aws-sdk-kms 1.64.0 → 1.76.0

data/lib/aws-sdk-kms/client.rb

@@ -28,6 +28,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
 require 'aws-sdk-core/plugins/checksum_algorithm.rb'
+require 'aws-sdk-core/plugins/request_compression.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/sign.rb'
@@ -77,6 +78,7 @@ module Aws::KMS
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
     add_plugin(Aws::Plugins::ChecksumAlgorithm)
+    add_plugin(Aws::Plugins::RequestCompression)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
     add_plugin(Aws::Plugins::Sign)
@@ -190,6 +192,10 @@ module Aws::KMS
     #     Set to true to disable SDK automatically adding host prefix
     #     to default service endpoint when available.
     #
+    #   @option options [Boolean] :disable_request_compression (false)
+    #     When set to 'true' the request body will not be compressed
+    #     for supported operations.
+    #
     #   @option options [String] :endpoint
     #     The client endpoint is normally constructed from the `:region`
     #     option. You should only configure an `:endpoint` when connecting
@@ -210,6 +216,10 @@ module Aws::KMS
     #   @option options [Boolean] :endpoint_discovery (false)
     #     When set to `true`, endpoint discovery will be enabled for operations when available.
     #
+    #   @option options [Boolean] :ignore_configured_endpoint_urls
+    #     Setting to true disables use of endpoint URLs provided via environment
+    #     variables and the shared configuration file.
+    #
     #   @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
     #     The log formatter.
     #
@@ -230,6 +240,11 @@ module Aws::KMS
     #     Used when loading credentials from the shared credentials file
     #     at HOME/.aws/credentials.  When not specified, 'default' is used.
     #
+    #   @option options [Integer] :request_min_compression_size_bytes (10240)
+    #     The minimum size in bytes that triggers compression for request
+    #     bodies. The value must be non-negative integer value between 0
+    #     and 10485780 bytes inclusive.
+    #
     #   @option options [Proc] :retry_backoff
     #     A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
     #     This option is only used in the `legacy` retry mode.
@@ -275,6 +290,11 @@ module Aws::KMS
     #       in the future.
     #
     #
+    #   @option options [String] :sdk_ua_app_id
+    #     A unique and opaque application ID that is appended to the
+    #     User-Agent header as app/<sdk_ua_app_id>. It should have a
+    #     maximum length of 50.
+    #
     #   @option options [String] :secret_access_key
     #
     #   @option options [String] :session_token
@@ -397,11 +417,15 @@ module Aws::KMS
     #
     # **Related operations**: ScheduleKeyDeletion
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key whose deletion is being canceled.
@@ -544,6 +568,9 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][8].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -553,6 +580,7 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the key store ID of the custom key store that you want to
@@ -644,6 +672,9 @@ module Aws::KMS
     #
     # * UpdateAlias
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
@@ -652,6 +683,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :alias_name
     #   Specifies the alias name. This value must begin with `alias/` followed
@@ -809,6 +841,9 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -820,6 +855,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_name
     #   Specifies a friendly name for the custom key store. The name must be
@@ -916,7 +952,7 @@ module Aws::KMS
     #
     #   * An external key store with `PUBLIC_ENDPOINT` connectivity cannot use
     #     the same `XksProxyUriEndpoint` value as an external key store with
-    #     `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web Services
+    #     `VPC_ENDPOINT_SERVICE` connectivity in this Amazon Web Services
     #     Region.
     #
     #   * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
@@ -1164,6 +1200,9 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
@@ -1171,6 +1210,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key for the grant. The grant gives principals
@@ -1314,6 +1354,17 @@ module Aws::KMS
     #   when a duplicate `GrantId` is returned. All grant tokens for the same
     #   grant ID can be used interchangeably.
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateGrantResponse#grant_token #grant_token} => String
@@ -1356,6 +1407,7 @@ module Aws::KMS
     #     },
     #     grant_tokens: ["GrantTokenType"],
     #     name: "GrantNameType",
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -1453,13 +1505,6 @@ module Aws::KMS
     #   You can use HMAC keys to generate (GenerateMac) and verify
     #   (VerifyMac) HMAC codes for messages up to 4096 bytes.
     #
-    #   HMAC KMS keys are not supported in all Amazon Web Services Regions.
-    #   If you try to create an HMAC KMS key in an Amazon Web Services
-    #   Region in which HMAC keys are not supported, the `CreateKey`
-    #   operation returns an `UnsupportedOperationException`. For a list of
-    #   Regions in which HMAC KMS keys are supported, see [HMAC keys in
-    #   KMS][4] in the *Key Management Service Developer Guide*.
-    #
     #
     #
     # Multi-Region primary keys
@@ -1486,46 +1531,48 @@ module Aws::KMS
     #   to encrypt data in one Amazon Web Services Region and decrypt it in
     #   a different Amazon Web Services Region without re-encrypting the
     #   data or making a cross-Region call. For more information about
-    #   multi-Region keys, see [Multi-Region keys in KMS][5] in the *Key
+    #   multi-Region keys, see [Multi-Region keys in KMS][4] in the *Key
     #   Management Service Developer Guide*.
     #
     #
     #
     # : To import your own key material into a KMS key, begin by creating a
-    #   symmetric encryption KMS key with no key material. To do this, use
-    #   the `Origin` parameter of `CreateKey` with a value of `EXTERNAL`.
-    #   Next, use GetParametersForImport operation to get a public key and
-    #   import token, and use the public key to encrypt your key material.
+    #   KMS key with no key material. To do this, use the `Origin` parameter
+    #   of `CreateKey` with a value of `EXTERNAL`. Next, use
+    #   GetParametersForImport operation to get a public key and import
+    #   token. Use the wrapping public key to encrypt your key material.
     #   Then, use ImportKeyMaterial with your import token to import the key
     #   material. For step-by-step instructions, see [Importing Key
-    #   Material][6] in the <i> <i>Key Management Service Developer
+    #   Material][5] in the <i> <i>Key Management Service Developer
     #   Guide</i> </i>.
     #
-    #   This feature supports only symmetric encryption KMS keys, including
-    #   multi-Region symmetric encryption KMS keys. You cannot import key
-    #   material into any other type of KMS key.
