aws-sdk-kms 1.72.0 → 1.96.0

data/lib/aws-sdk-kms/client.rb

@@ -22,6 +22,7 @@ require 'aws-sdk-core/plugins/endpoint_pattern.rb'
 require 'aws-sdk-core/plugins/response_paging.rb'
 require 'aws-sdk-core/plugins/stub_responses.rb'
 require 'aws-sdk-core/plugins/idempotency_token.rb'
+require 'aws-sdk-core/plugins/invocation_id.rb'
 require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
 require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
@@ -31,11 +32,10 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/request_compression.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
+require 'aws-sdk-core/plugins/telemetry.rb'
 require 'aws-sdk-core/plugins/sign.rb'
 require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
 
-Aws::Plugins::GlobalConfiguration.add_identifier(:kms)
-
 module Aws::KMS
   # An API client for KMS.  To construct a client, you need to configure a `:region` and `:credentials`.
   #
@@ -72,6 +72,7 @@ module Aws::KMS
     add_plugin(Aws::Plugins::ResponsePaging)
     add_plugin(Aws::Plugins::StubResponses)
     add_plugin(Aws::Plugins::IdempotencyToken)
+    add_plugin(Aws::Plugins::InvocationId)
     add_plugin(Aws::Plugins::JsonvalueConverter)
     add_plugin(Aws::Plugins::ClientMetricsPlugin)
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
@@ -81,12 +82,18 @@ module Aws::KMS
     add_plugin(Aws::Plugins::RequestCompression)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
+    add_plugin(Aws::Plugins::Telemetry)
     add_plugin(Aws::Plugins::Sign)
     add_plugin(Aws::Plugins::Protocols::JsonRpc)
     add_plugin(Aws::KMS::Plugins::Endpoints)
 
     # @overload initialize(options)
     #   @param [Hash] options
+    #
+    #   @option options [Array<Seahorse::Client::Plugin>] :plugins ([]])
+    #     A list of plugins to apply to the client. Each plugin is either a
+    #     class name or an instance of a plugin class.
+    #
     #   @option options [required, Aws::CredentialProvider] :credentials
     #     Your AWS credentials. This can be an instance of any one of the
     #     following classes:
@@ -121,13 +128,15 @@ module Aws::KMS
     #     locations will be searched for credentials:
     #
     #     * `Aws.config[:credentials]`
-    #     * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
-    #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
+    #     * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
+    #       `:account_id` options.
+    #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
+    #       ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
     #     * `~/.aws/credentials`
     #     * `~/.aws/config`
     #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
     #       are very aggressive. Construct and pass an instance of
-    #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
+    #       `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
     #       enable retries and extended timeouts. Instance profile credential
     #       fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
     #       to true.
@@ -146,6 +155,8 @@ module Aws::KMS
     #
     #   @option options [String] :access_key_id
     #
+    #   @option options [String] :account_id
+    #
     #   @option options [Boolean] :active_endpoint_cache (false)
     #     When set to `true`, a thread polling for endpoints will be running in
     #     the background every 60 secs (default). Defaults to `false`.
@@ -196,10 +207,16 @@ module Aws::KMS
     #     When set to 'true' the request body will not be compressed
     #     for supported operations.
     #
-    #   @option options [String] :endpoint
-    #     The client endpoint is normally constructed from the `:region`
-    #     option. You should only configure an `:endpoint` when connecting
-    #     to test or custom endpoints. This should be a valid HTTP(S) URI.
+    #   @option options [String, URI::HTTPS, URI::HTTP] :endpoint
+    #     Normally you should not configure the `:endpoint` option
+    #     directly. This is normally constructed from the `:region`
+    #     option. Configuring `:endpoint` is normally reserved for
+    #     connecting to test or custom endpoints. The endpoint should
+    #     be a URI formatted like:
+    #
+    #         'http://example.com'
+    #         'https://example.com'
+    #         'http://example.com:123'
     #
     #   @option options [Integer] :endpoint_cache_max_entries (1000)
     #     Used for the maximum size limit of the LRU cache storing endpoints data
@@ -289,25 +306,31 @@ module Aws::KMS
     #       throttling.  This is a provisional mode that may change behavior
     #       in the future.
     #
-    #
     #   @option options [String] :sdk_ua_app_id
     #     A unique and opaque application ID that is appended to the
-    #     User-Agent header as app/<sdk_ua_app_id>. It should have a
-    #     maximum length of 50.
+    #     User-Agent header as app/sdk_ua_app_id. It should have a
+    #     maximum length of 50. This variable is sourced from environment
+    #     variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
     #
     #   @option options [String] :secret_access_key
     #
     #   @option options [String] :session_token
     #
+    #   @option options [Array] :sigv4a_signing_region_set
+    #     A list of regions that should be signed with SigV4a signing. When
+    #     not passed, a default `:sigv4a_signing_region_set` is searched for
+    #     in the following locations:
+    #
+    #     * `Aws.config[:sigv4a_signing_region_set]`
+    #     * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
+    #     * `~/.aws/config`
+    #
     #   @option options [Boolean] :simple_json (false)
     #     Disables request parameter conversion, validation, and formatting.
-    #     Also disable response data type conversions. This option is useful
-    #     when you want to ensure the highest level of performance by
-    #     avoiding overhead of walking request parameters and response data
-    #     structures.
-    #
-    #     When `:simple_json` is enabled, the request parameters hash must
-    #     be formatted exactly as the DynamoDB API expects.
+    #     Also disables response data type conversions. The request parameters
+    #     hash must be formatted exactly as the API expects.This option is useful
+    #     when you want to ensure the highest level of performance by avoiding
+    #     overhead of walking request parameters and response data structures.
     #
     #   @option options [Boolean] :stub_responses (false)
     #     Causes the client to return stubbed responses. By default
@@ -318,6 +341,16 @@ module Aws::KMS
     #     ** Please note ** When response stubbing is enabled, no HTTP
     #     requests are made, and retries are disabled.
     #
+    #   @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
+    #     Allows you to provide a telemetry provider, which is used to
+    #     emit telemetry data. By default, uses `NoOpTelemetryProvider` which
+    #     will not record or emit any telemetry data. The SDK supports the
+    #     following telemetry providers:
+    #
+    #     * OpenTelemetry (OTel) - To use the OTel provider, install and require the
+    #     `opentelemetry-sdk` gem and then, pass in an instance of a
+    #     `Aws::Telemetry::OTelProvider` for telemetry provider.
+    #
     #   @option options [Aws::TokenProvider] :token_provider
     #     A Bearer Token Provider. This can be an instance of any one of the
     #     following classes:
@@ -345,52 +378,75 @@ module Aws::KMS
     #     sending the request.
     #
     #   @option options [Aws::KMS::EndpointProvider] :endpoint_provider
-    #     The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::KMS::EndpointParameters`
-    #
-    #   @option options [URI::HTTP,String] :http_proxy A proxy to send
-    #     requests through.  Formatted like 'http://proxy.com:123'.
-    #
-    #   @option options [Float] :http_open_timeout (15) The number of
-    #     seconds to wait when opening a HTTP session before raising a
-    #     `Timeout::Error`.
-    #
-    #   @option options [Float] :http_read_timeout (60) The default
-    #     number of seconds to wait for response data.  This value can
-    #     safely be set per-request on the session.
-    #
-    #   @option options [Float] :http_idle_timeout (5) The number of
-    #     seconds a connection is allowed to sit idle before it is
-    #     considered stale.  Stale connections are closed and removed
-    #     from the pool before making a request.
+    #     The endpoint provider used to resolve endpoints. Any object that responds to
+    #     `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to
+    #     `Aws::KMS::EndpointParameters`.
+    #
+    #   @option options [Float] :http_continue_timeout (1)
+    #     The number of seconds to wait for a 100-continue response before sending the
+    #     request body.  This option has no effect unless the request has "Expect"
+    #     header set to "100-continue".  Defaults to `nil` which  disables this
+    #     behaviour.  This value can safely be set per request on the session.
+    #
+    #   @option options [Float] :http_idle_timeout (5)
+    #     The number of seconds a connection is allowed to sit idle before it
+    #     is considered stale.  Stale connections are closed and removed from the
+    #     pool before making a request.
+    #
+    #   @option options [Float] :http_open_timeout (15)
+    #     The default number of seconds to wait for response data.
+    #     This value can safely be set per-request on the session.
