aws-sdk-kms 1.72.0 → 1.96.0

@@ -242,6 +242,21 @@ module Aws::KMS
242
242
  include Aws::Structure
243
243
  end
244
244
 
245
+ # The request was rejected because an automatic rotation of this key is
246
+ # currently in progress or scheduled to begin within the next 20
247
+ # minutes.
248
+ #
249
+ # @!attribute [rw] message
250
+ # @return [String]
251
+ #
252
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConflictException AWS API Documentation
253
+ #
254
+ class ConflictException < Struct.new(
255
+ :message)
256
+ SENSITIVE = []
257
+ include Aws::Structure
258
+ end
259
+
245
260
  # @!attribute [rw] custom_key_store_id
246
261
  # Enter the key store ID of the custom key store that you want to
247
262
  # connect. To find the ID of a custom key store, use the
@@ -418,7 +433,7 @@ module Aws::KMS
418
433
  #
419
434
  # * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
420
435
  # use the same `XksProxyUriEndpoint` value as an external key store
421
- # with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
436
+ # with `VPC_ENDPOINT_SERVICE` connectivity in this Amazon Web
422
437
  # Services Region.
423
438
  #
424
439
  # * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
@@ -826,14 +841,17 @@ module Aws::KMS
826
841
  #
827
842
  # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
828
843
  #
829
- # * For asymmetric KMS keys with RSA key material, specify
844
+ # * For asymmetric KMS keys with RSA key pairs, specify
830
845
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
831
846
  #
832
- # * For asymmetric KMS keys with ECC key material, specify
847
+ # * For asymmetric KMS keys with NIST-recommended elliptic curve key
848
+ # pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
849
+ #
850
+ # * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
833
851
  # `SIGN_VERIFY`.
834
852
  #
835
- # * For asymmetric KMS keys with SM2 key material (China Regions
836
- # only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
853
+ # * For asymmetric KMS keys with SM2 key pairs (China Regions only),
854
+ # specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
837
855
  #
838
856
  #
839
857
  #
@@ -878,7 +896,6 @@ module Aws::KMS
878
896
  # * `SYMMETRIC_DEFAULT`
879
897
  #
880
898
  # ^
881
- #
882
899
  # * HMAC keys (symmetric)
883
900
  #
884
901
  # * `HMAC_224`
@@ -888,33 +905,33 @@ module Aws::KMS
888
905
  # * `HMAC_384`
889
906
  #
890
907
  # * `HMAC_512`
891
- #
892
- # * Asymmetric RSA key pairs
908
+ # * Asymmetric RSA key pairs (encryption and decryption -or- signing
909
+ # and verification)
893
910
  #
894
911
  # * `RSA_2048`
895
912
  #
896
913
  # * `RSA_3072`
897
914
  #
898
915
  # * `RSA_4096`
899
- #
900
- # * Asymmetric NIST-recommended elliptic curve key pairs
916
+ # * Asymmetric NIST-recommended elliptic curve key pairs (signing and
917
+ # verification -or- deriving shared secrets)
901
918
  #
902
919
  # * `ECC_NIST_P256` (secp256r1)
903
920
  #
904
921
  # * `ECC_NIST_P384` (secp384r1)
905
922
  #
906
923
  # * `ECC_NIST_P521` (secp521r1)
907
- #
908
- # * Other asymmetric elliptic curve key pairs
924
+ # * Other asymmetric elliptic curve key pairs (signing and
925
+ # verification)
909
926
  #
910
927
  # * `ECC_SECG_P256K1` (secp256k1), commonly used for
911
928
  # cryptocurrencies.
912
929
  #
913
930
  # ^
931
+ # * SM2 key pairs (encryption and decryption -or- signing and
932
+ # verification -or- deriving shared secrets)
914
933
  #
915
- # * SM2 key pairs (China Regions only)
916
- #
917
- # * `SM2`
934
+ # * `SM2` (China Regions only)
918
935
  #
919
936
  # ^
920
937
  #
@@ -992,12 +1009,13 @@ module Aws::KMS
992
1009
  # Management Service Developer Guide*.
993
1010
  #
994
1011
  # Use this parameter only when you intend to prevent the principal
995
- # that is making the request from making a subsequent PutKeyPolicy
996
- # request on the KMS key.
1012
+ # that is making the request from making a subsequent
1013
+ # [PutKeyPolicy][2] request on the KMS key.
