aws-sdk-kms 1.64.0 → 1.76.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -418,7 +418,7 @@ module Aws::KMS
418
418
  #
419
419
  # * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
420
420
  # use the same `XksProxyUriEndpoint` value as an external key store
421
- # with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
421
+ # with `VPC_ENDPOINT_SERVICE` connectivity in this Amazon Web
422
422
  # Services Region.
423
423
  #
424
424
  # * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
@@ -703,6 +703,18 @@ module Aws::KMS
703
703
  # the same grant ID can be used interchangeably.
704
704
  # @return [String]
705
705
  #
706
+ # @!attribute [rw] dry_run
707
+ # Checks if your request will succeed. `DryRun` is an optional
708
+ # parameter.
709
+ #
710
+ # To learn more about how to use this parameter, see [Testing your KMS
711
+ # API calls][1] in the *Key Management Service Developer Guide*.
712
+ #
713
+ #
714
+ #
715
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
716
+ # @return [Boolean]
717
+ #
706
718
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
707
719
  #
708
720
  class CreateGrantRequest < Struct.new(
@@ -712,7 +724,8 @@ module Aws::KMS
712
724
  :operations,
713
725
  :constraints,
714
726
  :grant_tokens,
715
- :name)
727
+ :name,
728
+ :dry_run)
716
729
  SENSITIVE = []
717
730
  include Aws::Structure
718
731
  end
@@ -979,12 +992,13 @@ module Aws::KMS
979
992
  # Management Service Developer Guide*.
980
993
  #
981
994
  # Use this parameter only when you intend to prevent the principal
982
- # that is making the request from making a subsequent PutKeyPolicy
983
- # request on the KMS key.
995
+ # that is making the request from making a subsequent
996
+ # [PutKeyPolicy][2] request on the KMS key.
984
997
  #
985
998
  #
986
999
  #
987
1000
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
1001
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
988
1002
  # @return [Boolean]
989
1003
  #
990
1004
  # @!attribute [rw] tags
@@ -1583,11 +1597,23 @@ module Aws::KMS
1583
1597
  #
1584
1598
  #
1585
1599
  #
1586
- # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1600
+ # [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
1587
1601
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1588
1602
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1589
1603
  # @return [Types::RecipientInfo]
1590
1604
  #
1605
+ # @!attribute [rw] dry_run
1606
+ # Checks if your request will succeed. `DryRun` is an optional
1607
+ # parameter.
1608
+ #
1609
+ # To learn more about how to use this parameter, see [Testing your KMS
1610
+ # API calls][1] in the *Key Management Service Developer Guide*.
1611
+ #
1612
+ #
1613
+ #
1614
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1615
+ # @return [Boolean]
1616
+ #
1591
1617
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
1592
1618
  #
1593
1619
  class DecryptRequest < Struct.new(
@@ -1596,7 +1622,8 @@ module Aws::KMS
1596
1622
  :grant_tokens,
1597
1623
  :key_id,
1598
1624
  :encryption_algorithm,
1599
- :recipient)
1625
+ :recipient,
1626
+ :dry_run)
1600
1627
  SENSITIVE = []
1601
1628
  include Aws::Structure
1602
1629
  end
@@ -1944,6 +1971,19 @@ module Aws::KMS
1944
1971
  #
1945
1972
  class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
1946
1973
 
1974
+ # The request was rejected because the DryRun parameter was specified.
1975
+ #
1976
+ # @!attribute [rw] message
1977
+ # @return [String]
1978
+ #
1979
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DryRunOperationException AWS API Documentation
1980
+ #
1981
+ class DryRunOperationException < Struct.new(
1982
+ :message)
1983
+ SENSITIVE = []
1984
+ include Aws::Structure
1985
+ end
1986
+
1947
1987
  # @!attribute [rw] key_id
1948
1988
  # Identifies the KMS key to enable.
1949
1989
  #
@@ -2089,6 +2129,18 @@ module Aws::KMS
2089
2129
  # The SM2PKE algorithm is only available in China Regions.
2090
2130
  # @return [String]
2091
2131
  #
2132
+ # @!attribute [rw] dry_run
2133
+ # Checks if your request will succeed. `DryRun` is an optional
2134
+ # parameter.
