aws-sdk-kms 1.76.0 → 1.122.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -242,6 +242,21 @@ module Aws::KMS
242
242
  include Aws::Structure
243
243
  end
244
244
 
245
+ # The request was rejected because an automatic rotation of this key is
246
+ # currently in progress or scheduled to begin within the next 20
247
+ # minutes.
248
+ #
249
+ # @!attribute [rw] message
250
+ # @return [String]
251
+ #
252
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConflictException AWS API Documentation
253
+ #
254
+ class ConflictException < Struct.new(
255
+ :message)
256
+ SENSITIVE = []
257
+ include Aws::Structure
258
+ end
259
+
245
260
  # @!attribute [rw] custom_key_store_id
246
261
  # Enter the key store ID of the custom key store that you want to
247
262
  # connect. To find the ID of a custom key store, use the
@@ -276,7 +291,7 @@ module Aws::KMS
276
291
  #
277
292
  #
278
293
  #
279
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
294
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
280
295
  # @return [String]
281
296
  #
282
297
  # @!attribute [rw] target_key_id
@@ -286,7 +301,7 @@ module Aws::KMS
286
301
  # A valid key ID is required. If you supply a null or empty string
287
302
  # value, this operation returns an error.
288
303
  #
289
- # For help finding the key ID and ARN, see [Finding the Key ID and
304
+ # For help finding the key ID and ARN, see [Find the key ID and key
290
305
  # ARN][2] in the <i> <i>Key Management Service Developer Guide</i>
291
306
  # </i>.
292
307
  #
@@ -304,8 +319,8 @@ module Aws::KMS
304
319
  #
305
320
  #
306
321
  #
307
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
308
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
322
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key
323
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html
309
324
  # @return [String]
310
325
  #
311
326
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAliasRequest AWS API Documentation
@@ -372,7 +387,7 @@ module Aws::KMS
372
387
  #
373
388
  #
374
389
  #
375
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
390
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html#concept-kmsuser
376
391
  # @return [String]
377
392
  #
378
393
  # @!attribute [rw] custom_key_store_type
@@ -470,6 +485,14 @@ module Aws::KMS
470
485
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
471
486
  # @return [String]
472
487
  #
488
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
489
+ # Specifies the Amazon Web Services account ID that owns the Amazon
490
+ # VPC service endpoint for the interface that is used to communicate
491
+ # with your external key store proxy (XKS proxy). This parameter is
492
+ # optional. If not provided, the Amazon Web Services account ID
493
+ # calling the action will be used.
494
+ # @return [String]
495
+ #
473
496
  # @!attribute [rw] xks_proxy_authentication_credential
474
497
  # Specifies an authentication credential for the external key store
475
498
  # proxy (XKS proxy). This parameter is required for all custom key
@@ -479,7 +502,7 @@ module Aws::KMS
479
502
  # `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
480
503
  # identifier for the `RawSecretAccessKey`. For character requirements,
481
504
  # see
482
- # [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
505
+ # [XksProxyAuthenticationCredentialType](API_XksProxyAuthenticationCredentialType.html).
483
506
  #
484
507
  # KMS uses this authentication credential to sign requests to the
485
508
  # external key store proxy on your behalf. This credential is
@@ -520,7 +543,7 @@ module Aws::KMS
520
543
  #
521
544
  #
522
545
  #
523
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
546
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/choose-xks-connectivity.html
524
547
  # @return [String]
525
548
  #
526
549
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
@@ -534,6 +557,7 @@ module Aws::KMS
534
557
  :xks_proxy_uri_endpoint,
535
558
  :xks_proxy_uri_path,
536
559
  :xks_proxy_vpc_endpoint_service_name,
560
+ :xks_proxy_vpc_endpoint_service_owner,
537
561
  :xks_proxy_authentication_credential,
538
562
  :xks_proxy_connectivity)
539
563
  SENSITIVE = [:key_store_password]
@@ -606,7 +630,7 @@ module Aws::KMS
606
630
  #
607
631
  # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
608
632
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
609
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
633
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-delete.html
610
634
  # @return [String]
611
635
  #
612
636
  # @!attribute [rw] operations
@@ -679,7 +703,7 @@ module Aws::KMS
679
703
  #
680
704
  #
681
705
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
682
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
706
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
683
707
  # @return [Array<String>]
684
708
  #
685
709
  # @!attribute [rw] name
@@ -707,12 +731,12 @@ module Aws::KMS
707
731
  # Checks if your request will succeed. `DryRun` is an optional
708
732
  # parameter.
709
733
  #
710
- # To learn more about how to use this parameter, see [Testing your KMS
711
- # API calls][1] in the *Key Management Service Developer Guide*.
734
+ # To learn more about how to use this parameter, see [Testing your
735
+ # permissions][1] in the *Key Management Service Developer Guide*.
712
736
  #
713
737
  #
714
738
  #
715
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
739
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
716
740
  # @return [Boolean]
717
741
  #
718
742
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
@@ -741,7 +765,7 @@ module Aws::KMS
741
765
  #
742
766
  #
743
767
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
744
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
768
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
745
769
  # @return [String]
746
770
  #
747
771
  # @!attribute [rw] grant_id
@@ -781,22 +805,38 @@ module Aws::KMS
781
805
  # that I make are not always immediately visible][2] in the *Amazon
782
806
  # Web Services Identity and Access Management User Guide*.
783
807
  #
808
+ # <note markdown="1"> If either of the required `Resource` or `Action` elements are
809
+ # missing from a key policy statement, the policy statement has no
810
+ # effect. When a key policy statement is missing one of these
811
+ # elements, the KMS console correctly reports an error, but the
812
+ # `CreateKey` and `PutKeyPolicy` API requests succeed, even though the
813
+ # policy statement is ineffective.
814
+ #
815
+ # For more information on required key policy elements, see [Elements
816
+ # in a key policy][3] in the *Key Management Service Developer Guide*.
817
+ #
818
+ # </note>
819
+ #
784
820
  # If you do not provide a key policy, KMS attaches a default key
785
821
  # policy to the KMS key. For more information, see [Default key
786
- # policy][3] in the *Key Management Service Developer Guide*.
822
+ # policy][4] in the *Key Management Service Developer Guide*.
823
+ #
824
+ # <note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
825
+ # `LimitExceededException`.
787
826
  #
788
- # The key policy size quota is 32 kilobytes (32768 bytes).
827
+ # </note>
789
828
  #
790
829
  # For help writing and formatting a JSON policy document, see the [IAM
791
- # JSON Policy Reference][4] in the <i> <i>Identity and Access
830
+ # JSON Policy Reference][5] in the <i> <i>Identity and Access
792
831
  # Management User Guide</i> </i>.
793
832
  #
794
833
  #
795
834
  #
796
835
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
797
836
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
798
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
799
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
837
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
838
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
839
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
800
840
  # @return [String]
801
841
  #
802
842
  # @!attribute [rw] description
@@ -816,8 +856,11 @@ module Aws::KMS
816
856
  # Determines the [cryptographic operations][1] for which you can use
817
857
  # the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
818
858
  # is optional when you are creating a symmetric encryption KMS key;
819
- # otherwise, it is required. You can't change the `KeyUsage` value
820
- # after the KMS key is created.
859
+ # otherwise, it is required. You can't change the [ `KeyUsage` ][2]
860
+ # value after the KMS key is created. Each KMS key can have only one
861
+ # key usage. This follows key usage best practices according to [NIST
862
+ # SP 800-57 Recommendations for Key Management][3], section 5.2, Key
863
+ # usage.
821
864
  #
822
865
  # Select only one valid value.
823
866
  #
@@ -826,18 +869,26 @@ module Aws::KMS
826
869
  #
827
870
  # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
828
871
  #
829
- # * For asymmetric KMS keys with RSA key material, specify
872
+ # * For asymmetric KMS keys with RSA key pairs, specify
830
873
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
831
874
  #
832
- # * For asymmetric KMS keys with ECC key material, specify
875
+ # * For asymmetric KMS keys with NIST-standard elliptic curve key
876
+ # pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
877
+ #
878
+ # * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify
879
+ # `SIGN_VERIFY`.
880
+ #
881
+ # * For asymmetric KMS keys with ML-DSA key pairs, specify
833
882
  # `SIGN_VERIFY`.
834
883
  #
835
- # * For asymmetric KMS keys with SM2 key material (China Regions
836
- # only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
884
+ # * For asymmetric KMS keys with SM2 key pairs (China Regions only),
885
+ # specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
837
886
  #
838
887
  #
839
888
  #
840
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
889
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
890
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage
891
+ # [3]: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
841
892
  # @return [String]
842
893
  #
843
894
  # @!attribute [rw] customer_master_key_spec
@@ -854,8 +905,8 @@ module Aws::KMS
854
905
  # `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
855
906
  # that is used for encryption and decryption, except in China Regions,
856
907
  # where it creates a 128-bit symmetric key that uses SM4 encryption.
857
- # For help choosing a key spec for your KMS key, see [Choosing a KMS
858
- # key type][1] in the <i> <i>Key Management Service Developer
908
+ # For a detailed description of all supported key specs, see [Key spec
909
+ # reference][1] in the <i> <i>Key Management Service Developer
859
910
  # Guide</i> </i>.
860
911
  #
861
912
  # The `KeySpec` determines whether the KMS key contains a symmetric
@@ -864,10 +915,11 @@ module Aws::KMS
864
915
  # KMS key is created. To further restrict the algorithms that can be
865
916
  # used with the KMS key, use a condition key in its key policy or IAM
866
917
  # policy. For more information, see [kms:EncryptionAlgorithm][2],
867
- # [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
868
- # <i>Key Management Service Developer Guide</i> </i>.
918
+ # [kms:MacAlgorithm][3], [kms:KeyAgreementAlgorithm][4], or
919
+ # [kms:SigningAlgorithm][5] in the <i> <i>Key Management Service
920
+ # Developer Guide</i> </i>.
869
921
  #
870
- # [Amazon Web Services services that are integrated with KMS][5] use
922
+ # [Amazon Web Services services that are integrated with KMS][6] use
871
923
  # symmetric encryption KMS keys to protect your data. These services
872
924
  # do not support asymmetric KMS keys or HMAC KMS keys.
873
925
  #
@@ -878,7 +930,6 @@ module Aws::KMS
878
930
  # * `SYMMETRIC_DEFAULT`
879
931
  #
880
932
  # ^
881
- #
882
933
  # * HMAC keys (symmetric)
883
934
  #
884
935
  # * `HMAC_224`
@@ -888,16 +939,16 @@ module Aws::KMS
888
939
  # * `HMAC_384`
889
940
  #
890
941
  # * `HMAC_512`
891
- #
892
- # * Asymmetric RSA key pairs
942
+ # * Asymmetric RSA key pairs (encryption and decryption -or- signing
943
+ # and verification)
893
944
  #
894
945
  # * `RSA_2048`
895
946
  #
896
947
  # * `RSA_3072`
897
948
  #
898
949
  # * `RSA_4096`
899
- #
900
- # * Asymmetric NIST-recommended elliptic curve key pairs
950
+ # * Asymmetric NIST-standard elliptic curve key pairs (signing and
951
+ # verification -or- deriving shared secrets)
901
952
  #
902
953
  # * `ECC_NIST_P256` (secp256r1)
903
954
  #
@@ -905,26 +956,47 @@ module Aws::KMS
905
956
  #
906
957
  # * `ECC_NIST_P521` (secp521r1)
907
958
  #
908
- # * Other asymmetric elliptic curve key pairs
959
+ # * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification
960
+ # only
961
+ #
962
+ # * **Note:** For ECC\_NIST\_EDWARDS25519 KMS keys, the
963
+ # ED25519\_SHA\_512 signing algorithm requires [
964
+ # `MessageType:RAW`
965
+ # ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType),
966
+ # while ED25519\_PH\_SHA\_512 requires [ `MessageType:DIGEST`
967
+ # ](kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType).
968
+ # These message types cannot be used interchangeably.
969
+ #
970
+ # ^
971
+ # * Other asymmetric elliptic curve key pairs (signing and
972
+ # verification)
909
973
  #
910
974
  # * `ECC_SECG_P256K1` (secp256k1), commonly used for
911
975
  # cryptocurrencies.
912
976
  #
913
977
  # ^
978
+ # * Asymmetric ML-DSA key pairs (signing and verification)
979
+ #
980
+ # * `ML_DSA_44`
914
981
  #
915
- # * SM2 key pairs (China Regions only)
982
+ # * `ML_DSA_65`
916
983
  #
917
- # * `SM2`
984
+ # * `ML_DSA_87`
985
+ # * SM2 key pairs (encryption and decryption -or- signing and
986
+ # verification -or- deriving shared secrets)
987
+ #
988
+ # * `SM2` (China Regions only)
918
989
  #
919
990
  # ^
920
991
  #
921
992
  #
922
993
  #
923
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
924
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
925
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
926
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
927
- # [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
994
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose-key-spec.html
995
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm
996
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm
997
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm
998
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm
999
+ # [6]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
928
1000
  # @return [String]
929
1001
  #
930
1002
  # @!attribute [rw] origin
@@ -977,7 +1049,7 @@ module Aws::KMS
977
1049
  #
978
1050
  #
979
1051
  #
980
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1052
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
981
1053
  # @return [String]
982
1054
  #
983
1055
  # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -1028,7 +1100,7 @@ module Aws::KMS
1028
1100
  # When you add tags to an Amazon Web Services resource, Amazon Web
1029
1101
  # Services generates a cost allocation report with usage and costs
1030
1102
  # aggregated by tags. Tags can also be used to control access to a KMS
1031
- # key. For details, see [Tagging Keys][3].
1103
+ # key. For details, see [Tags in KMS][3].