997
1014
  #
998
1015
  #
999
1016
  #
1000
1017
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
1018
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
1001
1019
  # @return [Boolean]
1002
1020
  #
1003
1021
  # @!attribute [rw] tags
@@ -1429,7 +1447,6 @@ module Aws::KMS
1429
1447
  #
1430
1448
  # * The [TLS certificate][6] specifies the private DNS hostname at
1431
1449
  # which the endpoint is reachable.
1432
- #
1433
1450
  # * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
1434
1451
  # endpoint service that it uses to communicate with the external key
1435
1452
  # store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
@@ -1596,7 +1613,7 @@ module Aws::KMS
1596
1613
  #
1597
1614
  #
1598
1615
  #
1599
- # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1616
+ # [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
1600
1617
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1601
1618
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1602
1619
  # @return [Types::RecipientInfo]
@@ -1745,6 +1762,195 @@ module Aws::KMS
1745
1762
  include Aws::Structure
1746
1763
  end
1747
1764
 
1765
+ # @!attribute [rw] key_id
1766
+ # Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
1767
+ # only) KMS key. KMS uses the private key in the specified key pair to
1768
+ # derive the shared secret. The key usage of the KMS key must be
1769
+ # `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
1770
+ # DescribeKey operation.
1771
+ #
1772
+ # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1773
+ # ARN. When using an alias name, prefix it with `"alias/"`. To specify
1774
+ # a KMS key in a different Amazon Web Services account, you must use
1775
+ # the key ARN or alias ARN.
1776
+ #
1777
+ # For example:
1778
+ #
1779
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1780
+ #
1781
+ # * Key ARN:
1782
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1783
+ #
1784
+ # * Alias name: `alias/ExampleAlias`
1785
+ #
1786
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1787
+ #
1788
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
1789
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1790
+ # @return [String]
1791
+ #
1792
+ # @!attribute [rw] key_agreement_algorithm
1793
+ # Specifies the key agreement algorithm used to derive the shared
1794
+ # secret. The only valid value is `ECDH`.
1795
+ # @return [String]
1796
+ #
1797
+ # @!attribute [rw] public_key
1798
+ # Specifies the public key in your peer's NIST-recommended elliptic
1799
+ # curve (ECC) or SM2 (China Regions only) key pair.
1800
+ #
1801
+ # The public key must be a DER-encoded X.509 public key, also known as
1802
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
1803
+ #
1804
+ # GetPublicKey returns the public key of an asymmetric KMS key pair in
1805
+ # the required DER-encoded format.
1806
+ #
1807
+ # <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
1808
+ # the DER-encoded X.509 public key in a file. Otherwise, the Amazon
1809
+ # Web Services CLI Base64-encodes the public key a second time,
1810
+ # resulting in a `ValidationException`.
1811
+ #
1812
+ # </note>
1813
+ #
1814
+ # You can specify the public key as binary data in a file using fileb
1815
+ # (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
1816
+ #
1817
+ #
1818
+ #
1819
+ # [1]: https://tools.ietf.org/html/rfc5280
1820
+ # [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
1821
+ # @return [String]
1822
+ #
1823
+ # @!attribute [rw] grant_tokens
1824
+ # A list of grant tokens.
1825
+ #
1826
+ # Use a grant token when your permission to call this operation comes
1827
+ # from a new grant that has not yet achieved *eventual consistency*.
1828
+ # For more information, see [Grant token][1] and [Using a grant
1829
+ # token][2] in the *Key Management Service Developer Guide*.
1830
+ #
1831
+ #
1832
+ #
1833
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
1834
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
1835
+ # @return [Array<String>]
1836
+ #
1837
+ # @!attribute [rw] dry_run
1838
+ # Checks if your request will succeed. `DryRun` is an optional
1839
+ # parameter.
1840
+ #
1841
+ # To learn more about how to use this parameter, see [Testing your KMS
1842
+ # API calls][1] in the *Key Management Service Developer Guide*.
1843
+ #
1844
+ #
1845
+ #
1846
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1847
+ # @return [Boolean]
1848
+ #
1849
+ # @!attribute [rw] recipient
1850
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
1851
+ # enclave and the encryption algorithm to use with the enclave's
1852
+ # public key. The only valid encryption algorithm is
1853
+ # `RSAES_OAEP_SHA_256`.
1854
+ #
1855
+ # This parameter only supports attestation documents for Amazon Web
1856
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
1857
+ # Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
1858
+ # Enclaves SDK][2] to generate the attestation document and then use
1859
+ # the Recipient parameter from any Amazon Web Services SDK to provide
1860
+ # the attestation document for the enclave.