2135
+ #
2136
+ # To learn more about how to use this parameter, see [Testing your KMS
2137
+ # API calls][1] in the *Key Management Service Developer Guide*.
2138
+ #
2139
+ #
2140
+ #
2141
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2142
+ # @return [Boolean]
2143
+ #
2092
2144
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
2093
2145
  #
2094
2146
  class EncryptRequest < Struct.new(
@@ -2096,7 +2148,8 @@ module Aws::KMS
2096
2148
  :plaintext,
2097
2149
  :encryption_context,
2098
2150
  :grant_tokens,
2099
- :encryption_algorithm)
2151
+ :encryption_algorithm,
2152
+ :dry_run)
2100
2153
  SENSITIVE = [:plaintext]
2101
2154
  include Aws::Structure
2102
2155
  end
@@ -2252,6 +2305,18 @@ module Aws::KMS
2252
2305
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2253
2306
  # @return [Types::RecipientInfo]
2254
2307
  #
2308
+ # @!attribute [rw] dry_run
2309
+ # Checks if your request will succeed. `DryRun` is an optional
2310
+ # parameter.
2311
+ #
2312
+ # To learn more about how to use this parameter, see [Testing your KMS
2313
+ # API calls][1] in the *Key Management Service Developer Guide*.
2314
+ #
2315
+ #
2316
+ #
2317
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2318
+ # @return [Boolean]
2319
+ #
2255
2320
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
2256
2321
  #
2257
2322
  class GenerateDataKeyPairRequest < Struct.new(
@@ -2259,7 +2324,8 @@ module Aws::KMS
2259
2324
  :key_id,
2260
2325
  :key_pair_spec,
2261
2326
  :grant_tokens,
2262
- :recipient)
2327
+ :recipient,
2328
+ :dry_run)
2263
2329
  SENSITIVE = []
2264
2330
  include Aws::Structure
2265
2331
  end
@@ -2403,13 +2469,26 @@ module Aws::KMS
2403
2469
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2404
2470
  # @return [Array<String>]
2405
2471
  #
2472
+ # @!attribute [rw] dry_run
2473
+ # Checks if your request will succeed. `DryRun` is an optional
2474
+ # parameter.
2475
+ #
2476
+ # To learn more about how to use this parameter, see [Testing your KMS
2477
+ # API calls][1] in the *Key Management Service Developer Guide*.
2478
+ #
2479
+ #
2480
+ #
2481
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2482
+ # @return [Boolean]
2483
+ #
2406
2484
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
2407
2485
  #
2408
2486
  class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
2409
2487
  :encryption_context,
2410
2488
  :key_id,
2411
2489
  :key_pair_spec,
2412
- :grant_tokens)
2490
+ :grant_tokens,
2491
+ :dry_run)
2413
2492
  SENSITIVE = []
2414
2493
  include Aws::Structure
2415
2494
  end
@@ -2564,6 +2643,18 @@ module Aws::KMS
2564
2643
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2565
2644
  # @return [Types::RecipientInfo]
2566
2645
  #
2646
+ # @!attribute [rw] dry_run
2647
+ # Checks if your request will succeed. `DryRun` is an optional
2648
+ # parameter.
2649
+ #
2650
+ # To learn more about how to use this parameter, see [Testing your KMS
2651
+ # API calls][1] in the *Key Management Service Developer Guide*.
2652
+ #
2653
+ #
2654
+ #
2655
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2656
+ # @return [Boolean]
2657
+ #
2567
2658
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
2568
2659
  #
2569
2660
  class GenerateDataKeyRequest < Struct.new(
@@ -2572,7 +2663,8 @@ module Aws::KMS
2572
2663
  :number_of_bytes,
2573
2664
  :key_spec,
2574
2665
  :grant_tokens,
2575
- :recipient)
2666
+ :recipient,
2667
+ :dry_run)
2576
2668
  SENSITIVE = []
2577
2669
  include Aws::Structure
2578
2670
  end
@@ -2707,6 +2799,18 @@ module Aws::KMS
2707
2799
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2708
2800
  # @return [Array<String>]
2709
2801
  #
2802
+ # @!attribute [rw] dry_run
2803
+ # Checks if your request will succeed. `DryRun` is an optional
2804
+ # parameter.
