aws-sdk-kms 1.76.0 → 1.122.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +230 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1922 -825
- data/lib/aws-sdk-kms/client_api.rb +180 -8
- data/lib/aws-sdk-kms/customizations.rb +0 -8
- data/lib/aws-sdk-kms/endpoint_parameters.rb +13 -10
- data/lib/aws-sdk-kms/endpoint_provider.rb +13 -17
- data/lib/aws-sdk-kms/endpoints.rb +2 -698
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/plugins/endpoints.rb +20 -112
- data/lib/aws-sdk-kms/types.rb +1178 -320
- data/lib/aws-sdk-kms.rb +15 -11
- data/sig/client.rbs +830 -0
- data/sig/errors.rbs +160 -0
- data/sig/resource.rbs +86 -0
- data/sig/types.rbs +1069 -0
- data/sig/waiters.rbs +13 -0
- metadata +13 -11
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -242,6 +242,21 @@ module Aws::KMS
|
|
|
242
242
|
include Aws::Structure
|
|
243
243
|
end
|
|
244
244
|
|
|
245
|
+
# The request was rejected because an automatic rotation of this key is
|
|
246
|
+
# currently in progress or scheduled to begin within the next 20
|
|
247
|
+
# minutes.
|
|
248
|
+
#
|
|
249
|
+
# @!attribute [rw] message
|
|
250
|
+
# @return [String]
|
|
251
|
+
#
|
|
252
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConflictException AWS API Documentation
|
|
253
|
+
#
|
|
254
|
+
class ConflictException < Struct.new(
|
|
255
|
+
:message)
|
|
256
|
+
SENSITIVE = []
|
|
257
|
+
include Aws::Structure
|
|
258
|
+
end
|
|
259
|
+
|
|
245
260
|
# @!attribute [rw] custom_key_store_id
|
|
246
261
|
# Enter the key store ID of the custom key store that you want to
|
|
247
262
|
# connect. To find the ID of a custom key store, use the
|
|
@@ -276,7 +291,7 @@ module Aws::KMS
|
|
|
276
291
|
#
|
|
277
292
|
#
|
|
278
293
|
#
|
|
279
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-
|
|
294
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
|
|
280
295
|
# @return [String]
|
|
281
296
|
#
|
|
282
297
|
# @!attribute [rw] target_key_id
|
|
@@ -286,7 +301,7 @@ module Aws::KMS
|
|
|
286
301
|
# A valid key ID is required. If you supply a null or empty string
|
|
287
302
|
# value, this operation returns an error.
|
|
288
303
|
#
|
|
289
|
-
# For help finding the key ID and ARN, see [
|
|
304
|
+
# For help finding the key ID and ARN, see [Find the key ID and key
|
|
290
305
|
# ARN][2] in the <i> <i>Key Management Service Developer Guide</i>
|
|
291
306
|
# </i>.
|
|
292
307
|
#
|
|
@@ -304,8 +319,8 @@ module Aws::KMS
|
|
|
304
319
|
#
|
|
305
320
|
#
|
|
306
321
|
#
|
|
307
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-
|
|
308
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
322
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key
|
|
323
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html
|
|
309
324
|
# @return [String]
|
|
310
325
|
#
|
|
311
326
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAliasRequest AWS API Documentation
|
|
@@ -372,7 +387,7 @@ module Aws::KMS
|
|
|
372
387
|
#
|
|
373
388
|
#
|
|
374
389
|
#
|
|
375
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
390
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html#concept-kmsuser
|
|
376
391
|
# @return [String]
|
|
377
392
|
#
|
|
378
393
|
# @!attribute [rw] custom_key_store_type
|
|
@@ -470,6 +485,14 @@ module Aws::KMS
|
|
|
470
485
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
|
|
471
486
|
# @return [String]
|
|
472
487
|
#
|
|
488
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
|
|
489
|
+
# Specifies the Amazon Web Services account ID that owns the Amazon
|
|
490
|
+
# VPC service endpoint for the interface that is used to communicate
|
|
491
|
+
# with your external key store proxy (XKS proxy). This parameter is
|
|
492
|
+
# optional. If not provided, the Amazon Web Services account ID
|
|
493
|
+
# calling the action will be used.
|
|
494
|
+
# @return [String]
|
|
495
|
+
#
|
|
473
496
|
# @!attribute [rw] xks_proxy_authentication_credential
|
|
474
497
|
# Specifies an authentication credential for the external key store
|
|
475
498
|
# proxy (XKS proxy). This parameter is required for all custom key
|
|
@@ -479,7 +502,7 @@ module Aws::KMS
|
|
|
479
502
|
# `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
|
|
480
503
|
# identifier for the `RawSecretAccessKey`. For character requirements,
|
|
481
504
|
# see
|
|
482
|
-
# [XksProxyAuthenticationCredentialType](
|
|
505
|
+
# [XksProxyAuthenticationCredentialType](API_XksProxyAuthenticationCredentialType.html).
|
|
483
506
|
#
|
|
484
507
|
# KMS uses this authentication credential to sign requests to the
|
|
485
508
|
# external key store proxy on your behalf. This credential is
|
|
@@ -520,7 +543,7 @@ module Aws::KMS
|
|
|
520
543
|
#
|
|
521
544
|
#
|
|
522
545
|
#
|
|
523
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
546
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/choose-xks-connectivity.html
|
|
524
547
|
# @return [String]
|
|
525
548
|
#
|
|
526
549
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
|
|
@@ -534,6 +557,7 @@ module Aws::KMS
|
|
|
534
557
|
:xks_proxy_uri_endpoint,
|
|
535
558
|
:xks_proxy_uri_path,
|
|
536
559
|
:xks_proxy_vpc_endpoint_service_name,
|
|
560
|
+
:xks_proxy_vpc_endpoint_service_owner,
|
|
537
561
|
:xks_proxy_authentication_credential,
|
|
538
562
|
:xks_proxy_connectivity)
|
|
539
563
|
SENSITIVE = [:key_store_password]