+    #   You can import key material into KMS keys of all supported KMS key
+    #   types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric
+    #   encryption KMS keys, and asymmetric signing KMS keys. You can also
+    #   create multi-Region keys with imported key material. However, you
+    #   can't import key material into a KMS key in a custom key store.
     #
     #   To create a multi-Region primary key with imported key material, use
     #   the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
     #   the `MultiRegion` parameter with a value of `True`. To create
     #   replicas of the multi-Region primary key, use the ReplicateKey
     #   operation. For instructions, see [Importing key material into
-    #   multi-Region keys][7]. For more information about multi-Region keys,
-    #   see [Multi-Region keys in KMS][5] in the *Key Management Service
+    #   multi-Region keys][6]. For more information about multi-Region keys,
+    #   see [Multi-Region keys in KMS][4] in the *Key Management Service
     #   Developer Guide*.
     #
     #
     #
     # Custom key store
     #
-    # : A [custom key store][8] lets you protect your Amazon Web Services
+    # : A [custom key store][7] lets you protect your Amazon Web Services
     #   resources using keys in a backing key store that you own and manage.
     #   When you request a cryptographic operation with a KMS key in a
     #   custom key store, the operation is performed in the backing key
     #   store using its cryptographic keys.
     #
-    #   KMS supports [CloudHSM key stores][9] backed by an CloudHSM cluster
-    #   and [external key stores][10] backed by an external key manager
+    #   KMS supports [CloudHSM key stores][8] backed by an CloudHSM cluster
+    #   and [external key stores][9] backed by an external key manager
     #   outside of Amazon Web Services. When you create a KMS key in an
     #   CloudHSM key store, KMS generates an encryption key in the CloudHSM
     #   cluster and associates it with the KMS key. When you create a KMS
@@ -1550,13 +1597,13 @@ module Aws::KMS
     #   `ENCRYPT_DECRYPT` to create a symmetric encryption key. No other key
     #   type is supported in a custom key store.
     #
-    #   To create a KMS key in an [CloudHSM key store][9], use the `Origin`
+    #   To create a KMS key in an [CloudHSM key store][8], use the `Origin`
     #   parameter with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that
     #   is associated with the custom key store must have at least two
     #   active HSMs in different Availability Zones in the Amazon Web
     #   Services Region.
     #
-    #   To create a KMS key in an [external key store][10], use the `Origin`
+    #   To create a KMS key in an [external key store][9], use the `Origin`
     #   parameter with a value of `EXTERNAL_KEY_STORE` and an `XksKeyId`
     #   parameter that identifies an existing external key.
     #
@@ -1569,10 +1616,10 @@ module Aws::KMS
     # **Cross-account use**: No. You cannot use this operation to create a
     # KMS key in a different Amazon Web Services account.
     #
-    # **Required permissions**: [kms:CreateKey][11] (IAM policy). To use the
-    # `Tags` parameter, [kms:TagResource][11] (IAM policy). For examples and
+    # **Required permissions**: [kms:CreateKey][10] (IAM policy). To use the
+    # `Tags` parameter, [kms:TagResource][10] (IAM policy). For examples and
     # information about related permissions, see [Allow a user to create KMS
-    # keys][12] in the *Key Management Service Developer Guide*.
+    # keys][11] in the *Key Management Service Developer Guide*.
     #
     # **Related operations:**
     #
@@ -1582,20 +1629,23 @@ module Aws::KMS
     #
     # * ScheduleKeyDeletion
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][12].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
-    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
-    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
-    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :policy
     #   The key policy to attach to the KMS key.
@@ -1817,12 +1867,13 @@ module Aws::KMS
     #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent PutKeyPolicy request on
-    #   the KMS key.
+    #   is making the request from making a subsequent [PutKeyPolicy][2]
+    #   request on the KMS key.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
     #
     # @option params [Array<Types::Tag>] :tags
     #   Assigns one or more tags to the KMS key. Use this parameter to tag the
@@ -2100,8 +2151,8 @@ module Aws::KMS
     #
     # @example Example: To create a KMS key for imported key material
     #
-    #   # This example creates a KMS key with no key material. When the operation is complete, you can import your own key
-    #   # material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
+    #   # This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own
+    #   # key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
     #
     #   resp = client.create_key({
     #     origin: "EXTERNAL", # The source of the key material for the KMS key.
@@ -2324,10 +2375,10 @@ module Aws::KMS
     # parameter to provide the attestation document for the enclave. Instead
     # of the plaintext data, the response includes the plaintext data
     # encrypted with the public key from the attestation document
-    # (`CiphertextForRecipient`).For information about the interaction
+    # (`CiphertextForRecipient`). For information about the interaction
     # between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon
     # Web Services Nitro Enclaves uses KMS][7] in the *Key Management
-    # Service Developer Guide*..
+    # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][8] in the *Key
@@ -2349,6 +2400,9 @@ module Aws::KMS
     #
     # * ReEncrypt
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
@@ -2360,6 +2414,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
@@ -2466,10 +2521,21 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DecryptResponse#key_id #key_id} => String
@@ -2549,6 +2615,7 @@ module Aws::KMS
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
     #       attestation_document: "data",
     #     },
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -2605,11 +2672,15 @@ module Aws::KMS
     #
     # * UpdateAlias
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :alias_name
     #   The alias to be deleted. The alias name must begin with `alias/`
@@ -2696,6 +2767,9 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -2703,6 +2777,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to delete. To find the
@@ -2740,18 +2815,16 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Deletes key material that you previously imported. This operation
-    # makes the specified KMS key unusable. For more information about
-    # importing key material into KMS, see [Importing Key Material][1] in
-    # the *Key Management Service Developer Guide*.
+    # Deletes key material that was previously imported. This operation
+    # makes the specified KMS key temporarily unusable. To restore the
+    # usability of the KMS key, reimport the same key material. For more
+    # information about importing key material into KMS, see [Importing Key
+    # Material][1] in the *Key Management Service Developer Guide*.
     #
     # When the specified KMS key is in the `PendingDeletion` state, this
     # operation does not change the KMS key's state. Otherwise, it changes
     # the KMS key's state to `PendingImport`.
     #
-    # After you delete key material, you can use ImportKeyMaterial to
-    # reimport the same key material into the KMS key.