+    #
+    #   @option options [URI::HTTP,String] :http_proxy
+    #     A proxy to send requests through.  Formatted like 'http://proxy.com:123'.
+    #
+    #   @option options [Float] :http_read_timeout (60)
+    #     The default number of seconds to wait for response data.
+    #     This value can safely be set per-request on the session.
+    #
+    #   @option options [Boolean] :http_wire_trace (false)
+    #     When `true`,  HTTP debug output will be sent to the `:logger`.
+    #
+    #   @option options [Proc] :on_chunk_received
+    #     When a Proc object is provided, it will be used as callback when each chunk
+    #     of the response body is received. It provides three arguments: the chunk,
+    #     the number of bytes received, and the total number of
+    #     bytes in the response (or nil if the server did not send a `content-length`).
+    #
+    #   @option options [Proc] :on_chunk_sent
+    #     When a Proc object is provided, it will be used as callback when each chunk
+    #     of the request body is sent. It provides three arguments: the chunk,
+    #     the number of bytes read from the body, and the total number of
+    #     bytes in the body.
+    #
+    #   @option options [Boolean] :raise_response_errors (true)
+    #     When `true`, response errors are raised.
+    #
+    #   @option options [String] :ssl_ca_bundle
+    #     Full path to the SSL certificate authority bundle file that should be used when
+    #     verifying peer certificates.  If you do not pass `:ssl_ca_bundle` or
+    #     `:ssl_ca_directory` the the system default will be used if available.
+    #
+    #   @option options [String] :ssl_ca_directory
+    #     Full path of the directory that contains the unbundled SSL certificate
+    #     authority files for verifying peer certificates.  If you do
+    #     not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the system
+    #     default will be used if available.
     #
-    #   @option options [Float] :http_continue_timeout (1) The number of
-    #     seconds to wait for a 100-continue response before sending the
-    #     request body.  This option has no effect unless the request has
-    #     "Expect" header set to "100-continue".  Defaults to `nil` which
-    #     disables this behaviour.  This value can safely be set per
-    #     request on the session.
+    #   @option options [String] :ssl_ca_store
+    #     Sets the X509::Store to verify peer certificate.
     #
-    #   @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
-    #     in seconds.
+    #   @option options [OpenSSL::X509::Certificate] :ssl_cert
+    #     Sets a client certificate when creating http connections.
     #
-    #   @option options [Boolean] :http_wire_trace (false) When `true`,
-    #     HTTP debug output will be sent to the `:logger`.
+    #   @option options [OpenSSL::PKey] :ssl_key
+    #     Sets a client key when creating http connections.
     #
-    #   @option options [Boolean] :ssl_verify_peer (true) When `true`,
-    #     SSL peer certificates are verified when establishing a
-    #     connection.
+    #   @option options [Float] :ssl_timeout
+    #     Sets the SSL timeout in seconds
     #
-    #   @option options [String] :ssl_ca_bundle Full path to the SSL
-    #     certificate authority bundle file that should be used when
-    #     verifying peer certificates.  If you do not pass
-    #     `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
-    #     will be used if available.
-    #
-    #   @option options [String] :ssl_ca_directory Full path of the
-    #     directory that contains the unbundled SSL certificate
-    #     authority files for verifying peer certificates.  If you do
-    #     not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
-    #     system default will be used if available.
+    #   @option options [Boolean] :ssl_verify_peer (true)
+    #     When `true`, SSL peer certificates are verified when establishing a connection.
     #
     def initialize(*args)
       super
@@ -417,11 +473,15 @@ module Aws::KMS
     #
     # **Related operations**: ScheduleKeyDeletion
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key whose deletion is being canceled.
@@ -564,6 +624,9 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][8].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -573,6 +636,7 @@ module Aws::KMS
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the key store ID of the custom key store that you want to
@@ -664,6 +728,9 @@ module Aws::KMS
     #
     # * UpdateAlias
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
@@ -672,6 +739,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :alias_name
     #   Specifies the alias name. This value must begin with `alias/` followed
@@ -829,6 +897,9 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -840,6 +911,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_name
     #   Specifies a friendly name for the custom key store. The name must be
@@ -936,7 +1008,7 @@ module Aws::KMS
     #
     #   * An external key store with `PUBLIC_ENDPOINT` connectivity cannot use
     #     the same `XksProxyUriEndpoint` value as an external key store with
-    #     `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web Services
+    #     `VPC_ENDPOINT_SERVICE` connectivity in this Amazon Web Services
     #     Region.
     #
     #   * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
@@ -1184,6 +1256,9 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
@@ -1191,6 +1266,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key for the grant. The grant gives principals
@@ -1376,7 +1452,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     grantee_principal: "PrincipalIdType", # required
     #     retiring_principal: "PrincipalIdType",
-    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
+    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
     #     constraints: {
     #       encryption_context_subset: {
     #         "EncryptionContextKey" => "EncryptionContextValue",
@@ -1463,12 +1539,17 @@ module Aws::KMS
     #   key pair, or an SM2 key pair (China Regions only). The private key
     #   in an asymmetric KMS key never leaves KMS unencrypted. However, you
     #   can use the GetPublicKey operation to download the public key so it
-    #   can be used outside of KMS. KMS keys with RSA or SM2 key pairs can
-    #   be used to encrypt or decrypt data or sign and verify messages (but
-    #   not both). KMS keys with ECC key pairs can be used only to sign and
-    #   verify messages. For information about asymmetric KMS keys, see
-    #   [Asymmetric KMS keys][3] in the *Key Management Service Developer
-    #   Guide*.
+    #   can be used outside of KMS. Each KMS key can have only one key
+    #   usage. KMS keys with RSA key pairs can be used to encrypt and
+    #   decrypt data or sign and verify messages (but not both). KMS keys
+    #   with NIST-recommended ECC key pairs can be used to sign and verify
+    #   messages or derive shared secrets (but not both). KMS keys with
+    #   `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS
+    #   keys with SM2 key pairs (China Regions only) can be used to either
+    #   encrypt and decrypt data, sign and verify messages, or derive shared
+    #   secrets (you must choose one key usage type). For information about
+    #   asymmetric KMS keys, see [Asymmetric KMS keys][3] in the *Key
+    #   Management Service Developer Guide*.
     #
     #
     #
@@ -1609,6 +1690,9 @@ module Aws::KMS
     #
     # * ScheduleKeyDeletion
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][12].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
@@ -1622,6 +1706,7 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :policy
     #   The key policy to attach to the KMS key.
@@ -1686,14 +1771,17 @@ module Aws::KMS
     #
     #   * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
     #
-    #   * For asymmetric KMS keys with RSA key material, specify
+    #   * For asymmetric KMS keys with RSA key pairs, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with ECC key material, specify
+    #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
+    #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
+    #
+    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
     #     `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with SM2 key material (China Regions only),
-    #     specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #   * For asymmetric KMS keys with SM2 key pairs (China Regions only),
+    #     specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
     #
     #
     #
@@ -1735,7 +1823,6 @@ module Aws::KMS
     #     * `SYMMETRIC_DEFAULT`
     #
     #     ^
-    #
     #   * HMAC keys (symmetric)
     #
     #     * `HMAC_224`
@@ -1745,32 +1832,31 @@ module Aws::KMS
     #     * `HMAC_384`
     #
     #     * `HMAC_512`
-    #
-    #   * Asymmetric RSA key pairs
+    #   * Asymmetric RSA key pairs (encryption and decryption -or- signing and
+    #     verification)
     #
     #     * `RSA_2048`
     #
     #     * `RSA_3072`
     #
     #     * `RSA_4096`
-    #
-    #   * Asymmetric NIST-recommended elliptic curve key pairs
+    #   * Asymmetric NIST-recommended elliptic curve key pairs (signing and
+    #     verification -or- deriving shared secrets)
     #
     #     * `ECC_NIST_P256` (secp256r1)
     #
     #     * `ECC_NIST_P384` (secp384r1)
     #
     #     * `ECC_NIST_P521` (secp521r1)
-    #
-    #   * Other asymmetric elliptic curve key pairs
+    #   * Other asymmetric elliptic curve key pairs (signing and verification)
     #
     #     * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
     #
     #     ^
+    #   * SM2 key pairs (encryption and decryption -or- signing and
+    #     verification -or- deriving shared secrets)
     #
-    #   * SM2 key pairs (China Regions only)
-    #
-    #     * `SM2`
+    #     * `SM2` (China Regions only)
     #
     #     ^
     #
@@ -1843,12 +1929,13 @@ module Aws::KMS
     #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent PutKeyPolicy request on
-    #   the KMS key.