2805
+ #
2806
+ # To learn more about how to use this parameter, see [Testing your KMS
2807
+ # API calls][1] in the *Key Management Service Developer Guide*.
2808
+ #
2809
+ #
2810
+ #
2811
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2812
+ # @return [Boolean]
2813
+ #
2710
2814
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
2711
2815
  #
2712
2816
  class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
@@ -2714,7 +2818,8 @@ module Aws::KMS
2714
2818
  :encryption_context,
2715
2819
  :key_spec,
2716
2820
  :number_of_bytes,
2717
- :grant_tokens)
2821
+ :grant_tokens,
2822
+ :dry_run)
2718
2823
  SENSITIVE = []
2719
2824
  include Aws::Structure
2720
2825
  end
@@ -2786,13 +2891,26 @@ module Aws::KMS
2786
2891
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2787
2892
  # @return [Array<String>]
2788
2893
  #
2894
+ # @!attribute [rw] dry_run
2895
+ # Checks if your request will succeed. `DryRun` is an optional
2896
+ # parameter.
2897
+ #
2898
+ # To learn more about how to use this parameter, see [Testing your KMS
2899
+ # API calls][1] in the *Key Management Service Developer Guide*.
2900
+ #
2901
+ #
2902
+ #
2903
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2904
+ # @return [Boolean]
2905
+ #
2789
2906
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
2790
2907
  #
2791
2908
  class GenerateMacRequest < Struct.new(
2792
2909
  :message,
2793
2910
  :key_id,
2794
2911
  :mac_algorithm,
2795
- :grant_tokens)
2912
+ :grant_tokens,
2913
+ :dry_run)
2796
2914
  SENSITIVE = [:message]
2797
2915
  include Aws::Structure
2798
2916
  end
@@ -2994,10 +3112,14 @@ module Aws::KMS
2994
3112
  end
2995
3113
 
2996
3114
  # @!attribute [rw] key_id
2997
- # The identifier of the symmetric encryption KMS key into which you
2998
- # will import key material. The `Origin` of the KMS key must be
3115
+ # The identifier of the KMS key that will be associated with the
3116
+ # imported key material. The `Origin` of the KMS key must be
2999
3117
  # `EXTERNAL`.
3000
3118
  #
3119
+ # All KMS key types are supported, including multi-Region keys.
3120
+ # However, you cannot import key material into a KMS key in a custom
3121
+ # key store.
3122
+ #
3001
3123
  # Specify the key ID or key ARN of the KMS key.
3002
3124
  #
3003
3125
  # For example:
@@ -3012,26 +3134,54 @@ module Aws::KMS
3012
3134
  # @return [String]
3013
3135
  #
3014
3136
  # @!attribute [rw] wrapping_algorithm
3015
- # The algorithm you will use to encrypt the key material before using
3016
- # the ImportKeyMaterial operation to import it. For more information,
3017
- # see [Encrypt the key material][1] in the *Key Management Service
3018
- # Developer Guide*.
3137
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
3138
+ # the response to protect your key material during import. For more
3139
+ # information, see [Select a wrapping
3140
+ # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
3141
+ # in the *Key Management Service Developer Guide*.
3142
+ #
3143
+ # For RSA\_AES wrapping algorithms, you encrypt your key material with
3144
+ # an AES key that you generate, then encrypt your AES key with the RSA
3145
+ # public key from KMS. For RSAES wrapping algorithms, you encrypt your
3146
+ # key material directly with the RSA public key from KMS.
3147
+ #
3148
+ # The wrapping algorithms that you can use depend on the type of key
3149
+ # material that you are importing. To import an RSA private key, you
3150
+ # must use an RSA\_AES wrapping algorithm.
3151
+ #
3152
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
3153
+ # ECC key material.
3019
3154
  #
3020
- # The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We
3021
- # recommend that you begin using a different wrapping algorithm
3022
- # immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
3023
- # 1, 2023 pursuant to [cryptographic key management guidance][2] from
3024
- # the National Institute of Standards and Technology (NIST).