1032
1104
  #
1033
1105
  #
1034
1106
  #
@@ -1101,7 +1173,7 @@ module Aws::KMS
1101
1173
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
1102
1174
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
1103
1175
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
1104
- # [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
1176
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html#xks-key-requirements
1105
1177
  # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
1106
1178
  # @return [String]
1107
1179
  #
@@ -1430,7 +1502,6 @@ module Aws::KMS
1430
1502
  #
1431
1503
  # * The [TLS certificate][6] specifies the private DNS hostname at
1432
1504
  # which the endpoint is reachable.
1433
- #
1434
1505
  # * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
1435
1506
  # endpoint service that it uses to communicate with the external key
1436
1507
  # store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
@@ -1487,6 +1558,9 @@ module Aws::KMS
1487
1558
 
1488
1559
  # @!attribute [rw] ciphertext_blob
1489
1560
  # Ciphertext to be decrypted. The blob includes metadata.
1561
+ #
1562
+ # This parameter is required in all cases except when `DryRun` is
1563
+ # `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`.
1490
1564
  # @return [String]
1491
1565
  #
1492
1566
  # @!attribute [rw] encryption_context
@@ -1510,8 +1584,8 @@ module Aws::KMS
1510
1584
  #
1511
1585
  #
1512
1586
  #
1513
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1514
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1587
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
1588
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
1515
1589
  # @return [Hash<String,String>]
1516
1590
  #
1517
1591
  # @!attribute [rw] grant_tokens
@@ -1525,7 +1599,7 @@ module Aws::KMS
1525
1599
  #
1526
1600
  #
1527
1601
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
1528
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
1602
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
1529
1603
  # @return [Array<String>]
1530
1604
  #
1531
1605
  # @!attribute [rw] key_id
@@ -1536,11 +1610,12 @@ module Aws::KMS
1536
1610
  # operation throws an `IncorrectKeyException`.
1537
1611
  #
1538
1612
  # This parameter is required only when the ciphertext was encrypted
1539
- # under an asymmetric KMS key. If you used a symmetric encryption KMS
1540
- # key, KMS can get the KMS key from metadata that it adds to the
1541
- # symmetric ciphertext blob. However, it is always recommended as a
1542
- # best practice. This practice ensures that you use the KMS key that
1543
- # you intend.
1613
+ # under an asymmetric KMS key or when `DryRun` is `true` and
1614
+ # `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`. If you used a
1615
+ # symmetric encryption KMS key, KMS can get the KMS key from metadata
1616
+ # that it adds to the symmetric ciphertext blob. However, it is always
1617
+ # recommended as a best practice. This practice ensures that you use
1618
+ # the KMS key that you intend.
1544
1619
  #
1545
1620
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1546
1621
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -1576,44 +1651,63 @@ module Aws::KMS
1576
1651
  #
1577
1652
  # @!attribute [rw] recipient
1578
1653
  # A signed [attestation document][1] from an Amazon Web Services Nitro
1579
- # enclave and the encryption algorithm to use with the enclave's
1580
- # public key. The only valid encryption algorithm is
1581
- # `RSAES_OAEP_SHA_256`.
1654
+ # enclave or NitroTPM, and the encryption algorithm to use with the
1655
+ # public key in the attestation document. The only valid encryption
1656
+ # algorithm is `RSAES_OAEP_SHA_256`.
1582
1657
  #
1583
- # This parameter only supports attestation documents for Amazon Web
1584
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
1585
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
1658
+ # This parameter supports the [Amazon Web Services Nitro Enclaves
1659
+ # SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
1660
+ # Enclaves. It supports any Amazon Web Services SDK for Amazon Web
1661
+ # Services NitroTPM.
1586
1662
  #
1587
1663
  # When you use this parameter, instead of returning the plaintext
1588
1664
  # data, KMS encrypts the plaintext data with the public key in the
1589
1665
  # attestation document, and returns the resulting ciphertext in the
1590
1666
  # `CiphertextForRecipient` field in the response. This ciphertext can
1591
- # be decrypted only with the private key in the enclave. The
1592
- # `Plaintext` field in the response is null or empty.
1667
+ # be decrypted only with the private key in the attested environment.
1668
+ # The `Plaintext` field in the response is null or empty.
1593
1669
  #
1594
1670
  # For information about the interaction between KMS and Amazon Web
1595
- # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
1596
- # uses KMS][3] in the *Key Management Service Developer Guide*.
1671
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM, see
1672
+ # [Cryptographic attestation support in KMS][3] in the *Key Management
1673
+ # Service Developer Guide*.
1597
1674
  #
1598
1675
  #
1599
1676
  #
1600
1677
  # [1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
1601
1678
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
1602
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1679
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
1603
1680
  # @return [Types::RecipientInfo]
1604
1681
  #
1605
1682
  # @!attribute [rw] dry_run
1606
1683
  # Checks if your request will succeed. `DryRun` is an optional
1607
1684
  # parameter.
1608
1685
  #
1609
- # To learn more about how to use this parameter, see [Testing your KMS
1610
- # API calls][1] in the *Key Management Service Developer Guide*.
1686
+ # To learn more about how to use this parameter, see [Testing your
1687
+ # permissions][1] in the *Key Management Service Developer Guide*.
1611
1688
  #
1612
1689
  #
1613
1690
  #
1614
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
1691
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
1615
1692
  # @return [Boolean]
1616
1693
  #
1694
+ # @!attribute [rw] dry_run_modifiers
1695
+ # Specifies the modifiers to apply to the dry run operation.
1696
+ # `DryRunModifiers` is an optional parameter that only applies when
1697
+ # `DryRun` is set to `true`.
1698
+ #
1699
+ # When set to `IGNORE_CIPHERTEXT`, KMS performs only authorization
1700
+ # validation without ciphertext validation. This allows you to test
1701
+ # permissions without requiring a valid ciphertext blob.
1702
+ #
1703
+ # To learn more about how to use this parameter, see [Testing your
1704
+ # permissions][1] in the *Key Management Service Developer Guide*.
1705
+ #
1706
+ #
1707
+ #
1708
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
1709
+ # @return [Array<String>]
1710
+ #
1617
1711
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
1618
1712
  #
1619
1713
  class DecryptRequest < Struct.new(
@@ -1623,7 +1717,8 @@ module Aws::KMS
1623
1717
  :key_id,
1624
1718
  :encryption_algorithm,
1625
1719
  :recipient,
1626
- :dry_run)
1720
+ :dry_run,
1721
+ :dry_run_modifiers)
1627
1722
  SENSITIVE = []
1628
1723
  include Aws::Structure
1629
1724
  end
@@ -1651,19 +1746,28 @@ module Aws::KMS
1651
1746
  # @return [String]
1652
1747
  #
1653
1748
  # @!attribute [rw] ciphertext_for_recipient
1654
- # The plaintext data encrypted with the public key in the attestation
1655
- # document.
1749
+ # The plaintext data encrypted with the public key from the
1750
+ # attestation document. This ciphertext can be decrypted only by using
1751
+ # a private key from the attested environment.
1656
1752
  #
1657
1753
  # This field is included in the response only when the `Recipient`
1658
1754
  # parameter in the request includes a valid attestation document from
1659
- # an Amazon Web Services Nitro enclave. For information about the
1660
- # interaction between KMS and Amazon Web Services Nitro Enclaves, see
1661
- # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
1662
- # Management Service Developer Guide*.
1755
+ # an Amazon Web Services Nitro enclave or NitroTPM. For information
1756
+ # about the interaction between KMS and Amazon Web Services Nitro
1757
+ # Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
1758
+ # attestation support in KMS][1] in the *Key Management Service
1759
+ # Developer Guide*.
1663
1760
  #
1664
1761
  #
1665
1762
  #
1666
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
1763
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
1764
+ # @return [String]
1765
+ #
1766
+ # @!attribute [rw] key_material_id
1767
+ # The identifier of the key material used to decrypt the ciphertext.
1768
+ # This field is present only when the operation uses a symmetric
1769
+ # encryption KMS key. This field is omitted if the request includes
1770
+ # the `Recipient` parameter.
1667
1771
  # @return [String]
1668
1772
  #
1669
1773
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
@@ -1672,7 +1776,8 @@ module Aws::KMS
1672
1776
  :key_id,
1673
1777
  :plaintext,
1674
1778
  :encryption_algorithm,
1675
- :ciphertext_for_recipient)
1779
+ :ciphertext_for_recipient,
1780
+ :key_material_id)
1676
1781
  SENSITIVE = [:plaintext]
1677
1782
  include Aws::Structure
1678
1783
  end
@@ -1724,10 +1829,43 @@ module Aws::KMS
1724
1829
  # DescribeKey.
1725
1830
  # @return [String]
1726
1831
  #
1832
+ # @!attribute [rw] key_material_id
1833
+ # Identifies the imported key material you are deleting.
1834
+ #
1835
+ # If no KeyMaterialId is specified, KMS deletes the current key
1836
+ # material.
1837
+ #
1838
+ # To get the list of key material IDs associated with a KMS key, use
1839
+ # ListKeyRotations.
1840
+ # @return [String]
1841
+ #
1727
1842
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterialRequest AWS API Documentation
1728
1843
  #
1729
1844
  class DeleteImportedKeyMaterialRequest < Struct.new(
1730
- :key_id)
1845
+ :key_id,
1846
+ :key_material_id)
1847
+ SENSITIVE = []
1848
+ include Aws::Structure
1849
+ end
1850
+
1851
+ # @!attribute [rw] key_id
1852
+ # The Amazon Resource Name ([key ARN][1]) of the KMS key from which
1853
+ # the key material was deleted.
1854
+ #
1855
+ #
1856
+ #
1857
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1858
+ # @return [String]
1859
+ #
1860
+ # @!attribute [rw] key_material_id
1861
+ # Identifies the deleted key material.
1862
+ # @return [String]
1863
+ #
1864
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterialResponse AWS API Documentation
1865
+ #
1866
+ class DeleteImportedKeyMaterialResponse < Struct.new(
1867
+ :key_id,
1868
+ :key_material_id)
1731
1869
  SENSITIVE = []
1732
1870
  include Aws::Structure
1733
1871
  end
@@ -1746,6 +1884,201 @@ module Aws::KMS
1746
1884
  include Aws::Structure
1747
1885
  end
1748
1886
 
1887
+ # @!attribute [rw] key_id
1888
+ # Identifies an asymmetric NIST-standard ECC or SM2 (China Regions
1889
+ # only) KMS key. KMS uses the private key in the specified key pair to
1890
+ # derive the shared secret. The key usage of the KMS key must be
1891
+ # `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
1892
+ # DescribeKey operation.
1893
+ #
1894
+ # To specify a KMS key, use its key ID, key ARN, alias name, or alias
1895
+ # ARN. When using an alias name, prefix it with `"alias/"`. To specify
1896
+ # a KMS key in a different Amazon Web Services account, you must use
1897
+ # the key ARN or alias ARN.
1898
+ #
1899
+ # For example:
1900
+ #
1901
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1902
+ #
1903
+ # * Key ARN:
1904
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1905
+ #
1906
+ # * Alias name: `alias/ExampleAlias`
1907
+ #
1908
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1909
+ #
1910
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
1911
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1912
+ # @return [String]
1913
+ #
1914
+ # @!attribute [rw] key_agreement_algorithm
1915
+ # Specifies the key agreement algorithm used to derive the shared
1916
+ # secret. The only valid value is `ECDH`.
1917
+ # @return [String]
1918
+ #
1919
+ # @!attribute [rw] public_key
1920
+ # Specifies the public key in your peer's NIST-standard elliptic
1921
+ # curve (ECC) or SM2 (China Regions only) key pair.
1922
+ #
1923
+ # The public key must be a DER-encoded X.509 public key, also known as
1924
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
1925
+ #
1926
+ # GetPublicKey returns the public key of an asymmetric KMS key pair in
1927
+ # the required DER-encoded format.
1928
+ #
1929
+ # <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
1930
+ # the DER-encoded X.509 public key in a file. Otherwise, the Amazon
1931
+ # Web Services CLI Base64-encodes the public key a second time,
1932
+ # resulting in a `ValidationException`.
1933
+ #
1934
+ # </note>
1935
+ #
1936
+ # You can specify the public key as binary data in a file using fileb
1937
+ # (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
1938
+ #
1939
+ #
1940
+ #
1941
+ # [1]: https://tools.ietf.org/html/rfc5280
1942
+ # [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
1943
+ # @return [String]
1944
+ #
1945
+ # @!attribute [rw] grant_tokens
1946
+ # A list of grant tokens.
1947
+ #
1948
+ # Use a grant token when your permission to call this operation comes
1949
+ # from a new grant that has not yet achieved *eventual consistency*.
1950
+ # For more information, see [Grant token][1] and [Using a grant
1951
+ # token][2] in the *Key Management Service Developer Guide*.
1952
+ #
1953
+ #
1954
+ #
1955
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
1956
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
1957
+ # @return [Array<String>]
1958
+ #
1959
+ # @!attribute [rw] dry_run
1960
+ # Checks if your request will succeed. `DryRun` is an optional
1961
+ # parameter.
1962
+ #
1963
+ # To learn more about how to use this parameter, see [Testing your
1964
+ # permissions][1] in the *Key Management Service Developer Guide*.
1965
+ #
1966
+ #
1967
+ #
1968
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
1969
+ # @return [Boolean]
1970
+ #
1971
+ # @!attribute [rw] recipient
1972
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
1973
+ # enclave or NitroTPM, and the encryption algorithm to use with the
1974
+ # public key in the attestation document. The only valid encryption
1975
+ # algorithm is `RSAES_OAEP_SHA_256`.
1976
+ #
1977
+ # This parameter only supports attestation documents for Amazon Web
1978
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
1979
+ # DeriveSharedSecret generate an attestation document use either
1980
+ # [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
1981
+ # Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
1982
+ # for Amazon Web Services NitroTPM. Then use the Recipient parameter
1983
+ # from any Amazon Web Services SDK to provide the attestation document
1984
+ # for the attested environment.
1985
+ #
1986
+ # When you use this parameter, instead of returning a plaintext copy
1987
+ # of the shared secret, KMS encrypts the plaintext shared secret under
1988
+ # the public key in the attestation document, and returns the
1989
+ # resulting ciphertext in the `CiphertextForRecipient` field in the
1990
+ # response. This ciphertext can be decrypted only with the private key
1991
+ # in the attested environment. The `CiphertextBlob` field in the
1992
+ # response contains the encrypted shared secret derived from the KMS
1993
+ # key specified by the `KeyId` parameter and public key specified by
1994
+ # the `PublicKey` parameter. The `SharedSecret` field in the response
1995
+ # is null or empty.