-    #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][2] in the *Key
     # Management Service Developer Guide*.
@@ -2768,11 +2841,15 @@ module Aws::KMS
     #
     # * ImportKeyMaterial
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key from which you are deleting imported key
@@ -2869,12 +2946,16 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :custom_key_store_id
     #   Gets only information about the specified custom key store. Enter the
@@ -3058,15 +3139,11 @@ module Aws::KMS
     # also displays the key usage (encryption, signing, or generating and
     # verifying MACs) and the algorithms that the KMS key supports.
     #
-    # For [multi-Region
-    # keys](kms/latest/developerguide/multi-region-keys-overview.html),
-    # `DescribeKey` displays the primary key and all related replica keys.
-    # For KMS keys in [CloudHSM key
-    # stores](kms/latest/developerguide/keystore-cloudhsm.html), it includes
-    # information about the key store, such as the key store ID and the
-    # CloudHSM cluster ID. For KMS keys in [external key
-    # stores](kms/latest/developerguide/keystore-external.html), it includes
-    # the custom key store ID and the ID of the external key.
+    # For [multi-Region keys][3], `DescribeKey` displays the primary key and
+    # all related replica keys. For KMS keys in [CloudHSM key stores][4], it
+    # includes information about the key store, such as the key store ID and
+    # the CloudHSM cluster ID. For KMS keys in [external key stores][5], it
+    # includes the custom key store ID and the ID of the external key.
     #
     # `DescribeKey` does not return the following information:
     #
@@ -3076,7 +3153,7 @@ module Aws::KMS
     # * Whether automatic key rotation is enabled on the KMS key. To get
     #   this information, use GetKeyRotationStatus. Also, some key states
     #   prevent a KMS key from being automatically rotated. For details, see
-    #   [How Automatic Key Rotation Works][3] in the *Key Management Service
+    #   [How Automatic Key Rotation Works][6] in the *Key Management Service
     #   Developer Guide*.
     #
     # * Tags on the KMS key. To get this information, use ListResourceTags.
@@ -3093,7 +3170,7 @@ module Aws::KMS
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**: [kms:DescribeKey][4] (key policy)
+    # **Required permissions**: [kms:DescribeKey][7] (key policy)
     #
     # **Related operations:**
     #
@@ -3111,12 +3188,19 @@ module Aws::KMS
     #
     # * ListRetirableGrants
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][8].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Describes the specified KMS key.
@@ -3447,11 +3531,15 @@ module Aws::KMS
     #
     # **Related operations**: EnableKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key to disable.
@@ -3531,6 +3619,9 @@ module Aws::KMS
     #
     # * GetKeyRotationStatus
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][12].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
@@ -3544,6 +3635,7 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies a symmetric encryption KMS key. You cannot enable or
@@ -3643,11 +3735,15 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to disconnect. To find
@@ -3701,11 +3797,15 @@ module Aws::KMS
     #
     # **Related operations**: DisableKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key to enable.
@@ -3751,7 +3851,7 @@ module Aws::KMS
     # Enables [automatic rotation of the key material][1] of the specified
     # symmetric encryption KMS key.
     #
-    # When you enable automatic rotation of a[customer managed KMS key][2],
+    # When you enable automatic rotation of a [customer managed KMS key][2],
     # KMS rotates the key material of the KMS key one year (approximately
     # 365 days) from the enable date and every year thereafter. You can
     # monitor rotation of the key material for your KMS keys in CloudTrail
@@ -3797,6 +3897,9 @@ module Aws::KMS
     #
     # * GetKeyRotationStatus
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][13].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
@@ -3811,6 +3914,7 @@ module Aws::KMS
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies a symmetric encryption KMS key. You cannot enable automatic
@@ -3947,11 +4051,15 @@ module Aws::KMS
     #
     # * GenerateDataKeyPair
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key to use in the encryption operation. The KMS key
@@ -4032,6 +4140,17 @@ module Aws::KMS
     #
     #   The SM2PKE algorithm is only available in China Regions.
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::EncryptResponse#ciphertext_blob #ciphertext_blob} => String
@@ -4083,6 +4202,7 @@ module Aws::KMS
     #     },
     #     grant_tokens: ["GrantTokenType"],
     #     encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -4199,6 +4319,9 @@ module Aws::KMS
     #
     # * GenerateDataKeyWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
@@ -4210,6 +4333,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
     # [8]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Specifies the symmetric encryption KMS key that encrypts the data key.
@@ -4317,6 +4441,17 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateDataKeyResponse#ciphertext_blob #ciphertext_blob} => String
@@ -4381,6 +4516,7 @@ module Aws::KMS
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
     #       attestation_document: "data",
     #     },
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -4404,8 +4540,9 @@ module Aws::KMS
     # a copy of the private key that is encrypted under the symmetric
     # encryption KMS key you specify. You can use the data key pair to
     # perform asymmetric cryptography and implement digital signatures
-    # outside of KMS. The bytes in the keys are random; they not related to
-    # the caller or to the KMS key that is used to encrypt the private key.
+    # outside of KMS. The bytes in the keys are random; they are not related
+    # to the caller or to the KMS key that is used to encrypt the private
+    # key.
     #
     # You can use the public key that `GenerateDataKeyPair` returns to
     # encrypt data or verify a signature outside of KMS. Then, store the
@@ -4486,6 +4623,9 @@ module Aws::KMS
     #
     # * GenerateDataKeyWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][9].
+    #
     #
     #
     # [1]: https://tools.ietf.org/html/rfc5280
@@ -4496,6 +4636,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used when encrypting the
@@ -4596,6 +4737,17 @@ module Aws::KMS
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::GenerateDataKeyPairResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateDataKeyPairResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
@@ -4665,6 +4817,7 @@ module Aws::KMS
     #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
     #       attestation_document: "data",
     #     },
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -4747,12 +4900,16 @@ module Aws::KMS
     #
     # * GenerateDataKeyWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://tools.ietf.org/html/rfc5280
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used when encrypting the
@@ -4824,6 +4981,17 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::GenerateDataKeyPairWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateDataKeyPairWithoutPlaintextResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
@@ -4859,6 +5027,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
     #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -4951,11 +5120,15 @@ module Aws::KMS
     #
     # * GenerateDataKeyPairWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Specifies the symmetric encryption KMS key that encrypts the data key.