3155
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_1** Supported for wrapping RSA and
3156
+ # ECC key material.
3025
3157
  #
3158
+ # * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
3159
+ # material, except RSA key material (private key).
3026
3160
  #
3161
+ # You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
3162
+ # the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
3163
+ # material.
3027
3164
  #
3028
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
3029
- # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
3165
+ # * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
3166
+ # except RSA key material (private key).
3167
+ #
3168
+ # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
3169
+ # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
3170
+ #
3171
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
3172
+ # does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
3030
3173
  # @return [String]
3031
3174
  #
3032
3175
  # @!attribute [rw] wrapping_key_spec
3033
- # The type of wrapping key (public key) to return in the response.
3034
- # Only 2048-bit RSA public keys are supported.
3176
+ # The type of RSA public key to return in the response. You will use
3177
+ # this wrapping key with the specified wrapping algorithm to protect
3178
+ # your key material during import.
3179
+ #
3180
+ # Use the longest RSA wrapping key that is practical.
3181
+ #
3182
+ # You cannot use an RSA\_2048 public key to directly wrap an
3183
+ # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
3184
+ # algorithm or choose a longer RSA public key.
3035
3185
  # @return [String]
3036
3186
  #
3037
3187
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
@@ -3338,13 +3488,19 @@ module Aws::KMS
3338
3488
  end
3339
3489
 
3340
3490
  # @!attribute [rw] key_id
3341
- # The identifier of the symmetric encryption KMS key that receives the
3491
+ # The identifier of the KMS key that will be associated with the
3342
3492
  # imported key material. This must be the same KMS key specified in
3343
3493
  # the `KeyID` parameter of the corresponding GetParametersForImport
3344
- # request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
3345
- # perform this operation on an asymmetric KMS key, an HMAC KMS key, a
3346
- # KMS key in a custom key store, or on a KMS key in a different Amazon
3347
- # Web Services account
3494
+ # request. The `Origin` of the KMS key must be `EXTERNAL` and its
3495
+ # `KeyState` must be `PendingImport`.
3496
+ #
3497
+ # The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
3498
+ # asymmetric encryption KMS key, or asymmetric signing KMS key,
3499
+ # including a [multi-Region
3500
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of
3501
+ # any supported type. You cannot perform this operation on a KMS key
3502
+ # in a custom key store, or on a KMS key in a different Amazon Web
3503
+ # Services account.
3348
3504
  #
3349
3505
  # Specify the key ID or key ARN of the KMS key.
3350
3506
  #
@@ -3368,7 +3524,7 @@ module Aws::KMS
3368
3524
  #
3369
3525
  # @!attribute [rw] encrypted_key_material
3370
3526
  # The encrypted key material to import. The key material must be
3371
- # encrypted with the public wrapping key that GetParametersForImport
3527
+ # encrypted under the public wrapping key that GetParametersForImport
3372
3528
  # returned, using the wrapping algorithm that you specified in the
3373
3529
  # same `GetParametersForImport` request.
3374
3530
  # @return [String]
@@ -3394,7 +3550,8 @@ module Aws::KMS
3394
3550
  #
3395
3551
  # @!attribute [rw] expiration_model
3396
3552
  # Specifies whether the key material expires. The default is
3397
- # `KEY_MATERIAL_EXPIRES`.
3553
+ # `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
3554
+ # expiration time][1] in the *Key Management Service Developer Guide*.
3398
3555
  #
3399
3556
  # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
3400
3557
  # must specify a value for the `ValidTo` parameter. When value is
@@ -3403,8 +3560,11 @@ module Aws::KMS
3403
3560
  #
3404
3561
  # You cannot change the `ExpirationModel` or `ValidTo` values for the
3405
3562
  # current import after the request completes. To change either value,
3406
- # you must delete (DeleteImportedKeyMaterial) and reimport the key
3407
- # material.
3563
+ # you must reimport the key material.