+    #   is making the request from making a subsequent [PutKeyPolicy][2]
+    #   request on the KMS key.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
     #
     # @option params [Array<Types::Tag>] :tags
     #   Assigns one or more tags to the KMS key. Use this parameter to tag the
@@ -2233,7 +2320,7 @@ module Aws::KMS
     #   resp = client.create_key({
     #     policy: "PolicyType",
     #     description: "DescriptionType",
-    #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
+    #     key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
     #     customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
     #     key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
     #     origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
@@ -2257,7 +2344,7 @@ module Aws::KMS
     #   resp.key_metadata.creation_date #=> Time
     #   resp.key_metadata.enabled #=> Boolean
     #   resp.key_metadata.description #=> String
-    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
+    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
     #   resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.key_metadata.deletion_date #=> Time
     #   resp.key_metadata.valid_to #=> Time
@@ -2272,6 +2359,8 @@ module Aws::KMS
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
     #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.key_metadata.key_agreement_algorithms #=> Array
+    #   resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.key_metadata.multi_region #=> Boolean
     #   resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -2350,10 +2439,10 @@ module Aws::KMS
     # parameter to provide the attestation document for the enclave. Instead
     # of the plaintext data, the response includes the plaintext data
     # encrypted with the public key from the attestation document
-    # (`CiphertextForRecipient`).For information about the interaction
+    # (`CiphertextForRecipient`). For information about the interaction
     # between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon
     # Web Services Nitro Enclaves uses KMS][7] in the *Key Management
-    # Service Developer Guide*..
+    # Service Developer Guide*.
     #
     # The KMS key that you use for this operation must be in a compatible
     # key state. For details, see [Key states of KMS keys][8] in the *Key
@@ -2375,6 +2464,9 @@ module Aws::KMS
     #
     # * ReEncrypt
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
@@ -2386,6 +2478,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :ciphertext_blob
     #   Ciphertext to be decrypted. The blob includes metadata.
@@ -2492,7 +2585,7 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
     #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
     #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     #
@@ -2643,11 +2736,15 @@ module Aws::KMS
     #
     # * UpdateAlias
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :alias_name
     #   The alias to be deleted. The alias name must begin with `alias/`
@@ -2734,6 +2831,9 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
@@ -2741,6 +2841,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to delete. To find the
@@ -2804,11 +2905,15 @@ module Aws::KMS
     #
     # * ImportKeyMaterial
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key from which you are deleting imported key
@@ -2852,6 +2957,270 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Derives a shared secret using a key agreement algorithm.
+    #
+    # <note markdown="1"> You must use an asymmetric NIST-recommended elliptic curve (ECC) or
+    # SM2 (China Regions only) KMS key pair with a `KeyUsage` value of
+    # `KEY_AGREEMENT` to call DeriveSharedSecret.
+    #
+    #  </note>
+    #
+    # DeriveSharedSecret uses the [Elliptic Curve Cryptography Cofactor
+    # Diffie-Hellman Primitive][1] (ECDH) to establish a key agreement
+    # between two peers by deriving a shared secret from their elliptic
+    # curve public-private key pairs. You can use the raw shared secret that
+    # DeriveSharedSecret returns to derive a symmetric key that can encrypt
+    # and decrypt data that is sent between the two peers, or that can
+    # generate and verify HMACs. KMS recommends that you follow [NIST
+    # recommendations for key derivation][2] when using the raw shared
+    # secret to derive a symmetric key.
+    #
+    # The following workflow demonstrates how to establish key agreement
+    # over an insecure communication channel using DeriveSharedSecret.
+    #
+    # 1.  **Alice** calls CreateKey to create an asymmetric KMS key pair
+    #     with a `KeyUsage` value of `KEY_AGREEMENT`.
+    #
+    #     The asymmetric KMS key must use a NIST-recommended elliptic curve
+    #     (ECC) or SM2 (China Regions only) key spec.
+    #
+    # 2.  **Bob** creates an elliptic curve key pair.
+    #
+    #     Bob can call CreateKey to create an asymmetric KMS key pair or
+    #     generate a key pair outside of KMS. Bob's key pair must use the
+    #     same NIST-recommended elliptic curve (ECC) or SM2 (China Regions
+    #     ony) curve as Alice.
+    #
+    # 3.  Alice and Bob **exchange their public keys** through an insecure
+    #     communication channel (like the internet).
+    #
+    #     Use GetPublicKey to download the public key of your asymmetric KMS
+    #     key pair.
+    #
+    #     <note markdown="1"> KMS strongly recommends verifying that the public key you receive
+    #     came from the expected party before using it to derive a shared
+    #     secret.
+    #
+    #      </note>
+    #
+    # 4.  **Alice** calls DeriveSharedSecret.
+    #
+    #     KMS uses the private key from the KMS key pair generated in **Step
+    #     1**, Bob's public key, and the Elliptic Curve Cryptography
+    #     Cofactor Diffie-Hellman Primitive to derive the shared secret. The
+    #     private key in your KMS key pair never leaves KMS unencrypted.
+    #     DeriveSharedSecret returns the raw shared secret.
+    #
+    # 5.  **Bob** uses the Elliptic Curve Cryptography Cofactor
+    #     Diffie-Hellman Primitive to calculate the same raw secret using
+    #     his private key and Alice's public key.
+    #
+    # To derive a shared secret you must provide a key agreement algorithm,
+    # the private key of the caller's asymmetric NIST-recommended elliptic
+    # curve or SM2 (China Regions only) KMS key pair, and the public key
+    # from your peer's NIST-recommended elliptic curve or SM2 (China
+    # Regions only) key pair. The public key can be from another asymmetric
+    # KMS key pair or from a key pair generated outside of KMS, but both key
+    # pairs must be on the same elliptic curve.
+    #
+    # The KMS key that you use for this operation must be in a compatible
+    # key state. For details, see [Key states of KMS keys][3] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # **Cross-account use**: Yes. To perform this operation with a KMS key
+    # in a different Amazon Web Services account, specify the key ARN or
+    # alias ARN in the value of the `KeyId` parameter.
+    #
+    # **Required permissions**: [kms:DeriveSharedSecret][4] (key policy)
+    #
+    # **Related operations:**
+    #
+    # * CreateKey
+    #
+    # * GetPublicKey
+    #
+    # * DescribeKey
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
+    #
+    #
+    # [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60
+    # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
+    #
+    # @option params [required, String] :key_id
+    #   Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
+    #   only) KMS key. KMS uses the private key in the specified key pair to
+    #   derive the shared secret. The key usage of the KMS key must be
+    #   `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
+    #   DescribeKey operation.
+    #
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify a
+    #   KMS key in a different Amazon Web Services account, you must use the
+    #   key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #
+    # @option params [required, String] :key_agreement_algorithm
+    #   Specifies the key agreement algorithm used to derive the shared
+    #   secret. The only valid value is `ECDH`.
+    #
+    # @option params [required, String, StringIO, File] :public_key
+    #   Specifies the public key in your peer's NIST-recommended elliptic
+    #   curve (ECC) or SM2 (China Regions only) key pair.
+    #
+    #   The public key must be a DER-encoded X.509 public key, also known as
+    #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
+    #
+    #   GetPublicKey returns the public key of an asymmetric KMS key pair in
+    #   the required DER-encoded format.
+    #
+    #   <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
+    #   the DER-encoded X.509 public key in a file. Otherwise, the Amazon Web
+    #   Services CLI Base64-encodes the public key a second time, resulting in
+    #   a `ValidationException`.
+    #
+    #    </note>
+    #
+    #   You can specify the public key as binary data in a file using fileb
+    #   (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280
+    #   [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
+    #
+    # @option params [Array<String>] :grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*. For
+    #   more information, see [Grant token][1] and [Using a grant token][2] in
+    #   the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #
+    # @option params [Boolean] :dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #
+    # @option params [Types::RecipientInfo] :recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's public
+    #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
+    #   Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] to generate the attestation document and then use the
+    #   Recipient parameter from any Amazon Web Services SDK to provide the
+    #   attestation document for the enclave.
+    #
+    #   When you use this parameter, instead of returning a plaintext copy of
+    #   the shared secret, KMS encrypts the plaintext shared secret under the
+    #   public key in the attestation document, and returns the resulting
+    #   ciphertext in the `CiphertextForRecipient` field in the response. This
+    #   ciphertext can be decrypted only with the private key in the enclave.