@@ -5028,6 +5201,17 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
@@ -5060,6 +5244,7 @@ module Aws::KMS
     #     key_spec: "AES_256", # accepts AES_256, AES_128
     #     number_of_bytes: 1,
     #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -5111,12 +5296,16 @@ module Aws::KMS
     #
     # **Related operations**: VerifyMac
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://datatracker.ietf.org/doc/html/rfc2104
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :message
     #   The message to be hashed. Specify a message of up to 4,096 bytes.
@@ -5157,6 +5346,17 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::GenerateMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GenerateMacResponse#mac #mac} => String
@@ -5189,6 +5389,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
     #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -5235,6 +5436,9 @@ module Aws::KMS
     #
     # **Required permissions**: [kms:GenerateRandom][5] (IAM policy)
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
@@ -5242,6 +5446,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     # [4]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :number_of_bytes
     #   The length of the random byte string. This parameter is required.
@@ -5352,11 +5557,16 @@ module Aws::KMS
     #
     # **Required permissions**: [kms:GetKeyPolicy][1] (key policy)
     #
-    # **Related operations**: PutKeyPolicy
+    # **Related operations**: [PutKeyPolicy][2]
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets the key policy for the specified KMS key.
@@ -5475,6 +5685,9 @@ module Aws::KMS
     #
     # * EnableKeyRotation
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][12].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
@@ -5488,6 +5701,7 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets the rotation status for the specified KMS key.
@@ -5542,38 +5756,69 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Returns the items you need to import key material into a symmetric
-    # encryption KMS key. For more information about importing key material
-    # into KMS, see [Importing key material][1] in the *Key Management
-    # Service Developer Guide*.
+    # Returns the public key and an import token you need to import or
+    # reimport key material for a KMS key.
+    #
+    # By default, KMS keys are created with key material that KMS generates.
+    # This operation supports [Importing key material][1], an advanced
+    # feature that lets you generate and import the cryptographic key
+    # material for a KMS key. For more information about importing key
+    # material into KMS, see [Importing key material][1] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # Before calling `GetParametersForImport`, use the CreateKey operation
+    # with an `Origin` value of `EXTERNAL` to create a KMS key with no key
+    # material. You can import key material for a symmetric encryption KMS
+    # key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric
+    # signing KMS key. You can also import key material into a [multi-Region
+    # key][2] of any supported type. However, you can't import key material
+    # into a KMS key in a [custom key store][3]. You can also use
+    # `GetParametersForImport` to get a public key and import token to
+    # [reimport the original key material][4] into a KMS key whose key
+    # material expired or was deleted.
+    #
+    # `GetParametersForImport` returns the items that you need to import
+    # your key material.
+    #
+    # * The public key (or "wrapping key") of an RSA key pair that KMS
+    #   generates.
+    #
+    #   You will use this public key to encrypt ("wrap") your key material
+    #   while it's in transit to KMS.
+    #
+    # * A import token that ensures that KMS can decrypt your key material
+    #   and associate it with the correct KMS key.
+    #
+    # The public key and its import token are permanently linked and must be
+    # used together. Each public key and import token set is valid for 24
+    # hours. The expiration date and time appear in the `ParametersValidTo`
+    # field in the `GetParametersForImport` response. You cannot use an
+    # expired public key or import token in an ImportKeyMaterial request. If
+    # your key and token expire, send another `GetParametersForImport`
+    # request.
+    #
+    # `GetParametersForImport` requires the following information:
     #
-    # This operation returns a public key and an import token. Use the
-    # public key to encrypt the symmetric key material. Store the import
-    # token to send with a subsequent ImportKeyMaterial request.
-    #
-    # You must specify the key ID of the symmetric encryption KMS key into
-    # which you will import key material. The KMS key `Origin` must be
-    # `EXTERNAL`. You must also specify the wrapping algorithm and type of
-    # wrapping key (public key) that you will use to encrypt the key
-    # material. You cannot perform this operation on an asymmetric KMS key,
-    # an HMAC KMS key, or on any KMS key in a different Amazon Web Services
-    # account.
-    #
-    # To import key material, you must use the public key and import token
-    # from the same response. These items are valid for 24 hours. The
-    # expiration date and time appear in the `GetParametersForImport`
-    # response. You cannot use an expired token in an ImportKeyMaterial
-    # request. If your key and token expire, send another
-    # `GetParametersForImport` request.
+    # * The key ID of the KMS key for which you are importing the key
+    #   material.
+    #
+    # * The key spec of the public key ("wrapping key") that you will use
+    #   to encrypt your key material during import.
+    #
+    # * The wrapping algorithm that you will use with the public key to
+    #   encrypt your key material.
+    #
+    # You can use the same or a different public key spec and wrapping
+    # algorithm each time you import or reimport the same key material.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
     # Management Service Developer Guide*.
     #
     # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**: [kms:GetParametersForImport][3] (key policy)
+    # **Required permissions**: [kms:GetParametersForImport][6] (key policy)
     #
     # **Related operations:**
     #
@@ -5581,15 +5826,25 @@ module Aws::KMS
     #
     # * DeleteImportedKeyMaterial
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric encryption KMS key into which you will
-    #   import key material. The `Origin` of the KMS key must be `EXTERNAL`.
+    #   The identifier of the KMS key that will be associated with the
+    #   imported key material. The `Origin` of the KMS key must be `EXTERNAL`.
+    #
+    #   All KMS key types are supported, including multi-Region keys. However,
+    #   you cannot import key material into a KMS key in a custom key store.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -5604,25 +5859,52 @@ module Aws::KMS
     #   DescribeKey.
     #
     # @option params [required, String] :wrapping_algorithm
-    #   The algorithm you will use to encrypt the key material before using
-    #   the ImportKeyMaterial operation to import it. For more information,
-    #   see [Encrypt the key material][1] in the *Key Management Service
-    #   Developer Guide*.
+    #   The algorithm you will use with the RSA public key (`PublicKey`) in
+    #   the response to protect your key material during import. For more
+    #   information, see [Select a wrapping
+    #   algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
+    #   in the *Key Management Service Developer Guide*.