1996
+ #
1997
+ # For information about the interaction between KMS and Amazon Web
1998
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM, see
1999
+ # [Cryptographic attestation support in KMS][4] in the *Key Management
2000
+ # Service Developer Guide*.
2001
+ #
2002
+ #
2003
+ #
2004
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2005
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2006
+ # [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
2007
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
2008
+ # @return [Types::RecipientInfo]
2009
+ #
2010
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
2011
+ #
2012
+ class DeriveSharedSecretRequest < Struct.new(
2013
+ :key_id,
2014
+ :key_agreement_algorithm,
2015
+ :public_key,
2016
+ :grant_tokens,
2017
+ :dry_run,
2018
+ :recipient)
2019
+ SENSITIVE = []
2020
+ include Aws::Structure
2021
+ end
2022
+
2023
+ # @!attribute [rw] key_id
2024
+ # Identifies the KMS key used to derive the shared secret.
2025
+ # @return [String]
2026
+ #
2027
+ # @!attribute [rw] shared_secret
2028
+ # The raw secret derived from the specified key agreement algorithm,
2029
+ # private key in the asymmetric KMS key, and your peer's public key.
2030
+ #
2031
+ # If the response includes the `CiphertextForRecipient` field, the
2032
+ # `SharedSecret` field is null or empty.
2033
+ # @return [String]
2034
+ #
2035
+ # @!attribute [rw] ciphertext_for_recipient
2036
+ # The plaintext shared secret encrypted with the public key from the
2037
+ # attestation document. This ciphertext can be decrypted only by using
2038
+ # a private key from the attested environment.
2039
+ #
2040
+ # This field is included in the response only when the `Recipient`
2041
+ # parameter in the request includes a valid attestation document from
2042
+ # an Amazon Web Services Nitro enclave or NitroTPM. For information
2043
+ # about the interaction between KMS and Amazon Web Services Nitro
2044
+ # Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
2045
+ # attestation support in KMS][1] in the *Key Management Service
2046
+ # Developer Guide*.
2047
+ #
2048
+ #
2049
+ #
2050
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
2051
+ # @return [String]
2052
+ #
2053
+ # @!attribute [rw] key_agreement_algorithm
2054
+ # Identifies the key agreement algorithm used to derive the shared
2055
+ # secret.
2056
+ # @return [String]
2057
+ #
2058
+ # @!attribute [rw] key_origin
2059
+ # The source of the key material for the specified KMS key.
2060
+ #
2061
+ # When this value is `AWS_KMS`, KMS created the key material. When
2062
+ # this value is `EXTERNAL`, the key material was imported or the KMS
2063
+ # key doesn't have any key material.
2064
+ #
2065
+ # The only valid values for DeriveSharedSecret are `AWS_KMS` and
2066
+ # `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
2067
+ # `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
2068
+ # @return [String]
2069
+ #
2070
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
2071
+ #
2072
+ class DeriveSharedSecretResponse < Struct.new(
2073
+ :key_id,
2074
+ :shared_secret,
2075
+ :ciphertext_for_recipient,
2076
+ :key_agreement_algorithm,
2077
+ :key_origin)
2078
+ SENSITIVE = [:shared_secret]
2079
+ include Aws::Structure
2080
+ end
2081
+
1749
2082
  # @!attribute [rw] custom_key_store_id
1750
2083
  # Gets only information about the specified custom key store. Enter
1751
2084
  # the key store ID.
@@ -1801,8 +2134,8 @@ module Aws::KMS
1801
2134
  # @!attribute [rw] truncated
1802
2135
  # A flag that indicates whether there are more items in the list. When
1803
2136
  # this value is true, the list in this response is truncated. To get
1804
- # more items, pass the value of the `NextMarker` element in
1805
- # thisresponse to the `Marker` parameter in a subsequent request.
2137
+ # more items, pass the value of the `NextMarker` element in this
2138
+ # response to the `Marker` parameter in a subsequent request.
1806
2139
  # @return [Boolean]
1807
2140
  #
1808
2141
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStoresResponse AWS API Documentation
@@ -1844,7 +2177,7 @@ module Aws::KMS
1844
2177
  #
1845
2178
  #
1846
2179
  #
1847
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk
2180
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
1848
2181
  # @return [String]
1849
2182
  #
1850
2183
  # @!attribute [rw] grant_tokens
@@ -1858,7 +2191,7 @@ module Aws::KMS
1858
2191
  #
1859
2192
  #
1860
2193
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
1861
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2194
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
1862
2195
  # @return [Array<String>]
1863
2196
  #
1864
2197
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
@@ -1929,7 +2262,7 @@ module Aws::KMS
1929
2262
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
1930
2263
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
1931
2264
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1932
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2265
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
1933
2266
  # @return [String]
1934
2267
  #
1935
2268
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
@@ -2032,14 +2365,35 @@ module Aws::KMS
2032
2365
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
2033
2366
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
2034
2367
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2035
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2036
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
2368
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
2369
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
2037
2370
  # @return [String]
2038
2371
  #
2372
+ # @!attribute [rw] rotation_period_in_days
2373
+ # Use this parameter to specify a custom period of time between each
2374
+ # rotation date. If no value is specified, the default value is 365
2375
+ # days.
2376
+ #
2377
+ # The rotation period defines the number of days after you enable
2378
+ # automatic key rotation that KMS will rotate your key material, and
2379
+ # the number of days between each automatic rotation thereafter.
2380
+ #
2381
+ # You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
2382
+ # further constrain the values that principals can specify in the
2383
+ # `RotationPeriodInDays` parameter.
2384
+ #
2385
+ #
2386
+ #
2387
+ #
2388
+ #
2389
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
2390
+ # @return [Integer]
2391
+ #
2039
2392
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
2040
2393
  #
2041
2394
  class EnableKeyRotationRequest < Struct.new(
2042
- :key_id)
2395
+ :key_id,
2396
+ :rotation_period_in_days)
2043
2397
  SENSITIVE = []
2044
2398
  include Aws::Structure
2045
2399
  end
@@ -2098,8 +2452,8 @@ module Aws::KMS
2098
2452
  #
2099
2453
  #
2100
2454
  #
2101
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2102
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2455
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
2456
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
2103
2457
  # @return [Hash<String,String>]
2104
2458
  #
2105
2459
  # @!attribute [rw] grant_tokens
@@ -2113,7 +2467,7 @@ module Aws::KMS
2113
2467
  #
2114
2468
  #
2115
2469
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2116
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2470
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
2117
2471
  # @return [Array<String>]
2118
2472
  #
2119
2473
  # @!attribute [rw] encryption_algorithm
@@ -2133,12 +2487,12 @@ module Aws::KMS
2133
2487
  # Checks if your request will succeed. `DryRun` is an optional
2134
2488
  # parameter.
2135
2489
  #
2136
- # To learn more about how to use this parameter, see [Testing your KMS
2137
- # API calls][1] in the *Key Management Service Developer Guide*.
2490
+ # To learn more about how to use this parameter, see [Testing your
2491
+ # permissions][1] in the *Key Management Service Developer Guide*.
2138
2492
  #
2139
2493
  #
2140
2494
  #
2141
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2495
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
2142
2496
  # @return [Boolean]
2143
2497
  #
2144
2498
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
@@ -2221,7 +2575,7 @@ module Aws::KMS
2221
2575
  #
2222
2576
  #
2223
2577
  #
2224
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2578
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
2225
2579
  # @return [Hash<String,String>]
2226
2580
  #
2227
2581
  # @!attribute [rw] key_id
@@ -2255,9 +2609,11 @@ module Aws::KMS
2255
2609
  #
2256
2610
  # The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
2257
2611
  # keys to encrypt and decrypt or to sign and verify (but not both),
2258
- # and the rule that permits you to use ECC KMS keys only to sign and
2259
- # verify, are not effective on data key pairs, which are used outside
2260
- # of KMS. The SM2 key spec is only available in China Regions.
2612
+ # the rule that permits you to use ECC KMS keys only to sign and
2613
+ # verify, and the rule that permits you to use ML-DSA key pairs to
2614
+ # sign and verify only are not effective on data key pairs, which are
2615
+ # used outside of KMS. The SM2 key spec is only available in China
2616
+ # Regions.
2261
2617
  # @return [String]
2262
2618
  #
2263
2619
  # @!attribute [rw] grant_tokens
@@ -2271,50 +2627,57 @@ module Aws::KMS
2271
2627
  #
2272
2628
  #
2273
2629
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2274
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2630
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
2275
2631
  # @return [Array<String>]
2276
2632
  #
2277
2633
  # @!attribute [rw] recipient
2278
2634
  # A signed [attestation document][1] from an Amazon Web Services Nitro
2279
- # enclave and the encryption algorithm to use with the enclave's
2280
- # public key. The only valid encryption algorithm is
2281
- # `RSAES_OAEP_SHA_256`.
2635
+ # enclave or NitroTPM, and the encryption algorithm to use with the
2636
+ # public key in the attestation document. The only valid encryption
2637
+ # algorithm is `RSAES_OAEP_SHA_256`.
2282
2638
  #
2283
2639
  # This parameter only supports attestation documents for Amazon Web
2284
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
2285
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2640
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
2641
+ # GenerateDataKeyPair generate an attestation document use either
2642
+ # [Amazon Web Services Nitro Enclaves SDK][2] for an Amazon Web
2643
+ # Services Nitro Enclaves or [Amazon Web Services NitroTPM tools][3]
2644
+ # for Amazon Web Services NitroTPM. Then use the Recipient parameter
2645
+ # from any Amazon Web Services SDK to provide the attestation document
2646
+ # for the attested environment.
2286
2647
  #
2287
2648
  # When you use this parameter, instead of returning a plaintext copy
2288
2649
  # of the private data key, KMS encrypts the plaintext private data key
2289
2650
  # under the public key in the attestation document, and returns the
2290
2651
  # resulting ciphertext in the `CiphertextForRecipient` field in the
2291
2652
  # response. This ciphertext can be decrypted only with the private key
2292
- # in the enclave. The `CiphertextBlob` field in the response contains
2293
- # a copy of the private data key encrypted under the KMS key specified
2294
- # by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
2295
- # response is null or empty.
2653
+ # in the attested environment. The `CiphertextBlob` field in the
2654
+ # response contains a copy of the private data key encrypted under the
2655
+ # KMS key specified by the `KeyId` parameter. The
2656
+ # `PrivateKeyPlaintext` field in the response is null or empty.
2296
2657
  #
2297
2658
  # For information about the interaction between KMS and Amazon Web
2298
- # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2299
- # uses KMS][3] in the *Key Management Service Developer Guide*.
2659
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM, see
2660
+ # [Cryptographic attestation support in KMS][4] in the *Key Management
2661
+ # Service Developer Guide*.
2300
2662
  #
2301
2663
  #
2302
2664
  #
2303
2665
  # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2304
2666
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2305
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2667
+ # [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html
2668
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
2306
2669
  # @return [Types::RecipientInfo]
2307
2670
  #
2308
2671
  # @!attribute [rw] dry_run
2309
2672
  # Checks if your request will succeed. `DryRun` is an optional
2310
2673
  # parameter.
2311
2674
  #
2312
- # To learn more about how to use this parameter, see [Testing your KMS
2313
- # API calls][1] in the *Key Management Service Developer Guide*.
2675
+ # To learn more about how to use this parameter, see [Testing your
2676
+ # permissions][1] in the *Key Management Service Developer Guide*.
2314
2677
  #
2315
2678
  #
2316
2679
  #
2317
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2680
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
2318
2681
  # @return [Boolean]
2319
2682
  #
2320
2683
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
@@ -2366,19 +2729,24 @@ module Aws::KMS
2366
2729
  #
2367
2730
  # @!attribute [rw] ciphertext_for_recipient
2368
2731
  # The plaintext private data key encrypted with the public key from
2369
- # the Nitro enclave. This ciphertext can be decrypted only by using a
2370
- # private key in the Nitro enclave.
2732
+ # the attestation document. This ciphertext can be decrypted only by
2733
+ # using a private key from the attested environment.
2371
2734
  #
2372
2735
  # This field is included in the response only when the `Recipient`
2373
2736
  # parameter in the request includes a valid attestation document from
2374
- # an Amazon Web Services Nitro enclave. For information about the
2375
- # interaction between KMS and Amazon Web Services Nitro Enclaves, see
2376
- # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
2377
- # Management Service Developer Guide*.
2737
+ # an Amazon Web Services Nitro enclave or NitroTPM. For information
2738
+ # about the interaction between KMS and Amazon Web Services Nitro
2739
+ # Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
2740
+ # attestation support in KMS][1] in the *Key Management Service
2741
+ # Developer Guide*.
2742
+ #
2378
2743
  #
2379
2744
  #
2745
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
2746
+ # @return [String]
2380
2747
  #
2381
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
2748
+ # @!attribute [rw] key_material_id
2749
+ # The identifier of the key material used to encrypt the private key.
2382
2750
  # @return [String]
2383
2751
  #
2384
2752
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
@@ -2389,7 +2757,8 @@ module Aws::KMS
2389
2757
  :public_key,
2390
2758
  :key_id,
2391
2759
  :key_pair_spec,
2392
- :ciphertext_for_recipient)
2760
+ :ciphertext_for_recipient,
2761
+ :key_material_id)
2393
2762
  SENSITIVE = [:private_key_plaintext]
2394
2763
  include Aws::Structure
2395
2764
  end
@@ -2416,7 +2785,7 @@ module Aws::KMS
2416
2785
  #
2417
2786
  #
2418
2787
  #
2419
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2788
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
2420
2789
  # @return [Hash<String,String>]
2421
2790
  #
2422
2791
  # @!attribute [rw] key_id
@@ -2450,9 +2819,11 @@ module Aws::KMS
2450
2819
  #
2451
2820
  # The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
2452
2821
  # keys to encrypt and decrypt or to sign and verify (but not both),
2453
- # and the rule that permits you to use ECC KMS keys only to sign and
2454
- # verify, are not effective on data key pairs, which are used outside
2455
- # of KMS. The SM2 key spec is only available in China Regions.