1861
+ #
1862
+ # When you use this parameter, instead of returning a plaintext copy
1863
+ # of the shared secret, KMS encrypts the plaintext shared secret under
1864
+ # the public key in the attestation document, and returns the
1865
+ # resulting ciphertext in the `CiphertextForRecipient` field in the
1866
+ # response. This ciphertext can be decrypted only with the private key
1867
+ # in the enclave. The `CiphertextBlob` field in the response contains
1868
+ # the encrypted shared secret derived from the KMS key specified by
1869
+ # the `KeyId` parameter and public key specified by the `PublicKey`
1870
+ # parameter. The `SharedSecret` field in the response is null or
1871
+ # empty.
1872
+ #
1873
+ # For information about the interaction between KMS and Amazon Web
1874
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
1875
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
1876
+ #
1877
+ #
1878
+ #
1879
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1880
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1881
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1882
+ # @return [Types::RecipientInfo]
1883
+ #
1884
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
1885
+ #
1886
+ class DeriveSharedSecretRequest < Struct.new(
1887
+ :key_id,
1888
+ :key_agreement_algorithm,
1889
+ :public_key,
1890
+ :grant_tokens,
1891
+ :dry_run,
1892
+ :recipient)
1893
+ SENSITIVE = []
1894
+ include Aws::Structure
1895
+ end
1896
+
1897
+ # @!attribute [rw] key_id
1898
+ # Identifies the KMS key used to derive the shared secret.
1899
+ # @return [String]
1900
+ #
1901
+ # @!attribute [rw] shared_secret
1902
+ # The raw secret derived from the specified key agreement algorithm,
1903
+ # private key in the asymmetric KMS key, and your peer's public key.
1904
+ #
1905
+ # If the response includes the `CiphertextForRecipient` field, the
1906
+ # `SharedSecret` field is null or empty.
1907
+ # @return [String]
1908
+ #
1909
+ # @!attribute [rw] ciphertext_for_recipient
1910
+ # The plaintext shared secret encrypted with the public key in the
1911
+ # attestation document.
1912
+ #
1913
+ # This field is included in the response only when the `Recipient`
1914
+ # parameter in the request includes a valid attestation document from
1915
+ # an Amazon Web Services Nitro enclave. For information about the
1916
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
1917
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
1918
+ # Management Service Developer Guide*.
1919
+ #
1920
+ #
1921
+ #
1922
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1923
+ # @return [String]
1924
+ #
1925
+ # @!attribute [rw] key_agreement_algorithm
1926
+ # Identifies the key agreement algorithm used to derive the shared
1927
+ # secret.
1928
+ # @return [String]
1929
+ #
1930
+ # @!attribute [rw] key_origin
1931
+ # The source of the key material for the specified KMS key.
1932
+ #
1933
+ # When this value is `AWS_KMS`, KMS created the key material. When
1934
+ # this value is `EXTERNAL`, the key material was imported or the KMS
1935
+ # key doesn't have any key material.
1936
+ #
1937
+ # The only valid values for DeriveSharedSecret are `AWS_KMS` and
1938
+ # `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
1939
+ # `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
1940
+ # @return [String]
1941
+ #
1942
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
1943
+ #
1944
+ class DeriveSharedSecretResponse < Struct.new(
1945
+ :key_id,
1946
+ :shared_secret,
1947
+ :ciphertext_for_recipient,
1948
+ :key_agreement_algorithm,
1949
+ :key_origin)
1950
+ SENSITIVE = [:shared_secret]
1951
+ include Aws::Structure
1952
+ end
1953
+
1748
1954
  # @!attribute [rw] custom_key_store_id
1749
1955
  # Gets only information about the specified custom key store. Enter
1750
1956
  # the key store ID.
@@ -1800,8 +2006,8 @@ module Aws::KMS
1800
2006
  # @!attribute [rw] truncated
1801
2007
  # A flag that indicates whether there are more items in the list. When
1802
2008
  # this value is true, the list in this response is truncated. To get
1803
- # more items, pass the value of the `NextMarker` element in
1804
- # thisresponse to the `Marker` parameter in a subsequent request.
2009
+ # more items, pass the value of the `NextMarker` element in this
2010
+ # response to the `Marker` parameter in a subsequent request.
1805
2011
  # @return [Boolean]
1806
2012
  #
1807
2013
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
@@ -2035,10 +2241,31 @@ module Aws::KMS
2035
2241
  # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
2036
2242
  # @return [String]
2037
2243
  #
2244
+ # @!attribute [rw] rotation_period_in_days
2245
+ # Use this parameter to specify a custom period of time between each
2246
+ # rotation date. If no value is specified, the default value is 365
2247
+ # days.