3564
+ #
3565
+ #
3566
+ #
3567
+ # [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
3408
3568
  # @return [String]
3409
3569
  #
3410
3570
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -4551,12 +4711,13 @@ module Aws::KMS
4551
4711
  # Management Service Developer Guide*.
4552
4712
  #
4553
4713
  # Use this parameter only when you intend to prevent the principal
4554
- # that is making the request from making a subsequent PutKeyPolicy
4555
- # request on the KMS key.
4714
+ # that is making the request from making a subsequent
4715
+ # [PutKeyPolicy][2] request on the KMS key.
4556
4716
  #
4557
4717
  #
4558
4718
  #
4559
4719
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
4720
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
4560
4721
  # @return [Boolean]
4561
4722
  #
4562
4723
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -4723,6 +4884,18 @@ module Aws::KMS
4723
4884
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
4724
4885
  # @return [Array<String>]
4725
4886
  #
4887
+ # @!attribute [rw] dry_run
4888
+ # Checks if your request will succeed. `DryRun` is an optional
4889
+ # parameter.
4890
+ #
4891
+ # To learn more about how to use this parameter, see [Testing your KMS
4892
+ # API calls][1] in the *Key Management Service Developer Guide*.
4893
+ #
4894
+ #
4895
+ #
4896
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
4897
+ # @return [Boolean]
4898
+ #
4726
4899
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
4727
4900
  #
4728
4901
  class ReEncryptRequest < Struct.new(
@@ -4733,7 +4906,8 @@ module Aws::KMS
4733
4906
  :destination_encryption_context,
4734
4907
  :source_encryption_algorithm,
4735
4908
  :destination_encryption_algorithm,
4736
- :grant_tokens)
4909
+ :grant_tokens,
4910
+ :dry_run)
4737
4911
  SENSITIVE = []
4738
4912
  include Aws::Structure
4739
4913
  end
@@ -4935,12 +5109,13 @@ module Aws::KMS
4935
5109
  # Management Service Developer Guide*.
4936
5110
  #
4937
5111
  # Use this parameter only when you intend to prevent the principal
4938
- # that is making the request from making a subsequent PutKeyPolicy
4939
- # request on the KMS key.
5112
+ # that is making the request from making a subsequent
5113
+ # [PutKeyPolicy][2] request on the KMS key.
4940
5114
  #
4941
5115
  #
4942
5116
  #
4943
5117
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
5118
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
4944
5119
  # @return [Boolean]
4945
5120
  #
4946
5121
  # @!attribute [rw] description
@@ -5075,12 +5250,25 @@ module Aws::KMS
5075
5250
  # ^
5076
5251
  # @return [String]
5077
5252
  #
5253
+ # @!attribute [rw] dry_run
5254
+ # Checks if your request will succeed. `DryRun` is an optional
5255
+ # parameter.
5256
+ #
5257
+ # To learn more about how to use this parameter, see [Testing your KMS
5258
+ # API calls][1] in the *Key Management Service Developer Guide*.
5259
+ #
5260
+ #
5261
+ #
5262
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5263
+ # @return [Boolean]
5264
+ #
5078
5265
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
5079
5266
  #
5080
5267
  class RetireGrantRequest < Struct.new(
5081
5268
  :grant_token,
5082
5269
  :key_id,
5083
- :grant_id)
5270
+ :grant_id,
5271
+ :dry_run)
5084
5272
  SENSITIVE = []
5085
5273
  include Aws::Structure
5086
5274
  end
@@ -5110,11 +5298,24 @@ module Aws::KMS
5110
5298
  # CreateGrant, ListGrants, or ListRetirableGrants.
5111
5299
  # @return [String]
5112
5300
  #
5301
+ # @!attribute [rw] dry_run
5302
+ # Checks if your request will succeed. `DryRun` is an optional
5303
+ # parameter.
5304
+ #
5305
+ # To learn more about how to use this parameter, see [Testing your KMS
5306
+ # API calls][1] in the *Key Management Service Developer Guide*.