|
|
@@ -606,7 +630,7 @@ module Aws::KMS
|
|
|
606
630
|
#
|
|
607
631
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
608
632
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
|
|
609
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-
|
|
633
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-delete.html
|
|
610
634
|
# @return [String]
|
|
611
635
|
#
|
|
612
636
|
# @!attribute [rw] operations
|
|
@@ -679,7 +703,7 @@ module Aws::KMS
|
|
|
679
703
|
#
|
|
680
704
|
#
|
|
681
705
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
682
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
706
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
683
707
|
# @return [Array<String>]
|
|
684
708
|
#
|
|
685
709
|
# @!attribute [rw] name
|
|
@@ -707,12 +731,12 @@ module Aws::KMS
|
|
|
707
731
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
708
732
|
# parameter.
|
|
709
733
|
#
|
|
710
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
711
|
-
#
|
|
734
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
735
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
712
736
|
#
|
|
713
737
|
#
|
|
714
738
|
#
|
|
715
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
739
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
716
740
|
# @return [Boolean]
|
|
717
741
|
#
|
|
718
742
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
|
|
@@ -741,7 +765,7 @@ module Aws::KMS
|
|
|
741
765
|
#
|
|
742
766
|
#
|
|
743
767
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
744
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
768
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
745
769
|
# @return [String]
|
|
746
770
|
#
|
|
747
771
|
# @!attribute [rw] grant_id
|
|
@@ -781,22 +805,38 @@ module Aws::KMS
|
|
|
781
805
|
# that I make are not always immediately visible][2] in the *Amazon
|
|
782
806
|
# Web Services Identity and Access Management User Guide*.
|
|
783
807
|
#
|
|
808
|
+
# <note markdown="1"> If either of the required `Resource` or `Action` elements are
|
|
809
|
+
# missing from a key policy statement, the policy statement has no
|
|
810
|
+
# effect. When a key policy statement is missing one of these
|
|
811
|
+
# elements, the KMS console correctly reports an error, but the
|
|
812
|
+
# `CreateKey` and `PutKeyPolicy` API requests succeed, even though the
|
|
813
|
+
# policy statement is ineffective.
|
|
814
|
+
#
|
|
815
|
+
# For more information on required key policy elements, see [Elements
|
|
816
|
+
# in a key policy][3] in the *Key Management Service Developer Guide*.
|
|
817
|
+
#
|
|
818
|
+
# </note>
|
|
819
|
+
#
|
|
784
820
|
# If you do not provide a key policy, KMS attaches a default key
|
|
785
821
|
# policy to the KMS key. For more information, see [Default key
|
|
786
|
-
# policy][
|
|
822
|
+
# policy][4] in the *Key Management Service Developer Guide*.
|
|
823
|
+
#
|
|
824
|
+
# <note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
|
|
825
|
+
# `LimitExceededException`.
|
|
787
826
|
#
|
|
788
|
-
#
|
|
827
|
+
# </note>
|
|
789
828
|
#
|
|
790
829
|
# For help writing and formatting a JSON policy document, see the [IAM
|
|
791
|
-
# JSON Policy Reference][
|
|
830
|
+
# JSON Policy Reference][5] in the <i> <i>Identity and Access
|
|
792
831
|
# Management User Guide</i> </i>.
|
|
793
832
|
#
|
|
794
833
|
#
|
|
795
834
|
#
|
|
796
835
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
|
797
836
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
798
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
|
799
|
-
# [4]: https://docs.aws.amazon.com/
|
|
837
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
|
|
838
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
|
|
839
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
800
840
|
# @return [String]
|
|
801
841
|
#
|
|
802
842
|
# @!attribute [rw] description
|
|
@@ -816,8 +856,11 @@ module Aws::KMS
|
|
|
816
856
|
# Determines the [cryptographic operations][1] for which you can use
|
|
817
857
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
|
818
858
|
# is optional when you are creating a symmetric encryption KMS key;
|
|
819
|
-
# otherwise, it is required. You can't change the `KeyUsage`
|
|
820
|
-
# after the KMS key is created.
|
|
859
|
+
# otherwise, it is required. You can't change the [ `KeyUsage` ][2]
|
|
860
|
+
# value after the KMS key is created. Each KMS key can have only one
|
|
861
|
+
# key usage. This follows key usage best practices according to [NIST
|
|
862
|
+
# SP 800-57 Recommendations for Key Management][3], section 5.2, Key
|
|
863
|
+
# usage.
|
|
821
864
|
#
|
|
822
865
|
# Select only one valid value.
|
|
823
866
|
#
|
|
@@ -826,18 +869,26 @@ module Aws::KMS
|
|
|
826
869
|
#
|
|
827
870
|
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
828
871
|
#
|
|
829
|
-
# * For asymmetric KMS keys with RSA key
|
|
872
|
+
# * For asymmetric KMS keys with RSA key pairs, specify
|
|
830
873
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
831
874
|
#
|
|
832
|
-
# * For asymmetric KMS keys with
|
|
875
|
+
# * For asymmetric KMS keys with NIST-standard elliptic curve key
|
|
876
|
+
# pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
|
|
877
|
+
#
|
|
878
|
+
# * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
|
|
879
|
+
# `SIGN_VERIFY`.
|
|
880
|
+
#
|
|
881
|
+
# * For asymmetric KMS keys with ML-DSA key pairs, specify
|
|
833
882
|
# `SIGN_VERIFY`.
|
|
834
883
|
#
|
|
835
|
-
# * For asymmetric KMS keys with SM2 key
|
|
836
|
-
#
|
|
884
|
+
# * For asymmetric KMS keys with SM2 key pairs (China Regions only),
|
|
885
|
+
# specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
|
|
837
886
|
#
|
|
838
887
|
#
|
|
839
888
|
#
|
|
840
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
889
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
890
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage
|
|
891
|
+
# [3]: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
|
|
841
892
|
# @return [String]
|
|
842
893
|
#
|
|
843
894
|
# @!attribute [rw] customer_master_key_spec
|
|
@@ -854,8 +905,8 @@ module Aws::KMS
|
|
|
854
905
|
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
|
|
855
906
|
# that is used for encryption and decryption, except in China Regions,
|
|
856
907
|
# where it creates a 128-bit symmetric key that uses SM4 encryption.
|
|
857
|
-
# For
|
|
858
|
-
#
|
|
908
|
+
# For a detailed description of all supported key specs, see [Key spec
|
|
909
|
+
# reference][1] in the <i> <i>Key Management Service Developer
|
|
859
910
|
# Guide</i> </i>.
|
|
860
911
|
#
|
|
861
912
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
@@ -864,10 +915,11 @@ module Aws::KMS
|
|
|
864
915
|
# KMS key is created. To further restrict the algorithms that can be
|
|
865
916
|
# used with the KMS key, use a condition key in its key policy or IAM
|
|
866
917
|
# policy. For more information, see [kms:EncryptionAlgorithm][2],
|
|
867
|
-
# [kms:MacAlgorithm][3]
|
|
868
|
-
# <i>Key Management Service
|
|
918
|
+
# [kms:MacAlgorithm][3], [kms:KeyAgreementAlgorithm][4], or
|
|
919
|
+
# [kms:SigningAlgorithm][5] in the <i> <i>Key Management Service
|
|
920
|
+
# Developer Guide</i> </i>.
|
|
869
921
|
#
|
|
870
|
-
# [Amazon Web Services services that are integrated with KMS][
|
|
922
|
+
# [Amazon Web Services services that are integrated with KMS][6] use
|
|
871
923
|
# symmetric encryption KMS keys to protect your data. These services
|
|
872
924
|
# do not support asymmetric KMS keys or HMAC KMS keys.
|
|
873
925
|
#
|
|
@@ -878,7 +930,6 @@ module Aws::KMS
|
|
|
878
930
|
# * `SYMMETRIC_DEFAULT`
|
|
879
931
|
#
|
|
880
932
|
# ^
|
|
881
|
-
#
|
|
882
933
|
# * HMAC keys (symmetric)
|
|
883
934
|
#
|
|
884
935
|
# * `HMAC_224`
|
|
@@ -888,16 +939,16 @@ module Aws::KMS
|
|
|
888
939
|
# * `HMAC_384`
|
|
889
940
|
#
|
|
890
941
|
# * `HMAC_512`
|
|
891
|
-
#
|
|
892
|
-
#
|
|
942
|
+
# * Asymmetric RSA key pairs (encryption and decryption -or- signing
|
|
943
|
+
# and verification)
|
|
893
944
|
#
|
|
894
945
|
# * `RSA_2048`
|
|
895
946
|
#
|
|
896
947
|
# * `RSA_3072`
|
|
897
948
|
#
|
|
898
949
|
# * `RSA_4096`
|
|
899
|
-
#
|
|
900
|
-
#
|
|
950
|
+
# * Asymmetric NIST-standard elliptic curve key pairs (signing and
|
|
951
|
+
# verification -or- deriving shared secrets)
|
|
901
952
|
#
|
|
902
953
|
# * `ECC_NIST_P256` (secp256r1)
|
|
903
954
|
#
|
|
@@ -905,26 +956,47 @@ module Aws::KMS
|
|
|
905
956
|
#
|
|
906
957
|
# * `ECC_NIST_P521` (secp521r1)
|
|
907
958
|
#
|
|
908
|
-
#
|
|
959
|
+
# * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification
|
|
960
|
+
# only
|
|
961
|
+
#
|
|
962
|
+
# * **Note:** For ECC\_NIST\_EDWARDS25519 KMS keys, the
|
|
963
|
+
# ED25519\_SHA\_512 signing algorithm requires [
|
|
964
|
+
# `MessageType:RAW`
|
|
965
|
+
# ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType),
|
|
966
|
+
# while ED25519\_PH\_SHA\_512 requires [ `MessageType:DIGEST`
|
|
967
|
+
# ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType).
|
|
968
|
+
# These message types cannot be used interchangeably.
|
|
969
|
+
#
|
|
970
|
+
# ^
|
|
971
|
+
# * Other asymmetric elliptic curve key pairs (signing and
|
|
972
|
+
# verification)
|
|
909
973
|
#
|
|
910
974
|
# * `ECC_SECG_P256K1` (secp256k1), commonly used for
|
|
911
975
|
# cryptocurrencies.
|
|
912
976
|
#
|
|
913
977
|
# ^
|
|
978
|
+
# * Asymmetric ML-DSA key pairs (signing and verification)
|
|
979
|
+
#
|
|
980
|
+
# * `ML_DSA_44`
|
|
914
981
|
#
|
|
915
|
-
#
|
|
982
|
+
# * `ML_DSA_65`
|
|
916
983
|
#
|
|
917
|
-
# * `
|
|
984
|
+
# * `ML_DSA_87`
|
|
985
|
+
# * SM2 key pairs (encryption and decryption -or- signing and
|
|
986
|
+
# verification -or- deriving shared secrets)
|
|
987
|
+
#
|
|
988
|
+
# * `SM2` (China Regions only)
|
|
918
989
|
#
|
|
919
990
|
# ^
|
|
920
991
|
#
|
|
921
992
|
#
|
|
922
993
|
#
|
|
923
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
924
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
925
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
926
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
927
|
-
# [5]:
|
|
994
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html
|
|
995
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm
|
|
996
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm
|
|
997
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm
|
|
998
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm
|
|
999
|
+
# [6]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
|
928
1000
|
# @return [String]
|
|
929
1001
|
#
|
|
930
1002
|
# @!attribute [rw] origin
|
|
@@ -977,7 +1049,7 @@ module Aws::KMS
|
|
|
977
1049
|
#
|
|
978
1050
|
#
|
|
979
1051
|
#
|
|
980
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1052
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
|
981
1053
|
# @return [String]
|
|
982
1054
|
#
|
|
983
1055
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -1028,7 +1100,7 @@ module Aws::KMS
|
|
|
1028
1100
|
# When you add tags to an Amazon Web Services resource, Amazon Web
|
|
1029
1101
|
# Services generates a cost allocation report with usage and costs
|
|
1030
1102
|
# aggregated by tags. Tags can also be used to control access to a KMS
|
|
1031
|
-
# key. For details, see [
|
|
1103
|
+
# key. For details, see [Tags in KMS][3].
|
|
1032
1104
|
#
|
|
1033
1105
|
#
|
|
1034
1106
|
#
|
|
@@ -1101,7 +1173,7 @@ module Aws::KMS
|
|
|
1101
1173
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
|
1102
1174
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
|
|
1103
1175
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
|
|
1104
|
-
# [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
|
|
1176
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html#xks-key-requirements
|
|
1105
1177
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
|
|
1106
1178
|
# @return [String]
|
|
1107
1179
|
#
|
|
@@ -1430,7 +1502,6 @@ module Aws::KMS
|
|
|
1430
1502
|
#
|
|
1431
1503
|
# * The [TLS certificate][6] specifies the private DNS hostname at
|
|
1432
1504
|
# which the endpoint is reachable.
|
|
1433
|
-
#
|
|
1434
1505
|
# * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
|
|
1435
1506
|
# endpoint service that it uses to communicate with the external key
|
|
1436
1507
|
# store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
|
|
@@ -1487,6 +1558,9 @@ module Aws::KMS
|
|
|
1487
1558
|
|
|
1488
1559
|
# @!attribute [rw] ciphertext_blob
|
|
1489
1560
|
# Ciphertext to be decrypted. The blob includes metadata.
|
|
1561
|
+
#
|
|
1562
|
+
# This parameter is required in all cases except when `DryRun` is
|
|
1563
|
+
# `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`.
|
|
1490
1564
|
# @return [String]
|
|
1491
1565
|
#
|
|
1492
1566
|
# @!attribute [rw] encryption_context
|
|
@@ -1510,8 +1584,8 @@ module Aws::KMS
|
|
|
1510
1584
|
#
|
|
1511
1585
|
#
|
|
1512
1586
|
#
|
|
1513
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1514
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1587
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
1588
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
1515
1589
|
# @return [Hash<String,String>]
|
|
1516
1590
|
#
|
|
1517
1591
|
# @!attribute [rw] grant_tokens
|
|
@@ -1525,7 +1599,7 @@ module Aws::KMS
|
|
|
1525
1599
|
#
|
|
1526
1600
|
#
|
|
1527
1601
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
1528
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1602
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
1529
1603
|
# @return [Array<String>]
|
|
1530
1604
|
#
|
|
1531
1605
|
# @!attribute [rw] key_id
|
|
@@ -1536,11 +1610,12 @@ module Aws::KMS
|
|
|
1536
1610
|
# operation throws an `IncorrectKeyException`.
|
|
1537
1611
|
#
|
|
1538
1612
|
# This parameter is required only when the ciphertext was encrypted
|
|
1539
|
-
# under an asymmetric KMS key
|
|
1540
|
-
#
|
|
1541
|
-
# symmetric
|
|
1542
|
-
#
|
|
1543
|
-
# you
|
|
1613
|
+
# under an asymmetric KMS key or when `DryRun` is `true` and
|
|
1614
|
+
# `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`. If you used a
|
|
1615
|
+
# symmetric encryption KMS key, KMS can get the KMS key from metadata
|
|
1616
|
+
# that it adds to the symmetric ciphertext blob. However, it is always
|
|
1617
|
+
# recommended as a best practice. This practice ensures that you use
|
|
1618
|
+
# the KMS key that you intend.
|
|
1544
1619
|
#
|
|
1545
1620
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1546
1621
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1576,44 +1651,63 @@ module Aws::KMS
|
|
|
1576
1651
|
#
|
|
1577
1652
|
# @!attribute [rw] recipient
|
|
1578
1653
|
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
1579
|
-
# enclave and the encryption algorithm to use with the
|
|
1580
|
-
# public key. The only valid encryption
|
|
1581
|
-
# `RSAES_OAEP_SHA_256`.
|
|
1654
|
+
# enclave or NitroTPM, and the encryption algorithm to use with the
|
|
1655
|
+
# public key in the attestation document. The only valid encryption
|
|
1656
|
+
# algorithm is `RSAES_OAEP_SHA_256`.
|
|
1582
1657
|
#
|
|
1583
|
-
# This parameter
|
|
1584
|
-
#
|
|
1585
|
-
#
|
|
1658
|
+
# This parameter supports the [Amazon Web Services Nitro Enclaves
|
|
1659
|
+
# SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
|
|
1660
|
+
# Enclaves. It supports any Amazon Web Services SDK for Amazon Web
|
|
1661
|
+
# Services NitroTPM.
|
|
1586
1662
|
#
|
|
1587
1663
|
# When you use this parameter, instead of returning the plaintext
|
|
1588
1664
|
# data, KMS encrypts the plaintext data with the public key in the
|
|
1589
1665
|
# attestation document, and returns the resulting ciphertext in the
|
|
1590
1666
|
# `CiphertextForRecipient` field in the response. This ciphertext can
|
|
1591
|
-
# be decrypted only with the private key in the
|
|
1592
|
-
# `Plaintext` field in the response is null or empty.
|
|
1667
|
+
# be decrypted only with the private key in the attested environment.
|
|
1668
|
+
# The `Plaintext` field in the response is null or empty.
|
|
1593
1669
|
#
|
|
1594
1670
|
# For information about the interaction between KMS and Amazon Web
|
|
1595
|
-
# Services Nitro Enclaves
|
|
1596
|
-
#
|
|
1671
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM, see
|
|
1672
|
+
# [Cryptographic attestation support in KMS][3] in the *Key Management
|
|
1673
|
+
# Service Developer Guide*.
|
|
1597
1674
|
#
|
|
1598
1675
|
#
|
|
1599
1676
|
#
|
|
1600
1677
|
# [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
|
|
1601
1678
|
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
1602
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1679
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
1603
1680
|
# @return [Types::RecipientInfo]
|
|
1604
1681
|
#
|
|
1605
1682
|
# @!attribute [rw] dry_run
|
|
1606
1683
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
1607
1684
|
# parameter.
|
|
1608
1685
|
#
|
|
1609
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
1610
|
-
#
|
|
1686
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
1687
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
1611
1688
|
#
|
|
1612
1689
|
#
|
|
1613
1690
|
#
|
|
1614
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1691
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
1615
1692
|
# @return [Boolean]
|
|
1616
1693
|
#
|
|
1694
|
+
# @!attribute [rw] dry_run_modifiers
|
|
1695
|
+
# Specifies the modifiers to apply to the dry run operation.
|
|
1696
|
+
# `DryRunModifiers` is an optional parameter that only applies when
|
|
1697
|
+
# `DryRun` is set to `true`.
|
|
1698
|
+
#
|
|
1699
|
+
# When set to `IGNORE_CIPHERTEXT`, KMS performs only authorization
|
|
1700
|
+
# validation without ciphertext validation. This allows you to test
|
|
1701
|
+
# permissions without requiring a valid ciphertext blob.
|
|
1702
|
+
#
|
|
1703
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
1704
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
1705
|
+
#
|
|
1706
|
+
#
|
|
1707
|
+
#
|
|
1708
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
1709
|
+
# @return [Array<String>]
|
|
1710
|
+
#
|
|
1617
1711
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
1618
1712
|
#
|
|
1619
1713
|
class DecryptRequest < Struct.new(
|
|
@@ -1623,7 +1717,8 @@ module Aws::KMS
|
|
|
1623
1717
|
:key_id,
|
|
1624
1718
|
:encryption_algorithm,
|
|
1625
1719
|
:recipient,
|
|
1626
|
-
:dry_run
|
|
1720
|
+
:dry_run,
|
|
1721
|
+
:dry_run_modifiers)
|
|
1627
1722
|
SENSITIVE = []
|
|
1628
1723
|
include Aws::Structure
|
|
1629
1724
|
end
|
|
@@ -1651,19 +1746,28 @@ module Aws::KMS
|
|
|
1651
1746
|
# @return [String]
|
|
1652
1747
|
#
|
|
1653
1748
|
# @!attribute [rw] ciphertext_for_recipient
|
|
1654
|
-
# The plaintext data encrypted with the public key
|
|
1655
|
-
# document.
|
|
1749
|
+
# The plaintext data encrypted with the public key from the
|
|
1750
|
+
# attestation document. This ciphertext can be decrypted only by using
|
|
1751
|
+
# a private key from the attested environment.
|
|
1656
1752
|
#
|
|
1657
1753
|
# This field is included in the response only when the `Recipient`
|
|
1658
1754
|
# parameter in the request includes a valid attestation document from
|
|
1659
|
-
# an Amazon Web Services Nitro enclave. For information
|
|
1660
|
-
# interaction between KMS and Amazon Web Services Nitro
|
|
1661
|
-
#
|
|
1662
|
-
# Management Service
|
|
1755
|
+
# an Amazon Web Services Nitro enclave or NitroTPM. For information
|
|
1756
|
+
# about the interaction between KMS and Amazon Web Services Nitro
|
|
1757
|
+
# Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
|
|
1758
|
+
# attestation support in KMS][1] in the *Key Management Service
|
|
1759
|
+
# Developer Guide*.
|
|
1663
1760
|
#
|
|
1664
1761
|
#
|
|
1665
1762
|
#
|
|
1666
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1763
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
1764
|
+
# @return [String]
|
|
1765
|
+
#
|
|
1766
|
+
# @!attribute [rw] key_material_id
|
|
1767
|
+
# The identifier of the key material used to decrypt the ciphertext.
|
|
1768
|
+
# This field is present only when the operation uses a symmetric
|
|
1769
|
+
# encryption KMS key. This field is omitted if the request includes
|
|
1770
|
+
# the `Recipient` parameter.
|
|
1667
1771
|
# @return [String]
|
|
1668
1772
|
#
|
|
1669
1773
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
|
|
@@ -1672,7 +1776,8 @@ module Aws::KMS
|
|
|
1672
1776
|
:key_id,
|
|
1673
1777
|
:plaintext,
|
|
1674
1778
|
:encryption_algorithm,
|
|
1675
|
-
:ciphertext_for_recipient
|
|
1779
|
+
:ciphertext_for_recipient,
|
|
1780
|
+
:key_material_id)
|
|
1676
1781
|
SENSITIVE = [:plaintext]
|
|
1677
1782
|
include Aws::Structure
|
|
1678
1783
|
end
|
|
@@ -1724,10 +1829,43 @@ module Aws::KMS
|
|
|
1724
1829
|
# DescribeKey.
|
|
1725
1830
|
# @return [String]
|
|
1726
1831
|
#
|
|
1832
|
+
# @!attribute [rw] key_material_id
|
|
1833
|
+
# Identifies the imported key material you are deleting.
|
|
1834
|
+
#
|
|
1835
|
+
# If no KeyMaterialId is specified, KMS deletes the current key
|
|
1836
|
+
# material.
|
|
1837
|
+
#
|
|
1838
|
+
# To get the list of key material IDs associated with a KMS key, use
|
|
1839
|
+
# ListKeyRotations.
|
|
1840
|
+
# @return [String]
|
|
1841
|
+
#
|
|
1727
1842
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterialRequest AWS API Documentation
|
|
1728
1843
|
#
|
|
1729
1844
|
class DeleteImportedKeyMaterialRequest < Struct.new(
|
|
1730
|
-
:key_id
|
|
1845
|
+
:key_id,
|
|
1846
|
+
:key_material_id)
|
|
1847
|
+
SENSITIVE = []
|
|
1848
|
+
include Aws::Structure
|
|
1849
|
+
end
|
|
1850
|
+
|
|
1851
|
+
# @!attribute [rw] key_id
|
|
1852
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key from which
|
|
1853
|
+
# the key material was deleted.
|
|
1854
|
+
#
|
|
1855
|
+
#
|
|
1856
|
+
#
|
|
1857
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
|
1858
|
+
# @return [String]
|
|
1859
|
+
#
|
|
1860
|
+
# @!attribute [rw] key_material_id
|
|
1861
|
+
# Identifies the deleted key material.
|
|
1862
|
+
# @return [String]
|
|
1863
|
+
#
|
|
1864
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterialResponse AWS API Documentation
|
|
1865
|
+
#
|
|
1866
|
+
class DeleteImportedKeyMaterialResponse < Struct.new(
|
|
1867
|
+
:key_id,
|
|
1868
|
+
:key_material_id)
|
|
1731
1869
|
SENSITIVE = []