2822
+ # the rule that permits you to use ECC KMS keys only to sign and
2823
+ # verify, and the rule that permits you to use ML-DSA key pairs to
2824
+ # sign and verify only are not effective on data key pairs, which are
2825
+ # used outside of KMS. The SM2 key spec is only available in China
2826
+ # Regions.
2456
2827
  # @return [String]
2457
2828
  #
2458
2829
  # @!attribute [rw] grant_tokens
@@ -2466,19 +2837,19 @@ module Aws::KMS
2466
2837
  #
2467
2838
  #
2468
2839
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2469
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2840
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
2470
2841
  # @return [Array<String>]
2471
2842
  #
2472
2843
  # @!attribute [rw] dry_run
2473
2844
  # Checks if your request will succeed. `DryRun` is an optional
2474
2845
  # parameter.
2475
2846
  #
2476
- # To learn more about how to use this parameter, see [Testing your KMS
2477
- # API calls][1] in the *Key Management Service Developer Guide*.
2847
+ # To learn more about how to use this parameter, see [Testing your
2848
+ # permissions][1] in the *Key Management Service Developer Guide*.
2478
2849
  #
2479
2850
  #
2480
2851
  #
2481
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
2852
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
2482
2853
  # @return [Boolean]
2483
2854
  #
2484
2855
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
@@ -2518,13 +2889,18 @@ module Aws::KMS
2518
2889
  # The type of data key pair that was generated.
2519
2890
  # @return [String]
2520
2891
  #
2892
+ # @!attribute [rw] key_material_id
2893
+ # The identifier of the key material used to encrypt the private key.
2894
+ # @return [String]
2895
+ #
2521
2896
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
2522
2897
  #
2523
2898
  class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
2524
2899
  :private_key_ciphertext_blob,
2525
2900
  :public_key,
2526
2901
  :key_id,
2527
- :key_pair_spec)
2902
+ :key_pair_spec,
2903
+ :key_material_id)
2528
2904
  SENSITIVE = []
2529
2905
  include Aws::Structure
2530
2906
  end
@@ -2577,7 +2953,7 @@ module Aws::KMS
2577
2953
  #
2578
2954
  #
2579
2955
  #
2580
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2956
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
2581
2957
  # @return [Hash<String,String>]
2582
2958
  #
2583
2959
  # @!attribute [rw] number_of_bytes
@@ -2610,18 +2986,19 @@ module Aws::KMS
2610
2986
  #
2611
2987
  #
2612
2988
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2613
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
2989
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
2614
2990
  # @return [Array<String>]
2615
2991
  #
2616
2992
  # @!attribute [rw] recipient
2617
2993
  # A signed [attestation document][1] from an Amazon Web Services Nitro
2618
- # enclave and the encryption algorithm to use with the enclave's
2619
- # public key. The only valid encryption algorithm is
2620
- # `RSAES_OAEP_SHA_256`.
2994
+ # enclave or NitroTPM, and the encryption algorithm to use with the
2995
+ # public key in the attestation document. The only valid encryption
2996
+ # algorithm is `RSAES_OAEP_SHA_256`.
2621
2997
  #
2622
- # This parameter only supports attestation documents for Amazon Web
2623
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
2624
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
2998
+ # This parameter supports the [Amazon Web Services Nitro Enclaves
2999
+ # SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
3000
+ # Enclaves. It supports any Amazon Web Services SDK for Amazon Web
3001
+ # Services NitroTPM.
2625
3002
  #
2626
3003
  # When you use this parameter, instead of returning the plaintext data
2627
3004
  # key, KMS encrypts the plaintext data key under the public key in the
@@ -2633,26 +3010,27 @@ module Aws::KMS
2633
3010
  # The `Plaintext` field in the response is null or empty.
2634
3011
  #
2635
3012
  # For information about the interaction between KMS and Amazon Web
2636
- # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2637
- # uses KMS][3] in the *Key Management Service Developer Guide*.
3013
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM, see
3014
+ # [Cryptographic attestation support in KMS][3] in the *Key Management
3015
+ # Service Developer Guide*.
2638
3016
  #
2639
3017
  #
2640
3018
  #
2641
3019
  # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2642
3020
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2643
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
3021
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
2644
3022
  # @return [Types::RecipientInfo]
2645
3023
  #
2646
3024
  # @!attribute [rw] dry_run
2647
3025
  # Checks if your request will succeed. `DryRun` is an optional
2648
3026
  # parameter.
2649
3027
  #
2650
- # To learn more about how to use this parameter, see [Testing your KMS
2651
- # API calls][1] in the *Key Management Service Developer Guide*.
3028
+ # To learn more about how to use this parameter, see [Testing your
3029
+ # permissions][1] in the *Key Management Service Developer Guide*.
2652
3030
  #
2653
3031
  #
2654
3032
  #
2655
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
3033
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
2656
3034
  # @return [Boolean]
2657
3035
  #
2658
3036
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
@@ -2695,20 +3073,27 @@ module Aws::KMS
2695
3073
  # @return [String]
2696
3074
  #
2697
3075
  # @!attribute [rw] ciphertext_for_recipient
2698
- # The plaintext data key encrypted with the public key from the Nitro
2699
- # enclave. This ciphertext can be decrypted only by using a private
2700
- # key in the Nitro enclave.
3076
+ # The plaintext data key encrypted with the public key from the
3077
+ # attestation document. This ciphertext can be decrypted only by using
3078
+ # a private key from the attested environment.
2701
3079
  #
2702
3080
  # This field is included in the response only when the `Recipient`
2703
3081
  # parameter in the request includes a valid attestation document from
2704
- # an Amazon Web Services Nitro enclave. For information about the
2705
- # interaction between KMS and Amazon Web Services Nitro Enclaves, see
2706
- # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
2707
- # Management Service Developer Guide*.
3082
+ # an Amazon Web Services Nitro enclave or NitroTPM. For information
3083
+ # about the interaction between KMS and Amazon Web Services Nitro
3084
+ # Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
3085
+ # attestation support in KMS][1] in the *Key Management Service
3086
+ # Developer Guide*.
3087
+ #
2708
3088
  #
2709
3089
  #
3090
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
3091
+ # @return [String]
2710
3092
  #
2711
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
3093
+ # @!attribute [rw] key_material_id
3094
+ # The identifier of the key material used to encrypt the data key.
3095
+ # This field is omitted if the request includes the `Recipient`
3096
+ # parameter.
2712
3097
  # @return [String]
2713
3098
  #
2714
3099
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2717,7 +3102,8 @@ module Aws::KMS
2717
3102
  :ciphertext_blob,
2718
3103
  :plaintext,
2719
3104
  :key_id,
2720
- :ciphertext_for_recipient)
3105
+ :ciphertext_for_recipient,
3106
+ :key_material_id)
2721
3107
  SENSITIVE = [:plaintext]
2722
3108
  include Aws::Structure
2723
3109
  end
@@ -2770,7 +3156,7 @@ module Aws::KMS
2770
3156
  #
2771
3157
  #
2772
3158
  #
2773
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
3159
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
2774
3160
  # @return [Hash<String,String>]
2775
3161
  #
2776
3162
  # @!attribute [rw] key_spec
@@ -2796,19 +3182,19 @@ module Aws::KMS
2796
3182
  #
2797
3183
  #
2798
3184
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2799
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
3185
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
2800
3186
  # @return [Array<String>]
2801
3187
  #
2802
3188
  # @!attribute [rw] dry_run
2803
3189
  # Checks if your request will succeed. `DryRun` is an optional
2804
3190
  # parameter.
2805
3191
  #
2806
- # To learn more about how to use this parameter, see [Testing your KMS
2807
- # API calls][1] in the *Key Management Service Developer Guide*.
3192
+ # To learn more about how to use this parameter, see [Testing your
3193
+ # permissions][1] in the *Key Management Service Developer Guide*.
2808
3194
  #
2809
3195
  #
2810
3196
  #
2811
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
3197
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
2812
3198
  # @return [Boolean]
2813
3199
  #
2814
3200
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
@@ -2839,11 +3225,16 @@ module Aws::KMS
2839
3225
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2840
3226
  # @return [String]
2841
3227
  #
3228
+ # @!attribute [rw] key_material_id
3229
+ # The identifier of the key material used to encrypt the data key.
3230
+ # @return [String]
3231
+ #
2842
3232
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
2843
3233
  #
2844
3234
  class GenerateDataKeyWithoutPlaintextResponse < Struct.new(
2845
3235
  :ciphertext_blob,
2846
- :key_id)
3236
+ :key_id,
3237
+ :key_material_id)
2847
3238
  SENSITIVE = []
2848
3239
  include Aws::Structure
2849
3240
  end
@@ -2888,19 +3279,19 @@ module Aws::KMS
2888
3279
  #
2889
3280
  #
2890
3281
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
2891
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
3282
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
2892
3283
  # @return [Array<String>]
2893
3284
  #
2894
3285
  # @!attribute [rw] dry_run
2895
3286
  # Checks if your request will succeed. `DryRun` is an optional
2896
3287
  # parameter.
2897
3288
  #
2898
- # To learn more about how to use this parameter, see [Testing your KMS
2899
- # API calls][1] in the *Key Management Service Developer Guide*.
3289
+ # To learn more about how to use this parameter, see [Testing your
3290
+ # permissions][1] in the *Key Management Service Developer Guide*.
2900
3291
  #
2901
3292
  #
2902
3293
  #
2903
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
3294
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
2904
3295
  # @return [Boolean]
2905
3296
  #
2906
3297
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
@@ -2960,30 +3351,32 @@ module Aws::KMS
2960
3351
  #
2961
3352
  # @!attribute [rw] recipient
2962
3353
  # A signed [attestation document][1] from an Amazon Web Services Nitro
2963
- # enclave and the encryption algorithm to use with the enclave's
2964
- # public key. The only valid encryption algorithm is
2965
- # `RSAES_OAEP_SHA_256`.
3354
+ # enclave or NitroTPM, and the encryption algorithm to use with the
3355
+ # public key in the attestation document. The only valid encryption
3356
+ # algorithm is `RSAES_OAEP_SHA_256`.
2966
3357
  #
2967
- # This parameter only supports attestation documents for Amazon Web
2968
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
2969
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
3358
+ # This parameter supports the [Amazon Web Services Nitro Enclaves
3359
+ # SDK][2] or any Amazon Web Services SDK for Amazon Web Services Nitro
3360
+ # Enclaves. It supports any Amazon Web Services SDK for Amazon Web
3361
+ # Services NitroTPM.
2970
3362
  #
2971
3363
  # When you use this parameter, instead of returning plaintext bytes,
2972
3364
  # KMS encrypts the plaintext bytes under the public key in the
2973
3365
  # attestation document, and returns the resulting ciphertext in the
2974
3366
  # `CiphertextForRecipient` field in the response. This ciphertext can
2975
- # be decrypted only with the private key in the enclave. The
2976
- # `Plaintext` field in the response is null or empty.
3367
+ # be decrypted only with the private key in the attested environment.
3368
+ # The `Plaintext` field in the response is null or empty.
2977
3369
  #
2978
3370
  # For information about the interaction between KMS and Amazon Web
2979
- # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
2980
- # uses KMS][3] in the *Key Management Service Developer Guide*.
3371
+ # Services Nitro Enclaves or Amazon Web Services NitroTPM, see
3372
+ # [Cryptographic attestation support in KMS][3] in the *Key Management
3373
+ # Service Developer Guide*.
2981
3374
  #
2982
3375
  #
2983
3376
  #
2984
3377
  # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
2985
3378
  # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
2986
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
3379
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
2987
3380
  # @return [Types::RecipientInfo]
2988
3381
  #
2989
3382
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
@@ -3007,19 +3400,20 @@ module Aws::KMS
3007
3400
  #
3008
3401
  # @!attribute [rw] ciphertext_for_recipient
3009
3402
  # The plaintext random bytes encrypted with the public key from the
3010
- # Nitro enclave. This ciphertext can be decrypted only by using a
3011
- # private key in the Nitro enclave.
3403
+ # attestation document. This ciphertext can be decrypted only by using
3404
+ # a private key from the attested environment.
3012
3405
  #
3013
3406
  # This field is included in the response only when the `Recipient`
3014
3407
  # parameter in the request includes a valid attestation document from
3015
- # an Amazon Web Services Nitro enclave. For information about the
3016
- # interaction between KMS and Amazon Web Services Nitro Enclaves, see
3017
- # [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
3018
- # Management Service Developer Guide*.
3408
+ # an Amazon Web Services Nitro enclave or NitroTPM. For information
3409
+ # about the interaction between KMS and Amazon Web Services Nitro
3410
+ # Enclaves or Amazon Web Services NitroTPM, see [Cryptographic
3411
+ # attestation support in KMS][1] in the *Key Management Service
3412
+ # Developer Guide*.
3019
3413
  #
3020
3414
  #
3021
3415
  #
3022
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
3416
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
3023
3417
  # @return [String]
3024
3418
  #
3025
3419
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
@@ -3048,7 +3442,8 @@ module Aws::KMS
3048
3442
  # @return [String]
3049
3443
  #
3050
3444
  # @!attribute [rw] policy_name
3051
- # Specifies the name of the key policy. The only valid name is
3445
+ # Specifies the name of the key policy. If no policy name is
3446
+ # specified, the default value is `default`. The only valid name is
3052
3447
  # `default`. To get the names of key policies, use ListKeyPolicies.
3053
3448
  # @return [String]
3054
3449
  #
@@ -3065,10 +3460,15 @@ module Aws::KMS
3065
3460
  # A key policy document in JSON format.
3066
3461
  # @return [String]
3067
3462
  #
3463
+ # @!attribute [rw] policy_name
3464
+ # The name of the key policy. The only valid value is `default`.