+    #   The `CiphertextBlob` field in the response contains the encrypted
+    #   shared secret derived from the KMS key specified by the `KeyId`
+    #   parameter and public key specified by the `PublicKey` parameter. The
+    #   `SharedSecret` field in the response is null or empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #
+    # @return [Types::DeriveSharedSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DeriveSharedSecretResponse#key_id #key_id} => String
+    #   * {Types::DeriveSharedSecretResponse#shared_secret #shared_secret} => String
+    #   * {Types::DeriveSharedSecretResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
+    #   * {Types::DeriveSharedSecretResponse#key_agreement_algorithm #key_agreement_algorithm} => String
+    #   * {Types::DeriveSharedSecretResponse#key_origin #key_origin} => String
+    #
+    #
+    # @example Example: To derive a shared secret
+    #
+    #   # The following example derives a shared secret using a key agreement algorithm.
+    #
+    #   resp = client.derive_shared_secret({
+    #     key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
+    #     public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag", # The public key in your peer's asymmetric key pair.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The asymmetric KMS key pair used to derive the shared secret.
+    #     key_origin: "AWS_KMS", # The source of the key material for the specified KMS key.
+    #     shared_secret: "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG", # The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.derive_shared_secret({
+    #     key_id: "KeyIdType", # required
+    #     key_agreement_algorithm: "ECDH", # required, accepts ECDH
+    #     public_key: "data", # required
+    #     grant_tokens: ["GrantTokenType"],
+    #     dry_run: false,
+    #     recipient: {
+    #       key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
+    #       attestation_document: "data",
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.key_id #=> String
+    #   resp.shared_secret #=> String
+    #   resp.ciphertext_for_recipient #=> String
+    #   resp.key_agreement_algorithm #=> String, one of "ECDH"
+    #   resp.key_origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret AWS API Documentation
+    #
+    # @overload derive_shared_secret(params = {})
+    # @param [Hash] params ({})
+    def derive_shared_secret(params = {}, options = {})
+      req = build_request(:derive_shared_secret, params)
+      req.send_request(options)
+    end
+
     # Gets information about [custom key stores][1] in the account and
     # Region.
     #
@@ -2905,12 +3274,16 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :custom_key_store_id
     #   Gets only information about the specified custom key store. Enter the
@@ -3094,15 +3467,11 @@ module Aws::KMS
     # also displays the key usage (encryption, signing, or generating and
     # verifying MACs) and the algorithms that the KMS key supports.
     #
-    # For [multi-Region
-    # keys](kms/latest/developerguide/multi-region-keys-overview.html),
-    # `DescribeKey` displays the primary key and all related replica keys.
-    # For KMS keys in [CloudHSM key
-    # stores](kms/latest/developerguide/keystore-cloudhsm.html), it includes
-    # information about the key store, such as the key store ID and the
-    # CloudHSM cluster ID. For KMS keys in [external key
-    # stores](kms/latest/developerguide/keystore-external.html), it includes
-    # the custom key store ID and the ID of the external key.
+    # For [multi-Region keys][3], `DescribeKey` displays the primary key and
+    # all related replica keys. For KMS keys in [CloudHSM key stores][4], it
+    # includes information about the key store, such as the key store ID and
+    # the CloudHSM cluster ID. For KMS keys in [external key stores][5], it
+    # includes the custom key store ID and the ID of the external key.
     #
     # `DescribeKey` does not return the following information:
     #
@@ -3112,7 +3481,7 @@ module Aws::KMS
     # * Whether automatic key rotation is enabled on the KMS key. To get
     #   this information, use GetKeyRotationStatus. Also, some key states
     #   prevent a KMS key from being automatically rotated. For details, see
-    #   [How Automatic Key Rotation Works][3] in the *Key Management Service
+    #   [How Automatic Key Rotation Works][6] in the *Key Management Service
     #   Developer Guide*.
     #
     # * Tags on the KMS key. To get this information, use ListResourceTags.
@@ -3129,7 +3498,7 @@ module Aws::KMS
     # in a different Amazon Web Services account, specify the key ARN or
     # alias ARN in the value of the `KeyId` parameter.
     #
-    # **Required permissions**: [kms:DescribeKey][4] (key policy)
+    # **Required permissions**: [kms:DescribeKey][7] (key policy)
     #
     # **Related operations:**
     #
@@ -3147,12 +3516,19 @@ module Aws::KMS
     #
     # * ListRetirableGrants
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][8].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Describes the specified KMS key.
@@ -3429,7 +3805,7 @@ module Aws::KMS
     #   resp.key_metadata.creation_date #=> Time
     #   resp.key_metadata.enabled #=> Boolean
     #   resp.key_metadata.description #=> String
-    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
+    #   resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
     #   resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.key_metadata.deletion_date #=> Time
     #   resp.key_metadata.valid_to #=> Time
@@ -3444,6 +3820,8 @@ module Aws::KMS
     #   resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.key_metadata.signing_algorithms #=> Array
     #   resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.key_metadata.key_agreement_algorithms #=> Array
+    #   resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.key_metadata.multi_region #=> Boolean
     #   resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -3483,11 +3861,15 @@ module Aws::KMS
     #
     # **Related operations**: EnableKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key to disable.
@@ -3567,6 +3949,13 @@ module Aws::KMS
     #
     # * GetKeyRotationStatus
     #
+    # * ListKeyRotations
+    #
+    # * RotateKeyOnDemand
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][12].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
@@ -3580,6 +3969,7 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies a symmetric encryption KMS key. You cannot enable or
@@ -3679,11 +4069,15 @@ module Aws::KMS
     #
     # * UpdateCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to disconnect. To find
@@ -3737,11 +4131,15 @@ module Aws::KMS
     #
     # **Related operations**: DisableKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key to enable.
@@ -3787,12 +4185,20 @@ module Aws::KMS
     # Enables [automatic rotation of the key material][1] of the specified
     # symmetric encryption KMS key.
     #
-    # When you enable automatic rotation of a[customer managed KMS key][2],
-    # KMS rotates the key material of the KMS key one year (approximately
-    # 365 days) from the enable date and every year thereafter. You can
-    # monitor rotation of the key material for your KMS keys in CloudTrail
-    # and Amazon CloudWatch. To disable rotation of the key material in a
-    # customer managed KMS key, use the DisableKeyRotation operation.
+    # By default, when you enable automatic rotation of a [customer managed
+    # KMS key][2], KMS rotates the key material of the KMS key one year
+    # (approximately 365 days) from the enable date and every year
+    # thereafter. You can use the optional `RotationPeriodInDays` parameter
+    # to specify a custom rotation period when you enable key rotation, or
+    # you can use `RotationPeriodInDays` to modify the rotation period of a
+    # key that you previously enabled automatic key rotation on.
+    #
+    # You can monitor rotation of the key material for your KMS keys in
+    # CloudTrail and Amazon CloudWatch. To disable rotation of the key
+    # material in a customer managed KMS key, use the DisableKeyRotation
+    # operation. You can use the GetKeyRotationStatus operation to identify
+    # any in progress rotations. You can use the ListKeyRotations operation
+    # to view the details of completed rotations.
     #
     # Automatic key rotation is supported only on [symmetric encryption KMS
     # keys][3]. You cannot enable automatic rotation of [asymmetric KMS
@@ -3801,10 +4207,11 @@ module Aws::KMS
     # disable automatic rotation of a set of related [multi-Region keys][8],
     # set the property on the primary key.
     #
-    # You cannot enable or disable automatic rotation [Amazon Web Services
-    # managed KMS keys][9]. KMS always rotates the key material of Amazon
-    # Web Services managed keys every year. Rotation of [Amazon Web Services
-    # owned KMS keys][10] varies.
+    # You cannot enable or disable automatic rotation of [Amazon Web
+    # Services managed KMS keys][9]. KMS always rotates the key material of
+    # Amazon Web Services managed keys every year. Rotation of [Amazon Web
+    # Services owned KMS keys][10] is managed by the Amazon Web Services
+    # service that owns the key.
     #
     # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
     # managed keys from every three years (approximately 1,095 days) to
@@ -3833,9 +4240,22 @@ module Aws::KMS
     #
     # * GetKeyRotationStatus
     #
+    # * ListKeyRotations
     #
+    # * RotateKeyOnDemand
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+    #   <note markdown="1"> You can perform on-demand (RotateKeyOnDemand) rotation of the key
+    #   material in customer managed KMS keys, regardless of whether or not
+    #   automatic key rotation is enabled.
