aws-sdk-kms 1.65.0 → 1.66.0

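--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 8147af70eb28e37d5582245109cb19ee01117935e03f87a5fd333b85da326a89
-data.tar.gz: 92b65d709ec4f488a32430b96568f5c6d7c80f89496a9c470ede33e99b361018
+metadata.gz: b1f53095275f8c333b36736ced6e84074f5b72495cfac023175f99466dc376d8
+data.tar.gz: 0720fc271c641b2d11131e3e9f2792355cd9cc2bc8bdeddd5c7a2b9257ff5605
 SHA512:
-metadata.gz: 601e80b4f0f2c63194c462bc7ef69bdce3c75ad3d6d1da3da09891375d6cbdb056484234380c0e65ca44f68a601c29a8cdfcd95197f6e6f4405ffbf146e6f6a3
-data.tar.gz: 8667c1189cc1bb85c50e29c6046e5d5dd20a1973ee3a9576bf06d82968c7f99079b85c8182bb52371cd4bcfa4193569406761c3c659d858b09be693ad8d13e40
+metadata.gz: 653742b80c3e63f41967c9ef18f27cbeef00d44455f20712ce9aeba6a8175ae3502ada538ebd250ebebd2d7bccd182b25793f94004215dd1090b2fcdd379f486
+data.tar.gz: f74c4208adb3bd2b2f621ed8aa78346d36eea055e3fb060406f0c9e36e46df82fa8393d254d50fe34fbe5d20eed5540b4a275d6835503a56e2c7c13f352be73f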
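--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.66.0 (2023-06-05)
+------------------
+
+* Feature - This release includes feature to import customer's asymmetric (RSA and ECC) and HMAC keys into KMS. It also includes feature to allow customers to specify number of days to schedule a KMS key deletion as a policy condition key.
+
 1.65.0 (2023-05-31)
 ------------------
 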
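--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.65.0
+1.66.0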
@@ -1458,13 +1458,6 @@ module Aws::KMS
1458
1458
  # You can use HMAC keys to generate (GenerateMac) and verify
1459
1459
  # (VerifyMac) HMAC codes for messages up to 4096 bytes.
1460
1460
  #
1461
- # HMAC KMS keys are not supported in all Amazon Web Services Regions.
1462
- # If you try to create an HMAC KMS key in an Amazon Web Services
1463
- # Region in which HMAC keys are not supported, the `CreateKey`
1464
- # operation returns an `UnsupportedOperationException`. For a list of
1465
- # Regions in which HMAC KMS keys are supported, see [HMAC keys in
1466
- # KMS][4] in the *Key Management Service Developer Guide*.
1467
- #
1468
1461
  #
1469
1462
  #
1470
1463
  # Multi-Region primary keys
@@ -1491,46 +1484,48 @@ module Aws::KMS
1491
1484
  # to encrypt data in one Amazon Web Services Region and decrypt it in
1492
1485
  # a different Amazon Web Services Region without re-encrypting the
1493
1486
  # data or making a cross-Region call. For more information about
1494
- # multi-Region keys, see [Multi-Region keys in KMS][5] in the *Key
1487
+ # multi-Region keys, see [Multi-Region keys in KMS][4] in the *Key
1495
1488
  # Management Service Developer Guide*.
1496
1489
  #
1497
1490
  #
1498
1491
  #
1499
1492
  # : To import your own key material into a KMS key, begin by creating a
1500
- # symmetric encryption KMS key with no key material. To do this, use
1501
- # the `Origin` parameter of `CreateKey` with a value of `EXTERNAL`.
1502
- # Next, use GetParametersForImport operation to get a public key and
1503
- # import token, and use the public key to encrypt your key material.
1493
+ # KMS key with no key material. To do this, use the `Origin` parameter
1494
+ # of `CreateKey` with a value of `EXTERNAL`. Next, use
1495
+ # GetParametersForImport operation to get a public key and import
1496
+ # token. Use the wrapping public key to encrypt your key material.
1504
1497
  # Then, use ImportKeyMaterial with your import token to import the key
1505
1498
  # material. For step-by-step instructions, see [Importing Key
1506
- # Material][6] in the <i> <i>Key Management Service Developer
1499
+ # Material][5] in the <i> <i>Key Management Service Developer
1507
1500
  # Guide</i> </i>.
1508
1501
  #
1509
- # This feature supports only symmetric encryption KMS keys, including
1510
- # multi-Region symmetric encryption KMS keys. You cannot import key
1511
- # material into any other type of KMS key.
1502
+ # You can import key material into KMS keys of all supported KMS key
1503
+ # types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric
1504
+ # encryption KMS keys, and asymmetric signing KMS keys. You can also
1505
+ # create multi-Region keys with imported key material. However, you
1506
+ # can't import key material into a KMS key in a custom key store.
1512
1507
  #
1513
1508
  # To create a multi-Region primary key with imported key material, use
1514
1509
  # the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
1515
1510
  # the `MultiRegion` parameter with a value of `True`. To create
1516
1511
  # replicas of the multi-Region primary key, use the ReplicateKey
1517
1512
  # operation. For instructions, see [Importing key material into
1518
- # multi-Region keys][7]. For more information about multi-Region keys,
1519
- # see [Multi-Region keys in KMS][5] in the *Key Management Service
1513
+ # multi-Region keys][6]. For more information about multi-Region keys,
1514
+ # see [Multi-Region keys in KMS][4] in the *Key Management Service
1520
1515
  # Developer Guide*.
1521
1516
  #
1522
1517
  #
1523
1518
  #
1524
1519
  # Custom key store
1525
1520
  #
1526
- # : A [custom key store][8] lets you protect your Amazon Web Services
1521
+ # : A [custom key store][7] lets you protect your Amazon Web Services
1527
1522
  # resources using keys in a backing key store that you own and manage.
1528
1523
  # When you request a cryptographic operation with a KMS key in a
1529
1524
  # custom key store, the operation is performed in the backing key
1530
1525
  # store using its cryptographic keys.
1531
1526
  #
1532
- # KMS supports [CloudHSM key stores][9] backed by an CloudHSM cluster
1533
- # and [external key stores][10] backed by an external key manager
1527
+ # KMS supports [CloudHSM key stores][8] backed by an CloudHSM cluster
1528
+ # and [external key stores][9] backed by an external key manager
1534
1529
  # outside of Amazon Web Services. When you create a KMS key in an
1535
1530
  # CloudHSM key store, KMS generates an encryption key in the CloudHSM
1536
1531
  # cluster and associates it with the KMS key. When you create a KMS
@@ -1555,13 +1550,13 @@ module Aws::KMS
1555
1550
  # `ENCRYPT_DECRYPT` to create a symmetric encryption key. No other key
1556
1551
  # type is supported in a custom key store.
1557
1552
  #
1558
- # To create a KMS key in an [CloudHSM key store][9], use the `Origin`
1553
+ # To create a KMS key in an [CloudHSM key store][8], use the `Origin`
1559
1554
  # parameter with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that
1560
1555
  # is associated with the custom key store must have at least two
1561
1556
  # active HSMs in different Availability Zones in the Amazon Web
1562
1557
  # Services Region.
1563
1558
  #
1564
- # To create a KMS key in an [external key store][10], use the `Origin`
1559
+ # To create a KMS key in an [external key store][9], use the `Origin`
1565
1560
  # parameter with a value of `EXTERNAL_KEY_STORE` and an `XksKeyId`
1566
1561
  # parameter that identifies an existing external key.
1567
1562
  #
@@ -1574,10 +1569,10 @@ module Aws::KMS
1574
1569
  # **Cross-account use**: No. You cannot use this operation to create a
1575
1570
  # KMS key in a different Amazon Web Services account.
1576
1571
  #
1577
- # **Required permissions**: [kms:CreateKey][11] (IAM policy). To use the
1578
- # `Tags` parameter, [kms:TagResource][11] (IAM policy). For examples and
1572
+ # **Required permissions**: [kms:CreateKey][10] (IAM policy). To use the
1573
+ # `Tags` parameter, [kms:TagResource][10] (IAM policy). For examples and
1579
1574
  # information about related permissions, see [Allow a user to create KMS
1580
- # keys][12] in the *Key Management Service Developer Guide*.
1575
+ # keys][11] in the *Key Management Service Developer Guide*.
1581
1576
  #
1582
1577
  # **Related operations:**
1583
1578
  #
@@ -1592,15 +1587,14 @@ module Aws::KMS
1592
1587
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
1593
1588
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html
1594
1589
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
1595
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
1596
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
1597
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1598
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
1599
- # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1600
- # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
1601
- # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
1602
- # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1603
- # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
1590
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
1591
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1592
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
1593
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1594
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
1595
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
1596
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1597
+ # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
1604
1598
  #
1605
1599
  # @option params [String] :policy
1606
1600
  # The key policy to attach to the KMS key.
@@ -2105,8 +2099,8 @@ module Aws::KMS
2105
2099
  #
2106
2100
  # @example Example: To create a KMS key for imported key material
2107
2101
  #
2108
- # # This example creates a KMS key with no key material. When the operation is complete, you can import your own key
2109
- # # material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
2102
+ # # This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own
2103
+ # # key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
2110
2104
  #
2111
2105
  # resp = client.create_key({
2112
2106
  # origin: "EXTERNAL", # The source of the key material for the KMS key.
@@ -2745,18 +2739,16 @@ module Aws::KMS
2745
2739
  req.send_request(options)
2746
2740
  end
2747
2741
 
2748
- # Deletes key material that you previously imported. This operation
2749
- # makes the specified KMS key unusable. For more information about
2750
- # importing key material into KMS, see [Importing Key Material][1] in
2751
- # the *Key Management Service Developer Guide*.
2742
+ # Deletes key material that was previously imported. This operation
2743
+ # makes the specified KMS key temporarily unusable. To restore the
2744
+ # usability of the KMS key, reimport the same key material. For more
2745
+ # information about importing key material into KMS, see [Importing Key
2746
+ # Material][1] in the *Key Management Service Developer Guide*.
2752
2747
  #
2753
2748
  # When the specified KMS key is in the `PendingDeletion` state, this
2754
2749
  # operation does not change the KMS key's state. Otherwise, it changes
2755
2750
  # the KMS key's state to `PendingImport`.
2756
2751
  #
2757
- # After you delete key material, you can use ImportKeyMaterial to
2758
- # reimport the same key material into the KMS key.
2759
- #
2760
2752
  # The KMS key that you use for this operation must be in a compatible
2761
2753
  # key state. For details, see [Key states of KMS keys][2] in the *Key
2762
2754
  # Management Service Developer Guide*.
@@ -5547,29 +5539,63 @@ module Aws::KMS
5547
5539
  req.send_request(options)
5548
5540
  end
5549
5541
 
5550
- # Returns the items you need to import key material into a symmetric
5551
- # encryption KMS key. For more information about importing key material
5552
- # into KMS, see [Importing key material][1] in the *Key Management
5553
- # Service Developer Guide*.
5542
+ # Returns the public key and an import token you need to import or
5543
+ # reimport key material for a KMS key.
5544
+ #
5545
+ # By default, KMS keys are created with key material that KMS generates.
5546
+ # This operation supports [Importing key material][1], an advanced
5547
+ # feature that lets you generate and import the cryptographic key
5548
+ # material for a KMS key. For more information about importing key
5549
+ # material into KMS, see [Importing key material][1] in the *Key
5550
+ # Management Service Developer Guide*.
5554
5551
  #
5555
- # This operation returns a public key and an import token. Use the
5556
- # public key to encrypt the symmetric key material. Store the import
5557
- # token to send with a subsequent ImportKeyMaterial request.
5558
- #
5559
- # You must specify the key ID of the symmetric encryption KMS key into
5560
- # which you will import key material. The KMS key `Origin` must be
5561
- # `EXTERNAL`. You must also specify the wrapping algorithm and type of
5562
- # wrapping key (public key) that you will use to encrypt the key
5563
- # material. You cannot perform this operation on an asymmetric KMS key,
5564
- # an HMAC KMS key, or on any KMS key in a different Amazon Web Services
5565
- # account.
5566
- #
5567
- # To import key material, you must use the public key and import token
5568
- # from the same response. These items are valid for 24 hours. The
5569
- # expiration date and time appear in the `GetParametersForImport`
5570
- # response. You cannot use an expired token in an ImportKeyMaterial
5571
- # request. If your key and token expire, send another
5572
- # `GetParametersForImport` request.
5552
+ # Before calling `GetParametersForImport`, use the CreateKey operation
5553
+ # with an `Origin` value of `EXTERNAL` to create a KMS key with no key
5554
+ # material. You can import key material for a symmetric encryption KMS
5555
+ # key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric
5556
+ # signing KMS key. You can also import key material into a [multi-Region
5557
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of any
5558
+ # supported type. However, you can't import key material into a KMS key
5559
+ # in a [custom key
5560
+ # store](kms/latest/developerguide/custom-key-store-overview.html). You
5561
+ # can also use `GetParametersForImport` to get a public key and import
5562
+ # token to [reimport the original key
5563
+ # material](kms/latest/developerguide/importing-keys.html#reimport-key-material)
5564
+ # into a KMS key whose key material expired or was deleted.
5565
+ #
5566
+ # `GetParametersForImport` returns the items that you need to import
5567
+ # your key material.
5568
+ #
5569
+ # * The public key (or "wrapping key") of an RSA key pair that KMS
5570
+ # generates.
5571
+ #
5572
+ # You will use this public key to encrypt ("wrap") your key material
5573
+ # while it's in transit to KMS.
5574
+ #
5575
+ # * A import token that ensures that KMS can decrypt your key material
5576
+ # and associate it with the correct KMS key.
5577
+ #
5578
+ # The public key and its import token are permanently linked and must be
5579
+ # used together. Each public key and import token set is valid for 24
5580
+ # hours. The expiration date and time appear in the `ParametersValidTo`
5581
+ # field in the `GetParametersForImport` response. You cannot use an
5582
+ # expired public key or import token in an ImportKeyMaterial request. If
5583
+ # your key and token expire, send another `GetParametersForImport`
5584
+ # request.
5585
+ #
5586
+ # `GetParametersForImport` requires the following information:
5587
+ #
5588
+ # * The key ID of the KMS key for which you are importing the key
5589
+ # material.
5590
+ #
5591
+ # * The key spec of the public key ("wrapping key") that you will use
5592
+ # to encrypt your key material during import.
5593
+ #
5594
+ # * The wrapping algorithm that you will use with the public key to
5595
+ # encrypt your key material.
5596
+ #
5597
+ # You can use the same or a different public key spec and wrapping
5598
+ # algorithm each time you import or reimport the same key material.
5573
5599
  #
5574
5600
  # The KMS key that you use for this operation must be in a compatible
5575
5601
  # key state. For details, see [Key states of KMS keys][2] in the *Key
@@ -5593,8 +5619,11 @@ module Aws::KMS
5593
5619
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5594
5620
  #
5595
5621
  # @option params [required, String] :key_id
5596
- # The identifier of the symmetric encryption KMS key into which you will
5597
- # import key material. The `Origin` of the KMS key must be `EXTERNAL`.
5622
+ # The identifier of the KMS key that will be associated with the
5623
+ # imported key material. The `Origin` of the KMS key must be `EXTERNAL`.
5624
+ #
5625
+ # All KMS key types are supported, including multi-Region keys. However,
5626
+ # you cannot import key material into a KMS key in a custom key store.
5598
5627
  #
5599
5628
  # Specify the key ID or key ARN of the KMS key.
5600
5629
  #
@@ -5609,25 +5638,52 @@ module Aws::KMS
5609
5638
  # DescribeKey.
5610
5639
  #
5611
5640
  # @option params [required, String] :wrapping_algorithm
5612
- # The algorithm you will use to encrypt the key material before using
5613
- # the ImportKeyMaterial operation to import it. For more information,
5614
- # see [Encrypt the key material][1] in the *Key Management Service
5615
- # Developer Guide*.
5641
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
5642
+ # the response to protect your key material during import. For more
5643
+ # information, see [Select a wrapping
5644
+ # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
5645
+ # in the *Key Management Service Developer Guide*.
5646
+ #
5647
+ # For RSA\_AES wrapping algorithms, you encrypt your key material with
5648
+ # an AES key that you generate, then encrypt your AES key with the RSA
5649
+ # public key from KMS. For RSAES wrapping algorithms, you encrypt your
5650
+ # key material directly with the RSA public key from KMS.
5651
+ #
5652
+ # The wrapping algorithms that you can use depend on the type of key
5653
+ # material that you are importing. To import an RSA private key, you
5654
+ # must use an RSA\_AES wrapping algorithm.
5655
+ #
5656
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
5657
+ # ECC key material.
5658
+ #
5659
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and ECC
5660
+ # key material.
5661
+ #
5662
+ # * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key material,
5663
+ # except RSA key material (private key).
5616
5664
  #
5617
- # The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We recommend
5618
- # that you begin using a different wrapping algorithm immediately. KMS
5619
- # will end support for `RSAES_PKCS1_V1_5` by October 1, 2023 pursuant to
5620
- # [cryptographic key management guidance][2] from the National Institute
5621
- # of Standards and Technology (NIST).
5665
+ # You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with the
5666
+ # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
5622
5667
  #
5668
+ # * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
5669
+ # except RSA key material (private key).
5623
5670
  #
5671
+ # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
5672
+ # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
5624
5673
  #
5625
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
5626
- # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
5674
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for symmetric
5675
+ # encryption key material (and only in legacy mode).
5627
5676
  #
5628
5677
  # @option params [required, String] :wrapping_key_spec
5629
- # The type of wrapping key (public key) to return in the response. Only
5630
- # 2048-bit RSA public keys are supported.
5678
+ # The type of RSA public key to return in the response. You will use
5679
+ # this wrapping key with the specified wrapping algorithm to protect
5680
+ # your key material during import.
5681
+ #
5682
+ # Use the longest RSA wrapping key that is practical.
5683
+ #
5684
+ # You cannot use an RSA\_2048 public key to directly wrap an
5685
+ # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
5686
+ # algorithm or choose a longer RSA public key.
5631
5687
  #
5632
5688
  # @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5633
5689
  #
@@ -5637,12 +5693,13 @@ module Aws::KMS
5637
5693
  # * {Types::GetParametersForImportResponse#parameters_valid_to #parameters_valid_to} => Time
5638
5694
  #
5639
5695
  #
5640
- # @example Example: To retrieve the public key and import token for a KMS key
5696
+ # @example Example: To download the public key and import token for a symmetric encryption KMS key
5641
5697
  #
5642
- # # The following example retrieves the public key and import token for the specified KMS key.
5698
+ # # The following example downloads a public key and import token to import symmetric encryption key material. It uses the
5699
+ # # default wrapping key spec and the RSAES_OAEP_SHA_256 wrapping algorithm.
5643
5700
  #
5644
5701
  # resp = client.get_parameters_for_import({
5645
- # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key for which to retrieve the public key and import token. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
5702
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
5646
5703
  # wrapping_algorithm: "RSAES_OAEP_SHA_1", # The algorithm that you will use to encrypt the key material before importing it.
5647
5704
  # wrapping_key_spec: "RSA_2048", # The type of wrapping key (public key) to return in the response.
5648
5705
  # })
@@ -5650,8 +5707,67 @@ module Aws::KMS
5650
5707
  # resp.to_h outputs the following:
5651
5708
  # {
5652
5709
  # import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
5653
- # key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key for which you are retrieving the public key and import token. This is the same KMS key specified in the request.
5654
- # parameters_valid_to: Time.parse("2016-12-01T14:52:17-08:00"), # The time at which the import token and public key are no longer valid.
5710
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
5711
+ # parameters_valid_to: Time.parse("2023-02-01T14:52:17-08:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
5712
+ # public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
5713
+ # }
5714
+ #
5715
+ # @example Example: To download the public key and import token for an RSA asymmetric KMS key
5716
+ #
5717
+ # # The following example downloads a public key and import token to import an RSA private key. It uses a required RSA_AES
5718
+ # # wrapping algorithm and the largest supported private key.
5719
+ #
5720
+ # resp = client.get_parameters_for_import({
5721
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
5722
+ # wrapping_algorithm: "RSA_AES_KEY_WRAP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
5723
+ # wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
5724
+ # })
5725
+ #
5726
+ # resp.to_h outputs the following:
5727
+ # {
5728
+ # import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
5729
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
5730
+ # parameters_valid_to: Time.parse("2023-03-08T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
5731
+ # public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
5732
+ # }
5733
+ #
5734
+ # @example Example: To download the public key and import token for an elliptic curve (ECC) asymmetric KMS key
5735
+ #
5736
+ # # The following example downloads a public key and import token to import an ECC_NIST_P521 (secp521r1) private key. You
5737
+ # # cannot directly wrap this ECC key under an RSA_2048 public key, although you can use an RSA_2048 public key with an
5738
+ # # RSA_AES wrapping algorithm to wrap any supported key material. This example requests an RSA_3072 public key for use with
5739
+ # # the RSAES_OAEP_SHA_256.
5740
+ #
5741
+ # resp = client.get_parameters_for_import({
5742
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
5743
+ # wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
5744
+ # wrapping_key_spec: "RSA_3072", # The type of wrapping key (public key) to return in the response.
5745
+ # })
5746
+ #
5747
+ # resp.to_h outputs the following:
5748
+ # {
5749
+ # import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
5750
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
5751
+ # parameters_valid_to: Time.parse("2023-09-12T03:15:01-20:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
5752
+ # public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
5753
+ # }
5754
+ #
5755
+ # @example Example: To download the public key and import token for an HMAC KMS key
5756
+ #
5757
+ # # The following example downloads a public key and import token to import an HMAC key. It uses the RSAES_OAEP_SHA_256
5758
+ # # wrapping algorithm and an RSA_4096 private key.
5759
+ #
5760
+ # resp = client.get_parameters_for_import({
5761
+ # key_id: "2468abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
5762
+ # wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
5763
+ # wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
5764
+ # })
5765
+ #
5766
+ # resp.to_h outputs the following:
5767
+ # {
5768
+ # import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
5769
+ # key_id: "arn:aws:kms:us-east-2:111122223333:key/2468abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
5770
+ # parameters_valid_to: Time.parse("2023-04-02T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
5655
5771
  # public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
5656
5772
  # }
5657
5773
  #
@@ -5659,8 +5775,8 @@ module Aws::KMS
5659
5775
  #
5660
5776
  # resp = client.get_parameters_for_import({
5661
5777
  # key_id: "KeyIdType", # required
5662
- # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
5663
- # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
5778
+ # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
5779
+ # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
5664
5780
  # })
5665
5781
  #
5666
5782
  # @example Response structure
@@ -5839,66 +5955,112 @@ module Aws::KMS
5839
5955
  req.send_request(options)
5840
5956
  end
5841
5957
 
5842
- # Imports key material into an existing symmetric encryption KMS key
5843
- # that was created without key material. After you successfully import
5844
- # key material into a KMS key, you can [reimport the same key
5845
- # material][1] into that KMS key, but you cannot import different key
5846
- # material.
5847
- #
5848
- # You cannot perform this operation on an asymmetric KMS key, an HMAC
5849
- # KMS key, or on any KMS key in a different Amazon Web Services account.
5850
- # For more information about creating KMS keys with no key material and
5851
- # then importing key material, see [Importing Key Material][2] in the
5852
- # *Key Management Service Developer Guide*.
5853
- #
5854
- # Before using this operation, call GetParametersForImport. Its response
5855
- # includes a public key and an import token. Use the public key to
5856
- # encrypt the key material. Then, submit the import token from the same
5857
- # `GetParametersForImport` response.
5858
- #
5859
- # When calling this operation, you must specify the following values:
5860
- #
5861
- # * The key ID or key ARN of a KMS key with no key material. Its
5862
- # `Origin` must be `EXTERNAL`.
5863
- #
5864
- # To create a KMS key with no key material, call CreateKey and set the
5865
- # value of its `Origin` parameter to `EXTERNAL`. To get the `Origin`
5866
- # of a KMS key, call DescribeKey.)
5958
+ # Imports or reimports key material into an existing KMS key that was
5959
+ # created without key material. `ImportKeyMaterial` also sets the
5960
+ # expiration model and expiration date of the imported key material.
5961
+ #
5962
+ # By default, KMS keys are created with key material that KMS generates.
5963
+ # This operation supports [Importing key material][1], an advanced
5964
+ # feature that lets you generate and import the cryptographic key
5965
+ # material for a KMS key. For more information about importing key
5966
+ # material into KMS, see [Importing key material][1] in the *Key
5967
+ # Management Service Developer Guide*.
5867
5968
  #
5868
- # * The encrypted key material. To get the public key to encrypt the key
5869
- # material, call GetParametersForImport.
5969
+ # After you successfully import key material into a KMS key, you can
5970
+ # [reimport the same key material][2] into that KMS key, but you cannot
5971
+ # import different key material. You might reimport key material to
5972
+ # replace key material that expired or key material that you deleted.
5973
+ # You might also reimport key material to change the expiration model or
5974
+ # expiration date of the key material. Before reimporting key material,
5975
+ # if necessary, call DeleteImportedKeyMaterial to delete the current
5976
+ # imported key material.
5977
+ #
5978
+ # Each time you import key material into KMS, you can determine whether
5979
+ # (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
5980
+ # change the expiration of your key material, you must import it again,
5981
+ # either by calling `ImportKeyMaterial` or using the [import
5982
+ # features](kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console)
5983
+ # of the KMS console.
5984
+ #
5985
+ # Before calling `ImportKeyMaterial`:
5986
+ #
5987
+ # * Create or identify a KMS key with no key material. The KMS key must
5988
+ # have an `Origin` value of `EXTERNAL`, which indicates that the KMS
5989
+ # key is designed for imported key material.
5990
+ #
5991
+ # To create an new KMS key for imported key material, call the
5992
+ # CreateKey operation with an `Origin` value of `EXTERNAL`. You can
5993
+ # create a symmetric encryption KMS key, HMAC KMS key, asymmetric
5994
+ # encryption KMS key, or asymmetric signing KMS key. You can also
5995
+ # import key material into a [multi-Region
5996
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of
5997
+ # any supported type. However, you can't import key material into a
5998
+ # KMS key in a [custom key
5999
+ # store](kms/latest/developerguide/custom-key-store-overview.html).
6000
+ #
6001
+ # * Use the DescribeKey operation to verify that the `KeyState` of the
6002
+ # KMS key is `PendingImport`, which indicates that the KMS key has no
6003
+ # key material.
6004
+ #
6005
+ # If you are reimporting the same key material into an existing KMS
6006
+ # key, you might need to call the DeleteImportedKeyMaterial to delete
6007
+ # its existing key material.
6008
+ #
6009
+ # * Call the GetParametersForImport operation to get a public key and
6010
+ # import token set for importing key material.
6011
+ #
6012
+ # * Use the public key in the GetParametersForImport response to encrypt
6013
+ # your key material.
6014
+ #
6015
+ # Then, in an `ImportKeyMaterial` request, you submit your encrypted key
6016
+ # material and import token. When calling this operation, you must
6017
+ # specify the following values:
6018
+ #
6019
+ # * The key ID or key ARN of the KMS key to associate with the imported
6020
+ # key material. Its `Origin` must be `EXTERNAL` and its `KeyState`
6021
+ # must be `PendingImport`. You cannot perform this operation on a KMS
6022
+ # key in a [custom key
6023
+ # store](kms/latest/developerguide/custom-key-store-overview.html), or
6024
+ # on a KMS key in a different Amazon Web Services account. To get the
6025
+ # `Origin` and `KeyState` of a KMS key, call DescribeKey.
6026
+ #
6027
+ # * The encrypted key material.
5870
6028
  #
5871
6029
  # * The import token that GetParametersForImport returned. You must use
5872
6030
  # a public key and token from the same `GetParametersForImport`
5873
6031
  # response.
5874
6032
  #
5875
6033
  # * Whether the key material expires (`ExpirationModel`) and, if so,
5876
- # when (`ValidTo`). If you set an expiration date, on the specified
5877
- # date, KMS deletes the key material from the KMS key, making the KMS
5878
- # key unusable. To use the KMS key in cryptographic operations again,
5879
- # you must reimport the same key material. The only way to change the
5880
- # expiration model or expiration date is by reimporting the same key
5881
- # material and specifying a new expiration date.
6034
+ # when (`ValidTo`). For help with this choice, see [Setting an
6035
+ # expiration time][3] in the *Key Management Service Developer Guide*.
6036
+ #
6037
+ # If you set an expiration date, KMS deletes the key material from the
6038
+ # KMS key on the specified date, making the KMS key unusable. To use
6039
+ # the KMS key in cryptographic operations again, you must reimport the
6040
+ # same key material. However, you can delete and reimport the key
6041
+ # material at any time, including before the key material expires.
6042
+ # Each time you reimport, you can eliminate or reset the expiration
6043
+ # time.
5882
6044
  #
5883
6045
  # When this operation is successful, the key state of the KMS key
5884
- # changes from `PendingImport` to `Enabled`, and you can use the KMS
5885
- # key.
6046
+ # changes from `PendingImport` to `Enabled`, and you can use the KMS key
6047
+ # in cryptographic operations.
5886
6048
  #
5887
6049
  # If this operation fails, use the exception to help determine the
5888
6050
  # problem. If the error is related to the key material, the import
5889
6051
  # token, or wrapping key, use GetParametersForImport to get a new public
5890
6052
  # key and import token for the KMS key and repeat the import procedure.
5891
- # For help, see [How To Import Key Material][3] in the *Key Management
6053
+ # For help, see [How To Import Key Material][4] in the *Key Management
5892
6054
  # Service Developer Guide*.
5893
6055
  #
5894
6056
  # The KMS key that you use for this operation must be in a compatible
5895
- # key state. For details, see [Key states of KMS keys][4] in the *Key
6057
+ # key state. For details, see [Key states of KMS keys][5] in the *Key
5896
6058
  # Management Service Developer Guide*.
5897
6059
  #
5898
6060
  # **Cross-account use**: No. You cannot perform this operation on a KMS
5899
6061
  # key in a different Amazon Web Services account.
5900
6062
  #
5901
- # **Required permissions**: [kms:ImportKeyMaterial][5] (key policy)
6063
+ # **Required permissions**: [kms:ImportKeyMaterial][6] (key policy)
5902
6064
  #
5903
6065
  # **Related operations:**
5904
6066
  #
@@ -5908,20 +6070,27 @@ module Aws::KMS
5908
6070
  #
5909
6071
  #
5910
6072
  #
5911
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
5912
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
5913
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
5914
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5915
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6073
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
6074
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
6075
+ # [3]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
6076
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
6077
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6078
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5916
6079
  #
5917
6080
  # @option params [required, String] :key_id
5918
- # The identifier of the symmetric encryption KMS key that receives the
6081
+ # The identifier of the KMS key that will be associated with the
5919
6082
  # imported key material. This must be the same KMS key specified in the
5920
6083
  # `KeyID` parameter of the corresponding GetParametersForImport request.
5921
- # The `Origin` of the KMS key must be `EXTERNAL`. You cannot perform
5922
- # this operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in
5923
- # a custom key store, or on a KMS key in a different Amazon Web Services
5924
- # account
6084
+ # The `Origin` of the KMS key must be `EXTERNAL` and its `KeyState` must
6085
+ # be `PendingImport`.
6086
+ #
6087
+ # The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
6088
+ # asymmetric encryption KMS key, or asymmetric signing KMS key,
6089
+ # including a [multi-Region
6090
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of any
6091
+ # supported type. You cannot perform this operation on a KMS key in a
6092
+ # custom key store, or on a KMS key in a different Amazon Web Services
6093
+ # account.
5925
6094
  #
5926
6095
  # Specify the key ID or key ARN of the KMS key.
5927
6096
  #
@@ -5942,7 +6111,7 @@ module Aws::KMS
5942
6111
  #
5943
6112
  # @option params [required, String, StringIO, File] :encrypted_key_material
5944
6113
  # The encrypted key material to import. The key material must be
5945
- # encrypted with the public wrapping key that GetParametersForImport
6114
+ # encrypted under the public wrapping key that GetParametersForImport
5946
6115
  # returned, using the wrapping algorithm that you specified in the same
5947
6116
  # `GetParametersForImport` request.
5948
6117
  #
@@ -5966,7 +6135,8 @@ module Aws::KMS
5966
6135
  #
5967
6136
  # @option params [String] :expiration_model
5968
6137
  # Specifies whether the key material expires. The default is
5969
- # `KEY_MATERIAL_EXPIRES`.
6138
+ # `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
6139
+ # expiration time][1] in the *Key Management Service Developer Guide*.
5970
6140
  #
5971
6141
  # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
5972
6142
  # must specify a value for the `ValidTo` parameter. When value is
@@ -5974,8 +6144,11 @@ module Aws::KMS
5974
6144
  #
5975
6145
  # You cannot change the `ExpirationModel` or `ValidTo` values for the
5976
6146
  # current import after the request completes. To change either value,
5977
- # you must delete (DeleteImportedKeyMaterial) and reimport the key
5978
- # material.
6147
+ # you must reimport the key material.
6148
+ #
6149
+ #
6150
+ #
6151
+ # [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
5979
6152
  #
5980
6153
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
5981
6154
  #
@@ -5991,6 +6164,19 @@ module Aws::KMS
5991
6164
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
5992
6165
  # })
5993
6166
  #
6167
+ # @example Example: To import key material into a KMS key
6168
+ #
6169
+ # # The following example imports key material that expires in 3 days. It might be part of an application that frequently
6170
+ # # reimports the same key material to comply with business rules or regulations.
6171
+ #
6172
+ # resp = client.import_key_material({
6173
+ # encrypted_key_material: "<binary data>", # The encrypted key material to import.
6174
+ # expiration_model: "KEY_MATERIAL_EXPIRES", # A value that specifies whether the key material expires.
6175
+ # import_token: "<binary data>", # The import token that you received in the response to a previous GetParametersForImport request.
6176
+ # key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
6177
+ # valid_to: Time.parse("2023-09-30T00:00:00-00:00"), # Specifies the date and time when the imported key material expires.
6178
+ # })
6179
+ #
5994
6180
  # @example Request syntax with placeholder values
5995
6181
  #
5996
6182
  # resp = client.import_key_material({
@@ -7875,8 +8061,11 @@ module Aws::KMS
7875
8061
  # Deleting a KMS key is a destructive and potentially dangerous
7876
8062
  # operation. When a KMS key is deleted, all data that was encrypted
7877
8063
  # under the KMS key is unrecoverable. (The only exception is a
7878
- # multi-Region replica key.) To prevent the use of a KMS key without
7879
- # deleting it, use DisableKey.
8064
+ # [multi-Region replica
8065
+ # key](kms/latest/developerguide/multi-region-keys-delete.html), or an
8066
+ # asymmetric or HMAC KMS key with imported key material\[BUGBUG-link to
8067
+ # importing-keys-managing.html#import-delete-key.) To prevent the use of
8068
+ # a KMS key without deleting it, use DisableKey.
7880
8069
  #
7881
8070
  # You can schedule the deletion of a multi-Region primary key and its
7882
8071
  # replica keys at any time. However, KMS will not delete a multi-Region
@@ -7954,6 +8143,13 @@ module Aws::KMS
7954
8143
  #
7955
8144
  # This value is optional. If you include a value, it must be between 7
7956
8145
  # and 30, inclusive. If you do not include a value, it defaults to 30.
8146
+ # You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
8147
+ # condition key to further constrain the values that principals can
8148
+ # specify in the `PendingWindowInDays` parameter.
8149
+ #
8150
+ #
8151
+ #
8152
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-pending-deletion-window
7957
8153
  #
7958
8154
  # @return [Types::ScheduleKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
7959
8155
  #
@@ -9509,7 +9705,7 @@ module Aws::KMS
9509
9705
  params: params,
9510
9706
  config: config)
9511
9707
  context[:gem_name] = 'aws-sdk-kms'
9512
- context[:gem_version] = '1.65.0'
9708
+ context[:gem_version] = '1.66.0'
9513
9709
  Seahorse::Client::Request.new(handlers, context)
9514
9710
  end
9515
9711
 
@@ -2994,10 +2994,14 @@ module Aws::KMS
2994
2994
  end
2995
2995
 
2996
2996
  # @!attribute [rw] key_id
2997
- # The identifier of the symmetric encryption KMS key into which you
2998
- # will import key material. The `Origin` of the KMS key must be
2997
+ # The identifier of the KMS key that will be associated with the
2998
+ # imported key material. The `Origin` of the KMS key must be
2999
2999
  # `EXTERNAL`.
3000
3000
  #
3001
+ # All KMS key types are supported, including multi-Region keys.
3002
+ # However, you cannot import key material into a KMS key in a custom
3003
+ # key store.
3004
+ #
3001
3005
  # Specify the key ID or key ARN of the KMS key.
3002
3006
  #
3003
3007
  # For example:
@@ -3012,26 +3016,54 @@ module Aws::KMS
3012
3016
  # @return [String]
3013
3017
  #
3014
3018
  # @!attribute [rw] wrapping_algorithm
3015
- # The algorithm you will use to encrypt the key material before using
3016
- # the ImportKeyMaterial operation to import it. For more information,
3017
- # see [Encrypt the key material][1] in the *Key Management Service
3018
- # Developer Guide*.
3019
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
3020
+ # the response to protect your key material during import. For more
3021
+ # information, see [Select a wrapping
3022
+ # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
3023
+ # in the *Key Management Service Developer Guide*.
3024
+ #
3025
+ # For RSA\_AES wrapping algorithms, you encrypt your key material with
3026
+ # an AES key that you generate, then encrypt your AES key with the RSA
3027
+ # public key from KMS. For RSAES wrapping algorithms, you encrypt your
3028
+ # key material directly with the RSA public key from KMS.
3029
+ #
3030
+ # The wrapping algorithms that you can use depend on the type of key
3031
+ # material that you are importing. To import an RSA private key, you
3032
+ # must use an RSA\_AES wrapping algorithm.
3033
+ #
3034
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
3035
+ # ECC key material.
3019
3036
  #
3020
- # The `RSAES_PKCS1_V1_5` wrapping algorithm is deprecated. We
3021
- # recommend that you begin using a different wrapping algorithm
3022
- # immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
3023
- # 1, 2023 pursuant to [cryptographic key management guidance][2] from
3024
- # the National Institute of Standards and Technology (NIST).
3037
+ # * **RSA\_AES\_KEY\_WRAP\_SHA\_1** Supported for wrapping RSA and
3038
+ # ECC key material.
3025
3039
  #
3040
+ # * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
3041
+ # material, except RSA key material (private key).
3026
3042
  #
3043
+ # You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
3044
+ # the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
3045
+ # material.
3027
3046
  #
3028
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
3029
- # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
3047
+ # * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
3048
+ # except RSA key material (private key).
3049
+ #
3050
+ # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
3051
+ # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
3052
+ #
3053
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
3054
+ # symmetric encryption key material (and only in legacy mode).
3030
3055
  # @return [String]
3031
3056
  #
3032
3057
  # @!attribute [rw] wrapping_key_spec
3033
- # The type of wrapping key (public key) to return in the response.
3034
- # Only 2048-bit RSA public keys are supported.
3058
+ # The type of RSA public key to return in the response. You will use
3059
+ # this wrapping key with the specified wrapping algorithm to protect
3060
+ # your key material during import.
3061
+ #
3062
+ # Use the longest RSA wrapping key that is practical.
3063
+ #
3064
+ # You cannot use an RSA\_2048 public key to directly wrap an
3065
+ # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
3066
+ # algorithm or choose a longer RSA public key.
3035
3067
  # @return [String]
3036
3068
  #
3037
3069
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
@@ -3338,13 +3370,19 @@ module Aws::KMS
3338
3370
  end
3339
3371
 
3340
3372
  # @!attribute [rw] key_id
3341
- # The identifier of the symmetric encryption KMS key that receives the
3373
+ # The identifier of the KMS key that will be associated with the
3342
3374
  # imported key material. This must be the same KMS key specified in
3343
3375
  # the `KeyID` parameter of the corresponding GetParametersForImport
3344
- # request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
3345
- # perform this operation on an asymmetric KMS key, an HMAC KMS key, a
3346
- # KMS key in a custom key store, or on a KMS key in a different Amazon
3347
- # Web Services account
3376
+ # request. The `Origin` of the KMS key must be `EXTERNAL` and its
3377
+ # `KeyState` must be `PendingImport`.
3378
+ #
3379
+ # The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
3380
+ # asymmetric encryption KMS key, or asymmetric signing KMS key,
3381
+ # including a [multi-Region
3382
+ # key](kms/latest/developerguide/multi-region-keys-overview.html) of
3383
+ # any supported type. You cannot perform this operation on a KMS key
3384
+ # in a custom key store, or on a KMS key in a different Amazon Web
3385
+ # Services account.
3348
3386
  #
3349
3387
  # Specify the key ID or key ARN of the KMS key.
3350
3388
  #
@@ -3368,7 +3406,7 @@ module Aws::KMS
3368
3406
  #
3369
3407
  # @!attribute [rw] encrypted_key_material
3370
3408
  # The encrypted key material to import. The key material must be
3371
- # encrypted with the public wrapping key that GetParametersForImport
3409
+ # encrypted under the public wrapping key that GetParametersForImport
3372
3410
  # returned, using the wrapping algorithm that you specified in the
3373
3411
  # same `GetParametersForImport` request.
3374
3412
  # @return [String]
@@ -3394,7 +3432,8 @@ module Aws::KMS
3394
3432
  #
3395
3433
  # @!attribute [rw] expiration_model
3396
3434
  # Specifies whether the key material expires. The default is
3397
- # `KEY_MATERIAL_EXPIRES`.
3435
+ # `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
3436
+ # expiration time][1] in the *Key Management Service Developer Guide*.
3398
3437
  #
3399
3438
  # When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
3400
3439
  # must specify a value for the `ValidTo` parameter. When value is
@@ -3403,8 +3442,11 @@ module Aws::KMS
3403
3442
  #
3404
3443
  # You cannot change the `ExpirationModel` or `ValidTo` values for the
3405
3444
  # current import after the request completes. To change either value,
3406
- # you must delete (DeleteImportedKeyMaterial) and reimport the key
3407
- # material.
3445
+ # you must reimport the key material.
3446
+ #
3447
+ #
3448
+ #
3449
+ # [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
3408
3450
  # @return [String]
3409
3451
  #
3410
3452
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -5145,6 +5187,13 @@ module Aws::KMS
5145
5187
  #
5146
5188
  # This value is optional. If you include a value, it must be between 7
5147
5189
  # and 30, inclusive. If you do not include a value, it defaults to 30.
5190
+ # You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
5191
+ # condition key to further constrain the values that principals can
5192
+ # specify in the `PendingWindowInDays` parameter.
5193
+ #
5194
+ #
5195
+ #
5196
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-pending-deletion-window
5148
5197
  # @return [Integer]
5149
5198
  #
5150
5199
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
@@ -5335,7 +5384,7 @@ module Aws::KMS
5335
5384
  #
5336
5385
  # * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
5337
5386
  # `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
5338
- # object as defined by ANS X9.62–2005 and [RFC 3279 Section
5387
+ # object as defined by ANSI X9.62–2005 and [RFC 3279 Section
5339
5388
  # 2.2.3][2]. This is the most commonly used signature format and is
5340
5389
  # appropriate for most uses.
5341
5390
  #
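Review bot: In the `@@ -3012,26 +3016,54 @@` hunk the new `wrapping_algorithm` text links to `kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm` as a bare relative path, so the rendered YARD page gets a dead link while every other reference in these comments is an absolute `https://docs.aws.amazon.com/...` URL; the `ImportKeyMaterialRequest` `key_id` hunk's `[multi-Region key](kms/latest/developerguide/multi-region-keys-overview.html)` has the same problem. The same unresolved-link form recurs in the client.rb section above, which also ships a literal `\[BUGBUG-link to importing-keys-managing.html#import-delete-key.)` placeholder in the ScheduleKeyDeletion description. Separately, the rewritten `RSAES_PKCS1_V1_5` bullet keeps only "(Deprecated)" and drops the removed text's end-of-support date (October 1, 2023) and its NIST SP 800-131A reference that told callers why to migrate; one retained line such as `# KMS ends support for RSAES_PKCS1_V1_5 on October 1, 2023 (see NIST SP 800-131A).` would preserve that guidance. Minor: the `RSA_AES_KEY_WRAP_SHA_1` bullet lacks the ` — ` separator its sibling bullets use. These attribute comments sit inside class bodies whose `class`/`end` lines are outside the hunks.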
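--- a/data/lib/aws-sdk-kms.rb
+++ b/data/lib/aws-sdk-kms.rb
@@ -52,6 +52,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @!group service
 module Aws::KMS
 
-GEM_VERSION = '1.65.0'
+GEM_VERSION = '1.66.0'
 
 end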
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-kms
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.65.0
4
+ version: 1.66.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-05-31 00:00:00.000000000 Z
11
+ date: 2023-06-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-core