|
|
1732
1870
|
include Aws::Structure
|
|
1733
1871
|
end
|
|
@@ -1746,6 +1884,201 @@ module Aws::KMS
|
|
|
1746
1884
|
include Aws::Structure
|
|
1747
1885
|
end
|
|
1748
1886
|
|
|
1887
|
+
# @!attribute [rw] key_id
|
|
1888
|
+
# Identifies an asymmetric NIST-standard ECC or SM2 (China Regions
|
|
1889
|
+
# only) KMS key. KMS uses the private key in the specified key pair to
|
|
1890
|
+
# derive the shared secret. The key usage of the KMS key must be
|
|
1891
|
+
# `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
|
|
1892
|
+
# DescribeKey operation.
|
|
1893
|
+
#
|
|
1894
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1895
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
1896
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
|
1897
|
+
# the key ARN or alias ARN.
|
|
1898
|
+
#
|
|
1899
|
+
# For example:
|
|
1900
|
+
#
|
|
1901
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1902
|
+
#
|
|
1903
|
+
# * Key ARN:
|
|
1904
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1905
|
+
#
|
|
1906
|
+
# * Alias name: `alias/ExampleAlias`
|
|
1907
|
+
#
|
|
1908
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
1909
|
+
#
|
|
1910
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
|
1911
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
1912
|
+
# @return [String]
|
|
1913
|
+
#
|
|
1914
|
+
# @!attribute [rw] key_agreement_algorithm
|
|
1915
|
+
# Specifies the key agreement algorithm used to derive the shared
|
|
1916
|
+
# secret. The only valid value is `ECDH`.
|
|
1917
|
+
# @return [String]
|
|
1918
|
+
#
|
|
1919
|
+
# @!attribute [rw] public_key
|
|
1920
|
+
# Specifies the public key in your peer's NIST-standard elliptic
|
|
1921
|
+
# curve (ECC) or SM2 (China Regions only) key pair.
|
|
1922
|
+
#
|
|
1923
|
+
# The public key must be a DER-encoded X.509 public key, also known as
|
|
1924
|
+
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
|
|
1925
|
+
#
|
|
1926
|
+
# GetPublicKey returns the public key of an asymmetric KMS key pair in
|
|
1927
|
+
# the required DER-encoded format.
|
|
1928
|
+
#
|
|
1929
|
+
# <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
|
|
1930
|
+
# the DER-encoded X.509 public key in a file. Otherwise, the Amazon
|
|
1931
|
+
# Web Services CLI Base64-encodes the public key a second time,
|
|
1932
|
+
# resulting in a `ValidationException`.
|
|
1933
|
+
#
|
|
1934
|
+
# </note>
|
|
1935
|
+
#
|
|
1936
|
+
# You can specify the public key as binary data in a file using fileb
|
|
1937
|
+
# (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
|
|
1938
|
+
#
|
|
1939
|
+
#
|
|
1940
|
+
#
|
|
1941
|
+
# [1]: https://tools.ietf.org/html/rfc5280
|
|
1942
|
+
# [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
|
|
1943
|
+
# @return [String]
|
|
1944
|
+
#
|
|
1945
|
+
# @!attribute [rw] grant_tokens
|
|
1946
|
+
# A list of grant tokens.
|
|
1947
|
+
#
|
|
1948
|
+
# Use a grant token when your permission to call this operation comes
|
|
1949
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
1950
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
1951
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
1952
|
+
#
|
|
1953
|
+
#
|
|
1954
|
+
#
|
|
1955
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
1956
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
1957
|
+
# @return [Array<String>]
|
|
1958
|
+
#
|
|
1959
|
+
# @!attribute [rw] dry_run
|
|
1960
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
1961
|
+
# parameter.
|
|
1962
|
+
#
|
|
1963
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
1964
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
1965
|
+
#
|
|
1966
|
+
#
|
|
1967
|
+
#
|
|
1968
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
1969
|
+
# @return [Boolean]
|
|
1970
|
+
#
|
|
1971
|
+
# @!attribute [rw] recipient
|
|
1972
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
1973
|
+
# enclave or NitroTPM, and the encryption algorithm to use with the
|
|
1974
|
+
# public key in the attestation document. The only valid encryption
|
|
1975
|
+
# algorithm is `RSAES_OAEP_SHA_256`.
|
|
1976
|
+
#
|
|
1977
|
+
# This parameter only supports attestation documents for Amazon Web
|
|
1978
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
|
|
1979
|
+
# DeriveSharedSecret generate an attestation document use either
|
|
1980
|
+
# [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
|
|
1981
|
+
# Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
|
|
1982
|
+
# for Amazon Web Services NitroTPM. Then use the Recipient parameter
|
|
1983
|
+
# from any Amazon Web Services SDK to provide the attestation document
|
|
1984
|
+
# for the attested environment.
|
|
1985
|
+
#
|
|
1986
|
+
# When you use this parameter, instead of returning a plaintext copy
|
|
1987
|
+
# of the shared secret, KMS encrypts the plaintext shared secret under
|
|
1988
|
+
# the public key in the attestation document, and returns the
|
|
1989
|
+
# resulting ciphertext in the `CiphertextForRecipient` field in the
|
|
1990
|
+
# response. This ciphertext can be decrypted only with the private key
|
|
1991
|
+
# in the attested environment. The `CiphertextBlob` field in the
|
|
1992
|
+
# response contains the encrypted shared secret derived from the KMS
|
|
1993
|
+
# key specified by the `KeyId` parameter and public key specified by
|
|
1994
|
+
# the `PublicKey` parameter. The `SharedSecret` field in the response
|
|
1995
|
+
# is null or empty.
|
|
1996
|
+
#
|
|
1997
|
+
# For information about the interaction between KMS and Amazon Web
|
|
1998
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM, see
|
|
1999
|
+
# [Cryptographic attestation support in KMS][4] in the *Key Management
|
|
2000
|
+
# Service Developer Guide*.
|
|
2001
|
+
#
|
|
2002
|
+
#
|
|
2003
|
+
#
|
|
2004
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
2005
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
2006
|
+
# [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
|
|
2007
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
2008
|
+
# @return [Types::RecipientInfo]
|
|
2009
|
+
#
|
|
2010
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
|
|
2011
|
+
#
|
|
2012
|
+
class DeriveSharedSecretRequest < Struct.new(
|
|
2013
|
+
:key_id,
|
|
2014
|
+
:key_agreement_algorithm,
|
|
2015
|
+
:public_key,
|
|
2016
|
+
:grant_tokens,
|
|
2017
|
+
:dry_run,
|
|
2018
|
+
:recipient)
|
|
2019
|
+
SENSITIVE = []
|
|
2020
|
+
include Aws::Structure
|
|
2021
|
+
end
|
|
2022
|
+
|
|
2023
|
+
# @!attribute [rw] key_id
|
|
2024
|
+
# Identifies the KMS key used to derive the shared secret.
|
|
2025
|
+
# @return [String]
|
|
2026
|
+
#
|
|
2027
|
+
# @!attribute [rw] shared_secret
|
|
2028
|
+
# The raw secret derived from the specified key agreement algorithm,
|
|
2029
|
+
# private key in the asymmetric KMS key, and your peer's public key.
|
|
2030
|
+
#
|
|
2031
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
|
2032
|
+
# `SharedSecret` field is null or empty.
|
|
2033
|
+
# @return [String]
|
|
2034
|
+
#
|
|
2035
|
+
# @!attribute [rw] ciphertext_for_recipient
|
|
2036
|
+
# The plaintext shared secret encrypted with the public key from the
|
|
2037
|
+
# attestation document. This ciphertext can be decrypted only by using
|
|
2038
|
+
# a private key from the attested environment.
|
|
2039
|
+
#
|
|
2040
|
+
# This field is included in the response only when the `Recipient`
|
|
2041
|
+
# parameter in the request includes a valid attestation document from
|
|
2042
|
+
# an Amazon Web Services Nitro enclave or NitroTPM. For information
|
|
2043
|
+
# about the interaction between KMS and Amazon Web Services Nitro
|
|
2044
|
+
# Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
|
|
2045
|
+
# attestation support in KMS][1] in the *Key Management Service
|
|
2046
|
+
# Developer Guide*.
|
|
2047
|
+
#
|
|
2048
|
+
#
|
|
2049
|
+
#
|
|
2050
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
2051
|
+
# @return [String]
|
|
2052
|
+
#
|
|
2053
|
+
# @!attribute [rw] key_agreement_algorithm
|
|
2054
|
+
# Identifies the key agreement algorithm used to derive the shared
|
|
2055
|
+
# secret.
|
|
2056
|
+
# @return [String]
|
|
2057
|
+
#
|
|
2058
|
+
# @!attribute [rw] key_origin
|
|
2059
|
+
# The source of the key material for the specified KMS key.
|
|
2060
|
+
#
|
|
2061
|
+
# When this value is `AWS_KMS`, KMS created the key material. When
|
|
2062
|
+
# this value is `EXTERNAL`, the key material was imported or the KMS
|
|
2063
|
+
# key doesn't have any key material.
|
|
2064
|
+
#
|
|
2065
|
+
# The only valid values for DeriveSharedSecret are `AWS_KMS` and
|
|
2066
|
+
# `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
|
|
2067
|
+
# `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
|
|
2068
|
+
# @return [String]
|
|
2069
|
+
#
|
|
2070
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
|
|
2071
|
+
#
|
|
2072
|
+
class DeriveSharedSecretResponse < Struct.new(
|
|
2073
|
+
:key_id,
|
|
2074
|
+
:shared_secret,
|
|
2075
|
+
:ciphertext_for_recipient,
|
|
2076
|
+
:key_agreement_algorithm,
|
|
2077
|
+
:key_origin)
|
|
2078
|
+
SENSITIVE = [:shared_secret]
|
|
2079
|
+
include Aws::Structure
|
|
2080
|
+
end
|
|
2081
|
+
|
|
1749
2082
|
# @!attribute [rw] custom_key_store_id
|
|
1750
2083
|
# Gets only information about the specified custom key store. Enter
|
|
1751
2084
|
# the key store ID.
|
|
@@ -1801,8 +2134,8 @@ module Aws::KMS
|
|
|
1801
2134
|
# @!attribute [rw] truncated
|
|
1802
2135
|
# A flag that indicates whether there are more items in the list. When
|
|
1803
2136
|
# this value is true, the list in this response is truncated. To get
|
|
1804
|
-
# more items, pass the value of the `NextMarker` element in
|
|
1805
|
-
#
|
|
2137
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
2138
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
1806
2139
|
# @return [Boolean]
|
|
1807
2140
|
#
|
|
1808
2141
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
|
|
@@ -1844,7 +2177,7 @@ module Aws::KMS
|
|
|
1844
2177
|
#
|
|
1845
2178
|
#
|
|
1846
2179
|
#
|
|
1847
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
|
|
2180
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
|
|
1848
2181
|
# @return [String]
|
|
1849
2182
|
#
|
|
1850
2183
|
# @!attribute [rw] grant_tokens
|
|
@@ -1858,7 +2191,7 @@ module Aws::KMS
|
|
|
1858
2191
|
#
|
|
1859
2192
|
#
|
|
1860
2193
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
1861
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2194
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
1862
2195
|
# @return [Array<String>]
|
|
1863
2196
|
#
|
|
1864
2197
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
|
|
@@ -1929,7 +2262,7 @@ module Aws::KMS
|
|
|
1929
2262
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1930
2263
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1931
2264
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1932
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2265
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
|
1933
2266
|
# @return [String]
|
|
1934
2267
|
#
|
|
1935
2268
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -2032,14 +2365,35 @@ module Aws::KMS
|
|
|
2032
2365
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
2033
2366
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
2034
2367
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
2035
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2036
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2368
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
|
2369
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
|
|
2037
2370
|
# @return [String]
|
|
2038
2371
|
#
|
|
2372
|
+
# @!attribute [rw] rotation_period_in_days
|
|
2373
|
+
# Use this parameter to specify a custom period of time between each
|
|
2374
|
+
# rotation date. If no value is specified, the default value is 365
|
|
2375
|
+
# days.
|
|
2376
|
+
#
|
|
2377
|
+
# The rotation period defines the number of days after you enable
|
|
2378
|
+
# automatic key rotation that KMS will rotate your key material, and
|
|
2379
|
+
# the number of days between each automatic rotation thereafter.
|
|
2380
|
+
#
|
|
2381
|
+
# You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
|
|
2382
|
+
# further constrain the values that principals can specify in the
|
|
2383
|
+
# `RotationPeriodInDays` parameter.
|
|
2384
|
+
#
|
|
2385
|
+
#
|
|
2386
|
+
#
|
|
2387
|
+
#
|
|
2388
|
+
#
|
|
2389
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
|
|
2390
|
+
# @return [Integer]
|
|
2391
|
+
#
|
|
2039
2392
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
2040
2393
|
#
|
|
2041
2394
|
class EnableKeyRotationRequest < Struct.new(
|
|
2042
|
-
:key_id
|
|
2395
|
+
:key_id,
|
|
2396
|
+
:rotation_period_in_days)
|
|
2043
2397
|
SENSITIVE = []
|
|
2044
2398
|
include Aws::Structure
|
|
2045
2399
|
end
|
|
@@ -2098,8 +2452,8 @@ module Aws::KMS
|
|
|
2098
2452
|
#
|
|
2099
2453
|
#
|
|
2100
2454
|
#
|
|
2101
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2102
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2455
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
2456
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
2103
2457
|
# @return [Hash<String,String>]
|
|
2104
2458
|
#
|
|
2105
2459
|
# @!attribute [rw] grant_tokens
|
|
@@ -2113,7 +2467,7 @@ module Aws::KMS
|
|
|
2113
2467
|
#
|
|
2114
2468
|
#
|
|
2115
2469
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2116
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2470
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
2117
2471
|
# @return [Array<String>]
|
|
2118
2472
|
#
|
|
2119
2473
|
# @!attribute [rw] encryption_algorithm
|
|
@@ -2133,12 +2487,12 @@ module Aws::KMS
|
|
|
2133
2487
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
2134
2488
|
# parameter.
|
|
2135
2489
|
#
|
|
2136
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
2137
|
-
#
|
|
2490
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
2491
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
2138
2492
|
#
|
|
2139
2493
|
#
|
|
2140
2494
|
#
|
|
2141
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2495
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
2142
2496
|
# @return [Boolean]
|
|
2143
2497
|
#
|
|
2144
2498
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -2221,7 +2575,7 @@ module Aws::KMS