+    #
+    #    </note>
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][13].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
@@ -3847,6 +4267,7 @@ module Aws::KMS
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies a symmetric encryption KMS key. You cannot enable automatic
@@ -3875,21 +4296,42 @@ module Aws::KMS
     #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
     #
+    # @option params [Integer] :rotation_period_in_days
+    #   Use this parameter to specify a custom period of time between each
+    #   rotation date. If no value is specified, the default value is 365
+    #   days.
+    #
+    #   The rotation period defines the number of days after you enable
+    #   automatic key rotation that KMS will rotate your key material, and the
+    #   number of days between each automatic rotation thereafter.
+    #
+    #   You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
+    #   further constrain the values that principals can specify in the
+    #   `RotationPeriodInDays` parameter.
+    #
+    #
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     #
     # @example Example: To enable automatic rotation of key material
     #
-    #   # The following example enables automatic annual rotation of the key material for the specified KMS key.
+    #   # The following example enables automatic rotation with a rotation period of 365 days for the specified KMS key.
     #
     #   resp = client.enable_key_rotation({
-    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material will be rotated annually. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material will be automatically rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     rotation_period_in_days: 365, # The number of days between each rotation date. Specify a value between 9 and 2560. If no value is specified, the default value is 365 days.
     #   })
     #
     # @example Request syntax with placeholder values
     #
     #   resp = client.enable_key_rotation({
     #     key_id: "KeyIdType", # required
+    #     rotation_period_in_days: 1,
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation AWS API Documentation
@@ -3944,25 +4386,21 @@ module Aws::KMS
     #   * `SYMMETRIC_DEFAULT`: 4096 bytes
     #
     #   ^
-    #
     # * `RSA_2048`
     #
     #   * `RSAES_OAEP_SHA_1`: 214 bytes
     #
     #   * `RSAES_OAEP_SHA_256`: 190 bytes
-    #
     # * `RSA_3072`
     #
     #   * `RSAES_OAEP_SHA_1`: 342 bytes
     #
     #   * `RSAES_OAEP_SHA_256`: 318 bytes
-    #
     # * `RSA_4096`
     #
     #   * `RSAES_OAEP_SHA_1`: 470 bytes
     #
     #   * `RSAES_OAEP_SHA_256`: 446 bytes
-    #
     # * `SM2PKE`: 1024 bytes (China Regions only)
     #
     # The KMS key that you use for this operation must be in a compatible
@@ -3983,11 +4421,15 @@ module Aws::KMS
     #
     # * GenerateDataKeyPair
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key to use in the encryption operation. The KMS key
@@ -4247,6 +4689,9 @@ module Aws::KMS
     #
     # * GenerateDataKeyWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
@@ -4258,6 +4703,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
     # [8]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Specifies the symmetric encryption KMS key that encrypts the data key.
@@ -4464,8 +4910,9 @@ module Aws::KMS
     # a copy of the private key that is encrypted under the symmetric
     # encryption KMS key you specify. You can use the data key pair to
     # perform asymmetric cryptography and implement digital signatures
-    # outside of KMS. The bytes in the keys are random; they not related to
-    # the caller or to the KMS key that is used to encrypt the private key.
+    # outside of KMS. The bytes in the keys are random; they are not related
+    # to the caller or to the KMS key that is used to encrypt the private
+    # key.
     #
     # You can use the public key that `GenerateDataKeyPair` returns to
     # encrypt data or verify a signature outside of KMS. Then, store the
@@ -4546,6 +4993,9 @@ module Aws::KMS
     #
     # * GenerateDataKeyWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][9].
+    #
     #
     #
     # [1]: https://tools.ietf.org/html/rfc5280
@@ -4556,6 +5006,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used when encrypting the
@@ -4633,8 +5084,11 @@ module Aws::KMS
     #   key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
+    #   Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
+    #   SDK][2] to generate the attestation document and then use the
+    #   Recipient parameter from any Amazon Web Services SDK to provide the
+    #   attestation document for the enclave.
     #
     #   When you use this parameter, instead of returning a plaintext copy of
     #   the private data key, KMS encrypts the plaintext private data key
@@ -4819,12 +5273,16 @@ module Aws::KMS
     #
     # * GenerateDataKeyWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://tools.ietf.org/html/rfc5280
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used when encrypting the
@@ -5035,11 +5493,15 @@ module Aws::KMS
     #
     # * GenerateDataKeyPairWithoutPlaintext
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Specifies the symmetric encryption KMS key that encrypts the data key.
@@ -5207,12 +5669,16 @@ module Aws::KMS
     #
     # **Related operations**: VerifyMac
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://datatracker.ietf.org/doc/html/rfc2104
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :message
     #   The message to be hashed. Specify a message of up to 4,096 bytes.
@@ -5343,6 +5809,9 @@ module Aws::KMS
     #
     # **Required permissions**: [kms:GenerateRandom][5] (IAM policy)
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
@@ -5350,6 +5819,7 @@ module Aws::KMS
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
     # [4]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :number_of_bytes
     #   The length of the random byte string. This parameter is required.
@@ -5460,11 +5930,16 @@ module Aws::KMS
     #
     # **Required permissions**: [kms:GetKeyPolicy][1] (key policy)
     #
-    # **Related operations**: PutKeyPolicy
+    # **Related operations**: [PutKeyPolicy][2]
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets the key policy for the specified KMS key.
@@ -5481,13 +5956,15 @@ module Aws::KMS
     #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
-    # @option params [required, String] :policy_name
-    #   Specifies the name of the key policy. The only valid name is
-    #   `default`. To get the names of key policies, use ListKeyPolicies.
+    # @option params [String] :policy_name
+    #   Specifies the name of the key policy. If no policy name is specified,
+    #   the default value is `default`. The only valid name is `default`. To
+    #   get the names of key policies, use ListKeyPolicies.
     #
     # @return [Types::GetKeyPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GetKeyPolicyResponse#policy #policy} => String
+    #   * {Types::GetKeyPolicyResponse#policy_name #policy_name} => String
     #
     #
     # @example Example: To retrieve a key policy
@@ -5508,12 +5985,13 @@ module Aws::KMS
     #
     #   resp = client.get_key_policy({
     #     key_id: "KeyIdType", # required
-    #     policy_name: "PolicyNameType", # required
+    #     policy_name: "PolicyNameType",
     #   })
     #
     # @example Response structure
     #
     #   resp.policy #=> String
+    #   resp.policy_name #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy AWS API Documentation
     #
@@ -5524,14 +6002,10 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Gets a Boolean value that indicates whether [automatic rotation of the
-    # key material][1] is enabled for the specified KMS key.
-    #
-    # When you enable automatic rotation for [customer managed KMS keys][2],
-    # KMS rotates the key material of the KMS key one year (approximately
-    # 365 days) from the enable date and every year thereafter. You can
-    # monitor rotation of the key material for your KMS keys in CloudTrail
-    # and Amazon CloudWatch.
+    # Provides detailed information about the rotation status for a KMS key,
+    # including whether [automatic rotation of the key material][1] is
+    # enabled for the specified KMS key, the [rotation period][2], and the
+    # next scheduled rotation date.
     #
     # Automatic key rotation is supported only on [symmetric encryption KMS
     # keys][3]. You cannot enable automatic rotation of [asymmetric KMS
@@ -5547,6 +6021,13 @@ module Aws::KMS
     # Services managed KMS keys every year. The key rotation status for
     # Amazon Web Services managed KMS keys is always `true`.
     #
+    # You can perform on-demand (RotateKeyOnDemand) rotation of the key
+    # material in customer managed KMS keys, regardless of whether or not
+    # automatic key rotation is enabled. You can use GetKeyRotationStatus to
+    # identify the date and time that an in progress on-demand rotation was
+    # initiated. You can use ListKeyRotations to view the details of
+    # completed rotations.
+    #
     # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
     # managed keys from every three years to every year. For details, see
     # EnableKeyRotation.
@@ -5583,10 +6064,17 @@ module Aws::KMS
     #
     # * EnableKeyRotation
     #
+    # * ListKeyRotations
+    #
+    # * RotateKeyOnDemand
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][12].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotation-period
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
@@ -5596,6 +6084,7 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets the rotation status for the specified KMS key.