2248
+ #
2249
+ # The rotation period defines the number of days after you enable
2250
+ # automatic key rotation that KMS will rotate your key material, and
2251
+ # the number of days between each automatic rotation thereafter.
2252
+ #
2253
+ # You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
2254
+ # further constrain the values that principals can specify in the
2255
+ # `RotationPeriodInDays` parameter.
2256
+ #
2257
+ #
2258
+ #
2259
+ #
2260
+ #
2261
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
2262
+ # @return [Integer]
2263
+ #
2038
2264
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
2039
2265
  #
2040
2266
  class EnableKeyRotationRequest < Struct.new(
2041
- :key_id)
2267
+ :key_id,
2268
+ :rotation_period_in_days)
2042
2269
  SENSITIVE = []
2043
2270
  include Aws::Structure
2044
2271
  end
@@ -2280,8 +2507,11 @@ module Aws::KMS
2280
2507
  # `RSAES_OAEP_SHA_256`.
2281
2508
  #
2282
2509
  # This parameter only supports attestation documents for Amazon Web
2283
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
2284
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2510
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
2511
+ # Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
2512
+ # Enclaves SDK][2] to generate the attestation document and then use
2513
+ # the Recipient parameter from any Amazon Web Services SDK to provide
2514
+ # the attestation document for the enclave.
2285
2515
  #
2286
2516
  # When you use this parameter, instead of returning a plaintext copy
2287
2517
  # of the private data key, KMS encrypts the plaintext private data key
@@ -3047,7 +3277,8 @@ module Aws::KMS
3047
3277
  # @return [String]
3048
3278
  #
3049
3279
  # @!attribute [rw] policy_name
3050
- # Specifies the name of the key policy. The only valid name is
3280
+ # Specifies the name of the key policy. If no policy name is
3281
+ # specified, the default value is `default`. The only valid name is
3051
3282
  # `default`. To get the names of key policies, use ListKeyPolicies.
3052
3283
  # @return [String]
3053
3284
  #
@@ -3064,10 +3295,15 @@ module Aws::KMS
3064
3295
  # A key policy document in JSON format.
3065
3296
  # @return [String]
3066
3297
  #
3298
+ # @!attribute [rw] policy_name
3299
+ # The name of the key policy. The only valid value is `default`.
3300
+ # @return [String]
3301
+ #
3067
3302
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicyResponse AWS API Documentation
3068
3303
  #
3069
3304
  class GetKeyPolicyResponse < Struct.new(
3070
- :policy)
3305
+ :policy,
3306
+ :policy_name)
3071
3307
  SENSITIVE = []
3072
3308
  include Aws::Structure
3073
3309
  end
@@ -3102,10 +3338,42 @@ module Aws::KMS
3102
3338
  # A Boolean value that specifies whether key rotation is enabled.
3103
3339
  # @return [Boolean]
3104
3340
  #
3341
+ # @!attribute [rw] key_id
3342
+ # Identifies the specified symmetric encryption KMS key.
3343
+ # @return [String]
3344
+ #
3345
+ # @!attribute [rw] rotation_period_in_days
3346
+ # The number of days between each automatic rotation. The default
3347
+ # value is 365 days.
3348
+ # @return [Integer]
3349
+ #
3350
+ # @!attribute [rw] next_rotation_date
3351
+ # The next date that KMS will automatically rotate the key material.
3352
+ # @return [Time]
3353
+ #
3354
+ # @!attribute [rw] on_demand_rotation_start_date
3355
+ # Identifies the date and time that an in progress on-demand rotation
3356
+ # was initiated.
3357
+ #
3358
+ # The KMS API follows an [eventual consistency][1] model due to the
3359
+ # distributed nature of the system. As a result, there might be a
3360
+ # slight delay between initiating on-demand key rotation and the
3361
+ # rotation's completion. Once the on-demand rotation is complete, use
3362
+ # ListKeyRotations to view the details of the on-demand rotation.
3363
+ #
3364
+ #
3365
+ #
3366
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
3367
+ # @return [Time]
3368
+ #
3105
3369
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatusResponse AWS API Documentation
3106
3370
  #
3107
3371
  class GetKeyRotationStatusResponse < Struct.new(
3108
- :key_rotation_enabled)
3372
+ :key_rotation_enabled,
3373
+ :key_id,
3374
+ :rotation_period_in_days,
3375
+ :next_rotation_date,
3376
+ :on_demand_rotation_start_date)
3109
3377
  SENSITIVE = []
3110
3378
  include Aws::Structure
3111
3379
  end
@@ -3167,8 +3435,8 @@ module Aws::KMS
3167
3435
  # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
3168
3436
  # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
3169
3437
  #
3170
- # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
3171
- # symmetric encryption key material (and only in legacy mode).