|
|
|
2221
2575
|
#
|
|
2222
2576
|
#
|
|
2223
2577
|
#
|
|
2224
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2578
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
2225
2579
|
# @return [Hash<String,String>]
|
|
2226
2580
|
#
|
|
2227
2581
|
# @!attribute [rw] key_id
|
|
@@ -2255,9 +2609,11 @@ module Aws::KMS
|
|
|
2255
2609
|
#
|
|
2256
2610
|
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
|
2257
2611
|
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
2258
|
-
#
|
|
2259
|
-
# verify,
|
|
2260
|
-
#
|
|
2612
|
+
# the rule that permits you to use ECC KMS keys only to sign and
|
|
2613
|
+
# verify, and the rule that permits you to use ML-DSA key pairs to
|
|
2614
|
+
# sign and verify only are not effective on data key pairs, which are
|
|
2615
|
+
# used outside of KMS. The SM2 key spec is only available in China
|
|
2616
|
+
# Regions.
|
|
2261
2617
|
# @return [String]
|
|
2262
2618
|
#
|
|
2263
2619
|
# @!attribute [rw] grant_tokens
|
|
@@ -2271,50 +2627,57 @@ module Aws::KMS
|
|
|
2271
2627
|
#
|
|
2272
2628
|
#
|
|
2273
2629
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2274
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2630
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
2275
2631
|
# @return [Array<String>]
|
|
2276
2632
|
#
|
|
2277
2633
|
# @!attribute [rw] recipient
|
|
2278
2634
|
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
2279
|
-
# enclave and the encryption algorithm to use with the
|
|
2280
|
-
# public key. The only valid encryption
|
|
2281
|
-
# `RSAES_OAEP_SHA_256`.
|
|
2635
|
+
# enclave or NitroTPM, and the encryption algorithm to use with the
|
|
2636
|
+
# public key in the attestation document. The only valid encryption
|
|
2637
|
+
# algorithm is `RSAES_OAEP_SHA_256`.
|
|
2282
2638
|
#
|
|
2283
2639
|
# This parameter only supports attestation documents for Amazon Web
|
|
2284
|
-
# Services Nitro Enclaves
|
|
2285
|
-
#
|
|
2640
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
|
|
2641
|
+
# GenerateDataKeyPair generate an attestation document use either
|
|
2642
|
+
# [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
|
|
2643
|
+
# Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
|
|
2644
|
+
# for Amazon Web Services NitroTPM. Then use the Recipient parameter
|
|
2645
|
+
# from any Amazon Web Services SDK to provide the attestation document
|
|
2646
|
+
# for the attested environment.
|
|
2286
2647
|
#
|
|
2287
2648
|
# When you use this parameter, instead of returning a plaintext copy
|
|
2288
2649
|
# of the private data key, KMS encrypts the plaintext private data key
|
|
2289
2650
|
# under the public key in the attestation document, and returns the
|
|
2290
2651
|
# resulting ciphertext in the `CiphertextForRecipient` field in the
|
|
2291
2652
|
# response. This ciphertext can be decrypted only with the private key
|
|
2292
|
-
# in the
|
|
2293
|
-
# a copy of the private data key encrypted under the
|
|
2294
|
-
# by the `KeyId` parameter. The
|
|
2295
|
-
# response is null or empty.
|
|
2653
|
+
# in the attested environment. The `CiphertextBlob` field in the
|
|
2654
|
+
# response contains a copy of the private data key encrypted under the
|
|
2655
|
+
# KMS key specified by the `KeyId` parameter. The
|
|
2656
|
+
# `PrivateKeyPlaintext` field in the response is null or empty.
|
|
2296
2657
|
#
|
|
2297
2658
|
# For information about the interaction between KMS and Amazon Web
|
|
2298
|
-
# Services Nitro Enclaves
|
|
2299
|
-
#
|
|
2659
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM, see
|
|
2660
|
+
# [Cryptographic attestation support in KMS][4] in the *Key Management
|
|
2661
|
+
# Service Developer Guide*.
|
|
2300
2662
|
#
|
|
2301
2663
|
#
|
|
2302
2664
|
#
|
|
2303
2665
|
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
2304
2666
|
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
2305
|
-
# [3]: https://docs.aws.amazon.com/
|
|
2667
|
+
# [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
|
|
2668
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
2306
2669
|
# @return [Types::RecipientInfo]
|
|
2307
2670
|
#
|
|
2308
2671
|
# @!attribute [rw] dry_run
|
|
2309
2672
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
2310
2673
|
# parameter.
|
|
2311
2674
|
#
|
|
2312
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
2313
|
-
#
|
|
2675
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
2676
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
2314
2677
|
#
|
|
2315
2678
|
#
|
|
2316
2679
|
#
|
|
2317
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2680
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
2318
2681
|
# @return [Boolean]
|
|
2319
2682
|
#
|
|
2320
2683
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
|
|
@@ -2366,19 +2729,24 @@ module Aws::KMS
|
|
|
2366
2729
|
#
|
|
2367
2730
|
# @!attribute [rw] ciphertext_for_recipient
|
|
2368
2731
|
# The plaintext private data key encrypted with the public key from
|
|
2369
|
-
# the
|
|
2370
|
-
# private key
|
|
2732
|
+
# the attestation document. This ciphertext can be decrypted only by
|
|
2733
|
+
# using a private key from the attested environment.
|
|
2371
2734
|
#
|
|
2372
2735
|
# This field is included in the response only when the `Recipient`
|
|
2373
2736
|
# parameter in the request includes a valid attestation document from
|
|
2374
|
-
# an Amazon Web Services Nitro enclave. For information
|
|
2375
|
-
# interaction between KMS and Amazon Web Services Nitro
|
|
2376
|
-
#
|
|
2377
|
-
# Management Service
|
|
2737
|
+
# an Amazon Web Services Nitro enclave or NitroTPM. For information
|
|
2738
|
+
# about the interaction between KMS and Amazon Web Services Nitro
|
|
2739
|
+
# Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
|
|
2740
|
+
# attestation support in KMS][1] in the *Key Management Service
|
|
2741
|
+
# Developer Guide*.
|
|
2742
|
+
#
|
|
2378
2743
|
#
|
|
2379
2744
|
#
|
|
2745
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
2746
|
+
# @return [String]
|
|
2380
2747
|
#
|
|
2381
|
-
#
|
|
2748
|
+
# @!attribute [rw] key_material_id
|
|
2749
|
+
# The identifier of the key material used to encrypt the private key.
|
|
2382
2750
|
# @return [String]
|
|
2383
2751
|
#
|
|
2384
2752
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
|
|
@@ -2389,7 +2757,8 @@ module Aws::KMS
|
|
|
2389
2757
|
:public_key,
|
|
2390
2758
|
:key_id,
|
|
2391
2759
|
:key_pair_spec,
|
|
2392
|
-
:ciphertext_for_recipient
|
|
2760
|
+
:ciphertext_for_recipient,
|
|
2761
|
+
:key_material_id)
|
|
2393
2762
|
SENSITIVE = [:private_key_plaintext]
|
|
2394
2763
|
include Aws::Structure
|
|
2395
2764
|
end
|
|
@@ -2416,7 +2785,7 @@ module Aws::KMS
|
|
|
2416
2785
|
#
|
|
2417
2786
|
#
|
|
2418
2787
|
#
|
|
2419
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2788
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
2420
2789
|
# @return [Hash<String,String>]
|
|
2421
2790
|
#
|
|
2422
2791
|
# @!attribute [rw] key_id
|
|
@@ -2450,9 +2819,11 @@ module Aws::KMS
|
|
|
2450
2819
|
#
|
|
2451
2820
|
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
|
2452
2821
|
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
2453
|
-
#
|
|
2454
|
-
# verify,
|
|
2455
|
-
#
|
|
2822
|
+
# the rule that permits you to use ECC KMS keys only to sign and
|
|
2823
|
+
# verify, and the rule that permits you to use ML-DSA key pairs to
|
|
2824
|
+
# sign and verify only are not effective on data key pairs, which are
|
|
2825
|
+
# used outside of KMS. The SM2 key spec is only available in China
|
|
2826
|
+
# Regions.
|
|
2456
2827
|
# @return [String]
|
|
2457
2828
|
#
|
|
2458
2829
|
# @!attribute [rw] grant_tokens
|
|
@@ -2466,19 +2837,19 @@ module Aws::KMS
|
|
|
2466
2837
|
#
|
|
2467
2838
|
#
|
|
2468
2839
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2469
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2840
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
2470
2841
|
# @return [Array<String>]
|
|
2471
2842
|
#
|
|
2472
2843
|
# @!attribute [rw] dry_run
|
|
2473
2844
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
2474
2845
|
# parameter.
|
|
2475
2846
|
#
|
|
2476
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
2477
|
-
#
|
|
2847
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
2848
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
2478
2849
|
#
|
|
2479
2850
|
#
|
|
2480
2851
|
#
|
|
2481
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2852
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
2482
2853
|
# @return [Boolean]
|
|
2483
2854
|
#
|
|
2484
2855
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
|
|
@@ -2518,13 +2889,18 @@ module Aws::KMS
|
|
|
2518
2889
|
# The type of data key pair that was generated.
|
|
2519
2890
|
# @return [String]
|
|
2520
2891
|
#
|
|
2892
|
+
# @!attribute [rw] key_material_id
|
|
2893
|
+
# The identifier of the key material used to encrypt the private key.
|
|
2894
|
+
# @return [String]
|
|
2895
|
+
#
|
|
2521
2896
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
|
|
2522
2897
|
#
|
|
2523
2898
|
class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
|
|
2524
2899
|
:private_key_ciphertext_blob,
|
|
2525
2900
|
:public_key,
|
|
2526
2901
|
:key_id,
|
|
2527
|
-
:key_pair_spec
|
|
2902
|
+
:key_pair_spec,
|
|
2903
|
+
:key_material_id)
|
|
2528
2904
|
SENSITIVE = []
|
|
2529
2905
|
include Aws::Structure
|
|
2530
2906
|
end
|
|
@@ -2577,7 +2953,7 @@ module Aws::KMS
|
|
|
2577
2953
|
#
|
|
2578
2954
|
#
|
|
2579
2955
|
#
|
|
2580
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2956
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
2581
2957
|
# @return [Hash<String,String>]
|
|
2582
2958
|
#
|
|
2583
2959
|
# @!attribute [rw] number_of_bytes
|
|
@@ -2610,18 +2986,19 @@ module Aws::KMS
|
|
|
2610
2986
|
#
|
|
2611
2987
|
#
|
|
2612
2988
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2613
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2989
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
2614
2990
|
# @return [Array<String>]
|
|
2615
2991
|
#
|
|
2616
2992
|
# @!attribute [rw] recipient
|
|
2617
2993
|
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
2618
|
-
# enclave and the encryption algorithm to use with the
|
|
2619
|
-
# public key. The only valid encryption
|
|
2620
|
-
# `RSAES_OAEP_SHA_256`.
|
|
2994
|
+
# enclave or NitroTPM, and the encryption algorithm to use with the
|
|
2995
|
+
# public key in the attestation document. The only valid encryption
|
|
2996
|
+
# algorithm is `RSAES_OAEP_SHA_256`.
|
|
2621
2997
|
#
|
|
2622
|
-
# This parameter
|
|
2623
|
-
#
|
|
2624
|
-
#
|
|
2998
|
+
# This parameter supports the [Amazon Web Services Nitro Enclaves
|
|
2999
|
+
# SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
|
|
3000
|
+
# Enclaves. It supports any Amazon Web Services SDK for Amazon Web
|
|
3001
|
+
# Services NitroTPM.
|
|
2625
3002
|
#
|
|
2626
3003
|
# When you use this parameter, instead of returning the plaintext data
|
|
2627
3004
|
# key, KMS encrypts the plaintext data key under the public key in the
|
|
@@ -2633,26 +3010,27 @@ module Aws::KMS
|
|
|
2633
3010
|
# The `Plaintext` field in the response is null or empty.
|
|
2634
3011
|
#
|
|
2635
3012
|
# For information about the interaction between KMS and Amazon Web
|
|
2636
|
-
# Services Nitro Enclaves
|
|
2637
|
-
#
|
|
3013
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM, see
|
|
3014
|
+
# [Cryptographic attestation support in KMS][3] in the *Key Management
|
|
3015
|
+
# Service Developer Guide*.
|
|
2638
3016
|
#
|
|
2639
3017
|
#
|
|
2640
3018
|
#
|
|
2641
3019
|
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
2642
3020
|
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
2643
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3021
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
2644
3022
|
# @return [Types::RecipientInfo]
|
|
2645
3023
|
#
|
|
2646
3024
|
# @!attribute [rw] dry_run
|
|
2647
3025
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
2648
3026
|
# parameter.
|
|
2649
3027
|
#
|
|
2650
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
2651
|
-
#
|
|
3028
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
3029
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
2652
3030
|
#
|
|
2653
3031
|
#
|
|
2654
3032
|
#
|
|
2655
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3033
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
2656
3034
|
# @return [Boolean]
|
|
2657
3035
|
#
|
|
2658
3036
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
|
|
@@ -2695,20 +3073,27 @@ module Aws::KMS
|
|
|
2695
3073
|
# @return [String]
|
|
2696
3074
|
#
|
|
2697
3075
|
# @!attribute [rw] ciphertext_for_recipient
|
|
2698
|
-
# The plaintext data key encrypted with the public key from the
|
|
2699
|
-
#
|
|
2700
|
-
# key
|
|
3076
|
+
# The plaintext data key encrypted with the public key from the
|
|
3077
|
+
# attestation document. This ciphertext can be decrypted only by using
|
|
3078
|
+
# a private key from the attested environment.
|
|
2701
3079
|
#
|
|
2702
3080
|
# This field is included in the response only when the `Recipient`
|
|
2703
3081
|
# parameter in the request includes a valid attestation document from
|
|
2704
|
-
# an Amazon Web Services Nitro enclave. For information
|
|
2705
|
-
# interaction between KMS and Amazon Web Services Nitro
|
|
2706
|
-
#
|
|
2707
|
-
# Management Service
|
|
3082
|
+
# an Amazon Web Services Nitro enclave or NitroTPM. For information
|
|
3083
|
+
# about the interaction between KMS and Amazon Web Services Nitro
|
|
3084
|
+
# Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
|
|
3085
|
+
# attestation support in KMS][1] in the *Key Management Service
|
|
3086
|
+
# Developer Guide*.
|
|
3087
|
+
#
|
|
2708
3088
|
#
|
|
2709
3089
|
#
|
|
3090
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
3091
|
+
# @return [String]
|
|
2710
3092
|
#
|
|
2711
|
-
#
|
|
3093
|
+
# @!attribute [rw] key_material_id
|
|
3094
|
+
# The identifier of the key material used to encrypt the data key.
|
|
3095
|
+
# This field is omitted if the request includes the `Recipient`
|
|
3096
|
+
# parameter.
|
|
2712
3097
|
# @return [String]
|
|
2713
3098
|
#
|
|
2714
3099
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
|
|
@@ -2717,7 +3102,8 @@ module Aws::KMS
|
|
|
2717
3102
|
:ciphertext_blob,
|
|
2718
3103
|
:plaintext,
|
|
2719
3104
|
:key_id,
|
|
2720
|
-
:ciphertext_for_recipient
|
|
3105
|
+
:ciphertext_for_recipient,
|
|
3106
|
+
:key_material_id)
|
|
2721
3107
|
SENSITIVE = [:plaintext]
|
|
2722
3108
|
include Aws::Structure
|
|
2723
3109
|
end
|
|
@@ -2770,7 +3156,7 @@ module Aws::KMS
|
|
|
2770
3156
|
#
|
|
2771
3157
|
#
|
|
2772
3158
|
#
|
|
2773
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3159
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
2774
3160
|
# @return [Hash<String,String>]
|
|
2775
3161
|
#
|
|
2776
3162
|
# @!attribute [rw] key_spec
|
|
@@ -2796,19 +3182,19 @@ module Aws::KMS
|
|
|
2796
3182
|
#
|
|
2797
3183
|
#
|
|
2798
3184
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2799
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3185
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
2800
3186
|
# @return [Array<String>]
|
|
2801
3187
|
#
|
|
2802
3188
|
# @!attribute [rw] dry_run
|
|
2803
3189
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
2804
3190
|
# parameter.
|
|
2805
3191
|
#
|
|
2806
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
2807
|
-
#
|
|
3192
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
3193
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
2808
3194
|
#
|
|
2809
3195
|
#
|
|
2810
3196
|
#
|
|
2811
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3197
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
2812
3198
|
# @return [Boolean]
|
|
2813
3199
|
#
|
|
2814
3200
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
|
|
@@ -2839,11 +3225,16 @@ module Aws::KMS
|
|
|
2839
3225
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
|
2840
3226
|
# @return [String]
|
|
2841
3227
|
#
|
|
3228
|
+
# @!attribute [rw] key_material_id
|
|
3229
|
+
# The identifier of the key material used to encrypt the data key.
|
|
3230
|
+
# @return [String]
|
|
3231
|
+
#
|
|
2842
3232
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
|
|
2843
3233
|
#
|
|
2844
3234
|
class GenerateDataKeyWithoutPlaintextResponse < Struct.new(
|
|
2845
3235
|
:ciphertext_blob,
|
|
2846
|
-
:key_id
|
|
3236
|
+
:key_id,
|
|
3237
|
+
:key_material_id)
|
|
2847
3238
|
SENSITIVE = []