@@ -5616,11 +6105,16 @@ module Aws::KMS
     # @return [Types::GetKeyRotationStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GetKeyRotationStatusResponse#key_rotation_enabled #key_rotation_enabled} => Boolean
+    #   * {Types::GetKeyRotationStatusResponse#key_id #key_id} => String
+    #   * {Types::GetKeyRotationStatusResponse#rotation_period_in_days #rotation_period_in_days} => Integer
+    #   * {Types::GetKeyRotationStatusResponse#next_rotation_date #next_rotation_date} => Time
+    #   * {Types::GetKeyRotationStatusResponse#on_demand_rotation_start_date #on_demand_rotation_start_date} => Time
     #
     #
     # @example Example: To retrieve the rotation status for a KMS key
     #
-    #   # The following example retrieves the status of automatic annual rotation of the key material for the specified KMS key.
+    #   # The following example retrieves detailed information about the rotation status for a KMS key, including whether
+    #   # automatic key rotation is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date.
     #
     #   resp = client.get_key_rotation_status({
     #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material rotation status you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
@@ -5628,7 +6122,11 @@ module Aws::KMS
     #
     #   resp.to_h outputs the following:
     #   {
-    #     key_rotation_enabled: true, # A boolean that indicates the key material rotation status. Returns true when automatic annual rotation of the key material is enabled, or false when it is not.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # Identifies the specified symmetric encryption KMS key.
+    #     key_rotation_enabled: true, # A boolean that indicates the key material rotation status. Returns true when automatic rotation of the key material is enabled, or false when it is not.
+    #     next_rotation_date: Time.parse("2024-04-05T15:14:47.757000+00:00"), # The next date that the key material will be automatically rotated.
+    #     on_demand_rotation_start_date: Time.parse("2024-03-02T10:11:36.564000+00:00"), # Identifies the date and time that an in progress on-demand rotation was initiated.
+    #     rotation_period_in_days: 365, # The number of days between each automatic rotation. The default value is 365 days.
     #   }
     #
     # @example Request syntax with placeholder values
@@ -5640,6 +6138,10 @@ module Aws::KMS
     # @example Response structure
     #
     #   resp.key_rotation_enabled #=> Boolean
+    #   resp.key_id #=> String
+    #   resp.rotation_period_in_days #=> Integer
+    #   resp.next_rotation_date #=> Time
+    #   resp.on_demand_rotation_start_date #=> Time
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus AWS API Documentation
     #
@@ -5665,14 +6167,11 @@ module Aws::KMS
     # material. You can import key material for a symmetric encryption KMS
     # key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric
     # signing KMS key. You can also import key material into a [multi-Region
-    # key](kms/latest/developerguide/multi-region-keys-overview.html) of any
-    # supported type. However, you can't import key material into a KMS key
-    # in a [custom key
-    # store](kms/latest/developerguide/custom-key-store-overview.html). You
-    # can also use `GetParametersForImport` to get a public key and import
-    # token to [reimport the original key
-    # material](kms/latest/developerguide/importing-keys.html#reimport-key-material)
-    # into a KMS key whose key material expired or was deleted.
+    # key][2] of any supported type. However, you can't import key material
+    # into a KMS key in a [custom key store][3]. You can also use
+    # `GetParametersForImport` to get a public key and import token to
+    # [reimport the original key material][4] into a KMS key whose key
+    # material expired or was deleted.
     #
     # `GetParametersForImport` returns the items that you need to import
     # your key material.
@@ -5709,13 +6208,13 @@ module Aws::KMS
     # algorithm each time you import or reimport the same key material.
     #
     # The KMS key that you use for this operation must be in a compatible
-    # key state. For details, see [Key states of KMS keys][2] in the *Key
+    # key state. For details, see [Key states of KMS keys][5] in the *Key
     # Management Service Developer Guide*.
     #
     # **Cross-account use**: No. You cannot perform this operation on a KMS
     # key in a different Amazon Web Services account.
     #
-    # **Required permissions**: [kms:GetParametersForImport][3] (key policy)
+    # **Required permissions**: [kms:GetParametersForImport][6] (key policy)
     #
     # **Related operations:**
     #
@@ -5723,11 +6222,18 @@ module Aws::KMS
     #
     # * DeleteImportedKeyMaterial
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   The identifier of the KMS key that will be associated with the
@@ -5782,8 +6288,8 @@ module Aws::KMS
     #     You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
     #     RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
     #
-    #   * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for symmetric
-    #     encryption key material (and only in legacy mode).
+    #   * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
+    #     does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
     #
     # @option params [required, String] :wrapping_key_spec
     #   The type of RSA public key to return in the response. You will use
@@ -5886,8 +6392,8 @@ module Aws::KMS
     #
     #   resp = client.get_parameters_for_import({
     #     key_id: "KeyIdType", # required
-    #     wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
-    #     wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
+    #     wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256, SM2PKE
+    #     wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, SM2
     #   })
     #
     # @example Response structure
@@ -5929,7 +6435,8 @@ module Aws::KMS
     # * [KeySpec][2]: The type of key material in the public key, such as
     #   `RSA_4096` or `ECC_NIST_P521`.
     #
-    # * [KeyUsage][3]: Whether the key is used for encryption or signing.
+    # * [KeyUsage][3]: Whether the key is used for encryption, signing, or
+    #   deriving a shared secret.
     #
     # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
     #   encryption algorithms or the signing algorithms for the key.
@@ -5959,6 +6466,9 @@ module Aws::KMS
     #
     # **Related operations**: CreateKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][9].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
@@ -5969,6 +6479,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric KMS key that includes the public key.
@@ -6014,6 +6525,7 @@ module Aws::KMS
     #   * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
     #   * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array&lt;String&gt;
     #   * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array&lt;String&gt;
+    #   * {Types::GetPublicKeyResponse#key_agreement_algorithms #key_agreement_algorithms} => Array&lt;String&gt;
     #
     #
     # @example Example: To download the public key of an asymmetric KMS key
@@ -6051,11 +6563,13 @@ module Aws::KMS
     #   resp.public_key #=> String
     #   resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
     #   resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
-    #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
+    #   resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
     #   resp.encryption_algorithms #=> Array
     #   resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.signing_algorithms #=> Array
     #   resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.key_agreement_algorithms #=> Array
+    #   resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
     #
@@ -6082,9 +6596,7 @@ module Aws::KMS
     # import different key material. You might reimport key material to
     # replace key material that expired or key material that you deleted.
     # You might also reimport key material to change the expiration model or
-    # expiration date of the key material. Before reimporting key material,
-    # if necessary, call DeleteImportedKeyMaterial to delete the current
-    # imported key material.
+    # expiration date of the key material.
     #
     # Each time you import key material into KMS, you can determine whether
     # (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
@@ -6179,6 +6691,9 @@ module Aws::KMS
     #
     # * GetParametersForImport
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
@@ -6187,6 +6702,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   The identifier of the KMS key that will be associated with the
@@ -6343,11 +6859,15 @@ module Aws::KMS
     #
     # * UpdateAlias
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :key_id
     #   Lists only aliases that are associated with the specified KMS key.
@@ -6507,12 +7027,16 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
     # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -6648,7 +7172,7 @@ module Aws::KMS
     #   resp.grants[0].retiring_principal #=> String
     #   resp.grants[0].issuing_account #=> String
     #   resp.grants[0].operations #=> Array
-    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
+    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
     #   resp.grants[0].constraints.encryption_context_subset #=> Hash
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -6679,11 +7203,16 @@ module Aws::KMS
     #
     # * GetKeyPolicy
     #
-    # * PutKeyPolicy
+    # * [PutKeyPolicy][2]
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets the names of key policies for the specified KMS key.
@@ -6765,6 +7294,129 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Returns information about all completed key material rotations for the
+    # specified KMS key.
+    #
+    # You must specify the KMS key in all requests. You can refine the key
+    # rotations list by limiting the number of rotations returned.
+    #
+    # For detailed information about automatic and on-demand key rotations,
+    # see [Rotating KMS keys][1] in the *Key Management Service Developer
+    # Guide*.
+    #
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
+    # key in a different Amazon Web Services account.
+    #
+    # **Required permissions**: [kms:ListKeyRotations][2] (key policy)
+    #
+    # **Related operations:**
+    #
+    # * EnableKeyRotation
+    #
+    # * DisableKeyRotation
+    #
+    # * GetKeyRotationStatus
+    #
+    # * RotateKeyOnDemand
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
+    #
+    # @option params [required, String] :key_id
+    #   Gets the key rotations for the specified KMS key.
