aws-sdk-kms 1.72.0 → 1.96.0

@@ -242,6 +242,21 @@ module Aws::KMS
242
242
  include Aws::Structure
243
243
  end
244
244
 
245
+ # The request was rejected because an automatic rotation of this key is
246
+ # currently in progress or scheduled to begin within the next 20
247
+ # minutes.
248
+ #
249
+ # @!attribute [rw] message
250
+ # @return [String]
251
+ #
252
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConflictException AWS API Documentation
253
+ #
254
+ class ConflictException < Struct.new(
255
+ :message)
256
+ SENSITIVE = []
257
+ include Aws::Structure
258
+ end
259
+
245
260
  # @!attribute [rw] custom_key_store_id
246
261
  # Enter the key store ID of the custom key store that you want to
247
262
  # connect. To find the ID of a custom key store, use the
@@ -418,7 +433,7 @@ module Aws::KMS
418
433
  #
419
434
  # * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
420
435
  # use the same `XksProxyUriEndpoint` value as an external key store
421
- # with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
436
+ # with `VPC_ENDPOINT_SERVICE` connectivity in this Amazon Web
422
437
  # Services Region.
423
438
  #
424
439
  # * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
@@ -826,14 +841,17 @@ module Aws::KMS
826
841
  #
827
842
  # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
828
843
  #
829
- # * For asymmetric KMS keys with RSA key material, specify
844
+ # * For asymmetric KMS keys with RSA key pairs, specify
830
845
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
831
846
  #
832
- # * For asymmetric KMS keys with ECC key material, specify
847
+ # * For asymmetric KMS keys with NIST-recommended elliptic curve key
848
+ # pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
849
+ #
850
+ # * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
833
851
  # `SIGN_VERIFY`.
834
852
  #
835
- # * For asymmetric KMS keys with SM2 key material (China Regions
836
- # only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
853
+ # * For asymmetric KMS keys with SM2 key pairs (China Regions only),
854
+ # specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
837
855
  #
838
856
  #
839
857
  #
@@ -878,7 +896,6 @@ module Aws::KMS
878
896
  # * `SYMMETRIC_DEFAULT`
879
897
  #
880
898
  # ^
881
- #
882
899
  # * HMAC keys (symmetric)
883
900
  #
884
901
  # * `HMAC_224`
@@ -888,33 +905,33 @@ module Aws::KMS
888
905
  # * `HMAC_384`
889
906
  #
890
907
  # * `HMAC_512`
891
- #
892
- # * Asymmetric RSA key pairs
908
+ # * Asymmetric RSA key pairs (encryption and decryption -or- signing
909
+ # and verification)
893
910
  #
894
911
  # * `RSA_2048`
895
912
  #
896
913
  # * `RSA_3072`
897
914
  #
898
915
  # * `RSA_4096`
899
- #
900
- # * Asymmetric NIST-recommended elliptic curve key pairs
916
+ # * Asymmetric NIST-recommended elliptic curve key pairs (signing and
917
+ # verification -or- deriving shared secrets)
901
918
  #
902
919
  # * `ECC_NIST_P256` (secp256r1)
903
920
  #
904
921
  # * `ECC_NIST_P384` (secp384r1)
905
922
  #
906
923
  # * `ECC_NIST_P521` (secp521r1)
907
- #
908
- # * Other asymmetric elliptic curve key pairs
924
+ # * Other asymmetric elliptic curve key pairs (signing and
925
+ # verification)
909
926
  #
910
927
  # * `ECC_SECG_P256K1` (secp256k1), commonly used for
911
928
  # cryptocurrencies.
912
929
  #
913
930
  # ^
931
+ # * SM2 key pairs (encryption and decryption -or- signing and
932
+ # verification -or- deriving shared secrets)
914
933
  #
915
- # * SM2 key pairs (China Regions only)
916
- #
917
- # * `SM2`
934
+ # * `SM2` (China Regions only)
918
935
  #
919
936
  # ^
920
937
  #
@@ -992,12 +1009,13 @@ module Aws::KMS
992
1009
  # Management Service Developer Guide*.
993
1010
  #
994
1011
  # Use this parameter only when you intend to prevent the principal
995
- # that is making the request from making a subsequent PutKeyPolicy
996
- # request on the KMS key.
1012
+ # that is making the request from making a subsequent
1013
+ # [PutKeyPolicy][2] request on the KMS key.
997
1014
  #
998
1015
  #
999
1016
  #
1000
1017
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
1018
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
1001
1019
  # @return [Boolean]
1002
1020
  #
1003
1021
  # @!attribute [rw] tags
@@ -1429,7 +1447,6 @@ module Aws::KMS
1429
1447
  #
1430
1448
  # * The [TLS certificate][6] specifies the private DNS hostname at
1431
1449
  # which the endpoint is reachable.
1432
- #
1433
1450
  # * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
1434
1451
  # endpoint service that it uses to communicate with the external key
1435
1452
  # store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
@@ -1596,7 +1613,7 @@ module Aws::KMS
1596
1613
  #
1597
1614
  #
1598
1615
  #
1599
- # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1616
+ # [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
1600
1617
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1601
1618
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1602
1619
  # @return [Types::RecipientInfo]
@@ -1745,6 +1762,195 @@ module Aws::KMS
1745
1762
  include Aws::Structure
1746
1763
  end
1747
1764
 
1765
+ # @!attribute [rw] key_id
1766
+ # Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
1767
+ # only) KMS key. KMS uses the private key in the specified key pair to
1768
+ # derive the shared secret. The key usage of the KMS key must be
1769
+ # `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
1770
+ # DescribeKey operation.
1771
+ #
1772
+ # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1773
+ # ARN. When using an alias name, prefix it with `"alias/"`. To specify
1774
+ # a KMS key in a different Amazon Web Services account, you must use
1775
+ # the key ARN or alias ARN.
1776
+ #
1777
+ # For example:
1778
+ #
1779
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1780
+ #
1781
+ # * Key ARN:
1782
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1783
+ #
1784
+ # * Alias name: `alias/ExampleAlias`
1785
+ #
1786
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1787
+ #
1788
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
1789
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1790
+ # @return [String]
1791
+ #
1792
+ # @!attribute [rw] key_agreement_algorithm
1793
+ # Specifies the key agreement algorithm used to derive the shared
1794
+ # secret. The only valid value is `ECDH`.
1795
+ # @return [String]
1796
+ #
1797
+ # @!attribute [rw] public_key
1798
+ # Specifies the public key in your peer's NIST-recommended elliptic
1799
+ # curve (ECC) or SM2 (China Regions only) key pair.
1800
+ #
1801
+ # The public key must be a DER-encoded X.509 public key, also known as
1802
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
1803
+ #
1804
+ # GetPublicKey returns the public key of an asymmetric KMS key pair in
1805
+ # the required DER-encoded format.
1806
+ #
1807
+ # <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
1808
+ # the DER-encoded X.509 public key in a file. Otherwise, the Amazon
1809
+ # Web Services CLI Base64-encodes the public key a second time,
1810
+ # resulting in a `ValidationException`.
1811
+ #
1812
+ # </note>
1813
+ #
1814
+ # You can specify the public key as binary data in a file using fileb
1815
+ # (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
1816
+ #
1817
+ #
1818
+ #
1819
+ # [1]: https://tools.ietf.org/html/rfc5280
1820
+ # [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
1821
+ # @return [String]
1822
+ #
1823
+ # @!attribute [rw] grant_tokens
1824
+ # A list of grant tokens.
1825
+ #
1826
+ # Use a grant token when your permission to call this operation comes
1827
+ # from a new grant that has not yet achieved *eventual consistency*.
1828
+ # For more information, see [Grant token][1] and [Using a grant
1829
+ # token][2] in the *Key Management Service Developer Guide*.
1830
+ #
1831
+ #
1832
+ #
1833
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
1834
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
1835
+ # @return [Array<String>]
1836
+ #
1837
+ # @!attribute [rw] dry_run
1838
+ # Checks if your request will succeed. `DryRun` is an optional
1839
+ # parameter.
1840
+ #
1841
+ # To learn more about how to use this parameter, see [Testing your KMS
1842
+ # API calls][1] in the *Key Management Service Developer Guide*.
1843
+ #
1844
+ #
1845
+ #
1846
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1847
+ # @return [Boolean]
1848
+ #
1849
+ # @!attribute [rw] recipient
1850
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
1851
+ # enclave and the encryption algorithm to use with the enclave's
1852
+ # public key. The only valid encryption algorithm is
1853
+ # `RSAES_OAEP_SHA_256`.
1854
+ #
1855
+ # This parameter only supports attestation documents for Amazon Web
1856
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
1857
+ # Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
1858
+ # Enclaves SDK][2] to generate the attestation document and then use
1859
+ # the Recipient parameter from any Amazon Web Services SDK to provide
1860
+ # the attestation document for the enclave.
1861
+ #
1862
+ # When you use this parameter, instead of returning a plaintext copy
1863
+ # of the shared secret, KMS encrypts the plaintext shared secret under
1864
+ # the public key in the attestation document, and returns the
1865
+ # resulting ciphertext in the `CiphertextForRecipient` field in the
1866
+ # response. This ciphertext can be decrypted only with the private key
1867
+ # in the enclave. The `CiphertextBlob` field in the response contains
1868
+ # the encrypted shared secret derived from the KMS key specified by
1869
+ # the `KeyId` parameter and public key specified by the `PublicKey`
1870
+ # parameter. The `SharedSecret` field in the response is null or
1871
+ # empty.
1872
+ #
1873
+ # For information about the interaction between KMS and Amazon Web
1874
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
1875
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
1876
+ #
1877
+ #
1878
+ #
1879
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
1880
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1881
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1882
+ # @return [Types::RecipientInfo]
1883
+ #
1884
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
1885
+ #
1886
+ class DeriveSharedSecretRequest < Struct.new(
1887
+ :key_id,
1888
+ :key_agreement_algorithm,
1889
+ :public_key,
1890
+ :grant_tokens,
1891
+ :dry_run,
1892
+ :recipient)
1893
+ SENSITIVE = []
1894
+ include Aws::Structure
1895
+ end
1896
+
1897
+ # @!attribute [rw] key_id
1898
+ # Identifies the KMS key used to derive the shared secret.
1899
+ # @return [String]
1900
+ #
1901
+ # @!attribute [rw] shared_secret
1902
+ # The raw secret derived from the specified key agreement algorithm,
1903
+ # private key in the asymmetric KMS key, and your peer's public key.
1904
+ #
1905
+ # If the response includes the `CiphertextForRecipient` field, the
1906
+ # `SharedSecret` field is null or empty.
1907
+ # @return [String]
1908
+ #
1909
+ # @!attribute [rw] ciphertext_for_recipient
1910
+ # The plaintext shared secret encrypted with the public key in the
1911
+ # attestation document.
1912
+ #
1913
+ # This field is included in the response only when the `Recipient`
1914
+ # parameter in the request includes a valid attestation document from
1915
+ # an Amazon Web Services Nitro enclave. For information about the
1916
+ # interaction between KMS and Amazon Web Services Nitro Enclaves, see
1917
+ # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
1918
+ # Management Service Developer Guide*.
1919
+ #
1920
+ #
1921
+ #
1922
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1923
+ # @return [String]
1924
+ #
1925
+ # @!attribute [rw] key_agreement_algorithm
1926
+ # Identifies the key agreement algorithm used to derive the shared
1927
+ # secret.
1928
+ # @return [String]
1929
+ #
1930
+ # @!attribute [rw] key_origin
1931
+ # The source of the key material for the specified KMS key.
1932
+ #
1933
+ # When this value is `AWS_KMS`, KMS created the key material. When
1934
+ # this value is `EXTERNAL`, the key material was imported or the KMS
1935
+ # key doesn't have any key material.
1936
+ #
1937
+ # The only valid values for DeriveSharedSecret are `AWS_KMS` and
1938
+ # `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
1939
+ # `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
1940
+ # @return [String]
1941
+ #
1942
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
1943
+ #
1944
+ class DeriveSharedSecretResponse < Struct.new(
1945
+ :key_id,
1946
+ :shared_secret,
1947
+ :ciphertext_for_recipient,
1948
+ :key_agreement_algorithm,
1949
+ :key_origin)
1950
+ SENSITIVE = [:shared_secret]
1951
+ include Aws::Structure
1952
+ end
1953
+
1748
1954
  # @!attribute [rw] custom_key_store_id
1749
1955
  # Gets only information about the specified custom key store. Enter
1750
1956
  # the key store ID.
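Review bot: The `[1]` attestation-document reference under the new `recipient` attribute of `DeriveSharedSecretRequest` still points at `https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc`, while the hunk at `@@ -1596,7 +1613,7 @@` replaces that very URL with `https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc` for the existing `recipient` docs. The newly added struct should carry the updated link so the two `Recipient` descriptions agree; the same stale URL likely recurs in the other `recipient` attribute docs outside these hunks. If this file is generated from the service model, the correction belongs in the upstream doc source rather than a hand edit here.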
@@ -1800,8 +2006,8 @@ module Aws::KMS
1800
2006
  # @!attribute [rw] truncated
1801
2007
  # A flag that indicates whether there are more items in the list. When
1802
2008
  # this value is true, the list in this response is truncated. To get
1803
- # more items, pass the value of the `NextMarker` element in
1804
- # thisresponse to the `Marker` parameter in a subsequent request.
2009
+ # more items, pass the value of the `NextMarker` element in this
2010
+ # response to the `Marker` parameter in a subsequent request.
1805
2011
  # @return [Boolean]
1806
2012
  #
1807
2013
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
@@ -2035,10 +2241,31 @@ module Aws::KMS
2035
2241
  # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
2036
2242
  # @return [String]
2037
2243
  #
2244
+ # @!attribute [rw] rotation_period_in_days
2245
+ # Use this parameter to specify a custom period of time between each
2246
+ # rotation date. If no value is specified, the default value is 365
2247
+ # days.
2248
+ #
2249
+ # The rotation period defines the number of days after you enable
2250
+ # automatic key rotation that KMS will rotate your key material, and
2251
+ # the number of days between each automatic rotation thereafter.
2252
+ #
2253
+ # You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
2254
+ # further constrain the values that principals can specify in the
2255
+ # `RotationPeriodInDays` parameter.
2256
+ #
2257
+ #
2258
+ #
2259
+ #
2260
+ #
2261
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
2262
+ # @return [Integer]
2263
+ #
2038
2264
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
2039
2265
  #
2040
2266
  class EnableKeyRotationRequest < Struct.new(
2041
- :key_id)
2267
+ :key_id,
2268
+ :rotation_period_in_days)
2042
2269
  SENSITIVE = []
2043
2270
  include Aws::Structure
2044
2271
  end
@@ -2280,8 +2507,11 @@ module Aws::KMS
2280
2507
  # `RSAES_OAEP_SHA_256`.
2281
2508
  #
2282
2509
  # This parameter only supports attestation documents for Amazon Web
2283
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
2284
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2510
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
2511
+ # Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
2512
+ # Enclaves SDK][2] to generate the attestation document and then use
2513
+ # the Recipient parameter from any Amazon Web Services SDK to provide
2514
+ # the attestation document for the enclave.
2285
2515
  #
2286
2516
  # When you use this parameter, instead of returning a plaintext copy
2287
2517
  # of the private data key, KMS encrypts the plaintext private data key
@@ -3047,7 +3277,8 @@ module Aws::KMS
3047
3277
  # @return [String]
3048
3278
  #
3049
3279
  # @!attribute [rw] policy_name
3050
- # Specifies the name of the key policy. The only valid name is
3280
+ # Specifies the name of the key policy. If no policy name is
3281
+ # specified, the default value is `default`. The only valid name is
3051
3282
  # `default`. To get the names of key policies, use ListKeyPolicies.
3052
3283
  # @return [String]
3053
3284
  #
@@ -3064,10 +3295,15 @@ module Aws::KMS
3064
3295
  # A key policy document in JSON format.
3065
3296
  # @return [String]
3066
3297
  #
3298
+ # @!attribute [rw] policy_name
3299
+ # The name of the key policy. The only valid value is `default`.
3300
+ # @return [String]
3301
+ #
3067
3302
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicyResponse AWS API Documentation
3068
3303
  #
3069
3304
  class GetKeyPolicyResponse < Struct.new(
3070
- :policy)
3305
+ :policy,
3306
+ :policy_name)
3071
3307
  SENSITIVE = []
3072
3308
  include Aws::Structure
3073
3309
  end
@@ -3102,10 +3338,42 @@ module Aws::KMS
3102
3338
  # A Boolean value that specifies whether key rotation is enabled.
3103
3339
  # @return [Boolean]
3104
3340
  #
3341
+ # @!attribute [rw] key_id
3342
+ # Identifies the specified symmetric encryption KMS key.
3343
+ # @return [String]
3344
+ #
3345
+ # @!attribute [rw] rotation_period_in_days
3346
+ # The number of days between each automatic rotation. The default
3347
+ # value is 365 days.
3348
+ # @return [Integer]
3349
+ #
3350
+ # @!attribute [rw] next_rotation_date
3351
+ # The next date that KMS will automatically rotate the key material.
3352
+ # @return [Time]
3353
+ #
3354
+ # @!attribute [rw] on_demand_rotation_start_date
3355
+ # Identifies the date and time that an in progress on-demand rotation
3356
+ # was initiated.
3357
+ #
3358
+ # The KMS API follows an [eventual consistency][1] model due to the
3359
+ # distributed nature of the system. As a result, there might be a
3360
+ # slight delay between initiating on-demand key rotation and the
3361
+ # rotation's completion. Once the on-demand rotation is complete, use
3362
+ # ListKeyRotations to view the details of the on-demand rotation.
3363
+ #
3364
+ #
3365
+ #
3366
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
3367
+ # @return [Time]
3368
+ #
3105
3369
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatusResponse AWS API Documentation
3106
3370
  #
3107
3371
  class GetKeyRotationStatusResponse < Struct.new(
3108
- :key_rotation_enabled)
3372
+ :key_rotation_enabled,
3373
+ :key_id,
3374
+ :rotation_period_in_days,
3375
+ :next_rotation_date,
3376
+ :on_demand_rotation_start_date)
3109
3377
  SENSITIVE = []
3110
3378
  include Aws::Structure
3111
3379
  end
@@ -3167,8 +3435,8 @@ module Aws::KMS
3167
3435
  # You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
3168
3436
  # RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
3169
3437
  #
3170
- # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
3171
- # symmetric encryption key material (and only in legacy mode).
3438
+ # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
3439
+ # does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
3172
3440
  # @return [String]
3173
3441
  #
3174
3442
  # @!attribute [rw] wrapping_key_spec
@@ -3313,12 +3581,12 @@ module Aws::KMS
3313
3581
  # @return [String]
3314
3582
  #
3315
3583
  # @!attribute [rw] key_usage
3316
- # The permitted use of the public key. Valid values are
3317
- # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
3584
+ # The permitted use of the public key. Valid values for asymmetric key
3585
+ # pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
3318
3586
  #
3319
- # This information is critical. If a public key with `SIGN_VERIFY` key
3320
- # usage encrypts data outside of KMS, the ciphertext cannot be
3321
- # decrypted.
3587
+ # This information is critical. For example, if a public key with
3588
+ # `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
3589
+ # cannot be decrypted.
3322
3590
  # @return [String]
3323
3591
  #
3324
3592
  # @!attribute [rw] encryption_algorithms
@@ -3339,6 +3607,12 @@ module Aws::KMS
3339
3607
  # public key is `SIGN_VERIFY`.
3340
3608
  # @return [Array<String>]
3341
3609
  #
3610
+ # @!attribute [rw] key_agreement_algorithms
3611
+ # The key agreement algorithm used to derive a shared secret. This
3612
+ # field is present only when the KMS key has a `KeyUsage` value of
3613
+ # `KEY_AGREEMENT`.
3614
+ # @return [Array<String>]
3615
+ #
3342
3616
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
3343
3617
  #
3344
3618
  class GetPublicKeyResponse < Struct.new(
@@ -3348,7 +3622,8 @@ module Aws::KMS
3348
3622
  :key_spec,
3349
3623
  :key_usage,
3350
3624
  :encryption_algorithms,
3351
- :signing_algorithms)
3625
+ :signing_algorithms,
3626
+ :key_agreement_algorithms)
3352
3627
  SENSITIVE = []
3353
3628
  include Aws::Structure
3354
3629
  end
@@ -3736,8 +4011,9 @@ module Aws::KMS
3736
4011
  # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
3737
4012
  # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
3738
4013
  # verifying message authentication codes (MACs), the `KeyUsage` must be
3739
- # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
3740
- # DescribeKey operation.
4014
+ # `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
4015
+ # `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
4016
+ # key, use the DescribeKey operation.
3741
4017
  #
3742
4018
  # To find the encryption or signing algorithms supported for a
3743
4019
  # particular KMS key, use the DescribeKey operation.
@@ -4016,6 +4292,10 @@ module Aws::KMS
4016
4292
  # `SIGN_VERIFY`.
4017
4293
  # @return [Array<String>]
4018
4294
  #
4295
+ # @!attribute [rw] key_agreement_algorithms
4296
+ # The key agreement algorithm used to derive a shared secret.
4297
+ # @return [Array<String>]
4298
+ #
4019
4299
  # @!attribute [rw] multi_region
4020
4300
  # Indicates whether the KMS key is a multi-Region (`True`) or regional
4021
4301
  # (`False`) key. This value is `True` for multi-Region primary and
@@ -4109,6 +4389,7 @@ module Aws::KMS
4109
4389
  :key_spec,
4110
4390
  :encryption_algorithms,
4111
4391
  :signing_algorithms,
4392
+ :key_agreement_algorithms,
4112
4393
  :multi_region,
4113
4394
  :multi_region_configuration,
4114
4395
  :pending_deletion_window_in_days,
@@ -4209,8 +4490,8 @@ module Aws::KMS
4209
4490
  # @!attribute [rw] truncated
4210
4491
  # A flag that indicates whether there are more items in the list. When
4211
4492
  # this value is true, the list in this response is truncated. To get
4212
- # more items, pass the value of the `NextMarker` element in
4213
- # thisresponse to the `Marker` parameter in a subsequent request.
4493
+ # more items, pass the value of the `NextMarker` element in this
4494
+ # response to the `Marker` parameter in a subsequent request.
4214
4495
  # @return [Boolean]
4215
4496
  #
4216
4497
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliasesResponse AWS API Documentation
@@ -4292,8 +4573,8 @@ module Aws::KMS
4292
4573
  # @!attribute [rw] truncated
4293
4574
  # A flag that indicates whether there are more items in the list. When
4294
4575
  # this value is true, the list in this response is truncated. To get
4295
- # more items, pass the value of the `NextMarker` element in
4296
- # thisresponse to the `Marker` parameter in a subsequent request.
4576
+ # more items, pass the value of the `NextMarker` element in this
4577
+ # response to the `Marker` parameter in a subsequent request.
4297
4578
  # @return [Boolean]
4298
4579
  #
4299
4580
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsResponse AWS API Documentation
@@ -4362,8 +4643,8 @@ module Aws::KMS
4362
4643
  # @!attribute [rw] truncated
4363
4644
  # A flag that indicates whether there are more items in the list. When
4364
4645
  # this value is true, the list in this response is truncated. To get
4365
- # more items, pass the value of the `NextMarker` element in
4366
- # thisresponse to the `Marker` parameter in a subsequent request.
4646
+ # more items, pass the value of the `NextMarker` element in this
4647
+ # response to the `Marker` parameter in a subsequent request.
4367
4648
  # @return [Boolean]
4368
4649
  #
4369
4650
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPoliciesResponse AWS API Documentation
@@ -4376,6 +4657,74 @@ module Aws::KMS
4376
4657
  include Aws::Structure
4377
4658
  end
4378
4659
 
4660
+ # @!attribute [rw] key_id
4661
+ # Gets the key rotations for the specified KMS key.
4662
+ #
4663
+ # Specify the key ID or key ARN of the KMS key.
4664
+ #
4665
+ # For example:
4666
+ #
4667
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4668
+ #
4669
+ # * Key ARN:
4670
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4671
+ #
4672
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
4673
+ # DescribeKey.
4674
+ # @return [String]
4675
+ #
4676
+ # @!attribute [rw] limit
4677
+ # Use this parameter to specify the maximum number of items to return.
4678
+ # When this value is present, KMS does not return more than the
4679
+ # specified number of items, but it might return fewer.
4680
+ #
4681
+ # This value is optional. If you include a value, it must be between 1
4682
+ # and 1000, inclusive. If you do not include a value, it defaults to
4683
+ # 100.
4684
+ # @return [Integer]
4685
+ #
4686
+ # @!attribute [rw] marker
4687
+ # Use this parameter in a subsequent request after you receive a
4688
+ # response with truncated results. Set it to the value of `NextMarker`
4689
+ # from the truncated response you just received.
4690
+ # @return [String]
4691
+ #
4692
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsRequest AWS API Documentation
4693
+ #
4694
+ class ListKeyRotationsRequest < Struct.new(
4695
+ :key_id,
4696
+ :limit,
4697
+ :marker)
4698
+ SENSITIVE = []
4699
+ include Aws::Structure
4700
+ end
4701
+
4702
+ # @!attribute [rw] rotations
4703
+ # A list of completed key material rotations.
4704
+ # @return [Array<Types::RotationsListEntry>]
4705
+ #
4706
+ # @!attribute [rw] next_marker
4707
+ # When `Truncated` is true, this element is present and contains the
4708
+ # value to use for the `Marker` parameter in a subsequent request.
4709
+ # @return [String]
4710
+ #
4711
+ # @!attribute [rw] truncated
4712
+ # A flag that indicates whether there are more items in the list. When
4713
+ # this value is true, the list in this response is truncated. To get
4714
+ # more items, pass the value of the `NextMarker` element in this
4715
+ # response to the `Marker` parameter in a subsequent request.
4716
+ # @return [Boolean]
4717
+ #
4718
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsResponse AWS API Documentation
4719
+ #
4720
+ class ListKeyRotationsResponse < Struct.new(
4721
+ :rotations,
4722
+ :next_marker,
4723
+ :truncated)
4724
+ SENSITIVE = []
4725
+ include Aws::Structure
4726
+ end
4727
+
4379
4728
  # @!attribute [rw] limit
4380
4729
  # Use this parameter to specify the maximum number of items to return.
4381
4730
  # When this value is present, KMS does not return more than the
@@ -4413,8 +4762,8 @@ module Aws::KMS
4413
4762
  # @!attribute [rw] truncated
4414
4763
  # A flag that indicates whether there are more items in the list. When
4415
4764
  # this value is true, the list in this response is truncated. To get
4416
- # more items, pass the value of the `NextMarker` element in
4417
- # thisresponse to the `Marker` parameter in a subsequent request.
4765
+ # more items, pass the value of the `NextMarker` element in this
4766
+ # response to the `Marker` parameter in a subsequent request.
4418
4767
  # @return [Boolean]
4419
4768
  #
4420
4769
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeysResponse AWS API Documentation
@@ -4495,8 +4844,8 @@ module Aws::KMS
4495
4844
  # @!attribute [rw] truncated
4496
4845
  # A flag that indicates whether there are more items in the list. When
4497
4846
  # this value is true, the list in this response is truncated. To get
4498
- # more items, pass the value of the `NextMarker` element in
4499
- # thisresponse to the `Marker` parameter in a subsequent request.
4847
+ # more items, pass the value of the `NextMarker` element in this
4848
+ # response to the `Marker` parameter in a subsequent request.
4500
4849
  # @return [Boolean]
4501
4850
  #
4502
4851
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTagsResponse AWS API Documentation
@@ -4649,7 +4998,8 @@ module Aws::KMS
4649
4998
  # @return [String]
4650
4999
  #
4651
5000
  # @!attribute [rw] policy_name
4652
- # The name of the key policy. The only valid value is `default`.
5001
+ # The name of the key policy. If no policy name is specified, the
5002
+ # default value is `default`. The only valid value is `default`.
4653
5003
  # @return [String]
4654
5004
  #
4655
5005
  # @!attribute [rw] policy
@@ -4710,12 +5060,13 @@ module Aws::KMS
4710
5060
  # Management Service Developer Guide*.
4711
5061
  #
4712
5062
  # Use this parameter only when you intend to prevent the principal
4713
- # that is making the request from making a subsequent PutKeyPolicy
4714
- # request on the KMS key.
5063
+ # that is making the request from making a subsequent
5064
+ # [PutKeyPolicy][2] request on the KMS key.
4715
5065
  #
4716
5066
  #
4717
5067
  #
4718
5068
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
5069
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
4719
5070
  # @return [Boolean]
4720
5071
  #
4721
5072
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
@@ -5107,12 +5458,13 @@ module Aws::KMS
5107
5458
  # Management Service Developer Guide*.
5108
5459
  #
5109
5460
  # Use this parameter only when you intend to prevent the principal
5110
- # that is making the request from making a subsequent PutKeyPolicy
5111
- # request on the KMS key.
5461
+ # that is making the request from making a subsequent
5462
+ # [PutKeyPolicy][2] request on the KMS key.
5112
5463
  #
5113
5464
  #
5114
5465
  #
5115
5466
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
5467
+ # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html
5116
5468
  # @return [Boolean]
5117
5469
  #
5118
5470
  # @!attribute [rw] description
@@ -5317,6 +5669,87 @@ module Aws::KMS
5317
5669
  include Aws::Structure
5318
5670
  end
5319
5671
 
5672
+ # @!attribute [rw] key_id
5673
+ # Identifies a symmetric encryption KMS key. You cannot perform
5674
+ # on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
5675
+ # KMS keys with [imported key material][3], or KMS keys in a [custom
5676
+ # key store][4]. To perform on-demand rotation of a set of related
5677
+ # [multi-Region keys][5], invoke the on-demand rotation on the primary
5678
+ # key.
5679
+ #
5680
+ # Specify the key ID or key ARN of the KMS key.
5681
+ #
5682
+ # For example:
5683
+ #
5684
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
5685
+ #
5686
+ # * Key ARN:
5687
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
5688
+ #
5689
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
5690
+ # DescribeKey.
5691
+ #
5692
+ #
5693
+ #
5694
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
5695
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
5696
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
5697
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
5698
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
5699
+ # @return [String]
5700
+ #
5701
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandRequest AWS API Documentation
5702
+ #
5703
+ class RotateKeyOnDemandRequest < Struct.new(
5704
+ :key_id)
5705
+ SENSITIVE = []
5706
+ include Aws::Structure
5707
+ end
5708
+
5709
+ # @!attribute [rw] key_id
5710
+ # Identifies the symmetric encryption KMS key that you initiated
5711
+ # on-demand rotation on.
5712
+ # @return [String]
5713
+ #
5714
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandResponse AWS API Documentation
5715
+ #
5716
+ class RotateKeyOnDemandResponse < Struct.new(
5717
+ :key_id)
5718
+ SENSITIVE = []
5719
+ include Aws::Structure
5720
+ end
5721
+
5722
+ # Contains information about completed key material rotations.
5723
+ #
5724
+ # @!attribute [rw] key_id
5725
+ # Unique identifier of the key.
5726
+ # @return [String]
5727
+ #
5728
+ # @!attribute [rw] rotation_date
5729
+ # Date and time that the key material rotation completed. Formatted as
5730
+ # Unix time.
5731
+ # @return [Time]
5732
+ #
5733
+ # @!attribute [rw] rotation_type
5734
+ # Identifies whether the key material rotation was a scheduled
5735
+ # [automatic rotation][1] or an [on-demand rotation][2].
5736
+ #
5737
+ #
5738
+ #
5739
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
5740
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
5741
+ # @return [String]
5742
+ #
5743
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotationsListEntry AWS API Documentation
5744
+ #
5745
+ class RotationsListEntry < Struct.new(
5746
+ :key_id,
5747
+ :rotation_date,
5748
+ :rotation_type)
5749
+ SENSITIVE = []
5750
+ include Aws::Structure
5751
+ end
5752
+
5320
5753
  # @!attribute [rw] key_id
5321
5754
  # The unique identifier of the KMS key to delete.
5322
5755
  #
@@ -6243,9 +6676,9 @@ module Aws::KMS
6243
6676
  end
6244
6677
 
6245
6678
  # The request was rejected because the (`XksKeyId`) is already
6246
- # associated with a KMS key in this external key store. Each KMS key in
6247
- # an external key store must be associated with a different external
6248
- # key.
6679
+ # associated with another KMS key in this external key store. Each KMS
6680
+ # key in an external key store must be associated with a different
6681
+ # external key.
6249
6682
  #
6250
6683
  # @!attribute [rw] message
6251
6684
  # @return [String]
@@ -6424,9 +6857,9 @@ module Aws::KMS
6424
6857
  include Aws::Structure
6425
6858
  end
6426
6859
 
6427
- # The request was rejected because the Amazon VPC endpoint service
6428
- # configuration does not fulfill the requirements for an external key
6429
- # store proxy. For details, see the exception message.
6860
+ # The request was rejected because the external key store proxy is not
6861
+ # configured correctly. To identify the cause, see the error message
6862
+ # that accompanies the exception.
6430
6863
  #
6431
6864
  # @!attribute [rw] message
6432
6865
  # @return [String]
@@ -6455,11 +6888,10 @@ module Aws::KMS
6455
6888
  include Aws::Structure
6456
6889
  end
6457
6890
 
6458
- # The request was rejected because the concatenation of the
6459
- # `XksProxyUriEndpoint` is already associated with an external key store
6460
- # in the Amazon Web Services account and Region. Each external key store
6461
- # in an account and Region must use a unique external key store proxy
6462
- # address.
6891
+ # The request was rejected because the `XksProxyUriEndpoint` is already
6892
+ # associated with another external key store in this Amazon Web Services
6893
+ # Region. To identify the cause, see the error message that accompanies
6894
+ # the exception.
6463
6895
  #
6464
6896
  # @!attribute [rw] message
6465
6897
  # @return [String]
@@ -6474,9 +6906,9 @@ module Aws::KMS
6474
6906
 
6475
6907
  # The request was rejected because the concatenation of the
6476
6908
  # `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
6477
- # an external key store in the Amazon Web Services account and Region.
6478
- # Each external key store in an account and Region must use a unique
6479
- # external key store proxy API address.
6909
+ # another external key store in this Amazon Web Services Region. Each
6910
+ # external key store in a Region must use a unique external key store
6911
+ # proxy API address.
6480
6912
  #
6481
6913
  # @!attribute [rw] message
6482
6914
  # @return [String]
@@ -6509,10 +6941,9 @@ module Aws::KMS
6509
6941
  end
6510
6942
 
6511
6943
  # The request was rejected because the specified Amazon VPC endpoint
6512
- # service is already associated with an external key store in the Amazon
6513
- # Web Services account and Region. Each external key store in an Amazon
6514
- # Web Services account and Region must use a different Amazon VPC
6515
- # endpoint service.
6944
+ # service is already associated with another external key store in this
6945
+ # Amazon Web Services Region. Each external key store in a Region must
6946
+ # use a different Amazon VPC endpoint service.
6516
6947
  #
6517
6948
  # @!attribute [rw] message
6518
6949
  # @return [String]
@@ -6527,10 +6958,13 @@ module Aws::KMS
6527
6958
 
6528
6959
  # The request was rejected because the Amazon VPC endpoint service
6529
6960
  # configuration does not fulfill the requirements for an external key
6530
- # store proxy. For details, see the exception message and [review the
6531
- # requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
6532
- # for Amazon VPC endpoint service connectivity for an external key
6533
- # store.
6961
+ # store. To identify the cause, see the error message that accompanies
6962
+ # the exception and [review the requirements][1] for Amazon VPC endpoint
6963
+ # service connectivity for an external key store.
6964
+ #
6965
+ #
6966
+ #
6967
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements
6534
6968
  #
6535
6969
  # @!attribute [rw] message
6536
6970
  # @return [String]
@@ -6563,3 +6997,4 @@ module Aws::KMS
6563
6997
 
6564
6998
  end
6565
6999
  end
7000
+