3438
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
3439
+ # does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
3172
3440
  # @return [String]
3173
3441
  #
3174
3442
  # @!attribute [rw] wrapping_key_spec
@@ -3313,12 +3581,12 @@ module Aws::KMS
3313
3581
  # @return [String]
3314
3582
  #
3315
3583
  # @!attribute [rw] key_usage
3316
- # The permitted use of the public key. Valid values are
3317
- # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
3584
+ # The permitted use of the public key. Valid values for asymmetric key
3585
+ # pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
3318
3586
  #
3319
- # This information is critical. If a public key with `SIGN_VERIFY` key
3320
- # usage encrypts data outside of KMS, the ciphertext cannot be
3321
- # decrypted.
3587
+ # This information is critical. For example, if a public key with
3588
+ # `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
3589
+ # cannot be decrypted.
3322
3590
  # @return [String]
3323
3591
  #
3324
3592
  # @!attribute [rw] encryption_algorithms
@@ -3339,6 +3607,12 @@ module Aws::KMS
3339
3607
  # public key is `SIGN_VERIFY`.
3340
3608
  # @return [Array<String>]
3341
3609
  #
3610
+ # @!attribute [rw] key_agreement_algorithms
3611
+ # The key agreement algorithm used to derive a shared secret. This
3612
+ # field is present only when the KMS key has a `KeyUsage` value of
3613
+ # `KEY_AGREEMENT`.
3614
+ # @return [Array<String>]
3615
+ #
3342
3616
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
3343
3617
  #
3344
3618
  class GetPublicKeyResponse < Struct.new(
@@ -3348,7 +3622,8 @@ module Aws::KMS
3348
3622
  :key_spec,
3349
3623
  :key_usage,
3350
3624
  :encryption_algorithms,
3351
- :signing_algorithms)
3625
+ :signing_algorithms,
3626
+ :key_agreement_algorithms)
3352
3627
  SENSITIVE = []
3353
3628
  include Aws::Structure
3354
3629
  end
@@ -3736,8 +4011,9 @@ module Aws::KMS
3736
4011
  # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
3737
4012
  # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
3738
4013
  # verifying message authentication codes (MACs), the `KeyUsage` must be
3739
- # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
3740
- # DescribeKey operation.
4014
+ # `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
4015
+ # `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
4016
+ # key, use the DescribeKey operation.
3741
4017
  #
3742
4018
  # To find the encryption or signing algorithms supported for a
3743
4019
  # particular KMS key, use the DescribeKey operation.
@@ -4016,6 +4292,10 @@ module Aws::KMS
4016
4292
  # `SIGN_VERIFY`.
4017
4293
  # @return [Array<String>]
4018
4294
  #
4295
+ # @!attribute [rw] key_agreement_algorithms
4296
+ # The key agreement algorithm used to derive a shared secret.
4297
+ # @return [Array<String>]
4298
+ #
4019
4299
  # @!attribute [rw] multi_region
4020
4300
  # Indicates whether the KMS key is a multi-Region (`True`) or regional
4021
4301
  # (`False`) key. This value is `True` for multi-Region primary and
@@ -4109,6 +4389,7 @@ module Aws::KMS
4109
4389
  :key_spec,
4110
4390
  :encryption_algorithms,
4111
4391
  :signing_algorithms,
4392
+ :key_agreement_algorithms,
4112
4393
  :multi_region,
4113
4394
  :multi_region_configuration,
4114
4395
  :pending_deletion_window_in_days,
@@ -4209,8 +4490,8 @@ module Aws::KMS
4209
4490
  # @!attribute [rw] truncated
4210
4491
  # A flag that indicates whether there are more items in the list. When
4211
4492
  # this value is true, the list in this response is truncated. To get
4212
- # more items, pass the value of the `NextMarker` element in
4213
- # thisresponse to the `Marker` parameter in a subsequent request.
4493
+ # more items, pass the value of the `NextMarker` element in this
4494
+ # response to the `Marker` parameter in a subsequent request.
4214
4495
  # @return [Boolean]
4215
4496
  #
4216
4497
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliasesResponse AWS API Documentation
@@ -4292,8 +4573,8 @@ module Aws::KMS
4292
4573
  # @!attribute [rw] truncated
4293
4574
  # A flag that indicates whether there are more items in the list. When
4294
4575
  # this value is true, the list in this response is truncated. To get
4295
- # more items, pass the value of the `NextMarker` element in
4296
- # thisresponse to the `Marker` parameter in a subsequent request.