|
|
2848
3239
|
include Aws::Structure
|
|
2849
3240
|
end
|
|
@@ -2888,19 +3279,19 @@ module Aws::KMS
|
|
|
2888
3279
|
#
|
|
2889
3280
|
#
|
|
2890
3281
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2891
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3282
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
2892
3283
|
# @return [Array<String>]
|
|
2893
3284
|
#
|
|
2894
3285
|
# @!attribute [rw] dry_run
|
|
2895
3286
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
2896
3287
|
# parameter.
|
|
2897
3288
|
#
|
|
2898
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
2899
|
-
#
|
|
3289
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
3290
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
2900
3291
|
#
|
|
2901
3292
|
#
|
|
2902
3293
|
#
|
|
2903
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3294
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
2904
3295
|
# @return [Boolean]
|
|
2905
3296
|
#
|
|
2906
3297
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
|
@@ -2960,30 +3351,32 @@ module Aws::KMS
|
|
|
2960
3351
|
#
|
|
2961
3352
|
# @!attribute [rw] recipient
|
|
2962
3353
|
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
2963
|
-
# enclave and the encryption algorithm to use with the
|
|
2964
|
-
# public key. The only valid encryption
|
|
2965
|
-
# `RSAES_OAEP_SHA_256`.
|
|
3354
|
+
# enclave or NitroTPM, and the encryption algorithm to use with the
|
|
3355
|
+
# public key in the attestation document. The only valid encryption
|
|
3356
|
+
# algorithm is `RSAES_OAEP_SHA_256`.
|
|
2966
3357
|
#
|
|
2967
|
-
# This parameter
|
|
2968
|
-
#
|
|
2969
|
-
#
|
|
3358
|
+
# This parameter supports the [Amazon Web Services Nitro Enclaves
|
|
3359
|
+
# SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
|
|
3360
|
+
# Enclaves. It supports any Amazon Web Services SDK for Amazon Web
|
|
3361
|
+
# Services NitroTPM.
|
|
2970
3362
|
#
|
|
2971
3363
|
# When you use this parameter, instead of returning plaintext bytes,
|
|
2972
3364
|
# KMS encrypts the plaintext bytes under the public key in the
|
|
2973
3365
|
# attestation document, and returns the resulting ciphertext in the
|
|
2974
3366
|
# `CiphertextForRecipient` field in the response. This ciphertext can
|
|
2975
|
-
# be decrypted only with the private key in the
|
|
2976
|
-
# `Plaintext` field in the response is null or empty.
|
|
3367
|
+
# be decrypted only with the private key in the attested environment.
|
|
3368
|
+
# The `Plaintext` field in the response is null or empty.
|
|
2977
3369
|
#
|
|
2978
3370
|
# For information about the interaction between KMS and Amazon Web
|
|
2979
|
-
# Services Nitro Enclaves
|
|
2980
|
-
#
|
|
3371
|
+
# Services Nitro Enclaves or Amazon Web Services NitroTPM, see
|
|
3372
|
+
# [Cryptographic attestation support in KMS][3] in the *Key Management
|
|
3373
|
+
# Service Developer Guide*.
|
|
2981
3374
|
#
|
|
2982
3375
|
#
|
|
2983
3376
|
#
|
|
2984
3377
|
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
2985
3378
|
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
2986
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3379
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
2987
3380
|
# @return [Types::RecipientInfo]
|
|
2988
3381
|
#
|
|
2989
3382
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
|
|
@@ -3007,19 +3400,20 @@ module Aws::KMS
|
|
|
3007
3400
|
#
|
|
3008
3401
|
# @!attribute [rw] ciphertext_for_recipient
|
|
3009
3402
|
# The plaintext random bytes encrypted with the public key from the
|
|
3010
|
-
#
|
|
3011
|
-
# private key
|
|
3403
|
+
# attestation document. This ciphertext can be decrypted only by using
|
|
3404
|
+
# a private key from the attested environment.
|
|
3012
3405
|
#
|
|
3013
3406
|
# This field is included in the response only when the `Recipient`
|
|
3014
3407
|
# parameter in the request includes a valid attestation document from
|
|
3015
|
-
# an Amazon Web Services Nitro enclave. For information
|
|
3016
|
-
# interaction between KMS and Amazon Web Services Nitro
|
|
3017
|
-
#
|
|
3018
|
-
# Management Service
|
|
3408
|
+
# an Amazon Web Services Nitro enclave or NitroTPM. For information
|
|
3409
|
+
# about the interaction between KMS and Amazon Web Services Nitro
|
|
3410
|
+
# Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
|
|
3411
|
+
# attestation support in KMS][1] in the *Key Management Service
|
|
3412
|
+
# Developer Guide*.
|
|
3019
3413
|
#
|
|
3020
3414
|
#
|
|
3021
3415
|
#
|
|
3022
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3416
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
3023
3417
|
# @return [String]
|
|
3024
3418
|
#
|
|
3025
3419
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
|
|
@@ -3048,7 +3442,8 @@ module Aws::KMS
|
|
|
3048
3442
|
# @return [String]
|
|
3049
3443
|
#
|
|
3050
3444
|
# @!attribute [rw] policy_name
|
|
3051
|
-
# Specifies the name of the key policy.
|
|
3445
|
+
# Specifies the name of the key policy. If no policy name is
|
|
3446
|
+
# specified, the default value is `default`. The only valid name is
|
|
3052
3447
|
# `default`. To get the names of key policies, use ListKeyPolicies.
|
|
3053
3448
|
# @return [String]
|
|
3054
3449
|
#
|
|
@@ -3065,10 +3460,15 @@ module Aws::KMS
|
|
|
3065
3460
|
# A key policy document in JSON format.
|
|
3066
3461
|
# @return [String]
|
|
3067
3462
|
#
|
|
3463
|
+
# @!attribute [rw] policy_name
|
|
3464
|
+
# The name of the key policy. The only valid value is `default`.
|
|
3465
|
+
# @return [String]
|
|
3466
|
+
#
|
|
3068
3467
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicyResponse AWS API Documentation
|
|
3069
3468
|
#
|
|
3070
3469
|
class GetKeyPolicyResponse < Struct.new(
|
|
3071
|
-
:policy
|
|
3470
|
+
:policy,
|
|
3471
|
+
:policy_name)
|
|
3072
3472
|
SENSITIVE = []
|
|
3073
3473
|
include Aws::Structure
|
|
3074
3474
|
end
|
|
@@ -3103,10 +3503,39 @@ module Aws::KMS
|
|
|
3103
3503
|
# A Boolean value that specifies whether key rotation is enabled.
|
|
3104
3504
|
# @return [Boolean]
|
|
3105
3505
|
#
|
|
3506
|
+
# @!attribute [rw] key_id
|
|
3507
|
+
# Identifies the specified symmetric encryption KMS key.
|
|
3508
|
+
# @return [String]
|
|
3509
|
+
#
|
|
3510
|
+
# @!attribute [rw] rotation_period_in_days
|
|
3511
|
+
# The number of days between each automatic rotation. The default
|
|
3512
|
+
# value is 365 days.
|
|
3513
|
+
# @return [Integer]
|
|
3514
|
+
#
|
|
3515
|
+
# @!attribute [rw] next_rotation_date
|
|
3516
|
+
# The next date that KMS will automatically rotate the key material.
|
|
3517
|
+
# @return [Time]
|
|
3518
|
+
#
|
|
3519
|
+
# @!attribute [rw] on_demand_rotation_start_date
|
|
3520
|
+
# Identifies the date and time that an in progress on-demand rotation
|
|
3521
|
+
# was initiated.
|
|
3522
|
+
#
|
|
3523
|
+
# KMS uses a background process to perform rotations. As a result,
|
|
3524
|
+
# there might be a slight delay between initiating on-demand key
|
|
3525
|
+
# rotation and the rotation's completion. Once the on-demand rotation
|
|
3526
|
+
# is complete, KMS removes this field from the response. You can use
|
|
3527
|
+
# ListKeyRotations to view the details of the completed on-demand
|
|
3528
|
+
# rotation.
|
|
3529
|
+
# @return [Time]
|
|
3530
|
+
#
|
|
3106
3531
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatusResponse AWS API Documentation
|
|
3107
3532
|
#
|
|
3108
3533
|
class GetKeyRotationStatusResponse < Struct.new(
|
|
3109
|
-
:key_rotation_enabled
|
|
3534
|
+
:key_rotation_enabled,
|
|
3535
|
+
:key_id,
|
|
3536
|
+
:rotation_period_in_days,
|
|
3537
|
+
:next_rotation_date,
|
|
3538
|
+
:on_demand_rotation_start_date)
|
|
3110
3539
|
SENSITIVE = []
|
|
3111
3540
|
include Aws::Structure
|
|
3112
3541
|
end
|
|
@@ -3136,9 +3565,8 @@ module Aws::KMS
|
|
|
3136
3565
|
# @!attribute [rw] wrapping_algorithm
|
|
3137
3566
|
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
|
3138
3567
|
# the response to protect your key material during import. For more
|
|
3139
|
-
# information, see [Select a wrapping
|
|
3140
|
-
#
|
|
3141
|
-
# in the *Key Management Service Developer Guide*.
|
|
3568
|
+
# information, see [Select a wrapping algorithm][1] in the *Key
|
|
3569
|
+
# Management Service Developer Guide*.
|
|
3142
3570
|
#
|
|
3143
3571
|
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
|
3144
3572
|
# an AES key that you generate, then encrypt your AES key with the RSA
|
|
@@ -3170,6 +3598,10 @@ module Aws::KMS
|
|
|
3170
3598
|
#
|
|
3171
3599
|
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
|
|
3172
3600
|
# does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
|
|
3601
|
+
#
|
|
3602
|
+
#
|
|
3603
|
+
#
|
|
3604
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm
|
|
3173
3605
|
# @return [String]
|
|
3174
3606
|
#
|
|
3175
3607
|
# @!attribute [rw] wrapping_key_spec
|
|
@@ -3265,7 +3697,7 @@ module Aws::KMS
|
|
|
3265
3697
|
#
|
|
3266
3698
|
#
|
|
3267
3699
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
3268
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3700
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
3269
3701
|
# @return [Array<String>]
|
|
3270
3702
|
#
|
|
3271
3703
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
|
|
@@ -3314,12 +3746,12 @@ module Aws::KMS
|
|
|
3314
3746
|
# @return [String]
|
|
3315
3747
|
#
|
|
3316
3748
|
# @!attribute [rw] key_usage
|
|
3317
|
-
# The permitted use of the public key. Valid values
|
|
3318
|
-
# `ENCRYPT_DECRYPT`
|
|
3749
|
+
# The permitted use of the public key. Valid values for asymmetric key
|
|
3750
|
+
# pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
|
|
3319
3751
|
#
|
|
3320
|
-
# This information is critical.
|
|
3321
|
-
# usage encrypts data outside of KMS, the ciphertext
|
|
3322
|
-
# decrypted.
|
|
3752
|
+
# This information is critical. For example, if a public key with
|
|
3753
|
+
# `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
|
|
3754
|
+
# cannot be decrypted.
|
|
3323
3755
|
# @return [String]
|
|
3324
3756
|
#
|
|
3325
3757
|
# @!attribute [rw] encryption_algorithms
|
|
@@ -3340,6 +3772,12 @@ module Aws::KMS
|
|
|
3340
3772
|
# public key is `SIGN_VERIFY`.
|
|
3341
3773
|
# @return [Array<String>]
|
|
3342
3774
|
#
|
|
3775
|
+
# @!attribute [rw] key_agreement_algorithms
|
|
3776
|
+
# The key agreement algorithm used to derive a shared secret. This
|
|
3777
|
+
# field is present only when the KMS key has a `KeyUsage` value of
|
|
3778
|
+
# `KEY_AGREEMENT`.
|
|
3779
|
+
# @return [Array<String>]
|
|
3780
|
+
#
|
|
3343
3781
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
|
|
3344
3782
|
#
|
|
3345
3783
|
class GetPublicKeyResponse < Struct.new(
|
|
@@ -3349,7 +3787,8 @@ module Aws::KMS
|
|
|
3349
3787
|
:key_spec,
|
|
3350
3788
|
:key_usage,
|
|
3351
3789
|
:encryption_algorithms,
|
|
3352
|
-
:signing_algorithms
|
|
3790
|
+
:signing_algorithms,
|
|
3791
|
+
:key_agreement_algorithms)
|
|
3353
3792
|
SENSITIVE = []
|
|
3354
3793
|
include Aws::Structure
|
|
3355
3794
|
end
|
|
@@ -3360,9 +3799,9 @@ module Aws::KMS
|
|
|
3360
3799
|
#
|
|
3361
3800
|
# KMS applies the grant constraints only to cryptographic operations
|
|
3362
3801
|
# that support an encryption context, that is, all cryptographic
|
|
3363
|
-
# operations with a
|
|
3364
|
-
#
|
|
3365
|
-
#
|
|
3802
|
+
# operations with a symmetric KMS key. Grant constraints are not applied
|
|
3803
|
+
# to operations that do not support an encryption context, such as
|
|
3804
|
+
# cryptographic operations with asymmetric KMS keys and management
|
|
3366
3805
|
# operations, such as DescribeKey or RetireGrant.
|
|
3367
3806
|
#
|
|
3368
3807
|
# In a cryptographic operation, the encryption context in the decryption
|
|
@@ -3377,15 +3816,14 @@ module Aws::KMS
|
|
|
3377
3816
|
# differ only by case. To require a fully case-sensitive encryption
|
|
3378
3817
|
# context, use the `kms:EncryptionContext:` and
|
|
3379
3818
|
# `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
|
|
3380
|
-
# details, see [kms:EncryptionContext:][
|
|
3381
|
-
# Service Developer Guide</i> </i>.
|
|
3819
|
+
# details, see [kms:EncryptionContext:context-key][3] in the <i> <i>Key
|
|
3820
|
+
# Management Service Developer Guide</i> </i>.
|
|
3382
3821
|
#
|
|
3383
3822
|
#
|
|
3384
3823
|
#
|
|
3385
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3386
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3387
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3388
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
|
|
3824
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
3825
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
3826
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context
|
|
3389
3827
|
#
|
|
3390
3828
|
# @!attribute [rw] encryption_context_subset
|
|
3391
3829
|
# A list of key-value pairs that must be included in the encryption
|
|
@@ -3396,7 +3834,7 @@ module Aws::KMS
|
|
|
3396
3834
|
#
|
|
3397
3835
|
#
|
|
3398
3836
|
#
|
|
3399
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3837
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
3400
3838
|
# @return [Hash<String,String>]
|
|
3401
3839
|
#
|
|
3402
3840
|
# @!attribute [rw] encryption_context_equals
|
|
@@ -3407,7 +3845,7 @@ module Aws::KMS
|
|
|
3407
3845
|
#
|
|
3408
3846
|
#
|
|
3409
3847
|
#
|
|
3410
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
3848
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
3411
3849
|
# @return [Hash<String,String>]
|
|
3412
3850
|
#
|
|
3413
3851
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
|
|
@@ -3496,11 +3934,9 @@ module Aws::KMS
|
|
|
3496
3934
|
#
|
|
3497
3935
|
# The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
|
|
3498
3936
|
# asymmetric encryption KMS key, or asymmetric signing KMS key,
|
|
3499
|
-
# including a [multi-Region
|
|
3500
|
-
# key
|
|
3501
|
-
#
|
|
3502
|
-
# in a custom key store, or on a KMS key in a different Amazon Web
|
|
3503
|
-
# Services account.
|
|
3937
|
+
# including a [multi-Region key][1] of any supported type. You cannot
|
|
3938
|
+
# perform this operation on a KMS key in a custom key store, or on a
|
|
3939
|
+
# KMS key in a different Amazon Web Services account.
|
|
3504
3940
|
#
|
|
3505
3941
|
# Specify the key ID or key ARN of the KMS key.
|
|
3506
3942
|
#
|
|
@@ -3513,6 +3949,10 @@ module Aws::KMS
|
|
|
3513
3949
|
#
|
|
3514
3950
|
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
|
3515
3951
|
# DescribeKey.
|
|
3952
|
+
#
|
|
3953
|
+
#
|
|
3954
|
+
#
|
|
3955
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
|
3516
3956
|
# @return [String]
|
|
3517
3957
|
#
|
|
3518
3958
|
# @!attribute [rw] import_token
|
|
@@ -3564,7 +4004,53 @@ module Aws::KMS
|
|
|
3564
4004
|
#
|
|
3565
4005
|
#
|
|
3566
4006
|
#
|
|
3567
|
-
# [1]: https://docs.aws.amazon.com/
|
|
4007
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-expiration
|
|
4008
|
+
# @return [String]
|
|
4009
|
+
#
|
|
4010
|
+
# @!attribute [rw] import_type
|
|
4011
|
+
# Indicates whether the key material being imported is previously
|
|
4012
|
+
# associated with this KMS key or not. This parameter is optional and
|
|
4013
|
+
# only usable with symmetric encryption keys. If no key material has
|
|
4014
|
+
# ever been imported into the KMS key, and this parameter is omitted,
|
|
4015
|
+
# the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
|
|
4016
|
+
# material is imported, if this parameter is omitted then the
|
|
4017
|
+
# parameter defaults to `EXISTING_KEY_MATERIAL`.
|
|
4018
|
+
#
|
|
4019
|
+
# For multi-Region keys, you must first import new key material into
|
|
4020
|
+
# the primary Region key. You should use the `NEW_KEY_MATERIAL` import
|
|
4021
|
+
# type when importing key material into the primary Region key. Then,
|
|
4022
|
+
# you can import the same key material into the replica Region key.
|
|
4023
|
+
# The import type for the replica Region key should be
|
|
4024
|
+
# `EXISTING_KEY_MATERIAL`.
|
|
4025
|
+
# @return [String]
|
|
4026
|
+
#
|
|
4027
|
+
# @!attribute [rw] key_material_description
|
|
4028
|
+
# Description for the key material being imported. This parameter is
|
|
4029
|
+
# optional and only usable with symmetric encryption keys. If you do
|
|
4030
|
+
# not specify a key material description, KMS retains the value you
|
|
4031
|
+
# specified when you last imported the same key material into this KMS
|
|
4032
|
+
# key.
|
|
4033
|
+
# @return [String]
|
|
4034
|
+
#
|
|
4035
|
+
# @!attribute [rw] key_material_id
|
|
4036
|
+
# Identifies the key material being imported. This parameter is
|
|
4037
|
+
# optional and only usable with symmetric encryption keys. You cannot
|
|
4038
|
+
# specify a key material ID with `ImportType` set to
|
|
4039
|
+
# `NEW_KEY_MATERIAL`. Whenever you import key material into a
|
|
4040
|
+
# symmetric encryption key, KMS assigns a unique identifier to the key
|
|
4041
|
+
# material based on the KMS key ID and the imported key material. When
|
|
4042
|
+
# you re-import key material with a specified key material ID, KMS:
|
|
4043
|
+
#
|
|
4044
|
+
# * Computes the identifier for the key material
|
|
4045
|
+
#
|
|
4046
|
+
# * Matches the computed identifier against the specified key material
|
|
4047
|
+
# ID
|
|
4048
|
+
#
|
|
4049
|
+
# * Verifies that the key material ID is already associated with the
|
|
4050
|
+
# KMS key
|
|
4051
|
+
#
|
|
4052
|
+
# To get the list of key material IDs associated with a KMS key, use
|
|
4053
|
+
# ListKeyRotations.
|
|
3568
4054
|
# @return [String]
|
|
3569
4055
|
#
|
|
3570
4056
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
|
|
@@ -3574,14 +4060,35 @@ module Aws::KMS
|
|
|
3574
4060
|
:import_token,
|
|
3575
4061
|
:encrypted_key_material,
|
|
3576
4062
|
:valid_to,
|
|
3577
|
-
:expiration_model
|
|
4063
|
+
:expiration_model,
|
|
4064
|
+
:import_type,
|
|
4065
|
+
:key_material_description,
|
|
4066
|
+
:key_material_id)
|
|
3578
4067
|
SENSITIVE = []
|
|
3579
4068
|
include Aws::Structure
|
|
3580
4069
|
end
|
|
3581
4070
|
|
|
4071
|
+
# @!attribute [rw] key_id
|
|
4072
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key into which
|
|
4073
|
+
# key material was imported.
|
|
4074
|
+
#
|
|
4075
|
+
#
|
|
4076
|
+
#
|
|
4077
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
|
4078
|
+
# @return [String]
|
|
4079
|
+
#
|
|
4080
|
+
# @!attribute [rw] key_material_id
|
|
4081
|
+
# Identifies the imported key material.
|
|
4082
|
+
# @return [String]
|
|
4083
|
+
#
|
|
3582
4084
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialResponse AWS API Documentation
|
|
3583
4085
|
#
|
|
3584
|
-
class ImportKeyMaterialResponse <
|
|
4086
|
+
class ImportKeyMaterialResponse < Struct.new(
|
|
4087
|
+
:key_id,
|
|
4088
|
+
:key_material_id)
|
|
4089
|
+
SENSITIVE = []