+    #
+    #   For RSA\_AES wrapping algorithms, you encrypt your key material with
+    #   an AES key that you generate, then encrypt your AES key with the RSA
+    #   public key from KMS. For RSAES wrapping algorithms, you encrypt your
+    #   key material directly with the RSA public key from KMS.
+    #
+    #   The wrapping algorithms that you can use depend on the type of key
+    #   material that you are importing. To import an RSA private key, you
+    #   must use an RSA\_AES wrapping algorithm.
     #
-    #   The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We recommend
-    #   that you begin using a different wrapping algorithm immediately. KMS
-    #   will end support for `RSAES_PKCS1_V1_5` by October 1, 2023 pursuant to
-    #   [cryptographic key management guidance][2] from the National Institute
-    #   of Standards and Technology (NIST).
+    #   * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
+    #     ECC key material.
     #
+    #   * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and ECC
+    #     key material.
     #
+    #   * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key material,
+    #     except RSA key material (private key).
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
-    #   [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+    #     You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with the
+    #     RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
+    #
+    #   * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
+    #     except RSA key material (private key).
+    #
+    #     You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
+    #     RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
+    #
+    #   * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
+    #     does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
     #
     # @option params [required, String] :wrapping_key_spec
-    #   The type of wrapping key (public key) to return in the response. Only
-    #   2048-bit RSA public keys are supported.
+    #   The type of RSA public key to return in the response. You will use
+    #   this wrapping key with the specified wrapping algorithm to protect
+    #   your key material during import.
+    #
+    #   Use the longest RSA wrapping key that is practical.
+    #
+    #   You cannot use an RSA\_2048 public key to directly wrap an
+    #   ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
+    #   algorithm or choose a longer RSA public key.
     #
     # @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -5632,12 +5914,13 @@ module Aws::KMS
     #   * {Types::GetParametersForImportResponse#parameters_valid_to #parameters_valid_to} => Time
     #
     #
-    # @example Example: To retrieve the public key and import token for a KMS key
+    # @example Example: To download the public key and import token for a symmetric encryption KMS key
     #
-    #   # The following example retrieves the public key and import token for the specified KMS key.
+    #   # The following example downloads a public key and import token to import symmetric encryption key material. It uses the
+    #   # default wrapping key spec and the RSAES_OAEP_SHA_256 wrapping algorithm.
     #
     #   resp = client.get_parameters_for_import({
-    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key for which to retrieve the public key and import token. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
     #     wrapping_algorithm: "RSAES_OAEP_SHA_1", # The algorithm that you will use to encrypt the key material before importing it.
     #     wrapping_key_spec: "RSA_2048", # The type of wrapping key (public key) to return in the response.
     #   })
@@ -5645,8 +5928,67 @@ module Aws::KMS
     #   resp.to_h outputs the following:
     #   {
     #     import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
-    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key for which you are retrieving the public key and import token. This is the same KMS key specified in the request.
-    #     parameters_valid_to: Time.parse("2016-12-01T14:52:17-08:00"), # The time at which the import token and public key are no longer valid.
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
+    #     parameters_valid_to: Time.parse("2023-02-01T14:52:17-08:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
+    #     public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
+    #   }
+    #
+    # @example Example: To download the public key and import token for an RSA asymmetric KMS key
+    #
+    #   # The following example downloads a public key and import token to import an RSA private key. It uses a required RSA_AES
+    #   # wrapping algorithm and the largest supported private key.
+    #
+    #   resp = client.get_parameters_for_import({
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     wrapping_algorithm: "RSA_AES_KEY_WRAP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
+    #     wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
+    #     parameters_valid_to: Time.parse("2023-03-08T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
+    #     public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
+    #   }
+    #
+    # @example Example: To download the public key and import token for an elliptic curve (ECC) asymmetric KMS key
+    #
+    #   # The following example downloads a public key and import token to import an ECC_NIST_P521 (secp521r1) private key. You
+    #   # cannot directly wrap this ECC key under an RSA_2048 public key, although you can use an RSA_2048 public key with an
+    #   # RSA_AES wrapping algorithm to wrap any supported key material. This example requests an RSA_3072 public key for use with
+    #   # the RSAES_OAEP_SHA_256.
+    #
+    #   resp = client.get_parameters_for_import({
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
+    #     wrapping_key_spec: "RSA_3072", # The type of wrapping key (public key) to return in the response.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
+    #     parameters_valid_to: Time.parse("2023-09-12T03:15:01-20:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
+    #     public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
+    #   }
+    #
+    # @example Example: To download the public key and import token for an HMAC KMS key
+    #
+    #   # The following example downloads a public key and import token to import an HMAC key. It uses the RSAES_OAEP_SHA_256
+    #   # wrapping algorithm and an RSA_4096 private key.
+    #
+    #   resp = client.get_parameters_for_import({
+    #     key_id: "2468abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
+    #     wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
+    #     key_id: "arn:aws:kms:us-east-2:111122223333:key/2468abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
+    #     parameters_valid_to: Time.parse("2023-04-02T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
     #     public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
     #   }
     #
@@ -5654,8 +5996,8 @@ module Aws::KMS
     #
     #   resp = client.get_parameters_for_import({
     #     key_id: "KeyIdType", # required
-    #     wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
-    #     wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
+    #     wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
+    #     wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
     #   })
     #
     # @example Response structure
@@ -5727,6 +6069,9 @@ module Aws::KMS
     #
     # **Related operations**: CreateKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][9].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
@@ -5737,6 +6082,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric KMS key that includes the public key.
@@ -5834,66 +6180,112 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Imports key material into an existing symmetric encryption KMS key
-    # that was created without key material. After you successfully import
-    # key material into a KMS key, you can [reimport the same key
-    # material][1] into that KMS key, but you cannot import different key
-    # material.
-    #
-    # You cannot perform this operation on an asymmetric KMS key, an HMAC
-    # KMS key, or on any KMS key in a different Amazon Web Services account.
-    # For more information about creating KMS keys with no key material and
-    # then importing key material, see [Importing Key Material][2] in the
-    # *Key Management Service Developer Guide*.