4576
+ # more items, pass the value of the `NextMarker` element in this
4577
+ # response to the `Marker` parameter in a subsequent request.
4297
4578
  # @return [Boolean]
4298
4579
  #
4299
4580
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsResponse AWS API Documentation
@@ -4362,8 +4643,8 @@ module Aws::KMS
4362
4643
  # @!attribute [rw] truncated
4363
4644
  # A flag that indicates whether there are more items in the list. When
4364
4645
  # this value is true, the list in this response is truncated. To get
4365
- # more items, pass the value of the `NextMarker` element in
4366
- # thisresponse to the `Marker` parameter in a subsequent request.
4646
+ # more items, pass the value of the `NextMarker` element in this
4647
+ # response to the `Marker` parameter in a subsequent request.
4367
4648
  # @return [Boolean]
4368
4649
  #
4369
4650
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPoliciesResponse AWS API Documentation
@@ -4376,6 +4657,74 @@ module Aws::KMS
4376
4657
  include Aws::Structure
4377
4658
  end
4378
4659
 
4660
+ # @!attribute [rw] key_id
4661
+ # Gets the key rotations for the specified KMS key.
4662
+ #
4663
+ # Specify the key ID or key ARN of the KMS key.
4664
+ #
4665
+ # For example:
4666
+ #
4667
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4668
+ #
4669
+ # * Key ARN:
4670
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4671
+ #
4672
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
4673
+ # DescribeKey.
4674
+ # @return [String]
4675
+ #
4676
+ # @!attribute [rw] limit
4677
+ # Use this parameter to specify the maximum number of items to return.
4678
+ # When this value is present, KMS does not return more than the
4679
+ # specified number of items, but it might return fewer.
4680
+ #
4681
+ # This value is optional. If you include a value, it must be between 1
4682
+ # and 1000, inclusive. If you do not include a value, it defaults to
4683
+ # 100.
4684
+ # @return [Integer]
4685
+ #
4686
+ # @!attribute [rw] marker
4687
+ # Use this parameter in a subsequent request after you receive a
4688
+ # response with truncated results. Set it to the value of `NextMarker`
4689
+ # from the truncated response you just received.
4690
+ # @return [String]
4691
+ #
4692
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsRequest AWS API Documentation
4693
+ #
4694
+ class ListKeyRotationsRequest < Struct.new(
4695
+ :key_id,
4696
+ :limit,
4697
+ :marker)
4698
+ SENSITIVE = []
4699
+ include Aws::Structure
4700
+ end
4701
+
4702
+ # @!attribute [rw] rotations
4703
+ # A list of completed key material rotations.
4704
+ # @return [Array<Types::RotationsListEntry>]
4705
+ #
4706
+ # @!attribute [rw] next_marker
4707
+ # When `Truncated` is true, this element is present and contains the
4708
+ # value to use for the `Marker` parameter in a subsequent request.
4709
+ # @return [String]
4710
+ #
4711
+ # @!attribute [rw] truncated
4712
+ # A flag that indicates whether there are more items in the list. When
4713
+ # this value is true, the list in this response is truncated. To get
4714
+ # more items, pass the value of the `NextMarker` element in this
4715
+ # response to the `Marker` parameter in a subsequent request.
4716
+ # @return [Boolean]
4717
+ #
4718
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsResponse AWS API Documentation
4719
+ #
4720
+ class ListKeyRotationsResponse < Struct.new(
4721
+ :rotations,
4722
+ :next_marker,
4723
+ :truncated)
4724
+ SENSITIVE = []
4725
+ include Aws::Structure
4726
+ end
4727
+
4379
4728
  # @!attribute [rw] limit
4380
4729
  # Use this parameter to specify the maximum number of items to return.
4381
4730
  # When this value is present, KMS does not return more than the
@@ -4413,8 +4762,8 @@ module Aws::KMS
4413
4762
  # @!attribute [rw] truncated
4414
4763
  # A flag that indicates whether there are more items in the list. When
4415
4764
  # this value is true, the list in this response is truncated. To get
4416
- # more items, pass the value of the `NextMarker` element in
4417
- # thisresponse to the `Marker` parameter in a subsequent request.
4765
+ # more items, pass the value of the `NextMarker` element in this
4766
+ # response to the `Marker` parameter in a subsequent request.
4418
4767
  # @return [Boolean]
4419
4768
  #
4420
4769
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeysResponse AWS API Documentation
@@ -4495,8 +4844,8 @@ module Aws::KMS
4495
4844
  # @!attribute [rw] truncated
4496
4845
  # A flag that indicates whether there are more items in the list. When
4497
4846
  # this value is true, the list in this response is truncated. To get
4498
- # more items, pass the value of the `NextMarker` element in
4499
- # thisresponse to the `Marker` parameter in a subsequent request.