3465
+ # @return [String]
3466
+ #
3068
3467
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicyResponse AWS API Documentation
3069
3468
  #
3070
3469
  class GetKeyPolicyResponse < Struct.new(
3071
- :policy)
3470
+ :policy,
3471
+ :policy_name)
3072
3472
  SENSITIVE = []
3073
3473
  include Aws::Structure
3074
3474
  end
@@ -3103,10 +3503,39 @@ module Aws::KMS
3103
3503
  # A Boolean value that specifies whether key rotation is enabled.
3104
3504
  # @return [Boolean]
3105
3505
  #
3506
+ # @!attribute [rw] key_id
3507
+ # Identifies the specified symmetric encryption KMS key.
3508
+ # @return [String]
3509
+ #
3510
+ # @!attribute [rw] rotation_period_in_days
3511
+ # The number of days between each automatic rotation. The default
3512
+ # value is 365 days.
3513
+ # @return [Integer]
3514
+ #
3515
+ # @!attribute [rw] next_rotation_date
3516
+ # The next date that KMS will automatically rotate the key material.
3517
+ # @return [Time]
3518
+ #
3519
+ # @!attribute [rw] on_demand_rotation_start_date
3520
+ # Identifies the date and time that an in progress on-demand rotation
3521
+ # was initiated.
3522
+ #
3523
+ # KMS uses a background process to perform rotations. As a result,
3524
+ # there might be a slight delay between initiating on-demand key
3525
+ # rotation and the rotation's completion. Once the on-demand rotation
3526
+ # is complete, KMS removes this field from the response. You can use
3527
+ # ListKeyRotations to view the details of the completed on-demand
3528
+ # rotation.
3529
+ # @return [Time]
3530
+ #
3106
3531
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatusResponse AWS API Documentation
3107
3532
  #
3108
3533
  class GetKeyRotationStatusResponse < Struct.new(
3109
- :key_rotation_enabled)
3534
+ :key_rotation_enabled,
3535
+ :key_id,
3536
+ :rotation_period_in_days,
3537
+ :next_rotation_date,
3538
+ :on_demand_rotation_start_date)
3110
3539
  SENSITIVE = []
3111
3540
  include Aws::Structure
3112
3541
  end
@@ -3136,9 +3565,8 @@ module Aws::KMS
3136
3565
  # @!attribute [rw] wrapping_algorithm
3137
3566
  # The algorithm you will use with the RSA public key (`PublicKey`) in
3138
3567
  # the response to protect your key material during import. For more
3139
- # information, see [Select a wrapping
3140
- # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
3141
- # in the *Key Management Service Developer Guide*.
3568
+ # information, see [Select a wrapping algorithm][1] in the *Key
3569
+ # Management Service Developer Guide*.
3142
3570
  #
3143
3571
  # For RSA\_AES wrapping algorithms, you encrypt your key material with
3144
3572
  # an AES key that you generate, then encrypt your AES key with the RSA
@@ -3170,6 +3598,10 @@ module Aws::KMS
3170
3598
  #
3171
3599
  # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
3172
3600
  # does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
3601
+ #
3602
+ #
3603
+ #
3604
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm
3173
3605
  # @return [String]
3174
3606
  #
3175
3607
  # @!attribute [rw] wrapping_key_spec
@@ -3265,7 +3697,7 @@ module Aws::KMS
3265
3697
  #
3266
3698
  #
3267
3699
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
3268
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
3700
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
3269
3701
  # @return [Array<String>]
3270
3702
  #
3271
3703
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
@@ -3314,12 +3746,12 @@ module Aws::KMS
3314
3746
  # @return [String]
3315
3747
  #
3316
3748
  # @!attribute [rw] key_usage
3317
- # The permitted use of the public key. Valid values are
3318
- # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
3749
+ # The permitted use of the public key. Valid values for asymmetric key
3750
+ # pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
3319
3751
  #
3320
- # This information is critical. If a public key with `SIGN_VERIFY` key
3321
- # usage encrypts data outside of KMS, the ciphertext cannot be
3322
- # decrypted.
3752
+ # This information is critical. For example, if a public key with
3753
+ # `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
3754
+ # cannot be decrypted.
3323
3755
  # @return [String]
3324
3756
  #
3325
3757
  # @!attribute [rw] encryption_algorithms
@@ -3340,6 +3772,12 @@ module Aws::KMS
3340
3772
  # public key is `SIGN_VERIFY`.
3341
3773
  # @return [Array<String>]
3342
3774
  #
3775
+ # @!attribute [rw] key_agreement_algorithms
3776
+ # The key agreement algorithm used to derive a shared secret. This
3777
+ # field is present only when the KMS key has a `KeyUsage` value of
3778
+ # `KEY_AGREEMENT`.
3779
+ # @return [Array<String>]
3780
+ #
3343
3781
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
3344
3782
  #
3345
3783
  class GetPublicKeyResponse < Struct.new(
@@ -3349,7 +3787,8 @@ module Aws::KMS
3349
3787
  :key_spec,
3350
3788
  :key_usage,
3351
3789
  :encryption_algorithms,
3352
- :signing_algorithms)
3790
+ :signing_algorithms,
3791
+ :key_agreement_algorithms)
3353
3792
  SENSITIVE = []
3354
3793
  include Aws::Structure
3355
3794
  end
@@ -3360,9 +3799,9 @@ module Aws::KMS
3360
3799
  #
3361
3800
  # KMS applies the grant constraints only to cryptographic operations
3362
3801
  # that support an encryption context, that is, all cryptographic
3363
- # operations with a [symmetric KMS key][3]. Grant constraints are not
3364
- # applied to operations that do not support an encryption context, such
3365
- # as cryptographic operations with asymmetric KMS keys and management
3802
+ # operations with a symmetric KMS key. Grant constraints are not applied
3803
+ # to operations that do not support an encryption context, such as
3804
+ # cryptographic operations with asymmetric KMS keys and management
3366
3805
  # operations, such as DescribeKey or RetireGrant.
3367
3806
  #
3368
3807
  # In a cryptographic operation, the encryption context in the decryption
@@ -3377,15 +3816,14 @@ module Aws::KMS
3377
3816
  # differ only by case. To require a fully case-sensitive encryption
3378
3817
  # context, use the `kms:EncryptionContext:` and
3379
3818
  # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
3380
- # details, see [kms:EncryptionContext:][4] in the <i> <i>Key Management
3381
- # Service Developer Guide</i> </i>.
3819
+ # details, see [kms:EncryptionContext:context-key][3] in the <i> <i>Key
3820
+ # Management Service Developer Guide</i> </i>.
3382
3821
  #
3383
3822
  #
3384
3823
  #
3385
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
3386
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
3387
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
3388
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
3824
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
3825
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
3826
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context
3389
3827
  #
3390
3828
  # @!attribute [rw] encryption_context_subset
3391
3829
  # A list of key-value pairs that must be included in the encryption
@@ -3396,7 +3834,7 @@ module Aws::KMS
3396
3834
  #
3397
3835
  #
3398
3836
  #
3399
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
3837
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
3400
3838
  # @return [Hash<String,String>]
3401
3839
  #
3402
3840
  # @!attribute [rw] encryption_context_equals
@@ -3407,7 +3845,7 @@ module Aws::KMS
3407
3845
  #
3408
3846
  #
3409
3847
  #
3410
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
3848
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
3411
3849
  # @return [Hash<String,String>]
3412
3850
  #
3413
3851
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -3496,11 +3934,9 @@ module Aws::KMS
3496
3934
  #
3497
3935
  # The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
3498
3936
  # asymmetric encryption KMS key, or asymmetric signing KMS key,
3499
- # including a [multi-Region
3500
- # key](kms/latest/developerguide/multi-region-keys-overview.html) of
3501
- # any supported type. You cannot perform this operation on a KMS key
3502
- # in a custom key store, or on a KMS key in a different Amazon Web
3503
- # Services account.
3937
+ # including a [multi-Region key][1] of any supported type. You cannot
3938
+ # perform this operation on a KMS key in a custom key store, or on a
3939
+ # KMS key in a different Amazon Web Services account.
3504
3940
  #
3505
3941
  # Specify the key ID or key ARN of the KMS key.
3506
3942
  #
@@ -3513,6 +3949,10 @@ module Aws::KMS
3513
3949
  #
3514
3950
  # To get the key ID and key ARN for a KMS key, use ListKeys or
3515
3951
  # DescribeKey.
3952
+ #
3953
+ #
3954
+ #
3955
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
3516
3956
  # @return [String]
3517
3957
  #
3518
3958
  # @!attribute [rw] import_token
@@ -3564,7 +4004,53 @@ module Aws::KMS
3564
4004
  #
3565
4005
  #
3566
4006
  #
3567
- # [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
4007
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-expiration
4008
+ # @return [String]
4009
+ #
4010
+ # @!attribute [rw] import_type
4011
+ # Indicates whether the key material being imported is previously
4012
+ # associated with this KMS key or not. This parameter is optional and
4013
+ # only usable with symmetric encryption keys. If no key material has
4014
+ # ever been imported into the KMS key, and this parameter is omitted,
4015
+ # the parameter defaults to `NEW_KEY_MATERIAL`. After the first key
4016
+ # material is imported, if this parameter is omitted then the
4017
+ # parameter defaults to `EXISTING_KEY_MATERIAL`.
4018
+ #
4019
+ # For multi-Region keys, you must first import new key material into
4020
+ # the primary Region key. You should use the `NEW_KEY_MATERIAL` import
4021
+ # type when importing key material into the primary Region key. Then,
4022
+ # you can import the same key material into the replica Region key.
4023
+ # The import type for the replica Region key should be
4024
+ # `EXISTING_KEY_MATERIAL`.
4025
+ # @return [String]
4026
+ #
4027
+ # @!attribute [rw] key_material_description
4028
+ # Description for the key material being imported. This parameter is
4029
+ # optional and only usable with symmetric encryption keys. If you do
4030
+ # not specify a key material description, KMS retains the value you
4031
+ # specified when you last imported the same key material into this KMS
4032
+ # key.
4033
+ # @return [String]
4034
+ #
4035
+ # @!attribute [rw] key_material_id
4036
+ # Identifies the key material being imported. This parameter is
4037
+ # optional and only usable with symmetric encryption keys. You cannot
4038
+ # specify a key material ID with `ImportType` set to
4039
+ # `NEW_KEY_MATERIAL`. Whenever you import key material into a
4040
+ # symmetric encryption key, KMS assigns a unique identifier to the key
4041
+ # material based on the KMS key ID and the imported key material. When
4042
+ # you re-import key material with a specified key material ID, KMS:
4043
+ #
4044
+ # * Computes the identifier for the key material
4045
+ #
4046
+ # * Matches the computed identifier against the specified key material
4047
+ # ID
4048
+ #
4049
+ # * Verifies that the key material ID is already associated with the
4050
+ # KMS key
4051
+ #
4052
+ # To get the list of key material IDs associated with a KMS key, use
4053
+ # ListKeyRotations.
3568
4054
  # @return [String]
3569
4055
  #
3570
4056
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
@@ -3574,14 +4060,35 @@ module Aws::KMS
3574
4060
  :import_token,
3575
4061
  :encrypted_key_material,
3576
4062
  :valid_to,
3577
- :expiration_model)
4063
+ :expiration_model,
4064
+ :import_type,
4065
+ :key_material_description,
4066
+ :key_material_id)
3578
4067
  SENSITIVE = []
3579
4068
  include Aws::Structure
3580
4069
  end
3581
4070
 
4071
+ # @!attribute [rw] key_id
4072
+ # The Amazon Resource Name ([key ARN][1]) of the KMS key into which
4073
+ # key material was imported.
4074
+ #
4075
+ #
4076
+ #
4077
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4078
+ # @return [String]
4079
+ #
4080
+ # @!attribute [rw] key_material_id
4081
+ # Identifies the imported key material.
4082
+ # @return [String]
4083
+ #
3582
4084
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialResponse AWS API Documentation
3583
4085
  #
3584
- class ImportKeyMaterialResponse < Aws::EmptyStructure; end
4086
+ class ImportKeyMaterialResponse < Struct.new(
4087
+ :key_id,
4088
+ :key_material_id)
4089
+ SENSITIVE = []
4090
+ include Aws::Structure
4091
+ end
3585
4092
 
3586
4093
  # The request was rejected because the specified KMS key cannot decrypt
3587
4094
  # the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
@@ -3600,8 +4107,10 @@ module Aws::KMS
3600
4107
  end
3601
4108
 
3602
4109
  # The request was rejected because the key material in the request is,
3603
- # expired, invalid, or is not the same key material that was previously
3604
- # imported into this KMS key.
4110
+ # expired, invalid, or does not meet expectations. For example, it is
4111
+ # not the same key material that was previously imported or KMS expected
4112
+ # new key material but the key material being imported is already
4113
+ # associated with the KMS key.
3605
4114
  #
3606
4115
  # @!attribute [rw] message
3607
4116
  # @return [String]
@@ -3737,8 +4246,9 @@ module Aws::KMS
3737
4246
  # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
3738
4247
  # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
3739
4248
  # verifying message authentication codes (MACs), the `KeyUsage` must be
3740
- # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
3741
- # DescribeKey operation.
4249
+ # `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
4250
+ # `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
4251
+ # key, use the DescribeKey operation.
3742
4252
  #
3743
4253
  # To find the encryption or signing algorithms supported for a
3744
4254
  # particular KMS key, use the DescribeKey operation.
@@ -3907,7 +4417,7 @@ module Aws::KMS
3907
4417
  #
3908
4418
  #
3909
4419
  #
3910
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
4420
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
3911
4421
  # @return [String]
3912
4422
  #
3913
4423
  # @!attribute [rw] key_state
@@ -3934,11 +4444,12 @@ module Aws::KMS
3934
4444
  # @return [Time]
3935
4445
  #
3936
4446
  # @!attribute [rw] valid_to
3937
- # The time at which the imported key material expires. When the key
3938
- # material expires, KMS deletes the key material and the KMS key
3939
- # becomes unusable. This value is present only for KMS keys whose
3940
- # `Origin` is `EXTERNAL` and whose `ExpirationModel` is
3941
- # `KEY_MATERIAL_EXPIRES`, otherwise this value is omitted.