-    #
-    # Before using this operation, call GetParametersForImport. Its response
-    # includes a public key and an import token. Use the public key to
-    # encrypt the key material. Then, submit the import token from the same
-    # `GetParametersForImport` response.
-    #
-    # When calling this operation, you must specify the following values:
-    #
-    # * The key ID or key ARN of a KMS key with no key material. Its
-    #   `Origin` must be `EXTERNAL`.
-    #
-    #   To create a KMS key with no key material, call CreateKey and set the
-    #   value of its `Origin` parameter to `EXTERNAL`. To get the `Origin`
-    #   of a KMS key, call DescribeKey.)
+    # Imports or reimports key material into an existing KMS key that was
+    # created without key material. `ImportKeyMaterial` also sets the
+    # expiration model and expiration date of the imported key material.
+    #
+    # By default, KMS keys are created with key material that KMS generates.
+    # This operation supports [Importing key material][1], an advanced
+    # feature that lets you generate and import the cryptographic key
+    # material for a KMS key. For more information about importing key
+    # material into KMS, see [Importing key material][1] in the *Key
+    # Management Service Developer Guide*.
     #
-    # * The encrypted key material. To get the public key to encrypt the key
-    #   material, call GetParametersForImport.
+    # After you successfully import key material into a KMS key, you can
+    # [reimport the same key material][2] into that KMS key, but you cannot
+    # import different key material. You might reimport key material to
+    # replace key material that expired or key material that you deleted.
+    # You might also reimport key material to change the expiration model or
+    # expiration date of the key material. Before reimporting key material,
+    # if necessary, call DeleteImportedKeyMaterial to delete the current
+    # imported key material.
+    #
+    # Each time you import key material into KMS, you can determine whether
+    # (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
+    # change the expiration of your key material, you must import it again,
+    # either by calling `ImportKeyMaterial` or using the [import
+    # features](kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console)
+    # of the KMS console.
+    #
+    # Before calling `ImportKeyMaterial`:
+    #
+    # * Create or identify a KMS key with no key material. The KMS key must
+    #   have an `Origin` value of `EXTERNAL`, which indicates that the KMS
+    #   key is designed for imported key material.
+    #
+    #   To create an new KMS key for imported key material, call the
+    #   CreateKey operation with an `Origin` value of `EXTERNAL`. You can
+    #   create a symmetric encryption KMS key, HMAC KMS key, asymmetric
+    #   encryption KMS key, or asymmetric signing KMS key. You can also
+    #   import key material into a [multi-Region
+    #   key](kms/latest/developerguide/multi-region-keys-overview.html) of
+    #   any supported type. However, you can't import key material into a
+    #   KMS key in a [custom key
+    #   store](kms/latest/developerguide/custom-key-store-overview.html).
+    #
+    # * Use the DescribeKey operation to verify that the `KeyState` of the
+    #   KMS key is `PendingImport`, which indicates that the KMS key has no
+    #   key material.
+    #
+    #   If you are reimporting the same key material into an existing KMS
+    #   key, you might need to call the DeleteImportedKeyMaterial to delete
+    #   its existing key material.
+    #
+    # * Call the GetParametersForImport operation to get a public key and
+    #   import token set for importing key material.
+    #
+    # * Use the public key in the GetParametersForImport response to encrypt
+    #   your key material.
+    #
+    # Then, in an `ImportKeyMaterial` request, you submit your encrypted key
+    # material and import token. When calling this operation, you must
+    # specify the following values:
+    #
+    # * The key ID or key ARN of the KMS key to associate with the imported
+    #   key material. Its `Origin` must be `EXTERNAL` and its `KeyState`
+    #   must be `PendingImport`. You cannot perform this operation on a KMS
+    #   key in a [custom key
+    #   store](kms/latest/developerguide/custom-key-store-overview.html), or
+    #   on a KMS key in a different Amazon Web Services account. To get the
+    #   `Origin` and `KeyState` of a KMS key, call DescribeKey.
+    #
+    # * The encrypted key material.
     #
     # * The import token that GetParametersForImport returned. You must use
     #   a public key and token from the same `GetParametersForImport`
     #   response.
     #
     # * Whether the key material expires (`ExpirationModel`) and, if so,
-    #   when (`ValidTo`). If you set an expiration date, on the specified
-    #   date, KMS deletes the key material from the KMS key, making the KMS
-    #   key unusable. To use the KMS key in cryptographic operations again,
-    #   you must reimport the same key material. The only way to change the
-    #   expiration model or expiration date is by reimporting the same key
-    #   material and specifying a new expiration date.
+    #   when (`ValidTo`). For help with this choice, see [Setting an
+    #   expiration time][3] in the *Key Management Service Developer Guide*.
+    #
+    #   If you set an expiration date, KMS deletes the key material from the
+    #   KMS key on the specified date, making the KMS key unusable. To use
+    #   the KMS key in cryptographic operations again, you must reimport the
+    #   same key material. However, you can delete and reimport the key
+    #   material at any time, including before the key material expires.
+    #   Each time you reimport, you can eliminate or reset the expiration
+    #   time.
     #
     # When this operation is successful, the key state of the KMS key
-    # changes from `PendingImport` to `Enabled`, and you can use the KMS
-    # key.
+    # changes from `PendingImport` to `Enabled`, and you can use the KMS key
+    # in cryptographic operations.
     #
     # If this operation fails, use the exception to help determine the
     # problem. If the error is related to the key material, the import
     # token, or wrapping key, use GetParametersForImport to get a new public
     # key and import token for the KMS key and repeat the import procedure.
-    # For help, see [How To Import Key Material][3] in the *Key Management
+    # For help, see [How To Import Key Material][4] in the *Key Management
     # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][4] in the *Key
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
     # Management Service Developer Guide*.
     #
     # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**: [kms:ImportKeyMaterial][5] (key policy)
+    # **Required permissions**: [kms:ImportKeyMaterial][6] (key policy)
     #
     # **Related operations:**
     #
@@ -5901,22 +6293,33 @@ module Aws::KMS
     #
     # * GetParametersForImport
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
+    # [3]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
-    #   The identifier of the symmetric encryption KMS key that receives the
+    #   The identifier of the KMS key that will be associated with the
     #   imported key material. This must be the same KMS key specified in the
     #   `KeyID` parameter of the corresponding GetParametersForImport request.
-    #   The `Origin` of the KMS key must be `EXTERNAL`. You cannot perform
-    #   this operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in
-    #   a custom key store, or on a KMS key in a different Amazon Web Services
-    #   account
+    #   The `Origin` of the KMS key must be `EXTERNAL` and its `KeyState` must
+    #   be `PendingImport`.