4847
+ # more items, pass the value of the `NextMarker` element in this
4848
+ # response to the `Marker` parameter in a subsequent request.
4500
4849
  # @return [Boolean]
4501
4850
  #
4502
4851
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTagsResponse AWS API Documentation
@@ -4649,7 +4998,8 @@ module Aws::KMS
4649
4998
  # @return [String]
4650
4999
  #
4651
5000
  # @!attribute [rw] policy_name
4652
- # The name of the key policy. The only valid value is `default`.
5001
+ # The name of the key policy. If no policy name is specified, the
5002
+ # default value is `default`. The only valid value is `default`.
4653
5003
  # @return [String]
4654
5004
  #
4655
5005
  # @!attribute [rw] policy
@@ -4710,12 +5060,13 @@ module Aws::KMS
4710
5060
  # Management Service Developer Guide*.
4711
5061
  #
4712
5062
  # Use this parameter only when you intend to prevent the principal
4713
- # that is making the request from making a subsequent PutKeyPolicy
4714
- # request on the KMS key.
5063
+ # that is making the request from making a subsequent
5064
+ # [PutKeyPolicy][2] request on the KMS key.
4715
5065
  #
4716
5066
  #
4717
5067
  #
4718
5068
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
5069
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
4719
5070
  # @return [Boolean]
4720
5071
  #
4721
5072
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -5107,12 +5458,13 @@ module Aws::KMS
5107
5458
  # Management Service Developer Guide*.
5108
5459
  #
5109
5460
  # Use this parameter only when you intend to prevent the principal
5110
- # that is making the request from making a subsequent PutKeyPolicy
5111
- # request on the KMS key.
5461
+ # that is making the request from making a subsequent
5462
+ # [PutKeyPolicy][2] request on the KMS key.
5112
5463
  #
5113
5464
  #
5114
5465
  #
5115
5466
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
5467
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
5116
5468
  # @return [Boolean]
5117
5469
  #
5118
5470
  # @!attribute [rw] description
@@ -5317,6 +5669,87 @@ module Aws::KMS
5317
5669
  include Aws::Structure
5318
5670
  end
5319
5671
 
5672
+ # @!attribute [rw] key_id
5673
+ # Identifies a symmetric encryption KMS key. You cannot perform
5674
+ # on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
5675
+ # KMS keys with [imported key material][3], or KMS keys in a [custom
5676
+ # key store][4]. To perform on-demand rotation of a set of related
5677
+ # [multi-Region keys][5], invoke the on-demand rotation on the primary
5678
+ # key.
5679
+ #
5680
+ # Specify the key ID or key ARN of the KMS key.
5681
+ #
5682
+ # For example:
5683
+ #
5684
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
5685
+ #
5686
+ # * Key ARN:
5687
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
5688
+ #
5689
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
5690
+ # DescribeKey.
5691
+ #
5692
+ #
5693
+ #
5694
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
5695
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
5696
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
5697
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
5698
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
5699
+ # @return [String]
5700
+ #
5701
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandRequest AWS API Documentation
5702
+ #
5703
+ class RotateKeyOnDemandRequest < Struct.new(
5704
+ :key_id)
5705
+ SENSITIVE = []
5706
+ include Aws::Structure
5707
+ end
5708
+
5709
+ # @!attribute [rw] key_id
5710
+ # Identifies the symmetric encryption KMS key that you initiated
5711
+ # on-demand rotation on.
5712
+ # @return [String]
5713
+ #
5714
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandResponse AWS API Documentation
5715
+ #
5716
+ class RotateKeyOnDemandResponse < Struct.new(
5717
+ :key_id)
5718
+ SENSITIVE = []
5719
+ include Aws::Structure
5720
+ end
5721
+
5722
+ # Contains information about completed key material rotations.
5723
+ #
5724
+ # @!attribute [rw] key_id
5725
+ # Unique identifier of the key.
5726
+ # @return [String]
5727
+ #
5728
+ # @!attribute [rw] rotation_date
5729
+ # Date and time that the key material rotation completed. Formatted as
5730
+ # Unix time.
5731
+ # @return [Time]
5732
+ #
5733
+ # @!attribute [rw] rotation_type
5734
+ # Identifies whether the key material rotation was a scheduled
5735
+ # [automatic rotation][1] or an [on-demand rotation][2].