|
|
4090
|
+
include Aws::Structure
|
|
4091
|
+
end
|
|
3585
4092
|
|
|
3586
4093
|
# The request was rejected because the specified KMS key cannot decrypt
|
|
3587
4094
|
# the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
|
|
@@ -3600,8 +4107,10 @@ module Aws::KMS
|
|
|
3600
4107
|
end
|
|
3601
4108
|
|
|
3602
4109
|
# The request was rejected because the key material in the request is,
|
|
3603
|
-
# expired, invalid, or
|
|
3604
|
-
# imported
|
|
4110
|
+
# expired, invalid, or does not meet expectations. For example, it is
|
|
4111
|
+
# not the same key material that was previously imported or KMS expected
|
|
4112
|
+
# new key material but the key material being imported is already
|
|
4113
|
+
# associated with the KMS key.
|
|
3605
4114
|
#
|
|
3606
4115
|
# @!attribute [rw] message
|
|
3607
4116
|
# @return [String]
|
|
@@ -3737,8 +4246,9 @@ module Aws::KMS
|
|
|
3737
4246
|
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3738
4247
|
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
|
3739
4248
|
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
|
3740
|
-
# `GENERATE_VERIFY_MAC`.
|
|
3741
|
-
#
|
|
4249
|
+
# `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
|
|
4250
|
+
# `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
|
|
4251
|
+
# key, use the DescribeKey operation.
|
|
3742
4252
|
#
|
|
3743
4253
|
# To find the encryption or signing algorithms supported for a
|
|
3744
4254
|
# particular KMS key, use the DescribeKey operation.
|
|
@@ -3907,7 +4417,7 @@ module Aws::KMS
|
|
|
3907
4417
|
#
|
|
3908
4418
|
#
|
|
3909
4419
|
#
|
|
3910
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4420
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
|
|
3911
4421
|
# @return [String]
|
|
3912
4422
|
#
|
|
3913
4423
|
# @!attribute [rw] key_state
|
|
@@ -3934,11 +4444,12 @@ module Aws::KMS
|
|
|
3934
4444
|
# @return [Time]
|
|
3935
4445
|
#
|
|
3936
4446
|
# @!attribute [rw] valid_to
|
|
3937
|
-
# The time at which
|
|
3938
|
-
#
|
|
3939
|
-
#
|
|
3940
|
-
# `Origin` is `EXTERNAL` and
|
|
3941
|
-
# `KEY_MATERIAL_EXPIRES`, otherwise this
|
|
4447
|
+
# The earliest time at which any imported key material permanently
|
|
4448
|
+
# associated with this KMS key expires. When a key material expires,
|
|
4449
|
+
# KMS deletes the key material and the KMS key becomes unusable. This
|
|
4450
|
+
# value is present only for KMS keys whose `Origin` is `EXTERNAL` and
|
|
4451
|
+
# the `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, otherwise this
|
|
4452
|
+
# value is omitted.
|
|
3942
4453
|
# @return [Time]
|
|
3943
4454
|
#
|
|
3944
4455
|
# @!attribute [rw] origin
|
|
@@ -3957,7 +4468,7 @@ module Aws::KMS
|
|
|
3957
4468
|
#
|
|
3958
4469
|
#
|
|
3959
4470
|
#
|
|
3960
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4471
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
|
3961
4472
|
# @return [String]
|
|
3962
4473
|
#
|
|
3963
4474
|
# @!attribute [rw] cloud_hsm_cluster_id
|
|
@@ -3969,7 +4480,7 @@ module Aws::KMS
|
|
|
3969
4480
|
#
|
|
3970
4481
|
#
|
|
3971
4482
|
#
|
|
3972
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4483
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
|
3973
4484
|
# @return [String]
|
|
3974
4485
|
#
|
|
3975
4486
|
# @!attribute [rw] expiration_model
|
|
@@ -4017,6 +4528,10 @@ module Aws::KMS
|
|
|
4017
4528
|
# `SIGN_VERIFY`.
|
|
4018
4529
|
# @return [Array<String>]
|
|
4019
4530
|
#
|
|
4531
|
+
# @!attribute [rw] key_agreement_algorithms
|
|
4532
|
+
# The key agreement algorithm used to derive a shared secret.
|
|
4533
|
+
# @return [Array<String>]
|
|
4534
|
+
#
|
|
4020
4535
|
# @!attribute [rw] multi_region
|
|
4021
4536
|
# Indicates whether the KMS key is a multi-Region (`True`) or regional
|
|
4022
4537
|
# (`False`) key. This value is `True` for multi-Region primary and
|
|
@@ -4088,6 +4603,15 @@ module Aws::KMS
|
|
|
4088
4603
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
|
4089
4604
|
# @return [Types::XksKeyConfigurationType]
|
|
4090
4605
|
#
|
|
4606
|
+
# @!attribute [rw] current_key_material_id
|
|
4607
|
+
# Identifies the current key material. This value is present for
|
|
4608
|
+
# symmetric encryption keys with `AWS_KMS` or `EXTERNAL` origin. These
|
|
4609
|
+
# KMS keys support automatic or on-demand key rotation and can have
|
|
4610
|
+
# multiple key materials associated with them. KMS uses the current
|
|
4611
|
+
# key material for both encryption and decryption, and the non-current
|
|
4612
|
+
# key material for decryption operations only.
|
|
4613
|
+
# @return [String]
|
|
4614
|
+
#
|
|
4091
4615
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
4092
4616
|
#
|
|
4093
4617
|
class KeyMetadata < Struct.new(
|
|
@@ -4110,11 +4634,13 @@ module Aws::KMS
|
|
|
4110
4634
|
:key_spec,
|
|
4111
4635
|
:encryption_algorithms,
|
|
4112
4636
|
:signing_algorithms,
|
|
4637
|
+
:key_agreement_algorithms,
|
|
4113
4638
|
:multi_region,
|
|
4114
4639
|
:multi_region_configuration,
|
|
4115
4640
|
:pending_deletion_window_in_days,
|
|
4116
4641
|
:mac_algorithms,
|
|
4117
|
-
:xks_key_configuration
|
|
4642
|
+
:xks_key_configuration,
|
|
4643
|
+
:current_key_material_id)
|
|
4118
4644
|
SENSITIVE = []
|
|
4119
4645
|
include Aws::Structure
|
|
4120
4646
|
end
|
|
@@ -4133,9 +4659,9 @@ module Aws::KMS
|
|
|
4133
4659
|
include Aws::Structure
|
|
4134
4660
|
end
|
|
4135
4661
|
|
|
4136
|
-
# The request was rejected because a
|
|
4137
|
-
# information, see [Quotas][1] in the *Key Management
|
|
4138
|
-
# Guide*.
|
|
4662
|
+
# The request was rejected because a length constraint or quota was
|
|
4663
|
+
# exceeded. For more information, see [Quotas][1] in the *Key Management
|
|
4664
|
+
# Service Developer Guide*.
|
|
4139
4665
|
#
|
|
4140
4666
|
#
|
|
4141
4667
|
#
|
|
@@ -4210,8 +4736,8 @@ module Aws::KMS
|
|
|
4210
4736
|
# @!attribute [rw] truncated
|
|
4211
4737
|
# A flag that indicates whether there are more items in the list. When
|
|
4212
4738
|
# this value is true, the list in this response is truncated. To get
|
|
4213
|
-
# more items, pass the value of the `NextMarker` element in
|
|
4214
|
-
#
|
|
4739
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
4740
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
4215
4741
|
# @return [Boolean]
|
|
4216
4742
|
#
|
|
4217
4743
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliasesResponse AWS API Documentation
|
|
@@ -4293,8 +4819,8 @@ module Aws::KMS
|
|
|
4293
4819
|
# @!attribute [rw] truncated
|
|
4294
4820
|
# A flag that indicates whether there are more items in the list. When
|
|
4295
4821
|
# this value is true, the list in this response is truncated. To get
|
|
4296
|
-
# more items, pass the value of the `NextMarker` element in
|
|
4297
|
-
#
|
|
4822
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
4823
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
4298
4824
|
# @return [Boolean]
|
|
4299
4825
|
#
|
|
4300
4826
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsResponse AWS API Documentation
|
|
@@ -4363,8 +4889,8 @@ module Aws::KMS
|
|
|
4363
4889
|
# @!attribute [rw] truncated
|
|
4364
4890
|
# A flag that indicates whether there are more items in the list. When
|
|
4365
4891
|
# this value is true, the list in this response is truncated. To get
|
|
4366
|
-
# more items, pass the value of the `NextMarker` element in
|
|
4367
|
-
#
|
|
4892
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
4893
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
4368
4894
|
# @return [Boolean]
|
|
4369
4895
|
#
|
|
4370
4896
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPoliciesResponse AWS API Documentation
|
|
@@ -4377,6 +4903,90 @@ module Aws::KMS
|
|
|
4377
4903
|
include Aws::Structure
|
|
4378
4904
|
end
|
|
4379
4905
|
|
|
4906
|
+
# @!attribute [rw] key_id
|
|
4907
|
+
# Gets the key rotations for the specified KMS key.
|
|
4908
|
+
#
|
|
4909
|
+
# Specify the key ID or key ARN of the KMS key.
|
|
4910
|
+
#
|
|
4911
|
+
# For example:
|
|
4912
|
+
#
|
|
4913
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
4914
|
+
#
|
|
4915
|
+
# * Key ARN:
|
|
4916
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
4917
|
+
#
|
|
4918
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
|
4919
|
+
# DescribeKey.
|
|
4920
|
+
# @return [String]
|
|
4921
|
+
#
|
|
4922
|
+
# @!attribute [rw] include_key_material
|
|
4923
|
+
# Use this optional parameter to control which key materials
|
|
4924
|
+
# associated with this key are listed in the response. The default
|
|
4925
|
+
# value of this parameter is `ROTATIONS_ONLY`. If you omit this
|
|
4926
|
+
# parameter, KMS returns information on the key materials created by
|
|
4927
|
+
# automatic or on-demand key rotation. When you specify a value of
|
|
4928
|
+
# `ALL_KEY_MATERIAL`, KMS adds the first key material and any imported
|
|
4929
|
+
# key material pending rotation to the response. This parameter can
|
|
4930
|
+
# only be used with KMS keys that support automatic or on-demand key
|
|
4931
|
+
# rotation.
|
|
4932
|
+
# @return [String]
|
|
4933
|
+
#
|
|
4934
|
+
# @!attribute [rw] limit
|
|
4935
|
+
# Use this parameter to specify the maximum number of items to return.
|
|
4936
|
+
# When this value is present, KMS does not return more than the
|
|
4937
|
+
# specified number of items, but it might return fewer.
|
|
4938
|
+
#
|
|
4939
|
+
# This value is optional. If you include a value, it must be between 1
|
|
4940
|
+
# and 1000, inclusive. If you do not include a value, it defaults to
|
|
4941
|
+
# 100.
|
|
4942
|
+
# @return [Integer]
|
|
4943
|
+
#
|
|
4944
|
+
# @!attribute [rw] marker
|
|
4945
|
+
# Use this parameter in a subsequent request after you receive a
|
|
4946
|
+
# response with truncated results. Set it to the value of `NextMarker`
|
|
4947
|
+
# from the truncated response you just received.
|
|
4948
|
+
# @return [String]
|
|
4949
|
+
#
|
|
4950
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsRequest AWS API Documentation
|
|
4951
|
+
#
|
|
4952
|
+
class ListKeyRotationsRequest < Struct.new(
|
|
4953
|
+
:key_id,
|
|
4954
|
+
:include_key_material,
|
|
4955
|
+
:limit,
|
|
4956
|
+
:marker)
|
|
4957
|
+
SENSITIVE = []
|
|
4958
|
+
include Aws::Structure
|
|
4959
|
+
end
|
|
4960
|
+
|
|
4961
|
+
# @!attribute [rw] rotations
|
|
4962
|
+
# A list of completed key material rotations. When the optional input
|
|
4963
|
+
# parameter `IncludeKeyMaterial` is specified with a value of
|
|
4964
|
+
# `ALL_KEY_MATERIAL`, this list includes the first key material and
|
|
4965
|
+
# any imported key material pending rotation.
|
|
4966
|
+
# @return [Array<Types::RotationsListEntry>]
|
|
4967
|
+
#
|
|
4968
|
+
# @!attribute [rw] next_marker
|
|
4969
|
+
# When `Truncated` is true, this element is present and contains the
|
|
4970
|
+
# value to use for the `Marker` parameter in a subsequent request.
|
|
4971
|
+
# @return [String]
|
|
4972
|
+
#
|
|
4973
|
+
# @!attribute [rw] truncated
|
|
4974
|
+
# A flag that indicates whether there are more items in the list. When
|
|
4975
|
+
# this value is true, the list in this response is truncated. To get
|
|
4976
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
4977
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
4978
|
+
# @return [Boolean]
|
|
4979
|
+
#
|
|
4980
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsResponse AWS API Documentation
|
|
4981
|
+
#
|
|
4982
|
+
class ListKeyRotationsResponse < Struct.new(
|
|
4983
|
+
:rotations,
|
|
4984
|
+
:next_marker,
|
|
4985
|
+
:truncated)
|
|
4986
|
+
SENSITIVE = []
|
|
4987
|
+
include Aws::Structure
|
|
4988
|
+
end
|
|
4989
|
+
|
|
4380
4990
|
# @!attribute [rw] limit
|
|
4381
4991
|
# Use this parameter to specify the maximum number of items to return.
|
|
4382
4992
|
# When this value is present, KMS does not return more than the
|
|
@@ -4414,8 +5024,8 @@ module Aws::KMS
|
|
|
4414
5024
|
# @!attribute [rw] truncated
|
|
4415
5025
|
# A flag that indicates whether there are more items in the list. When
|
|
4416
5026
|
# this value is true, the list in this response is truncated. To get
|
|
4417
|
-
# more items, pass the value of the `NextMarker` element in
|
|
4418
|
-
#
|
|
5027
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
5028
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
4419
5029
|
# @return [Boolean]
|
|
4420
5030
|
#
|
|
4421
5031
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeysResponse AWS API Documentation
|
|
@@ -4496,8 +5106,8 @@ module Aws::KMS
|
|
|
4496
5106
|
# @!attribute [rw] truncated
|
|
4497
5107
|
# A flag that indicates whether there are more items in the list. When
|
|
4498
5108
|
# this value is true, the list in this response is truncated. To get
|
|
4499
|
-
# more items, pass the value of the `NextMarker` element in
|
|
4500
|
-
#
|
|
5109
|
+
# more items, pass the value of the `NextMarker` element in this
|
|
5110
|
+
# response to the `Marker` parameter in a subsequent request.
|
|
4501
5111
|
# @return [Boolean]
|
|
4502
5112
|
#
|
|
4503
5113
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTagsResponse AWS API Documentation
|
|
@@ -4650,7 +5260,8 @@ module Aws::KMS
|
|
|
4650
5260
|
# @return [String]
|
|
4651
5261
|
#
|
|
4652
5262
|
# @!attribute [rw] policy_name
|
|
4653
|
-
# The name of the key policy.
|
|
5263
|
+
# The name of the key policy. If no policy name is specified, the
|
|
5264
|
+
# default value is `default`. The only valid value is `default`.
|
|
4654
5265
|
# @return [String]
|
|
4655
5266
|
#
|
|
4656
5267
|
# @!attribute [rw] policy
|
|
@@ -4674,6 +5285,18 @@ module Aws::KMS
|
|
|
4674
5285
|
# that I make are not always immediately visible][2] in the *Amazon
|
|
4675
5286
|
# Web Services Identity and Access Management User Guide*.
|
|
4676
5287
|
#
|
|
5288
|
+
# <note markdown="1"> If either of the required `Resource` or `Action` elements are
|
|
5289
|
+
# missing from a key policy statement, the policy statement has no
|
|
5290
|
+
# effect. When a key policy statement is missing one of these
|
|
5291
|
+
# elements, the KMS console correctly reports an error, but the
|
|
5292
|
+
# `PutKeyPolicy` API request succeeds, even though the policy
|
|
5293
|
+
# statement is ineffective.
|
|
5294
|
+
#
|
|
5295
|
+
# For more information on required key policy elements, see [Elements
|
|
5296
|
+
# in a key policy][3] in the *Key Management Service Developer Guide*.
|
|
5297
|
+
#
|
|
5298
|
+
# </note>
|
|
5299
|
+
#
|
|
4677
5300
|
# A key policy document can include only the following characters:
|
|
4678
5301
|
#
|
|
4679
5302
|
# * Printable ASCII characters from the space character (`\u0020`)
|
|
@@ -4685,18 +5308,24 @@ module Aws::KMS
|
|
|
4685
5308
|
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
4686
5309
|
# (`\u000D`) special characters
|
|
4687
5310
|
#
|
|
4688
|
-
#
|
|
5311
|
+
# <note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
|
|
5312
|
+
# `LimitExceededException`.
|
|
5313
|
+
#
|
|
5314
|
+
# </note>
|
|
5315
|
+
#
|
|
5316
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
4689
5317
|
# the *Key Management Service Developer Guide*.For help writing and
|
|
4690
5318
|
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
4691
|
-
# Reference][
|
|
5319
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
4692
5320
|
# Guide</i> </i>.
|
|
4693
5321
|
#
|
|
4694
5322
|
#
|
|
4695
5323
|
#
|
|
4696
5324
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
|
4697
5325
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
4698
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
|
4699
|
-
# [4]: https://docs.aws.amazon.com/
|
|
5326
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
|
|
5327
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
5328
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
4700
5329
|
# @return [String]
|
|
4701
5330
|
#
|
|
4702
5331
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -4733,6 +5362,9 @@ module Aws::KMS