+    #
+    #   Specify the key ID or key ARN of the KMS key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #
+    # @option params [Integer] :limit
+    #   Use this parameter to specify the maximum number of items to return.
+    #   When this value is present, KMS does not return more than the
+    #   specified number of items, but it might return fewer.
+    #
+    #   This value is optional. If you include a value, it must be between 1
+    #   and 1000, inclusive. If you do not include a value, it defaults to
+    #   100.
+    #
+    # @option params [String] :marker
+    #   Use this parameter in a subsequent request after you receive a
+    #   response with truncated results. Set it to the value of `NextMarker`
+    #   from the truncated response you just received.
+    #
+    # @return [Types::ListKeyRotationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListKeyRotationsResponse#rotations #rotations} => Array&lt;Types::RotationsListEntry&gt;
+    #   * {Types::ListKeyRotationsResponse#next_marker #next_marker} => String
+    #   * {Types::ListKeyRotationsResponse#truncated #truncated} => Boolean
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    #
+    # @example Example: To retrieve information about all completed key material rotations
+    #
+    #   # The following example returns information about all completed key material rotations for the specified KMS key.
+    #
+    #   resp = client.list_key_rotations({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     rotations: [
+    #       {
+    #         key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #         rotation_date: Time.parse("2024-03-02T10:11:36.564000+00:00"), 
+    #         rotation_type: "AUTOMATIC", 
+    #       }, 
+    #       {
+    #         key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #         rotation_date: Time.parse("2024-04-05T15:14:47.757000+00:00"), 
+    #         rotation_type: "ON_DEMAND", 
+    #       }, 
+    #     ], # A list of key rotations.
+    #     truncated: false, # A flag that indicates whether there are more items in the list. When the value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in this response to the Marker parameter in a subsequent request.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_key_rotations({
+    #     key_id: "KeyIdType", # required
+    #     limit: 1,
+    #     marker: "MarkerType",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.rotations #=> Array
+    #   resp.rotations[0].key_id #=> String
+    #   resp.rotations[0].rotation_date #=> Time
+    #   resp.rotations[0].rotation_type #=> String, one of "AUTOMATIC", "ON_DEMAND"
+    #   resp.next_marker #=> String
+    #   resp.truncated #=> Boolean
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotations AWS API Documentation
+    #
+    # @overload list_key_rotations(params = {})
+    # @param [Hash] params ({})
+    def list_key_rotations(params = {}, options = {})
+      req = build_request(:list_key_rotations, params)
+      req.send_request(options)
+    end
+
     # Gets a list of all KMS keys in the caller's Amazon Web Services
     # account and Region.
     #
@@ -6783,9 +7435,13 @@ module Aws::KMS
     #
     # * ListResourceTags
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][2].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -6898,11 +7554,15 @@ module Aws::KMS
     #
     # * UntagResource
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Gets tags on the specified KMS key.
@@ -7011,14 +7671,25 @@ module Aws::KMS
     # programming languages, see [Programming grants][2].
     #
     # **Cross-account use**: You must specify a principal in your Amazon Web
-    # Services account. However, this operation can return grants in any
-    # Amazon Web Services account. You do not need `kms:ListRetirableGrants`
-    # permission (or any other additional permission) in any Amazon Web
-    # Services account other than your own.
+    # Services account. This operation returns a list of grants where the
+    # retiring principal specified in the `ListRetirableGrants` request is
+    # the same retiring principal on the grant. This can include grants on
+    # KMS keys owned by other Amazon Web Services accounts, but you do not
+    # need `kms:ListRetirableGrants` permission (or any other additional
+    # permission) in any Amazon Web Services account other than your own.
     #
     # **Required permissions**: [kms:ListRetirableGrants][3] (IAM policy) in
     # your Amazon Web Services account.
     #
+    # <note markdown="1"> KMS authorizes `ListRetirableGrants` requests by evaluating the caller
+    # account's kms:ListRetirableGrants permissions. The authorized
+    # resource in `ListRetirableGrants` calls is the retiring principal
+    # specified in the request. KMS does not evaluate the caller's
+    # permissions to verify their access to any KMS keys or grants that
+    # might be returned by the `ListRetirableGrants` call.
+    #
+    #  </note>
+    #
     # **Related operations:**
     #
     # * CreateGrant
@@ -7029,11 +7700,15 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][4].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -7119,7 +7794,7 @@ module Aws::KMS
     #   resp.grants[0].retiring_principal #=> String
     #   resp.grants[0].issuing_account #=> String
     #   resp.grants[0].operations #=> Array
-    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
+    #   resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
     #   resp.grants[0].constraints.encryption_context_subset #=> Hash
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -7153,12 +7828,16 @@ module Aws::KMS
     #
     # **Related operations**: GetKeyPolicy
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Sets the key policy on the specified KMS key.
@@ -7175,8 +7854,9 @@ module Aws::KMS
     #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
-    # @option params [required, String] :policy_name
-    #   The name of the key policy. The only valid value is `default`.
+    # @option params [String] :policy_name
+    #   The name of the key policy. If no policy name is specified, the
+    #   default value is `default`. The only valid value is `default`.
     #
     # @option params [required, String] :policy
     #   The key policy to attach to the KMS key.
@@ -7233,12 +7913,13 @@ module Aws::KMS
     #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent PutKeyPolicy request on
-    #   the KMS key.
+    #   is making the request from making a subsequent [PutKeyPolicy][2]
+    #   request on the KMS key.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -7257,7 +7938,7 @@ module Aws::KMS
     #
     #   resp = client.put_key_policy({
     #     key_id: "KeyIdType", # required
-    #     policy_name: "PolicyNameType", # required
+    #     policy_name: "PolicyNameType",
     #     policy: "PolicyType", # required
     #     bypass_policy_lockout_safety_check: false,
     #   })
@@ -7363,6 +8044,9 @@ module Aws::KMS
     #
     # * GenerateDataKeyPair
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][9].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
@@ -7373,6 +8057,7 @@ module Aws::KMS
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
@@ -7643,9 +8328,8 @@ module Aws::KMS
     # If you replicate a multi-Region primary key with imported key
     # material, the replica key is created with no key material. You must
     # import the same key material that you imported into the primary key.
-    # For details, see [Importing key material into multi-Region
-    # keys](kms/latest/developerguide/multi-region-keys-import.html) in the
-    # *Key Management Service Developer Guide*.
+    # For details, see [Importing key material into multi-Region keys][12]
+    # in the *Key Management Service Developer Guide*.
     #
     # To convert a replica key to a primary key, use the UpdatePrimaryRegion
     # operation.
@@ -7675,6 +8359,9 @@ module Aws::KMS
     #
     # * UpdatePrimaryRegion
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][13].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
@@ -7688,6 +8375,8 @@ module Aws::KMS
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the multi-Region primary key that is being replicated. To
@@ -7806,12 +8495,13 @@ module Aws::KMS
     #   Management Service Developer Guide*.
     #
     #   Use this parameter only when you intend to prevent the principal that
-    #   is making the request from making a subsequent PutKeyPolicy request on
-    #   the KMS key.
+    #   is making the request from making a subsequent [PutKeyPolicy][2]
+    #   request on the KMS key.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
+    #   [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
     #
     # @option params [String] :description
     #   A description of the KMS key. The default value is an empty string (no
@@ -7942,7 +8632,7 @@ module Aws::KMS
     #   resp.replica_key_metadata.creation_date #=> Time
     #   resp.replica_key_metadata.enabled #=> Boolean
     #   resp.replica_key_metadata.description #=> String
-    #   resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
+    #   resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
     #   resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
     #   resp.replica_key_metadata.deletion_date #=> Time
     #   resp.replica_key_metadata.valid_to #=> Time
@@ -7957,6 +8647,8 @@ module Aws::KMS
     #   resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
     #   resp.replica_key_metadata.signing_algorithms #=> Array
     #   resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
+    #   resp.replica_key_metadata.key_agreement_algorithms #=> Array
+    #   resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
     #   resp.replica_key_metadata.multi_region #=> Boolean
     #   resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
     #   resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -8002,7 +8694,7 @@ module Aws::KMS
     # **Cross-account use**: Yes. You can retire a grant on a KMS key in a
     # different Amazon Web Services account.
     #
-    # **Required permissions:**:Permission to retire a grant is determined
+    # **Required permissions**: Permission to retire a grant is determined
     # primarily by the grant. For details, see [Retiring and revoking
     # grants][2] in the *Key Management Service Developer Guide*.
     #
@@ -8016,12 +8708,16 @@ module Aws::KMS
     #
     # * RevokeGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [String] :grant_token
     #   Identifies the grant to be retired. You can use a grant token to
@@ -8125,13 +8821,17 @@ module Aws::KMS
     #
     # * RetireGrant
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][6].
