5134,10 @@ module Aws::KMS
4677
5134
  # tag the KMS key when it is created. To tag an existing KMS key, use
4678
5135
  # the TagResource operation.
4679
5136
  #
5137
+ # Do not include confidential or sensitive information in this field.
5138
+ # This field may be displayed in plaintext in CloudTrail logs and
5139
+ # other output.
5140
+ #
4680
5141
  # <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
4681
5142
  # KMS key. For details, see [ABAC for KMS][1] in the *Key Management
4682
5143
  # Service Developer Guide*.
@@ -4786,12 +5247,25 @@ module Aws::KMS
4786
5247
  # ^
4787
5248
  # @return [String]
4788
5249
  #
5250
+ # @!attribute [rw] dry_run
5251
+ # Checks if your request will succeed. `DryRun` is an optional
5252
+ # parameter.
5253
+ #
5254
+ # To learn more about how to use this parameter, see [Testing your KMS
5255
+ # API calls][1] in the *Key Management Service Developer Guide*.
5256
+ #
5257
+ #
5258
+ #
5259
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5260
+ # @return [Boolean]
5261
+ #
4789
5262
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
4790
5263
  #
4791
5264
  class RetireGrantRequest < Struct.new(
4792
5265
  :grant_token,
4793
5266
  :key_id,
4794
- :grant_id)
5267
+ :grant_id,
5268
+ :dry_run)
4795
5269
  SENSITIVE = []
4796
5270
  include Aws::Structure
4797
5271
  end
@@ -4821,11 +5295,24 @@ module Aws::KMS
4821
5295
  # CreateGrant, ListGrants, or ListRetirableGrants.
4822
5296
  # @return [String]
4823
5297
  #
5298
+ # @!attribute [rw] dry_run
5299
+ # Checks if your request will succeed. `DryRun` is an optional
5300
+ # parameter.
5301
+ #
5302
+ # To learn more about how to use this parameter, see [Testing your KMS
5303
+ # API calls][1] in the *Key Management Service Developer Guide*.
5304
+ #
5305
+ #
5306
+ #
5307
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5308
+ # @return [Boolean]
5309
+ #
4824
5310
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
4825
5311
  #
4826
5312
  class RevokeGrantRequest < Struct.new(
4827
5313
  :key_id,
4828
- :grant_id)
5314
+ :grant_id,
5315
+ :dry_run)
4829
5316
  SENSITIVE = []
4830
5317
  include Aws::Structure
4831
5318
  end
@@ -4856,6 +5343,13 @@ module Aws::KMS
4856
5343
  #
4857
5344
  # This value is optional. If you include a value, it must be between 7
4858
5345
  # and 30, inclusive. If you do not include a value, it defaults to 30.
5346
+ # You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
5347
+ # condition key to further constrain the values that principals can
5348
+ # specify in the `PendingWindowInDays` parameter.
5349
+ #
5350
+ #
5351
+ #
5352
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
4859
5353
  # @return [Integer]
4860
5354
  #
4861
5355
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
@@ -5017,6 +5511,18 @@ module Aws::KMS
5017
5511
  # algorithms for compatibility with existing applications.
5018
5512
  # @return [String]
5019
5513
  #
5514
+ # @!attribute [rw] dry_run
5515
+ # Checks if your request will succeed. `DryRun` is an optional
5516
+ # parameter.
5517
+ #
5518
+ # To learn more about how to use this parameter, see [Testing your KMS
5519
+ # API calls][1] in the *Key Management Service Developer Guide*.
5520
+ #
5521
+ #
5522
+ #
5523
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5524
+ # @return [Boolean]
5525
+ #
5020
5526
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
5021
5527
  #
5022
5528
  class SignRequest < Struct.new(
@@ -5024,7 +5530,8 @@ module Aws::KMS
5024
5530
  :message,
5025
5531
  :message_type,
5026
5532
  :grant_tokens,
5027
- :signing_algorithm)
5533
+ :signing_algorithm,
5534
+ :dry_run)
5028
5535
  SENSITIVE = [:message]
5029
5536
  include Aws::Structure
5030
5537
  end
@@ -5046,7 +5553,7 @@ module Aws::KMS
5046
5553
  #
5047
5554
  # * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
5048
5555
  # `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
5049
- # object as defined by ANS X9.62–2005 and [RFC 3279 Section
5556
+ # object as defined by ANSI X9.62–2005 and [RFC 3279 Section
5050
5557
  # 2.2.3][2]. This is the most commonly used signature format and is
5051
5558
  # appropriate for most uses.
5052
5559
  #
@@ -5077,6 +5584,10 @@ module Aws::KMS
5077
5584
  # keys and tag values are both required, but tag values can be empty
5078
5585
  # (null) strings.
5079
5586
  #
5587
+ # Do not include confidential or sensitive information in this field.