5307
+ #
5308
+ #
5309
+ #
5310
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5311
+ # @return [Boolean]
5312
+ #
5113
5313
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
5114
5314
  #
5115
5315
  class RevokeGrantRequest < Struct.new(
5116
5316
  :key_id,
5117
- :grant_id)
5317
+ :grant_id,
5318
+ :dry_run)
5118
5319
  SENSITIVE = []
5119
5320
  include Aws::Structure
5120
5321
  end
@@ -5145,6 +5346,13 @@ module Aws::KMS
5145
5346
  #
5146
5347
  # This value is optional. If you include a value, it must be between 7
5147
5348
  # and 30, inclusive. If you do not include a value, it defaults to 30.
5349
+ # You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
5350
+ # condition key to further constrain the values that principals can
5351
+ # specify in the `PendingWindowInDays` parameter.
5352
+ #
5353
+ #
5354
+ #
5355
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
5148
5356
  # @return [Integer]
5149
5357
  #
5150
5358
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
@@ -5306,6 +5514,18 @@ module Aws::KMS
5306
5514
  # algorithms for compatibility with existing applications.
5307
5515
  # @return [String]
5308
5516
  #
5517
+ # @!attribute [rw] dry_run
5518
+ # Checks if your request will succeed. `DryRun` is an optional
5519
+ # parameter.
5520
+ #
5521
+ # To learn more about how to use this parameter, see [Testing your KMS
5522
+ # API calls][1] in the *Key Management Service Developer Guide*.
5523
+ #
5524
+ #
5525
+ #
5526
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5527
+ # @return [Boolean]
5528
+ #
5309
5529
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
5310
5530
  #
5311
5531
  class SignRequest < Struct.new(
@@ -5313,7 +5533,8 @@ module Aws::KMS
5313
5533
  :message,
5314
5534
  :message_type,
5315
5535
  :grant_tokens,
5316
- :signing_algorithm)
5536
+ :signing_algorithm,
5537
+ :dry_run)
5317
5538
  SENSITIVE = [:message]
5318
5539
  include Aws::Structure
5319
5540
  end
@@ -5335,7 +5556,7 @@ module Aws::KMS
5335
5556
  #
5336
5557
  # * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
5337
5558
  # `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
5338
- # object as defined by ANS X9.62–2005 and [RFC 3279 Section
5559
+ # object as defined by ANSI X9.62–2005 and [RFC 3279 Section
5339
5560
  # 2.2.3][2]. This is the most commonly used signature format and is
5340
5561
  # appropriate for most uses.
5341
5562
  #
@@ -5810,6 +6031,18 @@ module Aws::KMS
5810
6031
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5811
6032
  # @return [Array<String>]
5812
6033
  #
6034
+ # @!attribute [rw] dry_run
6035
+ # Checks if your request will succeed. `DryRun` is an optional
6036
+ # parameter.
6037
+ #
6038
+ # To learn more about how to use this parameter, see [Testing your KMS
6039
+ # API calls][1] in the *Key Management Service Developer Guide*.
6040
+ #
6041
+ #
6042
+ #
6043
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6044
+ # @return [Boolean]
6045
+ #
5813
6046
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
5814
6047
  #
5815
6048
  class VerifyMacRequest < Struct.new(
@@ -5817,7 +6050,8 @@ module Aws::KMS
5817
6050
  :key_id,
5818
6051
  :mac_algorithm,
5819
6052
  :mac,
5820
- :grant_tokens)
6053
+ :grant_tokens,
6054
+ :dry_run)
5821
6055
  SENSITIVE = [:message]
5822
6056
  include Aws::Structure
5823
6057
  end
@@ -5954,6 +6188,18 @@ module Aws::KMS
5954
6188
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5955
6189
  # @return [Array<String>]
5956
6190
  #
6191
+ # @!attribute [rw] dry_run
6192
+ # Checks if your request will succeed. `DryRun` is an optional
6193
+ # parameter.
6194
+ #
6195
+ # To learn more about how to use this parameter, see [Testing your KMS
6196
+ # API calls][1] in the *Key Management Service Developer Guide*.