+    #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the KMS key associated with the grant. To get
@@ -8194,6 +8894,147 @@ module Aws::KMS
       req.send_request(options)
     end
 
+    # Immediately initiates rotation of the key material of the specified
+    # symmetric encryption KMS key.
+    #
+    # You can perform [on-demand rotation][1] of the key material in
+    # customer managed KMS keys, regardless of whether or not [automatic key
+    # rotation][2] is enabled. On-demand rotations do not change existing
+    # automatic rotation schedules. For example, consider a KMS key that has
+    # automatic key rotation enabled with a rotation period of 730 days. If
+    # the key is scheduled to automatically rotate on April 14, 2024, and
+    # you perform an on-demand rotation on April 10, 2024, the key will
+    # automatically rotate, as scheduled, on April 14, 2024 and every 730
+    # days thereafter.
+    #
+    # <note markdown="1"> You can perform on-demand key rotation a **maximum of 10 times** per
+    # KMS key. You can use the KMS console to view the number of remaining
+    # on-demand rotations available for a KMS key.
+    #
+    #  </note>
+    #
+    # You can use GetKeyRotationStatus to identify any in progress on-demand
+    # rotations. You can use ListKeyRotations to identify the date that
+    # completed on-demand rotations were performed. You can monitor rotation
+    # of the key material for your KMS keys in CloudTrail and Amazon
+    # CloudWatch.
+    #
+    # On-demand key rotation is supported only on [symmetric encryption KMS
+    # keys][3]. You cannot perform on-demand rotation of [asymmetric KMS
+    # keys][4], [HMAC KMS keys][5], KMS keys with [imported key
+    # material][6], or KMS keys in a [custom key store][7]. To perform
+    # on-demand rotation of a set of related [multi-Region keys][8], invoke
+    # the on-demand rotation on the primary key.
+    #
+    # You cannot initiate on-demand rotation of [Amazon Web Services managed
+    # KMS keys][9]. KMS always rotates the key material of Amazon Web
+    # Services managed keys every year. Rotation of [Amazon Web Services
+    # owned KMS keys][10] is managed by the Amazon Web Services service that
+    # owns the key.
+    #
+    # The KMS key that you use for this operation must be in a compatible
+    # key state. For details, see [Key states of KMS keys][11] in the *Key
+    # Management Service Developer Guide*.
+    #
+    # **Cross-account use**: No. You cannot perform this operation on a KMS
+    # key in a different Amazon Web Services account.
+    #
+    # **Required permissions**: [kms:RotateKeyOnDemand][12] (key policy)
+    #
+    # **Related operations:**
+    #
+    # * EnableKeyRotation
+    #
+    # * DisableKeyRotation
+    #
+    # * GetKeyRotationStatus
+    #
+    # * ListKeyRotations
+    #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][13].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
+    #
+    # @option params [required, String] :key_id
+    #   Identifies a symmetric encryption KMS key. You cannot perform
+    #   on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
+    #   KMS keys with [imported key material][3], or KMS keys in a [custom key
+    #   store][4]. To perform on-demand rotation of a set of related
+    #   [multi-Region keys][5], invoke the on-demand rotation on the primary
+    #   key.
+    #
+    #   Specify the key ID or key ARN of the KMS key.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    #   [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
+    #
+    # @return [Types::RotateKeyOnDemandResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::RotateKeyOnDemandResponse#key_id #key_id} => String
+    #
+    #
+    # @example Example: To perform on-demand rotation of key material
+    #
+    #   # The following example immediately initiates rotation of the key material for the specified KMS key.
+    #
+    #   resp = client.rotate_key_on_demand({
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material you want to initiate on-demand rotation on. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key that you initiated on-demand rotation on.
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.rotate_key_on_demand({
+    #     key_id: "KeyIdType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.key_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemand AWS API Documentation
+    #
+    # @overload rotate_key_on_demand(params = {})
+    # @param [Hash] params ({})
+    def rotate_key_on_demand(params = {}, options = {})
+      req = build_request(:rotate_key_on_demand, params)
+      req.send_request(options)
+    end
+
     # Schedules the deletion of a KMS key. By default, KMS applies a waiting
     # period of 30 days, but you can specify a waiting period of 7-30 days.
     # When this operation is successful, the key state of the KMS key
@@ -8208,9 +9049,8 @@ module Aws::KMS
     # Deleting a KMS key is a destructive and potentially dangerous
     # operation. When a KMS key is deleted, all data that was encrypted
     # under the KMS key is unrecoverable. (The only exception is a
-    # [multi-Region replica
-    # key](kms/latest/developerguide/multi-region-keys-delete.html), or an
-    # [asymmetric or HMAC KMS key with imported key
+    # [multi-Region replica key][1], or an [asymmetric or HMAC KMS key with
+    # imported key
     # material](kms/latest/developerguide/importing-keys-managing.html#import-delete-key).)
     # To prevent the use of a KMS key without deleting it, use DisableKey.
     #
@@ -8256,6 +9096,9 @@ module Aws::KMS
     #
     # * DisableKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html
@@ -8264,6 +9107,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   The unique identifier of the KMS key to delete.
@@ -8403,12 +9247,16 @@ module Aws::KMS
     #
     # **Related operations**: Verify
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://en.wikipedia.org/wiki/Digital_signature
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies an asymmetric KMS key. KMS uses the private key in the
@@ -8632,6 +9480,9 @@ module Aws::KMS
     #
     # * UntagResource
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][11].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
@@ -8644,6 +9495,7 @@ module Aws::KMS
     # [8]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies a customer managed key in the account and Region.
@@ -8748,6 +9600,9 @@ module Aws::KMS
     #
     # * TagResource
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][7].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
@@ -8756,6 +9611,7 @@ module Aws::KMS
     # [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
     # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the KMS key from which you are removing tags.
@@ -8859,12 +9715,16 @@ module Aws::KMS
     #
     # * ListAliases
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :alias_name
     #   Identifies the alias that is changing its KMS key. This value must
@@ -9030,10 +9890,14 @@ module Aws::KMS
     #
     # * DisconnectCustomKeyStore
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :custom_key_store_id
     #   Identifies the custom key store that you want to update. Enter the ID
@@ -9304,10 +10168,14 @@ module Aws::KMS
     #
     # * DescribeKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][3].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Updates the description of the specified KMS key.
@@ -9431,6 +10299,9 @@ module Aws::KMS
     #
     # * ReplicateKey
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][10].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update
@@ -9442,6 +10313,7 @@ module Aws::KMS
     # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
     # [8]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
     # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the current primary key. When the operation completes, this
@@ -9550,12 +10422,16 @@ module Aws::KMS
     #
     # **Related operations**: Sign
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String] :key_id
     #   Identifies the asymmetric KMS key that will be used to verify the
@@ -9767,12 +10643,16 @@ module Aws::KMS
     #
     # **Related operations**: GenerateMac
     #
+    # **Eventual consistency**: The KMS API follows an eventual consistency
+    # model. For more information, see [KMS eventual consistency][5].
+    #
     #
     #
     # [1]: https://datatracker.ietf.org/doc/html/rfc2104
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
     # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
     #
     # @option params [required, String, StringIO, File] :message
     #   The message that will be used in the verification. Enter the same
@@ -9881,14 +10761,19 @@ module Aws::KMS
     # @api private
     def build_request(operation_name, params = {})
       handlers = @handlers.for(operation_name)
+      tracer = config.telemetry_provider.tracer_provider.tracer(
+        Aws::Telemetry.module_to_tracer_name('Aws::KMS')
+      )
       context = Seahorse::Client::RequestContext.new(
         operation_name: operation_name,
         operation: config.api.operation(operation_name),
         client: self,
         params: params,
-        config: config)
+        config: config,
+        tracer: tracer
+      )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.72.0'
+      context[:gem_version] = '1.96.0'
       Seahorse::Client::Request.new(handlers, context)
     end