5588
+ # This field may be displayed in plaintext in CloudTrail logs and other
5589
+ # output.
5590
+ #
5080
5591
  # For information about the rules that apply to tag keys and tag values,
5081
5592
  # see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
5082
5593
  # Billing and Cost Management User Guide*.
@@ -5132,10 +5643,12 @@ module Aws::KMS
5132
5643
  # @return [String]
5133
5644
  #
5134
5645
  # @!attribute [rw] tags
5135
- # One or more tags.
5646
+ # One or more tags. Each tag consists of a tag key and a tag value.
5647
+ # The tag value can be an empty (null) string.
5136
5648
  #
5137
- # Each tag consists of a tag key and a tag value. The tag value can be
5138
- # an empty (null) string.
5649
+ # Do not include confidential or sensitive information in this field.
5650
+ # This field may be displayed in plaintext in CloudTrail logs and
5651
+ # other output.
5139
5652
  #
5140
5653
  # You cannot have more than one tag on a KMS key with the same tag
5141
5654
  # key. If you specify an existing tag key with a different tag value,
@@ -5199,6 +5712,10 @@ module Aws::KMS
5199
5712
  # begin with `alias/` followed by the alias name, such as
5200
5713
  # `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
5201
5714
  # alias name.
5715
+ #
5716
+ # Do not include confidential or sensitive information in this field.
5717
+ # This field may be displayed in plaintext in CloudTrail logs and
5718
+ # other output.
5202
5719
  # @return [String]
5203
5720
  #
5204
5721
  # @!attribute [rw] target_key_id
@@ -5252,6 +5769,10 @@ module Aws::KMS
5252
5769
  # you specify. The custom key store name must be unique in the Amazon
5253
5770
  # Web Services account.
5254
5771
  #
5772
+ # Do not include confidential or sensitive information in this field.
5773
+ # This field may be displayed in plaintext in CloudTrail logs and
5774
+ # other output.
5775
+ #
5255
5776
  # To change this value, an CloudHSM key store must be disconnected. An
5256
5777
  # external key store can be connected or disconnected.
5257
5778
  # @return [String]
@@ -5414,6 +5935,10 @@ module Aws::KMS
5414
5935
  #
5415
5936
  # @!attribute [rw] description
5416
5937
  # New description for the KMS key.
5938
+ #
5939
+ # Do not include confidential or sensitive information in this field.
5940
+ # This field may be displayed in plaintext in CloudTrail logs and
5941
+ # other output.
5417
5942
  # @return [String]
5418
5943
  #
5419
5944
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
@@ -5503,6 +6028,18 @@ module Aws::KMS
5503
6028
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5504
6029
  # @return [Array<String>]
5505
6030
  #
6031
+ # @!attribute [rw] dry_run
6032
+ # Checks if your request will succeed. `DryRun` is an optional
6033
+ # parameter.
6034
+ #
6035
+ # To learn more about how to use this parameter, see [Testing your KMS
6036
+ # API calls][1] in the *Key Management Service Developer Guide*.
6037
+ #
6038
+ #
6039
+ #
6040
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6041
+ # @return [Boolean]
6042
+ #
5506
6043
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
5507
6044
  #
5508
6045
  class VerifyMacRequest < Struct.new(
@@ -5510,7 +6047,8 @@ module Aws::KMS
5510
6047
  :key_id,
5511
6048
  :mac_algorithm,
5512
6049
  :mac,
5513
- :grant_tokens)
6050
+ :grant_tokens,
6051
+ :dry_run)
5514
6052
  SENSITIVE = [:message]
5515
6053
  include Aws::Structure
5516
6054
  end
@@ -5647,6 +6185,18 @@ module Aws::KMS
5647
6185
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5648
6186
  # @return [Array<String>]
5649
6187
  #
6188
+ # @!attribute [rw] dry_run
6189
+ # Checks if your request will succeed. `DryRun` is an optional
6190
+ # parameter.
6191
+ #
6192
+ # To learn more about how to use this parameter, see [Testing your KMS
6193
+ # API calls][1] in the *Key Management Service Developer Guide*.
6194
+ #
6195
+ #
6196
+ #
6197
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6198
+ # @return [Boolean]
6199
+ #
5650
6200
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
5651
6201
  #
5652
6202
  class VerifyRequest < Struct.new(
@@ -5655,7 +6205,8 @@ module Aws::KMS
5655
6205
  :message_type,
5656
6206
  :signature,
5657
6207
  :signing_algorithm,
5658
- :grant_tokens)
6208
+ :grant_tokens,
6209
+ :dry_run)
5659
6210
  SENSITIVE = [:message]
5660
6211
  include Aws::Structure
5661
6212
  end