6197
+ #
6198
+ #
6199
+ #
6200
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6201
+ # @return [Boolean]
6202
+ #
5957
6203
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
5958
6204
  #
5959
6205
  class VerifyRequest < Struct.new(
@@ -5962,7 +6208,8 @@ module Aws::KMS
5962
6208
  :message_type,
5963
6209
  :signature,
5964
6210
  :signing_algorithm,
5965
- :grant_tokens)
6211
+ :grant_tokens,
6212
+ :dry_run)
5966
6213
  SENSITIVE = [:message]
5967
6214
  include Aws::Structure
5968
6215
  end
@@ -5999,9 +6246,9 @@ module Aws::KMS
5999
6246
  end
6000
6247
 
6001
6248
  # The request was rejected because the (`XksKeyId`) is already
6002
- # associated with a KMS key in this external key store. Each KMS key in
6003
- # an external key store must be associated with a different external
6004
- # key.
6249
+ # associated with another KMS key in this external key store. Each KMS
6250
+ # key in an external key store must be associated with a different
6251
+ # external key.
6005
6252
  #
6006
6253
  # @!attribute [rw] message
6007
6254
  # @return [String]
@@ -6180,9 +6427,9 @@ module Aws::KMS
6180
6427
  include Aws::Structure
6181
6428
  end
6182
6429
 
6183
- # The request was rejected because the Amazon VPC endpoint service
6184
- # configuration does not fulfill the requirements for an external key
6185
- # store proxy. For details, see the exception message.
6430
+ # The request was rejected because the external key store proxy is not
6431
+ # configured correctly. To identify the cause, see the error message
6432
+ # that accompanies the exception.
6186
6433
  #
6187
6434
  # @!attribute [rw] message
6188
6435
  # @return [String]
@@ -6211,11 +6458,10 @@ module Aws::KMS
6211
6458
  include Aws::Structure
6212
6459
  end
6213
6460
 
6214
- # The request was rejected because the concatenation of the
6215
- # `XksProxyUriEndpoint` is already associated with an external key store
6216
- # in the Amazon Web Services account and Region. Each external key store
6217
- # in an account and Region must use a unique external key store proxy
6218
- # address.
6461
+ # The request was rejected because the `XksProxyUriEndpoint` is already
6462
+ # associated with another external key store in this Amazon Web Services
6463
+ # Region. To identify the cause, see the error message that accompanies
6464
+ # the exception.
6219
6465
  #
6220
6466
  # @!attribute [rw] message
6221
6467
  # @return [String]
@@ -6230,9 +6476,9 @@ module Aws::KMS
6230
6476
 
6231
6477
  # The request was rejected because the concatenation of the
6232
6478
  # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
6233
- # an external key store in the Amazon Web Services account and Region.
6234
- # Each external key store in an account and Region must use a unique
6235
- # external key store proxy API address.
6479
+ # another external key store in this Amazon Web Services Region. Each
6480
+ # external key store in a Region must use a unique external key store
6481
+ # proxy API address.
6236
6482
  #
6237
6483
  # @!attribute [rw] message
6238
6484
  # @return [String]
@@ -6265,10 +6511,9 @@ module Aws::KMS
6265
6511
  end
6266
6512
 
6267
6513
  # The request was rejected because the specified Amazon VPC endpoint
6268
- # service is already associated with an external key store in the Amazon
6269
- # Web Services account and Region. Each external key store in an Amazon
6270
- # Web Services account and Region must use a different Amazon VPC
6271
- # endpoint service.
6514
+ # service is already associated with another external key store in this
6515
+ # Amazon Web Services Region. Each external key store in a Region must
6516
+ # use a different Amazon VPC endpoint service.
6272
6517
  #
6273
6518
  # @!attribute [rw] message
6274
6519
  # @return [String]
@@ -6283,10 +6528,13 @@ module Aws::KMS
6283
6528
 
6284
6529
  # The request was rejected because the Amazon VPC endpoint service
6285
6530
  # configuration does not fulfill the requirements for an external key
6286
- # store proxy. For details, see the exception message and [review the
6287
- # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
6288
- # for Amazon VPC endpoint service connectivity for an external key
6289
- # store.
6531
+ # store. To identify the cause, see the error message that accompanies
6532
+ # the exception and [review the requirements][1] for Amazon VPC endpoint
6533
+ # service connectivity for an external key store.
6534
+ #
6535
+ #
6536
+ #
6537
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements
6290
6538
  #
6291
6539
  # @!attribute [rw] message
6292
6540
  # @return [String]