|
|
|
4733
5362
|
|
|
4734
5363
|
# @!attribute [rw] ciphertext_blob
|
|
4735
5364
|
# Ciphertext of the data to reencrypt.
|
|
5365
|
+
#
|
|
5366
|
+
# This parameter is required in all cases except when `DryRun` is
|
|
5367
|
+
# `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`.
|
|
4736
5368
|
# @return [String]
|
|
4737
5369
|
#
|
|
4738
5370
|
# @!attribute [rw] source_encryption_context
|
|
@@ -4754,7 +5386,7 @@ module Aws::KMS
|
|
|
4754
5386
|
#
|
|
4755
5387
|
#
|
|
4756
5388
|
#
|
|
4757
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5389
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
4758
5390
|
# @return [Hash<String,String>]
|
|
4759
5391
|
#
|
|
4760
5392
|
# @!attribute [rw] source_key_id
|
|
@@ -4766,11 +5398,12 @@ module Aws::KMS
|
|
|
4766
5398
|
# operation throws an `IncorrectKeyException`.
|
|
4767
5399
|
#
|
|
4768
5400
|
# This parameter is required only when the ciphertext was encrypted
|
|
4769
|
-
# under an asymmetric KMS key
|
|
4770
|
-
#
|
|
4771
|
-
# symmetric
|
|
4772
|
-
#
|
|
4773
|
-
# you
|
|
5401
|
+
# under an asymmetric KMS key or when `DryRun` is `true` and
|
|
5402
|
+
# `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`. If you used a
|
|
5403
|
+
# symmetric encryption KMS key, KMS can get the KMS key from metadata
|
|
5404
|
+
# that it adds to the symmetric ciphertext blob. However, it is always
|
|
5405
|
+
# recommended as a best practice. This practice ensures that you use
|
|
5406
|
+
# the KMS key that you intend.
|
|
4774
5407
|
#
|
|
4775
5408
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4776
5409
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4844,7 +5477,7 @@ module Aws::KMS
|
|
|
4844
5477
|
#
|
|
4845
5478
|
#
|
|
4846
5479
|
#
|
|
4847
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5480
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
|
|
4848
5481
|
# @return [Hash<String,String>]
|
|
4849
5482
|
#
|
|
4850
5483
|
# @!attribute [rw] source_encryption_algorithm
|
|
@@ -4881,21 +5514,38 @@ module Aws::KMS
|
|
|
4881
5514
|
#
|
|
4882
5515
|
#
|
|
4883
5516
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
4884
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5517
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
4885
5518
|
# @return [Array<String>]
|
|
4886
5519
|
#
|
|
4887
5520
|
# @!attribute [rw] dry_run
|
|
4888
5521
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
4889
5522
|
# parameter.
|
|
4890
5523
|
#
|
|
4891
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
4892
|
-
#
|
|
5524
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
5525
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
4893
5526
|
#
|
|
4894
5527
|
#
|
|
4895
5528
|
#
|
|
4896
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5529
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
4897
5530
|
# @return [Boolean]
|
|
4898
5531
|
#
|
|
5532
|
+
# @!attribute [rw] dry_run_modifiers
|
|
5533
|
+
# Specifies the modifiers to apply to the dry run operation.
|
|
5534
|
+
# `DryRunModifiers` is an optional parameter that only applies when
|
|
5535
|
+
# `DryRun` is set to `true`.
|
|
5536
|
+
#
|
|
5537
|
+
# When set to `IGNORE_CIPHERTEXT`, KMS performs only authorization
|
|
5538
|
+
# validation without ciphertext validation. This allows you to test
|
|
5539
|
+
# permissions without requiring a valid ciphertext blob.
|
|
5540
|
+
#
|
|
5541
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
5542
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
5543
|
+
#
|
|
5544
|
+
#
|
|
5545
|
+
#
|
|
5546
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
5547
|
+
# @return [Array<String>]
|
|
5548
|
+
#
|
|
4899
5549
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
|
|
4900
5550
|
#
|
|
4901
5551
|
class ReEncryptRequest < Struct.new(
|
|
@@ -4907,7 +5557,8 @@ module Aws::KMS
|
|
|
4907
5557
|
:source_encryption_algorithm,
|
|
4908
5558
|
:destination_encryption_algorithm,
|
|
4909
5559
|
:grant_tokens,
|
|
4910
|
-
:dry_run
|
|
5560
|
+
:dry_run,
|
|
5561
|
+
:dry_run_modifiers)
|
|
4911
5562
|
SENSITIVE = []
|
|
4912
5563
|
include Aws::Structure
|
|
4913
5564
|
end
|
|
@@ -4941,6 +5592,18 @@ module Aws::KMS
|
|
|
4941
5592
|
# The encryption algorithm that was used to reencrypt the data.
|
|
4942
5593
|
# @return [String]
|
|
4943
5594
|
#
|
|
5595
|
+
# @!attribute [rw] source_key_material_id
|
|
5596
|
+
# The identifier of the key material used to originally encrypt the
|
|
5597
|
+
# data. This field is present only when the original encryption used a
|
|
5598
|
+
# symmetric encryption KMS key.
|
|
5599
|
+
# @return [String]
|
|
5600
|
+
#
|
|
5601
|
+
# @!attribute [rw] destination_key_material_id
|
|
5602
|
+
# The identifier of the key material used to reencrypt the data. This
|
|
5603
|
+
# field is present only when data is reencrypted using a symmetric
|
|
5604
|
+
# encryption KMS key.
|
|
5605
|
+
# @return [String]
|
|
5606
|
+
#
|
|
4944
5607
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
|
|
4945
5608
|
#
|
|
4946
5609
|
class ReEncryptResponse < Struct.new(
|
|
@@ -4948,7 +5611,9 @@ module Aws::KMS
|
|
|
4948
5611
|
:source_key_id,
|
|
4949
5612
|
:key_id,
|
|
4950
5613
|
:source_encryption_algorithm,
|
|
4951
|
-
:destination_encryption_algorithm
|
|
5614
|
+
:destination_encryption_algorithm,
|
|
5615
|
+
:source_key_material_id,
|
|
5616
|
+
:destination_key_material_id)
|
|
4952
5617
|
SENSITIVE = []
|
|
4953
5618
|
include Aws::Structure
|
|
4954
5619
|
end
|
|
@@ -4957,24 +5622,26 @@ module Aws::KMS
|
|
|
4957
5622
|
# the API operation.
|
|
4958
5623
|
#
|
|
4959
5624
|
# This data type is designed to support Amazon Web Services Nitro
|
|
4960
|
-
# Enclaves, which lets you create an
|
|
4961
|
-
# Amazon EC2. For information about the
|
|
4962
|
-
#
|
|
4963
|
-
#
|
|
5625
|
+
# Enclaves and Amazon Web Services NitroTPM, which lets you create an
|
|
5626
|
+
# attested environment in Amazon EC2. For information about the
|
|
5627
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves or
|
|
5628
|
+
# Amazon Web Services NitroTPM, see [Cryptographic attestation support
|
|
5629
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
|
4964
5630
|
#
|
|
4965
5631
|
#
|
|
4966
5632
|
#
|
|
4967
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5633
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
|
|
4968
5634
|
#
|
|
4969
5635
|
# @!attribute [rw] key_encryption_algorithm
|
|
4970
5636
|
# The encryption algorithm that KMS should use with the public key for
|
|
4971
|
-
# an Amazon Web Services Nitro Enclave to encrypt
|
|
4972
|
-
# the response. The only valid value is
|
|
5637
|
+
# an Amazon Web Services Nitro Enclave or NitroTPM to encrypt
|
|
5638
|
+
# plaintext values for the response. The only valid value is
|
|
5639
|
+
# `RSAES_OAEP_SHA_256`.
|
|
4973
5640
|
# @return [String]
|
|
4974
5641
|
#
|
|
4975
5642
|
# @!attribute [rw] attestation_document
|
|
4976
|
-
# The attestation document for an Amazon Web Services Nitro Enclave
|
|
4977
|
-
# This document includes the enclave's public key.
|
|
5643
|
+
# The attestation document for an Amazon Web Services Nitro Enclave or
|
|
5644
|
+
# a NitroTPM. This document includes the enclave's public key.
|
|
4978
5645
|
# @return [String]
|
|
4979
5646
|
#
|
|
4980
5647
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
|
|
@@ -5014,33 +5681,23 @@ module Aws::KMS
|
|
|
5014
5681
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
|
5015
5682
|
# Reference*.
|
|
5016
5683
|
#
|
|
5017
|
-
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
5018
|
-
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
|
5019
|
-
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
|
5020
|
-
# operation returns an `UnsupportedOperationException`. For a list of
|
|
5021
|
-
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
5022
|
-
# KMS][2] in the *Key Management Service Developer Guide*.
|
|
5023
|
-
#
|
|
5024
|
-
# </note>
|
|
5025
|
-
#
|
|
5026
5684
|
# The replica must be in a different Amazon Web Services Region than
|
|
5027
5685
|
# its primary key and other replicas of that primary key, but in the
|
|
5028
5686
|
# same Amazon Web Services partition. KMS must be available in the
|
|
5029
5687
|
# replica Region. If the Region is not enabled by default, the Amazon
|
|
5030
5688
|
# Web Services account must be enabled in the Region. For information
|
|
5031
5689
|
# about Amazon Web Services partitions, see [Amazon Resource Names
|
|
5032
|
-
# (ARNs)][
|
|
5690
|
+
# (ARNs)][2] in the *Amazon Web Services General Reference*. For
|
|
5033
5691
|
# information about enabling and disabling Regions, see [Enabling a
|
|
5034
|
-
# Region][
|
|
5692
|
+
# Region][3] and [Disabling a Region][4] in the *Amazon Web Services
|
|
5035
5693
|
# General Reference*.
|
|
5036
5694
|
#
|
|
5037
5695
|
#
|
|
5038
5696
|
#
|
|
5039
5697
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
|
5040
|
-
# [2]: https://docs.aws.amazon.com/
|
|
5041
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
|
5042
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
|
5043
|
-
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
5698
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
5699
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
|
5700
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
5044
5701
|
# @return [String]
|
|
5045
5702
|
#
|
|
5046
5703
|
# @!attribute [rw] policy
|
|
@@ -5090,7 +5747,7 @@ module Aws::KMS
|
|
|
5090
5747
|
#
|
|
5091
5748
|
#
|
|
5092
5749
|
#
|
|
5093
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
|
5750
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
|
|
5094
5751
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
|
5095
5752
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
5096
5753
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
@@ -5163,7 +5820,7 @@ module Aws::KMS
|
|
|
5163
5820
|
# When you add tags to an Amazon Web Services resource, Amazon Web
|
|
5164
5821
|
# Services generates a cost allocation report with usage and costs
|
|
5165
5822
|
# aggregated by tags. Tags can also be used to control access to a KMS
|
|
5166
|
-
# key. For details, see [
|
|
5823
|
+
# key. For details, see [Tags in KMS][3].
|
|
5167
5824
|
#
|
|
5168
5825
|
#
|
|
5169
5826
|
#
|
|
@@ -5254,12 +5911,12 @@ module Aws::KMS
|
|
|
5254
5911
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
5255
5912
|
# parameter.
|
|
5256
5913
|
#
|
|
5257
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
5258
|
-
#
|
|
5914
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
5915
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
5259
5916
|
#
|
|
5260
5917
|
#
|
|
5261
5918
|
#
|
|
5262
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5919
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
5263
5920
|
# @return [Boolean]
|
|
5264
5921
|
#
|
|
5265
5922
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
|
|
@@ -5302,12 +5959,12 @@ module Aws::KMS
|
|
|
5302
5959
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
5303
5960
|
# parameter.
|
|
5304
5961
|
#
|
|
5305
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
5306
|
-
#
|
|
5962
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
5963
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
5307
5964
|
#
|
|
5308
5965
|
#
|
|
5309
5966
|
#
|
|
5310
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5967
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
5311
5968
|
# @return [Boolean]
|
|
5312
5969
|
#
|
|
5313
5970
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
|
|
@@ -5320,6 +5977,153 @@ module Aws::KMS
|
|
|
5320
5977
|
include Aws::Structure
|
|
5321
5978
|
end
|
|
5322
5979
|
|
|
5980
|
+
# @!attribute [rw] key_id
|
|
5981
|
+
# Identifies a symmetric encryption KMS key. You cannot perform
|
|
5982
|
+
# on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
|
5983
|
+
# multi-Region KMS keys with [imported key material][3], or KMS keys
|
|
5984
|
+
# in a [custom key store][4]. To perform on-demand rotation of a set
|
|
5985
|
+
# of related [multi-Region keys][5], invoke the on-demand rotation on
|
|
5986
|
+
# the primary key.
|
|
5987
|
+
#
|
|
5988
|
+
# Specify the key ID or key ARN of the KMS key.
|
|
5989
|
+
#
|
|
5990
|
+
# For example:
|
|
5991
|
+
#
|
|
5992
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
5993
|
+
#
|
|
5994
|
+
# * Key ARN:
|
|
5995
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
5996
|
+
#
|
|
5997
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
|
5998
|
+
# DescribeKey.
|
|
5999
|
+
#
|
|
6000
|
+
#
|
|
6001
|
+
#
|
|
6002
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
6003
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
6004
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
6005
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
|
|
6006
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
|
|
6007
|
+
# @return [String]
|
|
6008
|
+
#
|
|
6009
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandRequest AWS API Documentation
|
|
6010
|
+
#
|
|
6011
|
+
class RotateKeyOnDemandRequest < Struct.new(
|
|
6012
|
+
:key_id)
|
|
6013
|
+
SENSITIVE = []
|
|
6014
|
+
include Aws::Structure
|
|
6015
|
+
end
|
|
6016
|
+
|
|
6017
|
+
# @!attribute [rw] key_id
|
|
6018
|
+
# Identifies the symmetric encryption KMS key that you initiated
|
|
6019
|
+
# on-demand rotation on.
|
|
6020
|
+
# @return [String]
|
|
6021
|
+
#
|
|
6022
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandResponse AWS API Documentation
|
|
6023
|
+
#
|
|
6024
|
+
class RotateKeyOnDemandResponse < Struct.new(
|
|
6025
|
+
:key_id)
|
|
6026
|
+
SENSITIVE = []