4447
+ # The earliest time at which any imported key material permanently
4448
+ # associated with this KMS key expires. When a key material expires,
4449
+ # KMS deletes the key material and the KMS key becomes unusable. This
4450
+ # value is present only for KMS keys whose `Origin` is `EXTERNAL` and
4451
+ # the `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, otherwise this
4452
+ # value is omitted.
3942
4453
  # @return [Time]
3943
4454
  #
3944
4455
  # @!attribute [rw] origin
@@ -3957,7 +4468,7 @@ module Aws::KMS
3957
4468
  #
3958
4469
  #
3959
4470
  #
3960
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
4471
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
3961
4472
  # @return [String]
3962
4473
  #
3963
4474
  # @!attribute [rw] cloud_hsm_cluster_id
@@ -3969,7 +4480,7 @@ module Aws::KMS
3969
4480
  #
3970
4481
  #
3971
4482
  #
3972
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
4483
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
3973
4484
  # @return [String]
3974
4485
  #
3975
4486
  # @!attribute [rw] expiration_model
@@ -4017,6 +4528,10 @@ module Aws::KMS
4017
4528
  # `SIGN_VERIFY`.
4018
4529
  # @return [Array<String>]
4019
4530
  #
4531
+ # @!attribute [rw] key_agreement_algorithms
4532
+ # The key agreement algorithm used to derive a shared secret.
4533
+ # @return [Array<String>]
4534
+ #
4020
4535
  # @!attribute [rw] multi_region
4021
4536
  # Indicates whether the KMS key is a multi-Region (`True`) or regional
4022
4537
  # (`False`) key. This value is `True` for multi-Region primary and
@@ -4088,6 +4603,15 @@ module Aws::KMS
4088
4603
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
4089
4604
  # @return [Types::XksKeyConfigurationType]
4090
4605
  #
4606
+ # @!attribute [rw] current_key_material_id
4607
+ # Identifies the current key material. This value is present for
4608
+ # symmetric encryption keys with `AWS_KMS` or `EXTERNAL` origin. These
4609
+ # KMS keys support automatic or on-demand key rotation and can have
4610
+ # multiple key materials associated with them. KMS uses the current
4611
+ # key material for both encryption and decryption, and the non-current
4612
+ # key material for decryption operations only.
4613
+ # @return [String]
4614
+ #
4091
4615
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
4092
4616
  #
4093
4617
  class KeyMetadata < Struct.new(
@@ -4110,11 +4634,13 @@ module Aws::KMS
4110
4634
  :key_spec,
4111
4635
  :encryption_algorithms,
4112
4636
  :signing_algorithms,
4637
+ :key_agreement_algorithms,
4113
4638
  :multi_region,
4114
4639
  :multi_region_configuration,
4115
4640
  :pending_deletion_window_in_days,
4116
4641
  :mac_algorithms,
4117
- :xks_key_configuration)
4642
+ :xks_key_configuration,
4643
+ :current_key_material_id)
4118
4644
  SENSITIVE = []
4119
4645
  include Aws::Structure
4120
4646
  end
@@ -4133,9 +4659,9 @@ module Aws::KMS
4133
4659
  include Aws::Structure
4134
4660
  end
4135
4661
 
4136
- # The request was rejected because a quota was exceeded. For more
4137
- # information, see [Quotas][1] in the *Key Management Service Developer
4138
- # Guide*.
4662
+ # The request was rejected because a length constraint or quota was
4663
+ # exceeded. For more information, see [Quotas][1] in the *Key Management
4664
+ # Service Developer Guide*.
4139
4665
  #
4140
4666
  #
4141
4667
  #
@@ -4210,8 +4736,8 @@ module Aws::KMS
4210
4736
  # @!attribute [rw] truncated
4211
4737
  # A flag that indicates whether there are more items in the list. When
4212
4738
  # this value is true, the list in this response is truncated. To get
4213
- # more items, pass the value of the `NextMarker` element in
4214
- # thisresponse to the `Marker` parameter in a subsequent request.
4739
+ # more items, pass the value of the `NextMarker` element in this
4740
+ # response to the `Marker` parameter in a subsequent request.
4215
4741
  # @return [Boolean]
4216
4742
  #
4217
4743
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliasesResponse AWS API Documentation
@@ -4293,8 +4819,8 @@ module Aws::KMS
4293
4819
  # @!attribute [rw] truncated
4294
4820
  # A flag that indicates whether there are more items in the list. When
4295
4821
  # this value is true, the list in this response is truncated. To get
4296
- # more items, pass the value of the `NextMarker` element in
4297
- # thisresponse to the `Marker` parameter in a subsequent request.
4822
+ # more items, pass the value of the `NextMarker` element in this
4823
+ # response to the `Marker` parameter in a subsequent request.
4298
4824
  # @return [Boolean]
4299
4825
  #
4300
4826
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsResponse AWS API Documentation
@@ -4363,8 +4889,8 @@ module Aws::KMS
4363
4889
  # @!attribute [rw] truncated
4364
4890
  # A flag that indicates whether there are more items in the list. When
4365
4891
  # this value is true, the list in this response is truncated. To get
4366
- # more items, pass the value of the `NextMarker` element in
4367
- # thisresponse to the `Marker` parameter in a subsequent request.
4892
+ # more items, pass the value of the `NextMarker` element in this
4893
+ # response to the `Marker` parameter in a subsequent request.
4368
4894
  # @return [Boolean]
4369
4895
  #
4370
4896
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPoliciesResponse AWS API Documentation
@@ -4377,6 +4903,90 @@ module Aws::KMS
4377
4903
  include Aws::Structure
4378
4904
  end
4379
4905
 
4906
+ # @!attribute [rw] key_id
4907
+ # Gets the key rotations for the specified KMS key.
4908
+ #
4909
+ # Specify the key ID or key ARN of the KMS key.
4910
+ #
4911
+ # For example:
4912
+ #
4913
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
4914
+ #
4915
+ # * Key ARN:
4916
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
4917
+ #
4918
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
4919
+ # DescribeKey.
4920
+ # @return [String]
4921
+ #
4922
+ # @!attribute [rw] include_key_material
4923
+ # Use this optional parameter to control which key materials
4924
+ # associated with this key are listed in the response. The default
4925
+ # value of this parameter is `ROTATIONS_ONLY`. If you omit this
4926
+ # parameter, KMS returns information on the key materials created by
4927
+ # automatic or on-demand key rotation. When you specify a value of
4928
+ # `ALL_KEY_MATERIAL`, KMS adds the first key material and any imported
4929
+ # key material pending rotation to the response. This parameter can
4930
+ # only be used with KMS keys that support automatic or on-demand key
4931
+ # rotation.
4932
+ # @return [String]
4933
+ #
4934
+ # @!attribute [rw] limit
4935
+ # Use this parameter to specify the maximum number of items to return.
4936
+ # When this value is present, KMS does not return more than the
4937
+ # specified number of items, but it might return fewer.
4938
+ #
4939
+ # This value is optional. If you include a value, it must be between 1
4940
+ # and 1000, inclusive. If you do not include a value, it defaults to
4941
+ # 100.
4942
+ # @return [Integer]
4943
+ #
4944
+ # @!attribute [rw] marker
4945
+ # Use this parameter in a subsequent request after you receive a
4946
+ # response with truncated results. Set it to the value of `NextMarker`
4947
+ # from the truncated response you just received.
4948
+ # @return [String]
4949
+ #
4950
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsRequest AWS API Documentation
4951
+ #
4952
+ class ListKeyRotationsRequest < Struct.new(
4953
+ :key_id,
4954
+ :include_key_material,
4955
+ :limit,
4956
+ :marker)
4957
+ SENSITIVE = []
4958
+ include Aws::Structure
4959
+ end
4960
+
4961
+ # @!attribute [rw] rotations
4962
+ # A list of completed key material rotations. When the optional input
4963
+ # parameter `IncludeKeyMaterial` is specified with a value of
4964
+ # `ALL_KEY_MATERIAL`, this list includes the first key material and
4965
+ # any imported key material pending rotation.
4966
+ # @return [Array<Types::RotationsListEntry>]
4967
+ #
4968
+ # @!attribute [rw] next_marker
4969
+ # When `Truncated` is true, this element is present and contains the
4970
+ # value to use for the `Marker` parameter in a subsequent request.
4971
+ # @return [String]
4972
+ #
4973
+ # @!attribute [rw] truncated
4974
+ # A flag that indicates whether there are more items in the list. When
4975
+ # this value is true, the list in this response is truncated. To get
4976
+ # more items, pass the value of the `NextMarker` element in this
4977
+ # response to the `Marker` parameter in a subsequent request.
4978
+ # @return [Boolean]
4979
+ #
4980
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotationsResponse AWS API Documentation
4981
+ #
4982
+ class ListKeyRotationsResponse < Struct.new(
4983
+ :rotations,
4984
+ :next_marker,
4985
+ :truncated)
4986
+ SENSITIVE = []
4987
+ include Aws::Structure
4988
+ end
4989
+
4380
4990
  # @!attribute [rw] limit
4381
4991
  # Use this parameter to specify the maximum number of items to return.
4382
4992
  # When this value is present, KMS does not return more than the
@@ -4414,8 +5024,8 @@ module Aws::KMS
4414
5024
  # @!attribute [rw] truncated
4415
5025
  # A flag that indicates whether there are more items in the list. When
4416
5026
  # this value is true, the list in this response is truncated. To get
4417
- # more items, pass the value of the `NextMarker` element in
4418
- # thisresponse to the `Marker` parameter in a subsequent request.
5027
+ # more items, pass the value of the `NextMarker` element in this
5028
+ # response to the `Marker` parameter in a subsequent request.
4419
5029
  # @return [Boolean]
4420
5030
  #
4421
5031
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeysResponse AWS API Documentation
@@ -4496,8 +5106,8 @@ module Aws::KMS
4496
5106
  # @!attribute [rw] truncated
4497
5107
  # A flag that indicates whether there are more items in the list. When
4498
5108
  # this value is true, the list in this response is truncated. To get
4499
- # more items, pass the value of the `NextMarker` element in
4500
- # thisresponse to the `Marker` parameter in a subsequent request.
5109
+ # more items, pass the value of the `NextMarker` element in this
5110
+ # response to the `Marker` parameter in a subsequent request.
4501
5111
  # @return [Boolean]
4502
5112
  #
4503
5113
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTagsResponse AWS API Documentation
@@ -4650,7 +5260,8 @@ module Aws::KMS
4650
5260
  # @return [String]
4651
5261
  #
4652
5262
  # @!attribute [rw] policy_name
4653
- # The name of the key policy. The only valid value is `default`.
5263
+ # The name of the key policy. If no policy name is specified, the
5264
+ # default value is `default`. The only valid value is `default`.
4654
5265
  # @return [String]
4655
5266
  #
4656
5267
  # @!attribute [rw] policy
@@ -4674,6 +5285,18 @@ module Aws::KMS
4674
5285
  # that I make are not always immediately visible][2] in the *Amazon
4675
5286
  # Web Services Identity and Access Management User Guide*.
4676
5287
  #
5288
+ # <note markdown="1"> If either of the required `Resource` or `Action` elements are
5289
+ # missing from a key policy statement, the policy statement has no
5290
+ # effect. When a key policy statement is missing one of these
5291
+ # elements, the KMS console correctly reports an error, but the
5292
+ # `PutKeyPolicy` API request succeeds, even though the policy
5293
+ # statement is ineffective.
5294
+ #
5295
+ # For more information on required key policy elements, see [Elements
5296
+ # in a key policy][3] in the *Key Management Service Developer Guide*.
5297
+ #
5298
+ # </note>
5299
+ #
4677
5300
  # A key policy document can include only the following characters:
4678
5301
  #
4679
5302
  # * Printable ASCII characters from the space character (`\u0020`)
@@ -4685,18 +5308,24 @@ module Aws::KMS
4685
5308
  # * The tab (`\u0009`), line feed (`\u000A`), and carriage return
4686
5309
  # (`\u000D`) special characters
4687
5310
  #
4688
- # For information about key policies, see [Key policies in KMS][3] in
5311
+ # <note markdown="1"> If the key policy exceeds the length constraint, KMS returns a
5312
+ # `LimitExceededException`.
5313
+ #
5314
+ # </note>
5315
+ #
5316
+ # For information about key policies, see [Key policies in KMS][4] in
4689
5317
  # the *Key Management Service Developer Guide*.For help writing and
4690
5318
  # formatting a JSON policy document, see the [IAM JSON Policy
4691
- # Reference][4] in the <i> <i>Identity and Access Management User
5319
+ # Reference][5] in the <i> <i>Identity and Access Management User
4692
5320
  # Guide</i> </i>.
4693
5321
  #
4694
5322
  #
4695
5323
  #
4696
5324
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
4697
5325
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
4698
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
4699
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
5326
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html#key-policy-elements
5327
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
5328
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
4700
5329
  # @return [String]
4701
5330
  #
4702
5331
  # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -4733,6 +5362,9 @@ module Aws::KMS
4733
5362
 
4734
5363
  # @!attribute [rw] ciphertext_blob
4735
5364
  # Ciphertext of the data to reencrypt.
5365
+ #
5366
+ # This parameter is required in all cases except when `DryRun` is
5367
+ # `true` and `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`.
4736
5368
  # @return [String]
4737
5369
  #
4738
5370
  # @!attribute [rw] source_encryption_context
@@ -4754,7 +5386,7 @@ module Aws::KMS
4754
5386
  #
4755
5387
  #
4756
5388
  #
4757
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
5389
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
4758
5390
  # @return [Hash<String,String>]
4759
5391
  #
4760
5392
  # @!attribute [rw] source_key_id
@@ -4766,11 +5398,12 @@ module Aws::KMS
4766
5398
  # operation throws an `IncorrectKeyException`.
4767
5399
  #
4768
5400
  # This parameter is required only when the ciphertext was encrypted
4769
- # under an asymmetric KMS key. If you used a symmetric encryption KMS
4770
- # key, KMS can get the KMS key from metadata that it adds to the
4771
- # symmetric ciphertext blob. However, it is always recommended as a
4772
- # best practice. This practice ensures that you use the KMS key that
4773
- # you intend.