+    #
+    #   The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
+    #   asymmetric encryption KMS key, or asymmetric signing KMS key,
+    #   including a [multi-Region
+    #   key](kms/latest/developerguide/multi-region-keys-overview.html) of any
+    #   supported type. You cannot perform this operation on a KMS key in a
+    #   custom key store, or on a KMS key in a different Amazon Web Services
+    #   account.
     #
     #   Specify the key ID or key ARN of the KMS key.
     #
@@ -5937,7 +6340,7 @@ module Aws::KMS
     #
     # @option params [required, String, StringIO, File] :encrypted_key_material
     #   The encrypted key material to import. The key material must be
-    #   encrypted with the public wrapping key that GetParametersForImport
+    #   encrypted under the public wrapping key that GetParametersForImport
     #   returned, using the wrapping algorithm that you specified in the same
     #   `GetParametersForImport` request.
     #
@@ -5961,7 +6364,8 @@ module Aws::KMS
     #
     # @option params [String] :expiration_model
     #   Specifies whether the key material expires. The default is
-    #   `KEY_MATERIAL_EXPIRES`.
+    #   `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
+    #   expiration time][1] in the *Key Management Service Developer Guide*.
     #
     #   When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
     #   must specify a value for the `ValidTo` parameter. When value is
@@ -5969,8 +6373,11 @@ module Aws::KMS
     #
     #   You cannot change the `ExpirationModel` or `ValidTo` values for the
     #   current import after the request completes. To change either value,
-    #   you must delete (DeleteImportedKeyMaterial) and reimport the key
-    #   material.
+    #   you must reimport the key material.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -5986,6 +6393,19 @@ module Aws::KMS
     #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
     #   })
     #
+    # @example Example: To import key material into a KMS key
+    #
+    #   # The following example imports key material that expires in 3 days. It might be part of an application that frequently
+    #   # reimports the same key material to comply with business rules or regulations.
+    #
+    #   resp = client.import_key_material({
+    #     encrypted_key_material: "<binary data>", # The encrypted key material to import.
+    #     expiration_model: "KEY_MATERIAL_EXPIRES", # A value that specifies whether the key material expires.
+    #     import_token: "<binary data>", # The import token that you received in the response to a previous GetParametersForImport request.
+    #     key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     valid_to: Time.parse("2023-09-30T00:00:00-00:00"), # Specifies the date and time when the imported key material expires.
+    #   })
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.import_key_material({
@@ -6041,11 +6461,15 @@ module Aws::KMS
     #
     # * UpdateAlias
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :key_id
     #   Lists only aliases that are associated with the specified KMS key.
@@ -6205,12 +6629,16 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
     # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -6377,11 +6805,16 @@ module Aws::KMS
     #
     # * GetKeyPolicy
     #
-    # * PutKeyPolicy
+    # * [PutKeyPolicy][2]
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets the names of key policies for the specified KMS key.
@@ -6481,9 +6914,13 @@ module Aws::KMS
     #
     # * ListResourceTags
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][2].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -6596,11 +7033,15 @@ module Aws::KMS
     #
     # * UntagResource
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets tags on the specified KMS key.
@@ -6709,14 +7150,25 @@ module Aws::KMS
     # programming languages, see [Programming grants][2].
     #
     # **Cross-account use**: You must specify a principal in your Amazon Web
-    # Services account. However, this operation can return grants in any
-    # Amazon Web Services account. You do not need `kms:ListRetirableGrants`
-    # permission (or any other additional permission) in any Amazon Web
-    # Services account other than your own.
+    # Services account. This operation returns a list of grants where the
+    # retiring principal specified in the `ListRetirableGrants` request is
+    # the same retiring principal on the grant. This can include grants on
+    # KMS keys owned by other Amazon Web Services accounts, but you do not
+    # need `kms:ListRetirableGrants` permission (or any other additional
+    # permission) in any Amazon Web Services account other than your own.
     #
     # **Required permissions**: [kms:ListRetirableGrants][3] (IAM policy) in
     # your Amazon Web Services account.
     #
+    # <note markdown="1"> KMS authorizes `ListRetirableGrants` requests by evaluating the caller
+    # account's kms:ListRetirableGrants permissions. The authorized
+    # resource in `ListRetirableGrants` calls is the retiring principal
+    # specified in the request. KMS does not evaluate the caller's
+    # permissions to verify their access to any KMS keys or grants that
+    # might be returned by the `ListRetirableGrants` call.
+    #
+    #  </note>
+    #
     # **Related operations:**
     #
     # * CreateGrant
@@ -6727,11 +7179,15 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -6851,12 +7307,16 @@ module Aws::KMS
     #
     # **Related operations**: GetKeyPolicy
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Sets the key policy on the specified KMS key.
@@ -6931,12 +7391,13 @@ module Aws::KMS
     #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent PutKeyPolicy request on
-    #   the KMS key.
+    #   is making the request from making a subsequent [PutKeyPolicy][2]
+    #   request on the KMS key.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -7061,6 +7522,9 @@ module Aws::KMS
     #
     # * GenerateDataKeyPair
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][9].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
@@ -7071,6 +7535,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
@@ -7215,6 +7680,17 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ReEncryptResponse#ciphertext_blob #ciphertext_blob} => String
@@ -7255,6 +7731,7 @@ module Aws::KMS
     #     source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #     destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
     #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -7329,9 +7806,8 @@ module Aws::KMS
     # If you replicate a multi-Region primary key with imported key
     # material, the replica key is created with no key material. You must
     # import the same key material that you imported into the primary key.
-    # For details, see [Importing key material into multi-Region
-    # keys](kms/latest/developerguide/multi-region-keys-import.html) in the
-    # *Key Management Service Developer Guide*.
+    # For details, see [Importing key material into multi-Region keys][12]
+    # in the *Key Management Service Developer Guide*.