|
|
6027
|
+
include Aws::Structure
|
|
6028
|
+
end
|
|
6029
|
+
|
|
6030
|
+
# Each entry contains information about one of the key materials
|
|
6031
|
+
# associated with a KMS key.
|
|
6032
|
+
#
|
|
6033
|
+
# @!attribute [rw] key_id
|
|
6034
|
+
# Unique identifier of the key.
|
|
6035
|
+
# @return [String]
|
|
6036
|
+
#
|
|
6037
|
+
# @!attribute [rw] key_material_id
|
|
6038
|
+
# Unique identifier of the key material.
|
|
6039
|
+
# @return [String]
|
|
6040
|
+
#
|
|
6041
|
+
# @!attribute [rw] key_material_description
|
|
6042
|
+
# User-specified description of the key material. This field is only
|
|
6043
|
+
# present for symmetric encryption KMS keys with `EXTERNAL` origin.
|
|
6044
|
+
# @return [String]
|
|
6045
|
+
#
|
|
6046
|
+
# @!attribute [rw] import_state
|
|
6047
|
+
# Indicates if the key material is currently imported into KMS. It has
|
|
6048
|
+
# two possible values: `IMPORTED` or `PENDING_IMPORT`. This field is
|
|
6049
|
+
# only present for symmetric encryption KMS keys with `EXTERNAL`
|
|
6050
|
+
# origin.
|
|
6051
|
+
# @return [String]
|
|
6052
|
+
#
|
|
6053
|
+
# @!attribute [rw] key_material_state
|
|
6054
|
+
# There are four possible values for this field: `CURRENT`,
|
|
6055
|
+
# `NON_CURRENT`, `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
|
|
6056
|
+
# `PENDING_ROTATION`. KMS uses `CURRENT` key material for both
|
|
6057
|
+
# encryption and decryption and `NON_CURRENT` key material only for
|
|
6058
|
+
# decryption. `PENDING_ROTATION` identifies key material that has been
|
|
6059
|
+
# imported for on-demand key rotation but the rotation hasn't
|
|
6060
|
+
# completed. The key material state
|
|
6061
|
+
# `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` is unique to
|
|
6062
|
+
# multi-region, symmetric encryption keys with imported key material.
|
|
6063
|
+
# It indicates key material that has been imported into the primary
|
|
6064
|
+
# Region key but not all of the replica Region keys. When this key
|
|
6065
|
+
# material is imported in to all of the replica Region keys, the key
|
|
6066
|
+
# material state will change to `PENDING_ROTATION`. Key material in
|
|
6067
|
+
# `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` or `PENDING_ROTATION`
|
|
6068
|
+
# state is not permanently associated with the KMS key. You can delete
|
|
6069
|
+
# this key material and import different key material in its place.
|
|
6070
|
+
# The `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
|
|
6071
|
+
# `PENDING_ROTATION` values are only used in symmetric encryption keys
|
|
6072
|
+
# with imported key material. The other values, `CURRENT` and
|
|
6073
|
+
# `NON_CURRENT`, are used for all KMS keys that support automatic or
|
|
6074
|
+
# on-demand key rotation.
|
|
6075
|
+
# @return [String]
|
|
6076
|
+
#
|
|
6077
|
+
# @!attribute [rw] expiration_model
|
|
6078
|
+
# Indicates if the key material is configured to automatically expire.
|
|
6079
|
+
# There are two possible values for this field: `KEY_MATERIAL_EXPIRES`
|
|
6080
|
+
# and `KEY_MATERIAL_DOES_NOT_EXPIRE`. For any key material that
|
|
6081
|
+
# expires, the expiration date and time is indicated in `ValidTo`.
|
|
6082
|
+
# This field is only present for symmetric encryption KMS keys with
|
|
6083
|
+
# `EXTERNAL` origin.
|
|
6084
|
+
# @return [String]
|
|
6085
|
+
#
|
|
6086
|
+
# @!attribute [rw] valid_to
|
|
6087
|
+
# Date and time at which the key material expires. This field is only
|
|
6088
|
+
# present for symmetric encryption KMS keys with `EXTERNAL` origin in
|
|
6089
|
+
# rotation list entries with an `ExpirationModel` value of
|
|
6090
|
+
# `KEY_MATERIAL_EXPIRES`.
|
|
6091
|
+
# @return [Time]
|
|
6092
|
+
#
|
|
6093
|
+
# @!attribute [rw] rotation_date
|
|
6094
|
+
# Date and time that the key material rotation completed. Formatted as
|
|
6095
|
+
# Unix time. This field is not present for the first key material or
|
|
6096
|
+
# an imported key material in `PENDING_ROTATION` state.
|
|
6097
|
+
# @return [Time]
|
|
6098
|
+
#
|
|
6099
|
+
# @!attribute [rw] rotation_type
|
|
6100
|
+
# Identifies whether the key material rotation was a scheduled
|
|
6101
|
+
# [automatic rotation][1] or an [on-demand rotation][2]. This field is
|
|
6102
|
+
# not present for the first key material or an imported key material
|
|
6103
|
+
# in `PENDING_ROTATION` state.
|
|
6104
|
+
#
|
|
6105
|
+
#
|
|
6106
|
+
#
|
|
6107
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-enable-disable.html
|
|
6108
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-on-demand.html
|
|
6109
|
+
# @return [String]
|
|
6110
|
+
#
|
|
6111
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotationsListEntry AWS API Documentation
|
|
6112
|
+
#
|
|
6113
|
+
class RotationsListEntry < Struct.new(
|
|
6114
|
+
:key_id,
|
|
6115
|
+
:key_material_id,
|
|
6116
|
+
:key_material_description,
|
|
6117
|
+
:import_state,
|
|
6118
|
+
:key_material_state,
|
|
6119
|
+
:expiration_model,
|
|
6120
|
+
:valid_to,
|
|
6121
|
+
:rotation_date,
|
|
6122
|
+
:rotation_type)
|
|
6123
|
+
SENSITIVE = []
|
|
6124
|
+
include Aws::Structure
|
|
6125
|
+
end
|
|
6126
|
+
|
|
5323
6127
|
# @!attribute [rw] key_id
|
|
5324
6128
|
# The unique identifier of the KMS key to delete.
|
|
5325
6129
|
#
|
|
@@ -5451,27 +6255,41 @@ module Aws::KMS
|
|
|
5451
6255
|
# Tells KMS whether the value of the `Message` parameter should be
|
|
5452
6256
|
# hashed as part of the signing algorithm. Use `RAW` for unhashed
|
|
5453
6257
|
# messages; use `DIGEST` for message digests, which are already
|
|
5454
|
-
# hashed
|
|
6258
|
+
# hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
|
|
6259
|
+
# ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
|
|
5455
6260
|
#
|
|
5456
6261
|
# When the value of `MessageType` is `RAW`, KMS uses the standard
|
|
5457
6262
|
# signing algorithm, which begins with a hash function. When the value
|
|
5458
6263
|
# is `DIGEST`, KMS skips the hashing step in the signing algorithm.
|
|
6264
|
+
# When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
|
|
6265
|
+
# of the public key hash and the message done in the ML-DSA signing
|
|
6266
|
+
# algorithm.
|
|
6267
|
+
#
|
|
6268
|
+
# Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
|
|
6269
|
+
# `Message` parameter is a message digest. If you use the `DIGEST`
|
|
6270
|
+
# value with an unhashed message, the security of the signing
|
|
6271
|
+
# operation can be compromised.
|
|
6272
|
+
#
|
|
6273
|
+
# When using ECC\_NIST\_EDWARDS25519 KMS keys:
|
|
6274
|
+
#
|
|
6275
|
+
# * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
|
|
5459
6276
|
#
|
|
5460
|
-
#
|
|
5461
|
-
#
|
|
5462
|
-
# unhashed message, the security of the signing operation can be
|
|
5463
|
-
# compromised.
|
|
6277
|
+
# * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
|
|
6278
|
+
# `MessageType:DIGEST`
|
|
5464
6279
|
#
|
|
5465
|
-
# When the value of `MessageType`is `DIGEST`, the length of the
|
|
6280
|
+
# When the value of `MessageType` is `DIGEST`, the length of the
|
|
5466
6281
|
# `Message` value must match the length of hashed messages for the
|
|
5467
6282
|
# specified signing algorithm.
|
|
5468
6283
|
#
|
|
6284
|
+
# When the value of `MessageType` is `EXTERNAL_MU` the length of the
|
|
6285
|
+
# `Message` value must be 64 bytes.
|
|
6286
|
+
#
|
|
5469
6287
|
# You can submit a message digest and omit the `MessageType` or
|
|
5470
6288
|
# specify `RAW` so the digest is hashed again while signing. However,
|
|
5471
6289
|
# this can cause verification failures when verifying with a system
|
|
5472
6290
|
# that assumes a single hash.
|
|
5473
6291
|
#
|
|
5474
|
-
# The hashing algorithm
|
|
6292
|
+
# The hashing algorithm that `Sign` uses is based on the
|
|
5475
6293
|
# `SigningAlgorithm` value.
|
|
5476
6294
|
#
|
|
5477
6295
|
# * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
|
|
@@ -5483,12 +6301,15 @@ module Aws::KMS
|
|
|
5483
6301
|
# * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
|
|
5484
6302
|
# algorithm.
|
|
5485
6303
|
#
|
|
6304
|
+
# * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
|
|
6305
|
+
# hashing algorithm.
|
|
6306
|
+
#
|
|
5486
6307
|
# * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
|
|
5487
6308
|
# verification with SM2 key pairs][1].
|
|
5488
6309
|
#
|
|
5489
6310
|
#
|
|
5490
6311
|
#
|
|
5491
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
6312
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
|
|
5492
6313
|
# @return [String]
|
|
5493
6314
|
#
|
|
5494
6315
|
# @!attribute [rw] grant_tokens
|
|
@@ -5502,7 +6323,7 @@ module Aws::KMS
|
|
|
5502
6323
|
#
|
|
5503
6324
|
#
|
|
5504
6325
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
5505
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
6326
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
5506
6327
|
# @return [Array<String>]
|
|
5507
6328
|
#
|
|
5508
6329
|
# @!attribute [rw] signing_algorithm
|
|
@@ -5518,12 +6339,12 @@ module Aws::KMS
|
|
|
5518
6339
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
5519
6340
|
# parameter.
|
|
5520
6341
|
#
|
|
5521
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
5522
|
-
#
|
|
6342
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
6343
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
5523
6344
|
#
|
|
5524
6345
|
#
|
|
5525
6346
|
#
|
|
5526
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
6347
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
5527
6348
|
# @return [Boolean]
|
|
5528
6349
|
#
|
|
5529
6350
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
|
|
@@ -5748,8 +6569,8 @@ module Aws::KMS
|
|
|
5748
6569
|
#
|
|
5749
6570
|
#
|
|
5750
6571
|
#
|
|
5751
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-
|
|
5752
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-
|
|
6572
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key
|
|
6573
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
|
|
5753
6574
|
# @return [String]
|
|
5754
6575
|
#
|
|
5755
6576
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAliasRequest AWS API Documentation
|
|
@@ -5863,6 +6684,16 @@ module Aws::KMS
|
|
|
5863
6684
|
# To change this value, the external key store must be disconnected.
|
|
5864
6685
|
# @return [String]
|
|
5865
6686
|
#
|
|
6687
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
|
|
6688
|
+
# Changes the Amazon Web Services account ID that KMS uses to identify
|
|
6689
|
+
# the Amazon VPC endpoint service for your external key store proxy
|
|
6690
|
+
# (XKS proxy). This parameter is optional. If not specified, the
|
|
6691
|
+
# current Amazon Web Services account ID for the VPC endpoint service
|
|
6692
|
+
# will not be updated.
|
|
6693
|
+
#
|
|
6694
|
+
# To change this value, the external key store must be disconnected.
|
|
6695
|
+
# @return [String]
|
|
6696
|
+
#
|
|
5866
6697
|
# @!attribute [rw] xks_proxy_authentication_credential
|
|
5867
6698
|
# Changes the credentials that KMS uses to sign requests to the
|
|
5868
6699
|
# external key store proxy (XKS proxy). This parameter is valid only
|
|
@@ -5910,6 +6741,7 @@ module Aws::KMS
|
|
|
5910
6741
|
:xks_proxy_uri_endpoint,
|
|
5911
6742
|
:xks_proxy_uri_path,
|
|
5912
6743
|
:xks_proxy_vpc_endpoint_service_name,
|
|
6744
|
+
:xks_proxy_vpc_endpoint_service_owner,
|
|
5913
6745
|
:xks_proxy_authentication_credential,
|
|
5914
6746
|
:xks_proxy_connectivity)
|
|
5915
6747
|
SENSITIVE = [:key_store_password]
|
|
@@ -6028,19 +6860,19 @@ module Aws::KMS
|
|
|
6028
6860
|
#
|
|
6029
6861
|
#
|
|
6030
6862
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
6031
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
6863
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
6032
6864
|
# @return [Array<String>]
|
|
6033
6865
|
#
|
|
6034
6866
|
# @!attribute [rw] dry_run
|
|
6035
6867
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
6036
6868
|
# parameter.
|
|
6037
6869
|
#
|
|
6038
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
6039
|
-
#
|
|
6870
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
6871
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
6040
6872
|
#
|
|
6041
6873
|
#
|
|
6042
6874
|
#
|
|
6043
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
6875
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
6044
6876
|
# @return [Boolean]
|
|
6045
6877
|
#
|
|
6046
6878
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
|
@@ -6124,28 +6956,42 @@ module Aws::KMS
|
|
|
6124
6956
|
# Tells KMS whether the value of the `Message` parameter should be
|
|
6125
6957
|
# hashed as part of the signing algorithm. Use `RAW` for unhashed
|
|
6126
6958
|
# messages; use `DIGEST` for message digests, which are already
|
|
6127
|
-
# hashed
|
|
6959
|
+
# hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
|
|
6960
|
+
# ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
|
|
6128
6961
|
#
|
|
6129
6962
|
# When the value of `MessageType` is `RAW`, KMS uses the standard
|
|
6130
6963
|
# signing algorithm, which begins with a hash function. When the value
|
|
6131
6964
|
# is `DIGEST`, KMS skips the hashing step in the signing algorithm.
|
|
6965
|
+
# When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
|
|
6966
|
+
# of the public key hash and the message done in the ML-DSA signing
|
|
6967
|
+
# algorithm.
|
|
6968
|
+
#
|
|
6969
|
+
# Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
|
|
6970
|
+
# `Message` parameter is a message digest. If you use the `DIGEST`
|
|
6971
|
+
# value with an unhashed message, the security of the signing
|
|
6972
|
+
# operation can be compromised.
|
|
6132
6973
|
#
|
|
6133
|
-
#
|
|
6134
|
-
# parameter is a message digest. If you use the `DIGEST` value with an
|
|
6135
|
-
# unhashed message, the security of the verification operation can be
|
|
6136
|
-
# compromised.
|
|
6974
|
+
# When using ECC\_NIST\_EDWARDS25519 KMS keys:
|
|
6137
6975
|
#
|
|
6138
|
-
#
|
|
6976
|
+
# * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
|
|
6977
|
+
#
|
|
6978
|
+
# * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
|
|
6979
|
+
# `MessageType:DIGEST`
|
|
6980
|
+
#
|
|
6981
|
+
# When the value of `MessageType` is `DIGEST`, the length of the
|
|
6139
6982
|
# `Message` value must match the length of hashed messages for the
|
|
6140
6983
|
# specified signing algorithm.
|
|
6141
6984
|
#
|
|
6985
|
+
# When the value of `MessageType` is `EXTERNAL_MU` the length of the
|
|
6986
|
+
# `Message` value must be 64 bytes.
|
|
6987
|
+
#
|
|
6142
6988
|
# You can submit a message digest and omit the `MessageType` or
|
|
6143
6989
|
# specify `RAW` so the digest is hashed again while signing. However,
|
|
6144
6990
|
# if the signed message is hashed once while signing, but twice while
|
|
6145
6991
|
# verifying, verification fails, even when the message hasn't
|
|
6146
6992
|
# changed.
|
|
6147
6993
|
#
|
|
6148
|
-
# The hashing algorithm
|
|
6994
|
+
# The hashing algorithm that `Verify` uses is based on the
|
|
6149
6995
|
# `SigningAlgorithm` value.
|
|
6150
6996
|
#
|
|
6151
6997
|
# * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
|
|
@@ -6157,12 +7003,15 @@ module Aws::KMS
|
|
|
6157
7003
|
# * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
|
|
6158
7004
|
# algorithm.
|
|
6159
7005
|
#
|
|
7006
|
+
# * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
|
|
7007
|
+
# hashing algorithm.
|
|
7008
|
+
#
|
|
6160
7009
|
# * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
|
|
6161
7010
|
# verification with SM2 key pairs][1].
|
|
6162
7011
|
#
|
|
6163
7012
|
#
|
|
6164
7013
|
#
|
|
6165
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
7014
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
|
|
6166
7015
|
# @return [String]
|
|
6167
7016
|
#
|
|
6168
7017
|
# @!attribute [rw] signature
|
|
@@ -6185,19 +7034,19 @@ module Aws::KMS
|
|
|
6185
7034
|
#
|
|
6186
7035
|
#
|
|
6187
7036
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
6188
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
7037
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
|
6189
7038
|
# @return [Array<String>]
|
|
6190
7039
|
#
|
|
6191
7040
|
# @!attribute [rw] dry_run
|
|
6192
7041
|
# Checks if your request will succeed. `DryRun` is an optional
|
|
6193
7042
|
# parameter.
|
|
6194
7043
|
#
|
|
6195
|
-
# To learn more about how to use this parameter, see [Testing your
|
|
6196
|
-
#
|
|
7044
|
+
# To learn more about how to use this parameter, see [Testing your
|
|
7045
|
+
# permissions][1] in the *Key Management Service Developer Guide*.
|
|
6197
7046
|
#
|
|
6198
7047
|
#
|
|
6199
7048
|
#
|
|
6200
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
7049
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
|
|
6201
7050
|
# @return [Boolean]
|
|
6202
7051
|
#
|
|
6203
7052
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
|
|
@@ -6398,6 +7247,13 @@ module Aws::KMS
|
|
|
6398
7247
|
# with KMS.
|
|
6399
7248
|
# @return [String]
|
|
6400
7249
|
#
|
|
7250
|
+
# @!attribute [rw] vpc_endpoint_service_owner
|
|
7251
|
+
# The Amazon Web Services account ID that owns the Amazon VPC endpoint
|
|
7252
|
+
# service used to communicate with the external key store proxy (XKS).
|
|
7253
|
+
# This field appears only when the XKS uses an VPC endpoint service to
|
|
7254
|
+
# communicate with KMS.
|
|
7255
|
+
# @return [String]
|
|
7256
|
+
#
|
|
6401
7257
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
|
|
6402
7258
|
#
|
|
6403
7259
|
class XksProxyConfigurationType < Struct.new(
|
|
@@ -6405,7 +7261,8 @@ module Aws::KMS
|
|
|
6405
7261
|
:access_key_id,
|
|
6406
7262
|
:uri_endpoint,
|
|
6407
7263
|
:uri_path,
|
|
6408
|
-
:vpc_endpoint_service_name
|
|
7264
|
+
:vpc_endpoint_service_name,
|
|
7265
|
+
:vpc_endpoint_service_owner)
|
|
6409
7266
|
SENSITIVE = [:access_key_id]
|
|
6410
7267
|
include Aws::Structure
|
|
6411
7268
|
end
|
|
@@ -6567,3 +7424,4 @@ module Aws::KMS
|
|
|
6567
7424
|
|
|
6568
7425
|
end
|
|
6569
7426
|
end
|
|
7427
|
+
|