5736
+ #
5737
+ #
5738
+ #
5739
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
5740
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
5741
+ # @return [String]
5742
+ #
5743
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotationsListEntry AWS API Documentation
5744
+ #
5745
+ class RotationsListEntry < Struct.new(
5746
+ :key_id,
5747
+ :rotation_date,
5748
+ :rotation_type)
5749
+ SENSITIVE = []
5750
+ include Aws::Structure
5751
+ end
5752
+
5320
5753
  # @!attribute [rw] key_id
5321
5754
  # The unique identifier of the KMS key to delete.
5322
5755
  #
@@ -6243,9 +6676,9 @@ module Aws::KMS
6243
6676
  end
6244
6677
 
6245
6678
  # The request was rejected because the (`XksKeyId`) is already
6246
- # associated with a KMS key in this external key store. Each KMS key in
6247
- # an external key store must be associated with a different external
6248
- # key.
6679
+ # associated with another KMS key in this external key store. Each KMS
6680
+ # key in an external key store must be associated with a different
6681
+ # external key.
6249
6682
  #
6250
6683
  # @!attribute [rw] message
6251
6684
  # @return [String]
@@ -6424,9 +6857,9 @@ module Aws::KMS
6424
6857
  include Aws::Structure
6425
6858
  end
6426
6859
 
6427
- # The request was rejected because the Amazon VPC endpoint service
6428
- # configuration does not fulfill the requirements for an external key
6429
- # store proxy. For details, see the exception message.
6860
+ # The request was rejected because the external key store proxy is not
6861
+ # configured correctly. To identify the cause, see the error message
6862
+ # that accompanies the exception.
6430
6863
  #
6431
6864
  # @!attribute [rw] message
6432
6865
  # @return [String]
@@ -6455,11 +6888,10 @@ module Aws::KMS
6455
6888
  include Aws::Structure
6456
6889
  end
6457
6890
 
6458
- # The request was rejected because the concatenation of the
6459
- # `XksProxyUriEndpoint` is already associated with an external key store
6460
- # in the Amazon Web Services account and Region. Each external key store
6461
- # in an account and Region must use a unique external key store proxy
6462
- # address.
6891
+ # The request was rejected because the `XksProxyUriEndpoint` is already
6892
+ # associated with another external key store in this Amazon Web Services
6893
+ # Region. To identify the cause, see the error message that accompanies
6894
+ # the exception.
6463
6895
  #
6464
6896
  # @!attribute [rw] message
6465
6897
  # @return [String]
@@ -6474,9 +6906,9 @@ module Aws::KMS
6474
6906
 
6475
6907
  # The request was rejected because the concatenation of the
6476
6908
  # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
6477
- # an external key store in the Amazon Web Services account and Region.
6478
- # Each external key store in an account and Region must use a unique
6479
- # external key store proxy API address.
6909
+ # another external key store in this Amazon Web Services Region. Each
6910
+ # external key store in a Region must use a unique external key store
6911
+ # proxy API address.
6480
6912
  #
6481
6913
  # @!attribute [rw] message
6482
6914
  # @return [String]
@@ -6509,10 +6941,9 @@ module Aws::KMS
6509
6941
  end
6510
6942
 
6511
6943
  # The request was rejected because the specified Amazon VPC endpoint
6512
- # service is already associated with an external key store in the Amazon
6513
- # Web Services account and Region. Each external key store in an Amazon
6514
- # Web Services account and Region must use a different Amazon VPC
6515
- # endpoint service.
6944
+ # service is already associated with another external key store in this
6945
+ # Amazon Web Services Region. Each external key store in a Region must
6946
+ # use a different Amazon VPC endpoint service.
6516
6947
  #
6517
6948
  # @!attribute [rw] message
6518
6949
  # @return [String]
@@ -6527,10 +6958,13 @@ module Aws::KMS
6527
6958
 
6528
6959
  # The request was rejected because the Amazon VPC endpoint service
6529
6960
  # configuration does not fulfill the requirements for an external key
6530
- # store proxy. For details, see the exception message and [review the
6531
- # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
6532
- # for Amazon VPC endpoint service connectivity for an external key
6533
- # store.
6961
+ # store. To identify the cause, see the error message that accompanies
6962
+ # the exception and [review the requirements][1] for Amazon VPC endpoint
6963
+ # service connectivity for an external key store.
6964
+ #
6965
+ #
6966
+ #
6967
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements
6534
6968
  #
6535
6969
  # @!attribute [rw] message
6536
6970
  # @return [String]
@@ -6563,3 +6997,4 @@ module Aws::KMS
6563
6997
 
6564
6998
  end
6565
6999
  end
7000
+