     #
     # To convert a replica key to a primary key, use the UpdatePrimaryRegion
     # operation.
@@ -7361,6 +7837,9 @@ module Aws::KMS
     #
     # * UpdatePrimaryRegion
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][13].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
@@ -7374,6 +7853,8 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the multi-Region primary key that is being replicated. To
@@ -7492,12 +7973,13 @@ module Aws::KMS
     #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent PutKeyPolicy request on
-    #   the KMS key.
+    #   is making the request from making a subsequent [PutKeyPolicy][2]
+    #   request on the KMS key.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
     #
     # @option params [String] :description
     #   A description of the KMS key. The default value is an empty string (no
@@ -7688,7 +8170,7 @@ module Aws::KMS
     # **Cross-account use**: Yes. You can retire a grant on a KMS key in a
     # different Amazon Web Services account.
     #
-    # **Required permissions:**:Permission to retire a grant is determined
+    # **Required permissions**: Permission to retire a grant is determined
     # primarily by the grant. For details, see [Retiring and revoking
     # grants][2] in the *Key Management Service Developer Guide*.
     #
@@ -7702,12 +8184,16 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :grant_token
     #   Identifies the grant to be retired. You can use a grant token to
@@ -7738,6 +8224,17 @@ module Aws::KMS
     #
     #   ^
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     #
@@ -7756,6 +8253,7 @@ module Aws::KMS
     #     grant_token: "GrantTokenType",
     #     key_id: "KeyIdType",
     #     grant_id: "GrantIdType",
+    #     dry_run: false,
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant AWS API Documentation
@@ -7799,6 +8297,9 @@ module Aws::KMS
     #
     # * RetireGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
@@ -7806,6 +8307,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the KMS key associated with the grant. To get
@@ -7828,6 +8330,17 @@ module Aws::KMS
     #   Identifies the grant to revoke. To get the grant ID, use CreateGrant,
     #   ListGrants, or ListRetirableGrants.
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     #
@@ -7845,6 +8358,7 @@ module Aws::KMS
     #   resp = client.revoke_grant({
     #     key_id: "KeyIdType", # required
     #     grant_id: "GrantIdType", # required
+    #     dry_run: false,
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant AWS API Documentation
@@ -7870,8 +8384,10 @@ module Aws::KMS
     # Deleting a KMS key is a destructive and potentially dangerous
     # operation. When a KMS key is deleted, all data that was encrypted
     # under the KMS key is unrecoverable. (The only exception is a
-    # multi-Region replica key.) To prevent the use of a KMS key without
-    # deleting it, use DisableKey.
+    # [multi-Region replica key][1], or an [asymmetric or HMAC KMS key with
+    # imported key
+    # material](kms/latest/developerguide/importing-keys-managing.html#import-delete-key).)
+    # To prevent the use of a KMS key without deleting it, use DisableKey.
     #
     # You can schedule the deletion of a multi-Region primary key and its
     # replica keys at any time. However, KMS will not delete a multi-Region
@@ -7915,6 +8431,9 @@ module Aws::KMS
     #
     # * DisableKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html
@@ -7923,6 +8442,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   The unique identifier of the KMS key to delete.
@@ -7949,6 +8469,13 @@ module Aws::KMS
     #
     #   This value is optional. If you include a value, it must be between 7
     #   and 30, inclusive. If you do not include a value, it defaults to 30.
+    #   You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
+    #   condition key to further constrain the values that principals can
+    #   specify in the `PendingWindowInDays` parameter.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
     #
     # @return [Types::ScheduleKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -8055,12 +8582,16 @@ module Aws::KMS
     #
     # **Related operations**: Verify
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://en.wikipedia.org/wiki/Digital_signature
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies an asymmetric KMS key. KMS uses the private key in the
@@ -8157,6 +8688,17 @@ module Aws::KMS
     #   RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
     #   algorithms for compatibility with existing applications.
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::SignResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::SignResponse#key_id #key_id} => String
@@ -8211,6 +8753,7 @@ module Aws::KMS
     #     message_type: "RAW", # accepts RAW, DIGEST
     #     grant_tokens: ["GrantTokenType"],
     #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -8272,6 +8815,9 @@ module Aws::KMS
     #
     # * UntagResource
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][11].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
@@ -8284,6 +8830,7 @@ module Aws::KMS
     # [8]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies a customer managed key in the account and Region.
@@ -8388,6 +8935,9 @@ module Aws::KMS
     #
     # * TagResource
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
@@ -8396,6 +8946,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key from which you are removing tags.
@@ -8499,12 +9050,16 @@ module Aws::KMS
     #
     # * ListAliases
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :alias_name
     #   Identifies the alias that is changing its KMS key. This value must
@@ -8670,10 +9225,14 @@ module Aws::KMS
     #
     # * DisconnectCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Identifies the custom key store that you want to update. Enter the ID
@@ -8944,10 +9503,14 @@ module Aws::KMS
     #
     # * DescribeKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Updates the description of the specified KMS key.
@@ -9071,6 +9634,9 @@ module Aws::KMS
     #
     # * ReplicateKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update
@@ -9082,6 +9648,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
     # [8]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the current primary key. When the operation completes, this
@@ -9190,12 +9757,16 @@ module Aws::KMS
     #
     # **Related operations**: Sign
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric KMS key that will be used to verify the
@@ -9293,6 +9864,17 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::VerifyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::VerifyResponse#key_id #key_id} => String
@@ -9350,6 +9932,7 @@ module Aws::KMS
     #     signature: "data", # required
     #     signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
     #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -9395,12 +9978,16 @@ module Aws::KMS
     #
     # **Related operations**: GenerateMac
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://datatracker.ietf.org/doc/html/rfc2104
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :message
     #   The message that will be used in the verification. Enter the same
@@ -9440,6 +10027,17 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
     # @return [Types::VerifyMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::VerifyMacResponse#key_id #key_id} => String
@@ -9474,6 +10072,7 @@ module Aws::KMS
     #     mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
     #     mac: "data", # required
     #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
     #   })
     #
     # @example Response structure
@@ -9504,7 +10103,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.64.0'
+      context[:gem_version] = '1.76.0'
       Seahorse::Client::Request.new(handlers, context)
     end