5401
+ # under an asymmetric KMS key or when `DryRun` is `true` and
5402
+ # `DryRunModifiers` is set to `IGNORE_CIPHERTEXT`. If you used a
5403
+ # symmetric encryption KMS key, KMS can get the KMS key from metadata
5404
+ # that it adds to the symmetric ciphertext blob. However, it is always
5405
+ # recommended as a best practice. This practice ensures that you use
5406
+ # the KMS key that you intend.
4774
5407
  #
4775
5408
  # To specify a KMS key, use its key ID, key ARN, alias name, or alias
4776
5409
  # ARN. When using an alias name, prefix it with `"alias/"`. To specify
@@ -4844,7 +5477,7 @@ module Aws::KMS
4844
5477
  #
4845
5478
  #
4846
5479
  #
4847
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
5480
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
4848
5481
  # @return [Hash<String,String>]
4849
5482
  #
4850
5483
  # @!attribute [rw] source_encryption_algorithm
@@ -4881,21 +5514,38 @@ module Aws::KMS
4881
5514
  #
4882
5515
  #
4883
5516
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
4884
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
5517
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
4885
5518
  # @return [Array<String>]
4886
5519
  #
4887
5520
  # @!attribute [rw] dry_run
4888
5521
  # Checks if your request will succeed. `DryRun` is an optional
4889
5522
  # parameter.
4890
5523
  #
4891
- # To learn more about how to use this parameter, see [Testing your KMS
4892
- # API calls][1] in the *Key Management Service Developer Guide*.
5524
+ # To learn more about how to use this parameter, see [Testing your
5525
+ # permissions][1] in the *Key Management Service Developer Guide*.
4893
5526
  #
4894
5527
  #
4895
5528
  #
4896
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5529
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
4897
5530
  # @return [Boolean]
4898
5531
  #
5532
+ # @!attribute [rw] dry_run_modifiers
5533
+ # Specifies the modifiers to apply to the dry run operation.
5534
+ # `DryRunModifiers` is an optional parameter that only applies when
5535
+ # `DryRun` is set to `true`.
5536
+ #
5537
+ # When set to `IGNORE_CIPHERTEXT`, KMS performs only authorization
5538
+ # validation without ciphertext validation. This allows you to test
5539
+ # permissions without requiring a valid ciphertext blob.
5540
+ #
5541
+ # To learn more about how to use this parameter, see [Testing your
5542
+ # permissions][1] in the *Key Management Service Developer Guide*.
5543
+ #
5544
+ #
5545
+ #
5546
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
5547
+ # @return [Array<String>]
5548
+ #
4899
5549
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
4900
5550
  #
4901
5551
  class ReEncryptRequest < Struct.new(
@@ -4907,7 +5557,8 @@ module Aws::KMS
4907
5557
  :source_encryption_algorithm,
4908
5558
  :destination_encryption_algorithm,
4909
5559
  :grant_tokens,
4910
- :dry_run)
5560
+ :dry_run,
5561
+ :dry_run_modifiers)
4911
5562
  SENSITIVE = []
4912
5563
  include Aws::Structure
4913
5564
  end
@@ -4941,6 +5592,18 @@ module Aws::KMS
4941
5592
  # The encryption algorithm that was used to reencrypt the data.
4942
5593
  # @return [String]
4943
5594
  #
5595
+ # @!attribute [rw] source_key_material_id
5596
+ # The identifier of the key material used to originally encrypt the
5597
+ # data. This field is present only when the original encryption used a
5598
+ # symmetric encryption KMS key.
5599
+ # @return [String]
5600
+ #
5601
+ # @!attribute [rw] destination_key_material_id
5602
+ # The identifier of the key material used to reencrypt the data. This
5603
+ # field is present only when data is reencrypted using a symmetric
5604
+ # encryption KMS key.
5605
+ # @return [String]
5606
+ #
4944
5607
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
4945
5608
  #
4946
5609
  class ReEncryptResponse < Struct.new(
@@ -4948,7 +5611,9 @@ module Aws::KMS
4948
5611
  :source_key_id,
4949
5612
  :key_id,
4950
5613
  :source_encryption_algorithm,
4951
- :destination_encryption_algorithm)
5614
+ :destination_encryption_algorithm,
5615
+ :source_key_material_id,
5616
+ :destination_key_material_id)
4952
5617
  SENSITIVE = []
4953
5618
  include Aws::Structure
4954
5619
  end
@@ -4957,24 +5622,26 @@ module Aws::KMS
4957
5622
  # the API operation.
4958
5623
  #
4959
5624
  # This data type is designed to support Amazon Web Services Nitro
4960
- # Enclaves, which lets you create an isolated compute environment in
4961
- # Amazon EC2. For information about the interaction between KMS and
4962
- # Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
4963
- # Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
5625
+ # Enclaves and Amazon Web Services NitroTPM, which lets you create an
5626
+ # attested environment in Amazon EC2. For information about the
5627
+ # interaction between KMS and Amazon Web Services Nitro Enclaves or
5628
+ # Amazon Web Services NitroTPM, see [Cryptographic attestation support
5629
+ # in KMS][1] in the *Key Management Service Developer Guide*.
4964
5630
  #
4965
5631
  #
4966
5632
  #
4967
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
5633
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
4968
5634
  #
4969
5635
  # @!attribute [rw] key_encryption_algorithm
4970
5636
  # The encryption algorithm that KMS should use with the public key for
4971
- # an Amazon Web Services Nitro Enclave to encrypt plaintext values for
4972
- # the response. The only valid value is `RSAES_OAEP_SHA_256`.
5637
+ # an Amazon Web Services Nitro Enclave or NitroTPM to encrypt
5638
+ # plaintext values for the response. The only valid value is
5639
+ # `RSAES_OAEP_SHA_256`.
4973
5640
  # @return [String]
4974
5641
  #
4975
5642
  # @!attribute [rw] attestation_document
4976
- # The attestation document for an Amazon Web Services Nitro Enclave.
4977
- # This document includes the enclave's public key.
5643
+ # The attestation document for an Amazon Web Services Nitro Enclave or
5644
+ # a NitroTPM. This document includes the enclave's public key.
4978
5645
  # @return [String]
4979
5646
  #
4980
5647
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
@@ -5014,33 +5681,23 @@ module Aws::KMS
5014
5681
  # [KMS service endpoints][1] in the *Amazon Web Services General
5015
5682
  # Reference*.
5016
5683
  #
5017
- # <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
5018
- # If you try to replicate an HMAC KMS key in an Amazon Web Services
5019
- # Region in which HMAC keys are not supported, the `ReplicateKey`
5020
- # operation returns an `UnsupportedOperationException`. For a list of
5021
- # Regions in which HMAC KMS keys are supported, see [HMAC keys in
5022
- # KMS][2] in the *Key Management Service Developer Guide*.
5023
- #
5024
- # </note>
5025
- #
5026
5684
  # The replica must be in a different Amazon Web Services Region than
5027
5685
  # its primary key and other replicas of that primary key, but in the
5028
5686
  # same Amazon Web Services partition. KMS must be available in the
5029
5687
  # replica Region. If the Region is not enabled by default, the Amazon
5030
5688
  # Web Services account must be enabled in the Region. For information
5031
5689
  # about Amazon Web Services partitions, see [Amazon Resource Names
5032
- # (ARNs)][3] in the *Amazon Web Services General Reference*. For
5690
+ # (ARNs)][2] in the *Amazon Web Services General Reference*. For
5033
5691
  # information about enabling and disabling Regions, see [Enabling a
5034
- # Region][4] and [Disabling a Region][5] in the *Amazon Web Services
5692
+ # Region][3] and [Disabling a Region][4] in the *Amazon Web Services
5035
5693
  # General Reference*.
5036
5694
  #
5037
5695
  #
5038
5696
  #
5039
5697
  # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
5040
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
5041
- # [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
5042
- # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
5043
- # [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
5698
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
5699
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
5700
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
5044
5701
  # @return [String]
5045
5702
  #
5046
5703
  # @!attribute [rw] policy
@@ -5090,7 +5747,7 @@ module Aws::KMS
5090
5747
  #
5091
5748
  #
5092
5749
  #
5093
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
5750
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
5094
5751
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
5095
5752
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
5096
5753
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
@@ -5163,7 +5820,7 @@ module Aws::KMS
5163
5820
  # When you add tags to an Amazon Web Services resource, Amazon Web
5164
5821
  # Services generates a cost allocation report with usage and costs
5165
5822
  # aggregated by tags. Tags can also be used to control access to a KMS
5166
- # key. For details, see [Tagging Keys][3].
5823
+ # key. For details, see [Tags in KMS][3].
5167
5824
  #
5168
5825
  #
5169
5826
  #
@@ -5254,12 +5911,12 @@ module Aws::KMS
5254
5911
  # Checks if your request will succeed. `DryRun` is an optional
5255
5912
  # parameter.
5256
5913
  #
5257
- # To learn more about how to use this parameter, see [Testing your KMS
5258
- # API calls][1] in the *Key Management Service Developer Guide*.
5914
+ # To learn more about how to use this parameter, see [Testing your
5915
+ # permissions][1] in the *Key Management Service Developer Guide*.
5259
5916
  #
5260
5917
  #
5261
5918
  #
5262
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5919
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
5263
5920
  # @return [Boolean]
5264
5921
  #
5265
5922
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
@@ -5302,12 +5959,12 @@ module Aws::KMS
5302
5959
  # Checks if your request will succeed. `DryRun` is an optional
5303
5960
  # parameter.
5304
5961
  #
5305
- # To learn more about how to use this parameter, see [Testing your KMS
5306
- # API calls][1] in the *Key Management Service Developer Guide*.
5962
+ # To learn more about how to use this parameter, see [Testing your
5963
+ # permissions][1] in the *Key Management Service Developer Guide*.
5307
5964
  #
5308
5965
  #
5309
5966
  #
5310
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
5967
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
5311
5968
  # @return [Boolean]
5312
5969
  #
5313
5970
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
@@ -5320,6 +5977,153 @@ module Aws::KMS
5320
5977
  include Aws::Structure
5321
5978
  end
5322
5979
 
5980
+ # @!attribute [rw] key_id
5981
+ # Identifies a symmetric encryption KMS key. You cannot perform
5982
+ # on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
5983
+ # multi-Region KMS keys with [imported key material][3], or KMS keys
5984
+ # in a [custom key store][4]. To perform on-demand rotation of a set
5985
+ # of related [multi-Region keys][5], invoke the on-demand rotation on
5986
+ # the primary key.
5987
+ #
5988
+ # Specify the key ID or key ARN of the KMS key.
5989
+ #
5990
+ # For example:
5991
+ #
5992
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
5993
+ #
5994
+ # * Key ARN:
5995
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
5996
+ #
5997
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
5998
+ # DescribeKey.
5999
+ #
6000
+ #
6001
+ #
6002
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
6003
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
6004
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
6005
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html
6006
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate
6007
+ # @return [String]
6008
+ #
6009
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandRequest AWS API Documentation
6010
+ #
6011
+ class RotateKeyOnDemandRequest < Struct.new(
6012
+ :key_id)
6013
+ SENSITIVE = []
6014
+ include Aws::Structure
6015
+ end
6016
+
6017
+ # @!attribute [rw] key_id
6018
+ # Identifies the symmetric encryption KMS key that you initiated
6019
+ # on-demand rotation on.
6020
+ # @return [String]
6021
+ #
6022
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemandResponse AWS API Documentation
6023
+ #
6024
+ class RotateKeyOnDemandResponse < Struct.new(
6025
+ :key_id)
6026
+ SENSITIVE = []
6027
+ include Aws::Structure
6028
+ end
6029
+
6030
+ # Each entry contains information about one of the key materials
6031
+ # associated with a KMS key.
6032
+ #
6033
+ # @!attribute [rw] key_id
6034
+ # Unique identifier of the key.
6035
+ # @return [String]
6036
+ #
6037
+ # @!attribute [rw] key_material_id
6038
+ # Unique identifier of the key material.
6039
+ # @return [String]
6040
+ #
6041
+ # @!attribute [rw] key_material_description
6042
+ # User-specified description of the key material. This field is only
6043
+ # present for symmetric encryption KMS keys with `EXTERNAL` origin.
6044
+ # @return [String]
6045
+ #
6046
+ # @!attribute [rw] import_state
6047
+ # Indicates if the key material is currently imported into KMS. It has
6048
+ # two possible values: `IMPORTED` or `PENDING_IMPORT`. This field is
6049
+ # only present for symmetric encryption KMS keys with `EXTERNAL`
6050
+ # origin.
6051
+ # @return [String]
6052
+ #
6053
+ # @!attribute [rw] key_material_state
6054
+ # There are four possible values for this field: `CURRENT`,
6055
+ # `NON_CURRENT`, `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
6056
+ # `PENDING_ROTATION`. KMS uses `CURRENT` key material for both
6057
+ # encryption and decryption and `NON_CURRENT` key material only for
6058
+ # decryption. `PENDING_ROTATION` identifies key material that has been
6059
+ # imported for on-demand key rotation but the rotation hasn't
6060
+ # completed. The key material state
6061
+ # `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` is unique to
6062
+ # multi-region, symmetric encryption keys with imported key material.
6063
+ # It indicates key material that has been imported into the primary
6064
+ # Region key but not all of the replica Region keys. When this key
6065
+ # material is imported in to all of the replica Region keys, the key
6066
+ # material state will change to `PENDING_ROTATION`. Key material in
6067
+ # `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` or `PENDING_ROTATION`
6068
+ # state is not permanently associated with the KMS key. You can delete
6069
+ # this key material and import different key material in its place.
6070
+ # The `PENDING_MULTI_REGION_IMPORT_AND_ROTATION` and
6071
+ # `PENDING_ROTATION` values are only used in symmetric encryption keys
6072
+ # with imported key material. The other values, `CURRENT` and
6073
+ # `NON_CURRENT`, are used for all KMS keys that support automatic or
6074
+ # on-demand key rotation.
6075
+ # @return [String]
6076
+ #
6077
+ # @!attribute [rw] expiration_model
6078
+ # Indicates if the key material is configured to automatically expire.
6079
+ # There are two possible values for this field: `KEY_MATERIAL_EXPIRES`
6080
+ # and `KEY_MATERIAL_DOES_NOT_EXPIRE`. For any key material that
6081
+ # expires, the expiration date and time is indicated in `ValidTo`.
6082
+ # This field is only present for symmetric encryption KMS keys with
6083
+ # `EXTERNAL` origin.
6084
+ # @return [String]
6085
+ #
6086
+ # @!attribute [rw] valid_to
6087
+ # Date and time at which the key material expires. This field is only
6088
+ # present for symmetric encryption KMS keys with `EXTERNAL` origin in
6089
+ # rotation list entries with an `ExpirationModel` value of
6090
+ # `KEY_MATERIAL_EXPIRES`.
6091
+ # @return [Time]
6092
+ #
6093
+ # @!attribute [rw] rotation_date
6094
+ # Date and time that the key material rotation completed. Formatted as
6095
+ # Unix time. This field is not present for the first key material or
6096
+ # an imported key material in `PENDING_ROTATION` state.
6097
+ # @return [Time]
6098
+ #
6099
+ # @!attribute [rw] rotation_type
6100
+ # Identifies whether the key material rotation was a scheduled
6101
+ # [automatic rotation][1] or an [on-demand rotation][2]. This field is
6102
+ # not present for the first key material or an imported key material
6103
+ # in `PENDING_ROTATION` state.
6104
+ #
6105
+ #
6106
+ #
6107
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-enable-disable.html
6108
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-on-demand.html
6109
+ # @return [String]
6110
+ #
6111
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotationsListEntry AWS API Documentation
6112
+ #
6113
+ class RotationsListEntry < Struct.new(
6114
+ :key_id,
6115
+ :key_material_id,
6116
+ :key_material_description,
6117
+ :import_state,
6118
+ :key_material_state,
6119
+ :expiration_model,
6120
+ :valid_to,
6121
+ :rotation_date,
6122
+ :rotation_type)
6123
+ SENSITIVE = []
6124
+ include Aws::Structure
6125
+ end
6126
+
5323
6127
  # @!attribute [rw] key_id
5324
6128
  # The unique identifier of the KMS key to delete.
5325
6129
  #
@@ -5451,27 +6255,41 @@ module Aws::KMS
5451
6255
  # Tells KMS whether the value of the `Message` parameter should be
5452
6256
  # hashed as part of the signing algorithm. Use `RAW` for unhashed
5453
6257
  # messages; use `DIGEST` for message digests, which are already
5454
- # hashed.
6258
+ # hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
6259
+ # ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
5455
6260
  #
5456
6261
  # When the value of `MessageType` is `RAW`, KMS uses the standard
5457
6262
  # signing algorithm, which begins with a hash function. When the value
5458
6263
  # is `DIGEST`, KMS skips the hashing step in the signing algorithm.
6264
+ # When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
6265
+ # of the public key hash and the message done in the ML-DSA signing
6266
+ # algorithm.
6267
+ #
6268
+ # Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
6269
+ # `Message` parameter is a message digest. If you use the `DIGEST`
6270
+ # value with an unhashed message, the security of the signing
6271
+ # operation can be compromised.
6272
+ #
6273
+ # When using ECC\_NIST\_EDWARDS25519 KMS keys:
6274
+ #
6275
+ # * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
5459
6276
  #
5460
- # Use the `DIGEST` value only when the value of the `Message`
5461
- # parameter is a message digest. If you use the `DIGEST` value with an
5462
- # unhashed message, the security of the signing operation can be
5463
- # compromised.
6277
+ # * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
6278
+ # `MessageType:DIGEST`
5464
6279
  #
5465
- # When the value of `MessageType`is `DIGEST`, the length of the
6280
+ # When the value of `MessageType` is `DIGEST`, the length of the
5466
6281
  # `Message` value must match the length of hashed messages for the
5467
6282
  # specified signing algorithm.
5468
6283
  #
6284
+ # When the value of `MessageType` is `EXTERNAL_MU` the length of the
6285
+ # `Message` value must be 64 bytes.
6286
+ #
5469
6287
  # You can submit a message digest and omit the `MessageType` or
5470
6288
  # specify `RAW` so the digest is hashed again while signing. However,
5471
6289
  # this can cause verification failures when verifying with a system
5472
6290
  # that assumes a single hash.
5473
6291
  #
5474
- # The hashing algorithm in that `Sign` uses is based on the
6292
+ # The hashing algorithm that `Sign` uses is based on the
5475
6293
  # `SigningAlgorithm` value.
5476
6294
  #
5477
6295
  # * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -5483,12 +6301,15 @@ module Aws::KMS
5483
6301
  # * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
5484
6302
  # algorithm.
5485
6303
  #
6304
+ # * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
6305
+ # hashing algorithm.
6306
+ #
5486
6307
  # * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
5487
6308
  # verification with SM2 key pairs][1].
5488
6309
  #
5489
6310
  #
5490
6311
  #
5491
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
6312
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
5492
6313
  # @return [String]
5493
6314
  #
5494
6315
  # @!attribute [rw] grant_tokens
@@ -5502,7 +6323,7 @@ module Aws::KMS
5502
6323
  #
5503
6324
  #
5504
6325
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
5505
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
6326
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
5506
6327
  # @return [Array<String>]
5507
6328
  #
5508
6329
  # @!attribute [rw] signing_algorithm
@@ -5518,12 +6339,12 @@ module Aws::KMS
5518
6339
  # Checks if your request will succeed. `DryRun` is an optional
5519
6340
  # parameter.
5520
6341
  #
5521
- # To learn more about how to use this parameter, see [Testing your KMS
5522
- # API calls][1] in the *Key Management Service Developer Guide*.
6342
+ # To learn more about how to use this parameter, see [Testing your
6343
+ # permissions][1] in the *Key Management Service Developer Guide*.
5523
6344
  #
5524
6345
  #
5525
6346
  #
5526
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6347
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
5527
6348
  # @return [Boolean]
5528
6349
  #
5529
6350
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
@@ -5748,8 +6569,8 @@ module Aws::KMS
5748
6569
  #
5749
6570
  #
5750
6571
  #
5751
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
5752
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
6572
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key
6573
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key
5753
6574
  # @return [String]
5754
6575
  #
5755
6576
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAliasRequest AWS API Documentation
@@ -5863,6 +6684,16 @@ module Aws::KMS
5863
6684
  # To change this value, the external key store must be disconnected.
5864
6685
  # @return [String]
5865
6686
  #
6687
+ # @!attribute [rw] xks_proxy_vpc_endpoint_service_owner
6688
+ # Changes the Amazon Web Services account ID that KMS uses to identify
6689
+ # the Amazon VPC endpoint service for your external key store proxy
6690
+ # (XKS proxy). This parameter is optional. If not specified, the
6691
+ # current Amazon Web Services account ID for the VPC endpoint service
6692
+ # will not be updated.
6693
+ #
6694
+ # To change this value, the external key store must be disconnected.
6695
+ # @return [String]
6696
+ #
5866
6697
  # @!attribute [rw] xks_proxy_authentication_credential
5867
6698
  # Changes the credentials that KMS uses to sign requests to the
5868
6699
  # external key store proxy (XKS proxy). This parameter is valid only
@@ -5910,6 +6741,7 @@ module Aws::KMS
5910
6741
  :xks_proxy_uri_endpoint,
5911
6742
  :xks_proxy_uri_path,
5912
6743
  :xks_proxy_vpc_endpoint_service_name,
6744
+ :xks_proxy_vpc_endpoint_service_owner,
5913
6745
  :xks_proxy_authentication_credential,
5914
6746
  :xks_proxy_connectivity)
5915
6747
  SENSITIVE = [:key_store_password]
@@ -6028,19 +6860,19 @@ module Aws::KMS
6028
6860
  #
6029
6861
  #
6030
6862
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
6031
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
6863
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
6032
6864
  # @return [Array<String>]
6033
6865
  #
6034
6866
  # @!attribute [rw] dry_run
6035
6867
  # Checks if your request will succeed. `DryRun` is an optional
6036
6868
  # parameter.
6037
6869
  #
6038
- # To learn more about how to use this parameter, see [Testing your KMS
6039
- # API calls][1] in the *Key Management Service Developer Guide*.
6870
+ # To learn more about how to use this parameter, see [Testing your
6871
+ # permissions][1] in the *Key Management Service Developer Guide*.
6040
6872
  #
6041
6873
  #
6042
6874
  #
6043
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
6875
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
6044
6876
  # @return [Boolean]
6045
6877
  #
6046
6878
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
@@ -6124,28 +6956,42 @@ module Aws::KMS
6124
6956
  # Tells KMS whether the value of the `Message` parameter should be
6125
6957
  # hashed as part of the signing algorithm. Use `RAW` for unhashed
6126
6958
  # messages; use `DIGEST` for message digests, which are already
6127
- # hashed.
6959
+ # hashed; use `EXTERNAL_MU` for 64-byte representative μ used in
6960
+ # ML-DSA signing as defined in NIST FIPS 204 Section 6.2.
6128
6961
  #
6129
6962
  # When the value of `MessageType` is `RAW`, KMS uses the standard
6130
6963
  # signing algorithm, which begins with a hash function. When the value
6131
6964
  # is `DIGEST`, KMS skips the hashing step in the signing algorithm.
6965
+ # When the value is `EXTERNAL_MU` KMS skips the concatenated hashing
6966
+ # of the public key hash and the message done in the ML-DSA signing
6967
+ # algorithm.
6968
+ #
6969
+ # Use the `DIGEST` or `EXTERNAL_MU` value only when the value of the
6970
+ # `Message` parameter is a message digest. If you use the `DIGEST`
6971
+ # value with an unhashed message, the security of the signing
6972
+ # operation can be compromised.
6132
6973
  #
6133
- # Use the `DIGEST` value only when the value of the `Message`
6134
- # parameter is a message digest. If you use the `DIGEST` value with an
6135
- # unhashed message, the security of the verification operation can be
6136
- # compromised.
6974
+ # When using ECC\_NIST\_EDWARDS25519 KMS keys:
6137
6975
  #
6138
- # When the value of `MessageType`is `DIGEST`, the length of the
6976
+ # * ED25519\_SHA\_512 signing algorithm requires KMS `MessageType:RAW`
6977
+ #
6978
+ # * ED25519\_PH\_SHA\_512 signing algorithm requires KMS
6979
+ # `MessageType:DIGEST`
6980
+ #
6981
+ # When the value of `MessageType` is `DIGEST`, the length of the
6139
6982
  # `Message` value must match the length of hashed messages for the
6140
6983
  # specified signing algorithm.
6141
6984
  #
6985
+ # When the value of `MessageType` is `EXTERNAL_MU` the length of the
6986
+ # `Message` value must be 64 bytes.
6987
+ #
6142
6988
  # You can submit a message digest and omit the `MessageType` or
6143
6989
  # specify `RAW` so the digest is hashed again while signing. However,
6144
6990
  # if the signed message is hashed once while signing, but twice while
6145
6991
  # verifying, verification fails, even when the message hasn't
6146
6992
  # changed.
6147
6993
  #
6148
- # The hashing algorithm in that `Verify` uses is based on the
6994
+ # The hashing algorithm that `Verify` uses is based on the
6149
6995
  # `SigningAlgorithm` value.
6150
6996
  #
6151
6997
  # * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
@@ -6157,12 +7003,15 @@ module Aws::KMS
6157
7003
  # * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
6158
7004
  # algorithm.
6159
7005
  #
7006
+ # * Signing algorithms that end in SHAKE\_256 use the SHAKE\_256
7007
+ # hashing algorithm.
7008
+ #
6160
7009
  # * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
6161
7010
  # verification with SM2 key pairs][1].
6162
7011
  #
6163
7012
  #
6164
7013
  #
6165
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
7014
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/offline-operations.html#key-spec-sm-offline-verification
6166
7015
  # @return [String]
6167
7016
  #
6168
7017
  # @!attribute [rw] signature
@@ -6185,19 +7034,19 @@ module Aws::KMS
6185
7034
  #
6186
7035
  #
6187
7036
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
6188
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
7037
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
6189
7038
  # @return [Array<String>]
6190
7039
  #
6191
7040
  # @!attribute [rw] dry_run
6192
7041
  # Checks if your request will succeed. `DryRun` is an optional
6193
7042
  # parameter.
6194
7043
  #
6195
- # To learn more about how to use this parameter, see [Testing your KMS
6196
- # API calls][1] in the *Key Management Service Developer Guide*.
7044
+ # To learn more about how to use this parameter, see [Testing your
7045
+ # permissions][1] in the *Key Management Service Developer Guide*.
6197
7046
  #
6198
7047
  #
6199
7048
  #
6200
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
7049
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
6201
7050
  # @return [Boolean]
6202
7051
  #
6203
7052
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
@@ -6398,6 +7247,13 @@ module Aws::KMS
6398
7247
  # with KMS.
6399
7248
  # @return [String]
6400
7249
  #
7250
+ # @!attribute [rw] vpc_endpoint_service_owner
7251
+ # The Amazon Web Services account ID that owns the Amazon VPC endpoint
7252
+ # service used to communicate with the external key store proxy (XKS).
7253
+ # This field appears only when the XKS uses an VPC endpoint service to
7254
+ # communicate with KMS.
7255
+ # @return [String]
7256
+ #
6401
7257
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
6402
7258
  #
6403
7259
  class XksProxyConfigurationType < Struct.new(
@@ -6405,7 +7261,8 @@ module Aws::KMS
6405
7261
  :access_key_id,
6406
7262
  :uri_endpoint,
6407
7263
  :uri_path,
6408
- :vpc_endpoint_service_name)
7264
+ :vpc_endpoint_service_name,
7265
+ :vpc_endpoint_service_owner)
6409
7266
  SENSITIVE = [:access_key_id]
6410
7267
  include Aws::Structure
6411
7268
  end
@@ -6567,3 +7424,4 @@ module Aws::KMS
6567
7424
 
6568
7425
  end
6569
7426
  end
7427
+