aws-sdk-kms 1.76.0 → 1.91.0

@@ -22,6 +22,7 @@ require 'aws-sdk-core/plugins/endpoint_pattern.rb'
22
22
  require 'aws-sdk-core/plugins/response_paging.rb'
23
23
  require 'aws-sdk-core/plugins/stub_responses.rb'
24
24
  require 'aws-sdk-core/plugins/idempotency_token.rb'
25
+ require 'aws-sdk-core/plugins/invocation_id.rb'
25
26
  require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
26
27
  require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
27
28
  require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
@@ -31,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
31
32
  require 'aws-sdk-core/plugins/request_compression.rb'
32
33
  require 'aws-sdk-core/plugins/defaults_mode.rb'
33
34
  require 'aws-sdk-core/plugins/recursion_detection.rb'
35
+ require 'aws-sdk-core/plugins/telemetry.rb'
34
36
  require 'aws-sdk-core/plugins/sign.rb'
35
37
  require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
36
38
 
@@ -72,6 +74,7 @@ module Aws::KMS
72
74
  add_plugin(Aws::Plugins::ResponsePaging)
73
75
  add_plugin(Aws::Plugins::StubResponses)
74
76
  add_plugin(Aws::Plugins::IdempotencyToken)
77
+ add_plugin(Aws::Plugins::InvocationId)
75
78
  add_plugin(Aws::Plugins::JsonvalueConverter)
76
79
  add_plugin(Aws::Plugins::ClientMetricsPlugin)
77
80
  add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
@@ -81,12 +84,18 @@ module Aws::KMS
81
84
  add_plugin(Aws::Plugins::RequestCompression)
82
85
  add_plugin(Aws::Plugins::DefaultsMode)
83
86
  add_plugin(Aws::Plugins::RecursionDetection)
87
+ add_plugin(Aws::Plugins::Telemetry)
84
88
  add_plugin(Aws::Plugins::Sign)
85
89
  add_plugin(Aws::Plugins::Protocols::JsonRpc)
86
90
  add_plugin(Aws::KMS::Plugins::Endpoints)
87
91
 
88
92
  # @overload initialize(options)
89
93
  # @param [Hash] options
94
+ #
95
+ # @option options [Array<Seahorse::Client::Plugin>] :plugins ([]])
96
+ # A list of plugins to apply to the client. Each plugin is either a
97
+ # class name or an instance of a plugin class.
98
+ #
90
99
  # @option options [required, Aws::CredentialProvider] :credentials
91
100
  # Your AWS credentials. This can be an instance of any one of the
92
101
  # following classes:
@@ -196,10 +205,16 @@ module Aws::KMS
196
205
  # When set to 'true' the request body will not be compressed
197
206
  # for supported operations.
198
207
  #
199
- # @option options [String] :endpoint
200
- # The client endpoint is normally constructed from the `:region`
201
- # option. You should only configure an `:endpoint` when connecting
202
- # to test or custom endpoints. This should be a valid HTTP(S) URI.
208
+ # @option options [String, URI::HTTPS, URI::HTTP] :endpoint
209
+ # Normally you should not configure the `:endpoint` option
210
+ # directly. This is normally constructed from the `:region`
211
+ # option. Configuring `:endpoint` is normally reserved for
212
+ # connecting to test or custom endpoints. The endpoint should
213
+ # be a URI formatted like:
214
+ #
215
+ # 'http://example.com'
216
+ # 'https://example.com'
217
+ # 'http://example.com:123'
203
218
  #
204
219
  # @option options [Integer] :endpoint_cache_max_entries (1000)
205
220
  # Used for the maximum size limit of the LRU cache storing endpoints data
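Review bot: The new `:endpoint` text at new lines 208–217 widens the accepted types to `URI::HTTP` and gives two plain `http://` examples next to the `https://` one, without saying when a cleartext endpoint is acceptable; for a client whose responses carry plaintext secrets (the `shared_secret` documented later in this diff), that reads as an endorsement of unencrypted transport. A one-line qualifier after the examples would close the gap: `# Use an http:// endpoint only for a local test stub; production traffic should stay on https://.` The `@option` list continues past the end of this hunk.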
@@ -289,25 +304,31 @@ module Aws::KMS
289
304
  # throttling. This is a provisional mode that may change behavior
290
305
  # in the future.
291
306
  #
292
- #
293
307
  # @option options [String] :sdk_ua_app_id
294
308
  # A unique and opaque application ID that is appended to the
295
- # User-Agent header as app/<sdk_ua_app_id>. It should have a
296
- # maximum length of 50.
309
+ # User-Agent header as app/sdk_ua_app_id. It should have a
310
+ # maximum length of 50. This variable is sourced from environment
311
+ # variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
297
312
  #
298
313
  # @option options [String] :secret_access_key
299
314
  #
300
315
  # @option options [String] :session_token
301
316
  #
317
+ # @option options [Array] :sigv4a_signing_region_set
318
+ # A list of regions that should be signed with SigV4a signing. When
319
+ # not passed, a default `:sigv4a_signing_region_set` is searched for
320
+ # in the following locations:
321
+ #
322
+ # * `Aws.config[:sigv4a_signing_region_set]`
323
+ # * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
324
+ # * `~/.aws/config`
325
+ #
302
326
  # @option options [Boolean] :simple_json (false)
303
327
  # Disables request parameter conversion, validation, and formatting.
304
- # Also disable response data type conversions. This option is useful
305
- # when you want to ensure the highest level of performance by
306
- # avoiding overhead of walking request parameters and response data
307
- # structures.
308
- #
309
- # When `:simple_json` is enabled, the request parameters hash must
310
- # be formatted exactly as the DynamoDB API expects.
328
+ # Also disables response data type conversions. The request parameters
329
+ # hash must be formatted exactly as the API expects.This option is useful
330
+ # when you want to ensure the highest level of performance by avoiding
331
+ # overhead of walking request parameters and response data structures.
311
332
  #
312
333
  # @option options [Boolean] :stub_responses (false)
313
334
  # Causes the client to return stubbed responses. By default
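Review bot: `expects.This` at new line 329 is missing the space after the period: `# hash must be formatted exactly as the API expects. This option is useful`. In the same hunk the `:sdk_ua_app_id` description changed `app/<sdk_ua_app_id>` to `app/sdk_ua_app_id`, which now reads as a literal User-Agent token rather than a placeholder; if the angle brackets were dropped for rendering reasons, `app/{sdk_ua_app_id}` or a sentence such as `# where sdk_ua_app_id is the configured value` would keep the meaning. The `:stub_responses` entry that closes the hunk continues outside it.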
@@ -318,6 +339,16 @@ module Aws::KMS
318
339
  # ** Please note ** When response stubbing is enabled, no HTTP
319
340
  # requests are made, and retries are disabled.
320
341
  #
342
+ # @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
343
+ # Allows you to provide a telemetry provider, which is used to
344
+ # emit telemetry data. By default, uses `NoOpTelemetryProvider` which
345
+ # will not record or emit any telemetry data. The SDK supports the
346
+ # following telemetry providers:
347
+ #
348
+ # * OpenTelemetry (OTel) - To use the OTel provider, install and require the
349
+ # `opentelemetry-sdk` gem and then, pass in an instance of a
350
+ # `Aws::Telemetry::OTelProvider` for telemetry provider.
351
+ #
321
352
  # @option options [Aws::TokenProvider] :token_provider
322
353
  # A Bearer Token Provider. This can be an instance of any one of the
323
354
  # following classes:
@@ -347,50 +378,71 @@ module Aws::KMS
347
378
  # @option options [Aws::KMS::EndpointProvider] :endpoint_provider
348
379
  # The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::KMS::EndpointParameters`
349
380
  #
350
- # @option options [URI::HTTP,String] :http_proxy A proxy to send
351
- # requests through. Formatted like 'http://proxy.com:123'.
352
- #
353
- # @option options [Float] :http_open_timeout (15) The number of
354
- # seconds to wait when opening a HTTP session before raising a
355
- # `Timeout::Error`.
356
- #
357
- # @option options [Float] :http_read_timeout (60) The default
358
- # number of seconds to wait for response data. This value can
359
- # safely be set per-request on the session.
360
- #
361
- # @option options [Float] :http_idle_timeout (5) The number of
362
- # seconds a connection is allowed to sit idle before it is
363
- # considered stale. Stale connections are closed and removed
364
- # from the pool before making a request.
365
- #
366
- # @option options [Float] :http_continue_timeout (1) The number of
367
- # seconds to wait for a 100-continue response before sending the
368
- # request body. This option has no effect unless the request has
369
- # "Expect" header set to "100-continue". Defaults to `nil` which
370
- # disables this behaviour. This value can safely be set per
371
- # request on the session.
381
+ # @option options [Float] :http_continue_timeout (1)
382
+ # The number of seconds to wait for a 100-continue response before sending the
383
+ # request body. This option has no effect unless the request has "Expect"
384
+ # header set to "100-continue". Defaults to `nil` which disables this
385
+ # behaviour. This value can safely be set per request on the session.
386
+ #
387
+ # @option options [Float] :http_idle_timeout (5)
388
+ # The number of seconds a connection is allowed to sit idle before it
389
+ # is considered stale. Stale connections are closed and removed from the
390
+ # pool before making a request.
391
+ #
392
+ # @option options [Float] :http_open_timeout (15)
393
+ # The default number of seconds to wait for response data.
394
+ # This value can safely be set per-request on the session.
395
+ #
396
+ # @option options [URI::HTTP,String] :http_proxy
397
+ # A proxy to send requests through. Formatted like 'http://proxy.com:123'.
398
+ #
399
+ # @option options [Float] :http_read_timeout (60)
400
+ # The default number of seconds to wait for response data.
401
+ # This value can safely be set per-request on the session.
402
+ #
403
+ # @option options [Boolean] :http_wire_trace (false)
404
+ # When `true`, HTTP debug output will be sent to the `:logger`.
405
+ #
406
+ # @option options [Proc] :on_chunk_received
407
+ # When a Proc object is provided, it will be used as callback when each chunk
408
+ # of the response body is received. It provides three arguments: the chunk,
409
+ # the number of bytes received, and the total number of
410
+ # bytes in the response (or nil if the server did not send a `content-length`).
411
+ #
412
+ # @option options [Proc] :on_chunk_sent
413
+ # When a Proc object is provided, it will be used as callback when each chunk
414
+ # of the request body is sent. It provides three arguments: the chunk,
415
+ # the number of bytes read from the body, and the total number of
416
+ # bytes in the body.
417
+ #
418
+ # @option options [Boolean] :raise_response_errors (true)
419
+ # When `true`, response errors are raised.
420
+ #
421
+ # @option options [String] :ssl_ca_bundle
422
+ # Full path to the SSL certificate authority bundle file that should be used when
423
+ # verifying peer certificates. If you do not pass `:ssl_ca_bundle` or
424
+ # `:ssl_ca_directory` the the system default will be used if available.
425
+ #
426
+ # @option options [String] :ssl_ca_directory
427
+ # Full path of the directory that contains the unbundled SSL certificate
428
+ # authority files for verifying peer certificates. If you do
429
+ # not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the system
430
+ # default will be used if available.
372
431
  #
373
- # @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
374
- # in seconds.
432
+ # @option options [String] :ssl_ca_store
433
+ # Sets the X509::Store to verify peer certificate.
375
434
  #
376
- # @option options [Boolean] :http_wire_trace (false) When `true`,
377
- # HTTP debug output will be sent to the `:logger`.
435
+ # @option options [OpenSSL::X509::Certificate] :ssl_cert
436
+ # Sets a client certificate when creating http connections.
378
437
  #
379
- # @option options [Boolean] :ssl_verify_peer (true) When `true`,
380
- # SSL peer certificates are verified when establishing a
381
- # connection.
438
+ # @option options [OpenSSL::PKey] :ssl_key
439
+ # Sets a client key when creating http connections.
382
440
  #
383
- # @option options [String] :ssl_ca_bundle Full path to the SSL
384
- # certificate authority bundle file that should be used when
385
- # verifying peer certificates. If you do not pass
386
- # `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
387
- # will be used if available.
441
+ # @option options [Float] :ssl_timeout
442
+ # Sets the SSL timeout in seconds
388
443
  #
389
- # @option options [String] :ssl_ca_directory Full path of the
390
- # directory that contains the unbundled SSL certificate
391
- # authority files for verifying peer certificates. If you do
392
- # not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
393
- # system default will be used if available.
444
+ # @option options [Boolean] :ssl_verify_peer (true)
445
+ # When `true`, SSL peer certificates are verified when establishing a connection.
394
446
  #
395
447
  def initialize(*args)
396
448
  super
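Review bot: The rewritten `:http_open_timeout (15)` description at new lines 393–394 duplicates the `:http_read_timeout` text ("The default number of seconds to wait for response data ...") and no longer says what the option controls; the removed wording "The number of seconds to wait when opening a HTTP session before raising a Timeout::Error" is the accurate one and should be restored. In the same hunk `:ssl_ca_store` is typed `[String]` while its description says it "Sets the X509::Store"; since the neighbouring `:ssl_cert` and `:ssl_key` entries are typed with their OpenSSL classes, `[OpenSSL::X509::Store]` looks like the intended type, and which of the two is correct matters for anyone wiring peer verification. Smaller items: `:ssl_timeout` lost its `(nil)` default and the trailing period, and "the the" appears in both the `:ssl_ca_bundle` (new line 424) and `:ssl_ca_directory` (new line 429) text. `initialize` begins on the last lines of the hunk and its body continues outside it.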
@@ -1396,7 +1448,7 @@ module Aws::KMS
1396
1448
  # key_id: "KeyIdType", # required
1397
1449
  # grantee_principal: "PrincipalIdType", # required
1398
1450
  # retiring_principal: "PrincipalIdType",
1399
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
1451
+ # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
1400
1452
  # constraints: {
1401
1453
  # encryption_context_subset: {
1402
1454
  # "EncryptionContextKey" => "EncryptionContextValue",
@@ -1483,12 +1535,17 @@ module Aws::KMS
1483
1535
  # key pair, or an SM2 key pair (China Regions only). The private key
1484
1536
  # in an asymmetric KMS key never leaves KMS unencrypted. However, you
1485
1537
  # can use the GetPublicKey operation to download the public key so it
1486
- # can be used outside of KMS. KMS keys with RSA or SM2 key pairs can
1487
- # be used to encrypt or decrypt data or sign and verify messages (but
1488
- # not both). KMS keys with ECC key pairs can be used only to sign and
1489
- # verify messages. For information about asymmetric KMS keys, see
1490
- # [Asymmetric KMS keys][3] in the *Key Management Service Developer
1491
- # Guide*.
1538
+ # can be used outside of KMS. Each KMS key can have only one key
1539
+ # usage. KMS keys with RSA key pairs can be used to encrypt and
1540
+ # decrypt data or sign and verify messages (but not both). KMS keys
1541
+ # with NIST-recommended ECC key pairs can be used to sign and verify
1542
+ # messages or derive shared secrets (but not both). KMS keys with
1543
+ # `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS
1544
+ # keys with SM2 key pairs (China Regions only) can be used to either
1545
+ # encrypt and decrypt data, sign and verify messages, or derive shared
1546
+ # secrets (you must choose one key usage type). For information about
1547
+ # asymmetric KMS keys, see [Asymmetric KMS keys][3] in the *Key
1548
+ # Management Service Developer Guide*.
1492
1549
  #
1493
1550
  #
1494
1551
  #
@@ -1710,14 +1767,17 @@ module Aws::KMS
1710
1767
  #
1711
1768
  # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
1712
1769
  #
1713
- # * For asymmetric KMS keys with RSA key material, specify
1770
+ # * For asymmetric KMS keys with RSA key pairs, specify
1714
1771
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
1715
1772
  #
1716
- # * For asymmetric KMS keys with ECC key material, specify
1773
+ # * For asymmetric KMS keys with NIST-recommended elliptic curve key
1774
+ # pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
1775
+ #
1776
+ # * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
1717
1777
  # `SIGN_VERIFY`.
1718
1778
  #
1719
- # * For asymmetric KMS keys with SM2 key material (China Regions only),
1720
- # specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
1779
+ # * For asymmetric KMS keys with SM2 key pairs (China Regions only),
1780
+ # specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
1721
1781
  #
1722
1782
  #
1723
1783
  #
@@ -1770,7 +1830,8 @@ module Aws::KMS
1770
1830
  #
1771
1831
  # * `HMAC_512`
1772
1832
  #
1773
- # * Asymmetric RSA key pairs
1833
+ # * Asymmetric RSA key pairs (encryption and decryption -or- signing and
1834
+ # verification)
1774
1835
  #
1775
1836
  # * `RSA_2048`
1776
1837
  #
@@ -1778,7 +1839,8 @@ module Aws::KMS
1778
1839
  #
1779
1840
  # * `RSA_4096`
1780
1841
  #
1781
- # * Asymmetric NIST-recommended elliptic curve key pairs
1842
+ # * Asymmetric NIST-recommended elliptic curve key pairs (signing and
1843
+ # verification -or- deriving shared secrets)
1782
1844
  #
1783
1845
  # * `ECC_NIST_P256` (secp256r1)
1784
1846
  #
@@ -1786,15 +1848,16 @@ module Aws::KMS
1786
1848
  #
1787
1849
  # * `ECC_NIST_P521` (secp521r1)
1788
1850
  #
1789
- # * Other asymmetric elliptic curve key pairs
1851
+ # * Other asymmetric elliptic curve key pairs (signing and verification)
1790
1852
  #
1791
1853
  # * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
1792
1854
  #
1793
1855
  # ^
1794
1856
  #
1795
- # * SM2 key pairs (China Regions only)
1857
+ # * SM2 key pairs (encryption and decryption -or- signing and
1858
+ # verification -or- deriving shared secrets)
1796
1859
  #
1797
- # * `SM2`
1860
+ # * `SM2` (China Regions only)
1798
1861
  #
1799
1862
  # ^
1800
1863
  #
@@ -2258,7 +2321,7 @@ module Aws::KMS
2258
2321
  # resp = client.create_key({
2259
2322
  # policy: "PolicyType",
2260
2323
  # description: "DescriptionType",
2261
- # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
2324
+ # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
2262
2325
  # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
2263
2326
  # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
2264
2327
  # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
@@ -2282,7 +2345,7 @@ module Aws::KMS
2282
2345
  # resp.key_metadata.creation_date #=> Time
2283
2346
  # resp.key_metadata.enabled #=> Boolean
2284
2347
  # resp.key_metadata.description #=> String
2285
- # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
2348
+ # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
2286
2349
  # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
2287
2350
  # resp.key_metadata.deletion_date #=> Time
2288
2351
  # resp.key_metadata.valid_to #=> Time
@@ -2297,6 +2360,8 @@ module Aws::KMS
2297
2360
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
2298
2361
  # resp.key_metadata.signing_algorithms #=> Array
2299
2362
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
2363
+ # resp.key_metadata.key_agreement_algorithms #=> Array
2364
+ # resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
2300
2365
  # resp.key_metadata.multi_region #=> Boolean
2301
2366
  # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
2302
2367
  # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -2893,6 +2958,270 @@ module Aws::KMS
2893
2958
  req.send_request(options)
2894
2959
  end
2895
2960
 
2961
+ # Derives a shared secret using a key agreement algorithm.
2962
+ #
2963
+ # <note markdown="1"> You must use an asymmetric NIST-recommended elliptic curve (ECC) or
2964
+ # SM2 (China Regions only) KMS key pair with a `KeyUsage` value of
2965
+ # `KEY_AGREEMENT` to call DeriveSharedSecret.
2966
+ #
2967
+ # </note>
2968
+ #
2969
+ # DeriveSharedSecret uses the [Elliptic Curve Cryptography Cofactor
2970
+ # Diffie-Hellman Primitive][1] (ECDH) to establish a key agreement
2971
+ # between two peers by deriving a shared secret from their elliptic
2972
+ # curve public-private key pairs. You can use the raw shared secret that
2973
+ # DeriveSharedSecret returns to derive a symmetric key that can encrypt
2974
+ # and decrypt data that is sent between the two peers, or that can
2975
+ # generate and verify HMACs. KMS recommends that you follow [NIST
2976
+ # recommendations for key derivation][2] when using the raw shared
2977
+ # secret to derive a symmetric key.
2978
+ #
2979
+ # The following workflow demonstrates how to establish key agreement
2980
+ # over an insecure communication channel using DeriveSharedSecret.
2981
+ #
2982
+ # 1. **Alice** calls CreateKey to create an asymmetric KMS key pair
2983
+ # with a `KeyUsage` value of `KEY_AGREEMENT`.
2984
+ #
2985
+ # The asymmetric KMS key must use a NIST-recommended elliptic curve
2986
+ # (ECC) or SM2 (China Regions only) key spec.
2987
+ #
2988
+ # 2. **Bob** creates an elliptic curve key pair.
2989
+ #
2990
+ # Bob can call CreateKey to create an asymmetric KMS key pair or
2991
+ # generate a key pair outside of KMS. Bob's key pair must use the
2992
+ # same NIST-recommended elliptic curve (ECC) or SM2 (China Regions
2993
+ # ony) curve as Alice.
2994
+ #
2995
+ # 3. Alice and Bob **exchange their public keys** through an insecure
2996
+ # communication channel (like the internet).
2997
+ #
2998
+ # Use GetPublicKey to download the public key of your asymmetric KMS
2999
+ # key pair.
3000
+ #
3001
+ # <note markdown="1"> KMS strongly recommends verifying that the public key you receive
3002
+ # came from the expected party before using it to derive a shared
3003
+ # secret.
3004
+ #
3005
+ # </note>
3006
+ #
3007
+ # 4. **Alice** calls DeriveSharedSecret.
3008
+ #
3009
+ # KMS uses the private key from the KMS key pair generated in **Step
3010
+ # 1**, Bob's public key, and the Elliptic Curve Cryptography
3011
+ # Cofactor Diffie-Hellman Primitive to derive the shared secret. The
3012
+ # private key in your KMS key pair never leaves KMS unencrypted.
3013
+ # DeriveSharedSecret returns the raw shared secret.
3014
+ #
3015
+ # 5. **Bob** uses the Elliptic Curve Cryptography Cofactor
3016
+ # Diffie-Hellman Primitive to calculate the same raw secret using
3017
+ # his private key and Alice's public key.
3018
+ #
3019
+ # To derive a shared secret you must provide a key agreement algorithm,
3020
+ # the private key of the caller's asymmetric NIST-recommended elliptic
3021
+ # curve or SM2 (China Regions only) KMS key pair, and the public key
3022
+ # from your peer's NIST-recommended elliptic curve or SM2 (China
3023
+ # Regions only) key pair. The public key can be from another asymmetric
3024
+ # KMS key pair or from a key pair generated outside of KMS, but both key
3025
+ # pairs must be on the same elliptic curve.
3026
+ #
3027
+ # The KMS key that you use for this operation must be in a compatible
3028
+ # key state. For details, see [Key states of KMS keys][3] in the *Key
3029
+ # Management Service Developer Guide*.
3030
+ #
3031
+ # **Cross-account use**: Yes. To perform this operation with a KMS key
3032
+ # in a different Amazon Web Services account, specify the key ARN or
3033
+ # alias ARN in the value of the `KeyId` parameter.
3034
+ #
3035
+ # **Required permissions**: [kms:DeriveSharedSecret][4] (key policy)
3036
+ #
3037
+ # **Related operations:**
3038
+ #
3039
+ # * CreateKey
3040
+ #
3041
+ # * GetPublicKey
3042
+ #
3043
+ # * DescribeKey
3044
+ #
3045
+ # **Eventual consistency**: The KMS API follows an eventual consistency
3046
+ # model. For more information, see [KMS eventual consistency][5].
3047
+ #
3048
+ #
3049
+ #
3050
+ # [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60
3051
+ # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
3052
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3053
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3054
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
3055
+ #
3056
+ # @option params [required, String] :key_id
3057
+ # Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
3058
+ # only) KMS key. KMS uses the private key in the specified key pair to
3059
+ # derive the shared secret. The key usage of the KMS key must be
3060
+ # `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
3061
+ # DescribeKey operation.
3062
+ #
3063
+ # To specify a KMS key, use its key ID, key ARN, alias name, or alias
3064
+ # ARN. When using an alias name, prefix it with `"alias/"`. To specify a
3065
+ # KMS key in a different Amazon Web Services account, you must use the
3066
+ # key ARN or alias ARN.
3067
+ #
3068
+ # For example:
3069
+ #
3070
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3071
+ #
3072
+ # * Key ARN:
3073
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3074
+ #
3075
+ # * Alias name: `alias/ExampleAlias`
3076
+ #
3077
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3078
+ #
3079
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
3080
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
3081
+ #
3082
+ # @option params [required, String] :key_agreement_algorithm
3083
+ # Specifies the key agreement algorithm used to derive the shared
3084
+ # secret. The only valid value is `ECDH`.
3085
+ #
3086
+ # @option params [required, String, StringIO, File] :public_key
3087
+ # Specifies the public key in your peer's NIST-recommended elliptic
3088
+ # curve (ECC) or SM2 (China Regions only) key pair.
3089
+ #
3090
+ # The public key must be a DER-encoded X.509 public key, also known as
3091
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
3092
+ #
3093
+ # GetPublicKey returns the public key of an asymmetric KMS key pair in
3094
+ # the required DER-encoded format.
3095
+ #
3096
+ # <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
3097
+ # the DER-encoded X.509 public key in a file. Otherwise, the Amazon Web
3098
+ # Services CLI Base64-encodes the public key a second time, resulting in
3099
+ # a `ValidationException`.
3100
+ #
3101
+ # </note>
3102
+ #
3103
+ # You can specify the public key as binary data in a file using fileb
3104
+ # (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
3105
+ #
3106
+ #
3107
+ #
3108
+ # [1]: https://tools.ietf.org/html/rfc5280
3109
+ # [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
3110
+ #
3111
+ # @option params [Array<String>] :grant_tokens
3112
+ # A list of grant tokens.
3113
+ #
3114
+ # Use a grant token when your permission to call this operation comes
3115
+ # from a new grant that has not yet achieved *eventual consistency*. For
3116
+ # more information, see [Grant token][1] and [Using a grant token][2] in
3117
+ # the *Key Management Service Developer Guide*.
3118
+ #
3119
+ #
3120
+ #
3121
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
3122
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
3123
+ #
3124
+ # @option params [Boolean] :dry_run
3125
+ # Checks if your request will succeed. `DryRun` is an optional
3126
+ # parameter.
3127
+ #
3128
+ # To learn more about how to use this parameter, see [Testing your KMS
3129
+ # API calls][1] in the *Key Management Service Developer Guide*.
3130
+ #
3131
+ #
3132
+ #
3133
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
3134
+ #
3135
+ # @option params [Types::RecipientInfo] :recipient
3136
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
3137
+ # enclave and the encryption algorithm to use with the enclave's public
3138
+ # key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
3139
+ #
3140
+ # This parameter only supports attestation documents for Amazon Web
3141
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
3142
+ # Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
3143
+ # SDK][2] to generate the attestation document and then use the
3144
+ # Recipient parameter from any Amazon Web Services SDK to provide the
3145
+ # attestation document for the enclave.
3146
+ #
3147
+ # When you use this parameter, instead of returning a plaintext copy of
3148
+ # the shared secret, KMS encrypts the plaintext shared secret under the
3149
+ # public key in the attestation document, and returns the resulting
3150
+ # ciphertext in the `CiphertextForRecipient` field in the response. This
3151
+ # ciphertext can be decrypted only with the private key in the enclave.
3152
+ # The `CiphertextBlob` field in the response contains the encrypted
3153
+ # shared secret derived from the KMS key specified by the `KeyId`
3154
+ # parameter and public key specified by the `PublicKey` parameter. The
3155
+ # `SharedSecret` field in the response is null or empty.
3156
+ #
3157
+ # For information about the interaction between KMS and Amazon Web
3158
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
3159
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
3160
+ #
3161
+ #
3162
+ #
3163
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
3164
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
3165
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
3166
+ #
3167
+ # @return [Types::DeriveSharedSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3168
+ #
3169
+ # * {Types::DeriveSharedSecretResponse#key_id #key_id} => String
3170
+ # * {Types::DeriveSharedSecretResponse#shared_secret #shared_secret} => String
3171
+ # * {Types::DeriveSharedSecretResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
3172
+ # * {Types::DeriveSharedSecretResponse#key_agreement_algorithm #key_agreement_algorithm} => String
3173
+ # * {Types::DeriveSharedSecretResponse#key_origin #key_origin} => String
3174
+ #
3175
+ #
3176
+ # @example Example: To derive a shared secret
3177
+ #
3178
+ # # The following example derives a shared secret using a key agreement algorithm.
3179
+ #
3180
+ # resp = client.derive_shared_secret({
3181
+ # key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
3182
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
3183
+ # public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag", # The public key in your peer's asymmetric key pair.
3184
+ # })
3185
+ #
3186
+ # resp.to_h outputs the following:
3187
+ # {
3188
+ # key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret.
3189
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The asymmetric KMS key pair used to derive the shared secret.
3190
+ # key_origin: "AWS_KMS", # The source of the key material for the specified KMS key.
3191
+ # shared_secret: "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG", # The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
3192
+ # }
3193
+ #
3194
+ # @example Request syntax with placeholder values
3195
+ #
3196
+ # resp = client.derive_shared_secret({
3197
+ # key_id: "KeyIdType", # required
3198
+ # key_agreement_algorithm: "ECDH", # required, accepts ECDH
3199
+ # public_key: "data", # required
3200
+ # grant_tokens: ["GrantTokenType"],
3201
+ # dry_run: false,
3202
+ # recipient: {
3203
+ # key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
3204
+ # attestation_document: "data",
3205
+ # },
3206
+ # })
3207
+ #
3208
+ # @example Response structure
3209
+ #
3210
+ # resp.key_id #=> String
3211
+ # resp.shared_secret #=> String
3212
+ # resp.ciphertext_for_recipient #=> String
3213
+ # resp.key_agreement_algorithm #=> String, one of "ECDH"
3214
+ # resp.key_origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"
3215
+ #
3216
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret AWS API Documentation
3217
+ #
3218
+ # @overload derive_shared_secret(params = {})
3219
+ # @param [Hash] params ({})
3220
+ def derive_shared_secret(params = {}, options = {})
3221
+ req = build_request(:derive_shared_secret, params)
3222
+ req.send_request(options)
3223
+ end
3224
+
2896
3225
  # Gets information about [custom key stores][1] in the account and
2897
3226
  # Region.
2898
3227
  #
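Review bot: The `public_key` value in the "To derive a shared secret" example at new line 3183 appears to be an RSA `SubjectPublicKeyInfo` (the `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A` prefix is the familiar rsaEncryption SPKI header), which contradicts the contract stated a few lines earlier that the peer key must be on the same NIST ECC or SM2 curve as the KMS key, so a reader who copies it should expect a validation error rather than a working ECDH call; an EC SPKI sample, marked as constructed, would match the text. `ony)` at new line 2993 should read `only)`. The body of `derive_shared_secret` is the same two-line `build_request`/`send_request` shape as the surrounding operations, so there is nothing to raise in the code itself. Because `shared_secret` is returned raw, a short cross-reference on the `@return` entry would put the NIST KDF guidance next to the field that carries the value, e.g. `# shared_secret is the raw ECDH output; derive a symmetric key from it with a KDF (see [2]) rather than using it directly`.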
@@ -3477,7 +3806,7 @@ module Aws::KMS
3477
3806
  # resp.key_metadata.creation_date #=> Time
3478
3807
  # resp.key_metadata.enabled #=> Boolean
3479
3808
  # resp.key_metadata.description #=> String
3480
- # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
3809
+ # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
3481
3810
  # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
3482
3811
  # resp.key_metadata.deletion_date #=> Time
3483
3812
  # resp.key_metadata.valid_to #=> Time
@@ -3492,6 +3821,8 @@ module Aws::KMS
3492
3821
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
3493
3822
  # resp.key_metadata.signing_algorithms #=> Array
3494
3823
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
3824
+ # resp.key_metadata.key_agreement_algorithms #=> Array
3825
+ # resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
3495
3826
  # resp.key_metadata.multi_region #=> Boolean
3496
3827
  # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
3497
3828
  # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -3619,6 +3950,10 @@ module Aws::KMS
3619
3950
  #
3620
3951
  # * GetKeyRotationStatus
3621
3952
  #
3953
+ # * ListKeyRotations
3954
+ #
3955
+ # * RotateKeyOnDemand
3956
+ #
3622
3957
  # **Eventual consistency**: The KMS API follows an eventual consistency
3623
3958
  # model. For more information, see [KMS eventual consistency][12].
3624
3959
  #
@@ -3851,12 +4186,20 @@ module Aws::KMS
3851
4186
  # Enables [automatic rotation of the key material][1] of the specified
3852
4187
  # symmetric encryption KMS key.
3853
4188
  #
3854
- # When you enable automatic rotation of a [customer managed KMS key][2],
3855
- # KMS rotates the key material of the KMS key one year (approximately
3856
- # 365 days) from the enable date and every year thereafter. You can
3857
- # monitor rotation of the key material for your KMS keys in CloudTrail
3858
- # and Amazon CloudWatch. To disable rotation of the key material in a
3859
- # customer managed KMS key, use the DisableKeyRotation operation.
4189
+ # By default, when you enable automatic rotation of a [customer managed
4190
+ # KMS key][2], KMS rotates the key material of the KMS key one year
4191
+ # (approximately 365 days) from the enable date and every year
4192
+ # thereafter. You can use the optional `RotationPeriodInDays` parameter
4193
+ # to specify a custom rotation period when you enable key rotation, or
4194
+ # you can use `RotationPeriodInDays` to modify the rotation period of a
4195
+ # key that you previously enabled automatic key rotation on.
4196
+ #
4197
+ # You can monitor rotation of the key material for your KMS keys in
4198
+ # CloudTrail and Amazon CloudWatch. To disable rotation of the key
4199
+ # material in a customer managed KMS key, use the DisableKeyRotation
4200
+ # operation. You can use the GetKeyRotationStatus operation to identify
4201
+ # any in progress rotations. You can use the ListKeyRotations operation
4202
+ # to view the details of completed rotations.
3860
4203
  #
3861
4204
  # Automatic key rotation is supported only on [symmetric encryption KMS
3862
4205
  # keys][3]. You cannot enable automatic rotation of [asymmetric KMS
@@ -3865,10 +4208,11 @@ module Aws::KMS
3865
4208
  # disable automatic rotation of a set of related [multi-Region keys][8],
3866
4209
  # set the property on the primary key.
3867
4210
  #
3868
- # You cannot enable or disable automatic rotation [Amazon Web Services
3869
- # managed KMS keys][9]. KMS always rotates the key material of Amazon
3870
- # Web Services managed keys every year. Rotation of [Amazon Web Services
3871
- # owned KMS keys][10] varies.
4211
+ # You cannot enable or disable automatic rotation of [Amazon Web
4212
+ # Services managed KMS keys][9]. KMS always rotates the key material of
4213
+ # Amazon Web Services managed keys every year. Rotation of [Amazon Web
4214
+ # Services owned KMS keys][10] is managed by the Amazon Web Services
4215
+ # service that owns the key.
3872
4216
  #
3873
4217
  # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
3874
4218
  # managed keys from every three years (approximately 1,095 days) to
@@ -3897,12 +4241,22 @@ module Aws::KMS
3897
4241
  #
3898
4242
  # * GetKeyRotationStatus
3899
4243
  #
4244
+ # * ListKeyRotations
4245
+ #
4246
+ # * RotateKeyOnDemand
4247
+ #
4248
+ # <note markdown="1"> You can perform on-demand (RotateKeyOnDemand) rotation of the key
4249
+ # material in customer managed KMS keys, regardless of whether or not
4250
+ # automatic key rotation is enabled.
4251
+ #
4252
+ # </note>
4253
+ #
3900
4254
  # **Eventual consistency**: The KMS API follows an eventual consistency
3901
4255
  # model. For more information, see [KMS eventual consistency][13].
3902
4256
  #
3903
4257
  #
3904
4258
  #
3905
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
4259
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
3906
4260
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
3907
4261
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
3908
4262
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
@@ -3943,21 +4297,42 @@ module Aws::KMS
3943
4297
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3944
4298
  # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
3945
4299
  #
4300
+ # @option params [Integer] :rotation_period_in_days
4301
+ # Use this parameter to specify a custom period of time between each
4302
+ # rotation date. If no value is specified, the default value is 365
4303
+ # days.
4304
+ #
4305
+ # The rotation period defines the number of days after you enable
4306
+ # automatic key rotation that KMS will rotate your key material, and the
4307
+ # number of days between each automatic rotation thereafter.
4308
+ #
4309
+ # You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
4310
+ # further constrain the values that principals can specify in the
4311
+ # `RotationPeriodInDays` parameter.
4312
+ #
4313
+ #
4314
+ #
4315
+ #
4316
+ #
4317
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
4318
+ #
3946
4319
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
3947
4320
  #
3948
4321
  #
3949
4322
  # @example Example: To enable automatic rotation of key material
3950
4323
  #
3951
- # # The following example enables automatic annual rotation of the key material for the specified KMS key.
4324
+ # # The following example enables automatic rotation with a rotation period of 365 days for the specified KMS key.
3952
4325
  #
3953
4326
  # resp = client.enable_key_rotation({
3954
- # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material will be rotated annually. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
4327
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material will be automatically rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
4328
+ # rotation_period_in_days: 365, # The number of days between each rotation date. Specify a value between 9 and 2560. If no value is specified, the default value is 365 days.
3955
4329
  # })
3956
4330
  #
3957
4331
  # @example Request syntax with placeholder values
3958
4332
  #
3959
4333
  # resp = client.enable_key_rotation({
3960
4334
  # key_id: "KeyIdType", # required
4335
+ # rotation_period_in_days: 1,
3961
4336
  # })
3962
4337
  #
3963
4338
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation AWS API Documentation
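Review bot: The new `@option params [Integer] :rotation_period_in_days` block states the 365-day default but not the accepted range, while the example comment a few lines later says `Specify a value between 9 and 2560`, and the placeholder request syntax then shows `rotation_period_in_days: 1,`, which is below that stated minimum. Callers read the option description first, so the bound belongs there, e.g. `# The value must be between 9 and 2560 days, inclusive; if no value is specified, the default is 365 days.`, and the placeholder should be a value inside that range. Whether the bound is enforced client-side by the model validators or only by the service is not visible here; the `kms:RotationPeriodInDays` condition key the doc already references is the control for constraining what principals may set. The enclosing enable_key_rotation method continues outside the hunk.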
@@ -4714,8 +5089,11 @@ module Aws::KMS
4714
5089
  # key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
4715
5090
  #
4716
5091
  # This parameter only supports attestation documents for Amazon Web
4717
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
4718
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
5092
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
5093
+ # Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
5094
+ # SDK][2] to generate the attestation document and then use the
5095
+ # Recipient parameter from any Amazon Web Services SDK to provide the
5096
+ # attestation document for the enclave.
4719
5097
  #
4720
5098
  # When you use this parameter, instead of returning a plaintext copy of
4721
5099
  # the private data key, KMS encrypts the plaintext private data key
@@ -5583,13 +5961,15 @@ module Aws::KMS
5583
5961
  # To get the key ID and key ARN for a KMS key, use ListKeys or
5584
5962
  # DescribeKey.
5585
5963
  #
5586
- # @option params [required, String] :policy_name
5587
- # Specifies the name of the key policy. The only valid name is
5588
- # `default`. To get the names of key policies, use ListKeyPolicies.
5964
+ # @option params [String] :policy_name
5965
+ # Specifies the name of the key policy. If no policy name is specified,
5966
+ # the default value is `default`. The only valid name is `default`. To
5967
+ # get the names of key policies, use ListKeyPolicies.
5589
5968
  #
5590
5969
  # @return [Types::GetKeyPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5591
5970
  #
5592
5971
  # * {Types::GetKeyPolicyResponse#policy #policy} => String
5972
+ # * {Types::GetKeyPolicyResponse#policy_name #policy_name} => String
5593
5973
  #
5594
5974
  #
5595
5975
  # @example Example: To retrieve a key policy
@@ -5610,12 +5990,13 @@ module Aws::KMS
5610
5990
  #
5611
5991
  # resp = client.get_key_policy({
5612
5992
  # key_id: "KeyIdType", # required
5613
- # policy_name: "PolicyNameType", # required
5993
+ # policy_name: "PolicyNameType",
5614
5994
  # })
5615
5995
  #
5616
5996
  # @example Response structure
5617
5997
  #
5618
5998
  # resp.policy #=> String
5999
+ # resp.policy_name #=> String
5619
6000
  #
5620
6001
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy AWS API Documentation
5621
6002
  #
@@ -5626,14 +6007,10 @@ module Aws::KMS
5626
6007
  req.send_request(options)
5627
6008
  end
5628
6009
 
5629
- # Gets a Boolean value that indicates whether [automatic rotation of the
5630
- # key material][1] is enabled for the specified KMS key.
5631
- #
5632
- # When you enable automatic rotation for [customer managed KMS keys][2],
5633
- # KMS rotates the key material of the KMS key one year (approximately
5634
- # 365 days) from the enable date and every year thereafter. You can
5635
- # monitor rotation of the key material for your KMS keys in CloudTrail
5636
- # and Amazon CloudWatch.
6010
+ # Provides detailed information about the rotation status for a KMS key,
6011
+ # including whether [automatic rotation of the key material][1] is
6012
+ # enabled for the specified KMS key, the [rotation period][2], and the
6013
+ # next scheduled rotation date.
5637
6014
  #
5638
6015
  # Automatic key rotation is supported only on [symmetric encryption KMS
5639
6016
  # keys][3]. You cannot enable automatic rotation of [asymmetric KMS
@@ -5649,6 +6026,13 @@ module Aws::KMS
5649
6026
  # Services managed KMS keys every year. The key rotation status for
5650
6027
  # Amazon Web Services managed KMS keys is always `true`.
5651
6028
  #
6029
+ # You can perform on-demand (RotateKeyOnDemand) rotation of the key
6030
+ # material in customer managed KMS keys, regardless of whether or not
6031
+ # automatic key rotation is enabled. You can use GetKeyRotationStatus to
6032
+ # identify the date and time that an in progress on-demand rotation was
6033
+ # initiated. You can use ListKeyRotations to view the details of
6034
+ # completed rotations.
6035
+ #
5652
6036
  # <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
5653
6037
  # managed keys from every three years to every year. For details, see
5654
6038
  # EnableKeyRotation.
@@ -5685,13 +6069,17 @@ module Aws::KMS
5685
6069
  #
5686
6070
  # * EnableKeyRotation
5687
6071
  #
6072
+ # * ListKeyRotations
6073
+ #
6074
+ # * RotateKeyOnDemand
6075
+ #
5688
6076
  # **Eventual consistency**: The KMS API follows an eventual consistency
5689
6077
  # model. For more information, see [KMS eventual consistency][12].
5690
6078
  #
5691
6079
  #
5692
6080
  #
5693
6081
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
5694
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
6082
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotation-period
5695
6083
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
5696
6084
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
5697
6085
  # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
@@ -5722,11 +6110,16 @@ module Aws::KMS
5722
6110
  # @return [Types::GetKeyRotationStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5723
6111
  #
5724
6112
  # * {Types::GetKeyRotationStatusResponse#key_rotation_enabled #key_rotation_enabled} => Boolean
6113
+ # * {Types::GetKeyRotationStatusResponse#key_id #key_id} => String
6114
+ # * {Types::GetKeyRotationStatusResponse#rotation_period_in_days #rotation_period_in_days} => Integer
6115
+ # * {Types::GetKeyRotationStatusResponse#next_rotation_date #next_rotation_date} => Time
6116
+ # * {Types::GetKeyRotationStatusResponse#on_demand_rotation_start_date #on_demand_rotation_start_date} => Time
5725
6117
  #
5726
6118
  #
5727
6119
  # @example Example: To retrieve the rotation status for a KMS key
5728
6120
  #
5729
- # # The following example retrieves the status of automatic annual rotation of the key material for the specified KMS key.
6121
+ # # The following example retrieves detailed information about the rotation status for a KMS key, including whether
6122
+ # # automatic key rotation is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date.
5730
6123
  #
5731
6124
  # resp = client.get_key_rotation_status({
5732
6125
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material rotation status you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
@@ -5734,7 +6127,11 @@ module Aws::KMS
5734
6127
  #
5735
6128
  # resp.to_h outputs the following:
5736
6129
  # {
5737
- # key_rotation_enabled: true, # A boolean that indicates the key material rotation status. Returns true when automatic annual rotation of the key material is enabled, or false when it is not.
6130
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # Identifies the specified symmetric encryption KMS key.
6131
+ # key_rotation_enabled: true, # A boolean that indicates the key material rotation status. Returns true when automatic rotation of the key material is enabled, or false when it is not.
6132
+ # next_rotation_date: Time.parse("2024-04-05T15:14:47.757000+00:00"), # The next date that the key material will be automatically rotated.
6133
+ # on_demand_rotation_start_date: Time.parse("2024-03-02T10:11:36.564000+00:00"), # Identifies the date and time that an in progress on-demand rotation was initiated.
6134
+ # rotation_period_in_days: 365, # The number of days between each automatic rotation. The default value is 365 days.
5738
6135
  # }
5739
6136
  #
5740
6137
  # @example Request syntax with placeholder values
@@ -5746,6 +6143,10 @@ module Aws::KMS
5746
6143
  # @example Response structure
5747
6144
  #
5748
6145
  # resp.key_rotation_enabled #=> Boolean
6146
+ # resp.key_id #=> String
6147
+ # resp.rotation_period_in_days #=> Integer
6148
+ # resp.next_rotation_date #=> Time
6149
+ # resp.on_demand_rotation_start_date #=> Time
5749
6150
  #
5750
6151
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus AWS API Documentation
5751
6152
  #
@@ -5996,8 +6397,8 @@ module Aws::KMS
5996
6397
  #
5997
6398
  # resp = client.get_parameters_for_import({
5998
6399
  # key_id: "KeyIdType", # required
5999
- # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
6000
- # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
6400
+ # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256, SM2PKE
6401
+ # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, SM2
6001
6402
  # })
6002
6403
  #
6003
6404
  # @example Response structure
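Review bot: The placeholder request syntax still leads with `wrapping_algorithm: "RSAES_PKCS1_V1_5"` while the accepted list is extended with SM2PKE and the key spec list with SM2. The sample appears to be the first enum value, but PKCS#1 v1.5 padding is the weakest choice in that list and, as far as I recall, the service has deprecated it for key import — worth confirming against the current KMS documentation before relying on this. If that is the case, the example should name an OAEP or RSA_AES_KEY_WRAP variant, e.g. `wrapping_algorithm: "RSAES_OAEP_SHA_256", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256, SM2PKE`, so that copy-paste users do not start from the least secure option. The surrounding get_parameters_for_import doc block starts and ends outside the hunk.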
@@ -6039,7 +6440,8 @@ module Aws::KMS
6039
6440
  # * [KeySpec][2]: The type of key material in the public key, such as
6040
6441
  # `RSA_4096` or `ECC_NIST_P521`.
6041
6442
  #
6042
- # * [KeyUsage][3]: Whether the key is used for encryption or signing.
6443
+ # * [KeyUsage][3]: Whether the key is used for encryption, signing, or
6444
+ # deriving a shared secret.
6043
6445
  #
6044
6446
  # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
6045
6447
  # encryption algorithms or the signing algorithms for the key.
@@ -6128,6 +6530,7 @@ module Aws::KMS
6128
6530
  # * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
6129
6531
  # * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array&lt;String&gt;
6130
6532
  # * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array&lt;String&gt;
6533
+ # * {Types::GetPublicKeyResponse#key_agreement_algorithms #key_agreement_algorithms} => Array&lt;String&gt;
6131
6534
  #
6132
6535
  #
6133
6536
  # @example Example: To download the public key of an asymmetric KMS key
@@ -6165,11 +6568,13 @@ module Aws::KMS
6165
6568
  # resp.public_key #=> String
6166
6569
  # resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
6167
6570
  # resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
6168
- # resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
6571
+ # resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
6169
6572
  # resp.encryption_algorithms #=> Array
6170
6573
  # resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
6171
6574
  # resp.signing_algorithms #=> Array
6172
6575
  # resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
6576
+ # resp.key_agreement_algorithms #=> Array
6577
+ # resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
6173
6578
  #
6174
6579
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
6175
6580
  #
@@ -6196,9 +6601,7 @@ module Aws::KMS
6196
6601
  # import different key material. You might reimport key material to
6197
6602
  # replace key material that expired or key material that you deleted.
6198
6603
  # You might also reimport key material to change the expiration model or
6199
- # expiration date of the key material. Before reimporting key material,
6200
- # if necessary, call DeleteImportedKeyMaterial to delete the current
6201
- # imported key material.
6604
+ # expiration date of the key material.
6202
6605
  #
6203
6606
  # Each time you import key material into KMS, you can determine whether
6204
6607
  # (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
@@ -6774,7 +7177,7 @@ module Aws::KMS
6774
7177
  # resp.grants[0].retiring_principal #=> String
6775
7178
  # resp.grants[0].issuing_account #=> String
6776
7179
  # resp.grants[0].operations #=> Array
6777
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
7180
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
6778
7181
  # resp.grants[0].constraints.encryption_context_subset #=> Hash
6779
7182
  # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
6780
7183
  # resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -6896,6 +7299,129 @@ module Aws::KMS
6896
7299
  req.send_request(options)
6897
7300
  end
6898
7301
 
7302
+ # Returns information about all completed key material rotations for the
7303
+ # specified KMS key.
7304
+ #
7305
+ # You must specify the KMS key in all requests. You can refine the key
7306
+ # rotations list by limiting the number of rotations returned.
7307
+ #
7308
+ # For detailed information about automatic and on-demand key rotations,
7309
+ # see [Rotating KMS keys][1] in the *Key Management Service Developer
7310
+ # Guide*.
7311
+ #
7312
+ # **Cross-account use**: No. You cannot perform this operation on a KMS
7313
+ # key in a different Amazon Web Services account.
7314
+ #
7315
+ # **Required permissions**: [kms:ListKeyRotations][2] (key policy)
7316
+ #
7317
+ # **Related operations:**
7318
+ #
7319
+ # * EnableKeyRotation
7320
+ #
7321
+ # * DisableKeyRotation
7322
+ #
7323
+ # * GetKeyRotationStatus
7324
+ #
7325
+ # * RotateKeyOnDemand
7326
+ #
7327
+ # **Eventual consistency**: The KMS API follows an eventual consistency
7328
+ # model. For more information, see [KMS eventual consistency][3].
7329
+ #
7330
+ #
7331
+ #
7332
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
7333
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
7334
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
7335
+ #
7336
+ # @option params [required, String] :key_id
7337
+ # Gets the key rotations for the specified KMS key.
7338
+ #
7339
+ # Specify the key ID or key ARN of the KMS key.
7340
+ #
7341
+ # For example:
7342
+ #
7343
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
7344
+ #
7345
+ # * Key ARN:
7346
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
7347
+ #
7348
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
7349
+ # DescribeKey.
7350
+ #
7351
+ # @option params [Integer] :limit
7352
+ # Use this parameter to specify the maximum number of items to return.
7353
+ # When this value is present, KMS does not return more than the
7354
+ # specified number of items, but it might return fewer.
7355
+ #
7356
+ # This value is optional. If you include a value, it must be between 1
7357
+ # and 1000, inclusive. If you do not include a value, it defaults to
7358
+ # 100.
7359
+ #
7360
+ # @option params [String] :marker
7361
+ # Use this parameter in a subsequent request after you receive a
7362
+ # response with truncated results. Set it to the value of `NextMarker`
7363
+ # from the truncated response you just received.
7364
+ #
7365
+ # @return [Types::ListKeyRotationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
7366
+ #
7367
+ # * {Types::ListKeyRotationsResponse#rotations #rotations} => Array&lt;Types::RotationsListEntry&gt;
7368
+ # * {Types::ListKeyRotationsResponse#next_marker #next_marker} => String
7369
+ # * {Types::ListKeyRotationsResponse#truncated #truncated} => Boolean
7370
+ #
7371
+ # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
7372
+ #
7373
+ #
7374
+ # @example Example: To retrieve information about all completed key material rotations
7375
+ #
7376
+ # # The following example returns information about all completed key material rotations for the specified KMS key.
7377
+ #
7378
+ # resp = client.list_key_rotations({
7379
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
7380
+ # })
7381
+ #
7382
+ # resp.to_h outputs the following:
7383
+ # {
7384
+ # rotations: [
7385
+ # {
7386
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
7387
+ # rotation_date: Time.parse("2024-03-02T10:11:36.564000+00:00"),
7388
+ # rotation_type: "AUTOMATIC",
7389
+ # },
7390
+ # {
7391
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
7392
+ # rotation_date: Time.parse("2024-04-05T15:14:47.757000+00:00"),
7393
+ # rotation_type: "ON_DEMAND",
7394
+ # },
7395
+ # ], # A list of key rotations.
7396
+ # truncated: false, # A flag that indicates whether there are more items in the list. When the value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in this response to the Marker parameter in a subsequent request.
7397
+ # }
7398
+ #
7399
+ # @example Request syntax with placeholder values
7400
+ #
7401
+ # resp = client.list_key_rotations({
7402
+ # key_id: "KeyIdType", # required
7403
+ # limit: 1,
7404
+ # marker: "MarkerType",
7405
+ # })
7406
+ #
7407
+ # @example Response structure
7408
+ #
7409
+ # resp.rotations #=> Array
7410
+ # resp.rotations[0].key_id #=> String
7411
+ # resp.rotations[0].rotation_date #=> Time
7412
+ # resp.rotations[0].rotation_type #=> String, one of "AUTOMATIC", "ON_DEMAND"
7413
+ # resp.next_marker #=> String
7414
+ # resp.truncated #=> Boolean
7415
+ #
7416
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotations AWS API Documentation
7417
+ #
7418
+ # @overload list_key_rotations(params = {})
7419
+ # @param [Hash] params ({})
7420
+ def list_key_rotations(params = {}, options = {})
7421
+ req = build_request(:list_key_rotations, params)
7422
+ req.send_request(options)
7423
+ end
7424
+
6899
7425
  # Gets a list of all KMS keys in the caller's Amazon Web Services
6900
7426
  # account and Region.
6901
7427
  #
@@ -7273,7 +7799,7 @@ module Aws::KMS
7273
7799
  # resp.grants[0].retiring_principal #=> String
7274
7800
  # resp.grants[0].issuing_account #=> String
7275
7801
  # resp.grants[0].operations #=> Array
7276
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
7802
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
7277
7803
  # resp.grants[0].constraints.encryption_context_subset #=> Hash
7278
7804
  # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
7279
7805
  # resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -7333,8 +7859,9 @@ module Aws::KMS
7333
7859
  # To get the key ID and key ARN for a KMS key, use ListKeys or
7334
7860
  # DescribeKey.
7335
7861
  #
7336
- # @option params [required, String] :policy_name
7337
- # The name of the key policy. The only valid value is `default`.
7862
+ # @option params [String] :policy_name
7863
+ # The name of the key policy. If no policy name is specified, the
7864
+ # default value is `default`. The only valid value is `default`.
7338
7865
  #
7339
7866
  # @option params [required, String] :policy
7340
7867
  # The key policy to attach to the KMS key.
@@ -7416,7 +7943,7 @@ module Aws::KMS
7416
7943
  #
7417
7944
  # resp = client.put_key_policy({
7418
7945
  # key_id: "KeyIdType", # required
7419
- # policy_name: "PolicyNameType", # required
7946
+ # policy_name: "PolicyNameType",
7420
7947
  # policy: "PolicyType", # required
7421
7948
  # bypass_policy_lockout_safety_check: false,
7422
7949
  # })
@@ -8110,7 +8637,7 @@ module Aws::KMS
8110
8637
  # resp.replica_key_metadata.creation_date #=> Time
8111
8638
  # resp.replica_key_metadata.enabled #=> Boolean
8112
8639
  # resp.replica_key_metadata.description #=> String
8113
- # resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
8640
+ # resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
8114
8641
  # resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
8115
8642
  # resp.replica_key_metadata.deletion_date #=> Time
8116
8643
  # resp.replica_key_metadata.valid_to #=> Time
@@ -8125,6 +8652,8 @@ module Aws::KMS
8125
8652
  # resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
8126
8653
  # resp.replica_key_metadata.signing_algorithms #=> Array
8127
8654
  # resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
8655
+ # resp.replica_key_metadata.key_agreement_algorithms #=> Array
8656
+ # resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
8128
8657
  # resp.replica_key_metadata.multi_region #=> Boolean
8129
8658
  # resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
8130
8659
  # resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -8302,7 +8831,7 @@ module Aws::KMS
8302
8831
  #
8303
8832
  #
8304
8833
  #
8305
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
8834
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
8306
8835
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
8307
8836
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
8308
8837
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
@@ -8370,6 +8899,147 @@ module Aws::KMS
8370
8899
  req.send_request(options)
8371
8900
  end
8372
8901
 
8902
+ # Immediately initiates rotation of the key material of the specified
8903
+ # symmetric encryption KMS key.
8904
+ #
8905
+ # You can perform [on-demand rotation][1] of the key material in
8906
+ # customer managed KMS keys, regardless of whether or not [automatic key
8907
+ # rotation][2] is enabled. On-demand rotations do not change existing
8908
+ # automatic rotation schedules. For example, consider a KMS key that has
8909
+ # automatic key rotation enabled with a rotation period of 730 days. If
8910
+ # the key is scheduled to automatically rotate on April 14, 2024, and
8911
+ # you perform an on-demand rotation on April 10, 2024, the key will
8912
+ # automatically rotate, as scheduled, on April 14, 2024 and every 730
8913
+ # days thereafter.
8914
+ #
8915
+ # <note markdown="1"> You can perform on-demand key rotation a **maximum of 10 times** per
8916
+ # KMS key. You can use the KMS console to view the number of remaining
8917
+ # on-demand rotations available for a KMS key.
8918
+ #
8919
+ # </note>
8920
+ #
8921
+ # You can use GetKeyRotationStatus to identify any in progress on-demand
8922
+ # rotations. You can use ListKeyRotations to identify the date that
8923
+ # completed on-demand rotations were performed. You can monitor rotation
8924
+ # of the key material for your KMS keys in CloudTrail and Amazon
8925
+ # CloudWatch.
8926
+ #
8927
+ # On-demand key rotation is supported only on [symmetric encryption KMS
8928
+ # keys][3]. You cannot perform on-demand rotation of [asymmetric KMS
8929
+ # keys][4], [HMAC KMS keys][5], KMS keys with [imported key
8930
+ # material][6], or KMS keys in a [custom key store][7]. To perform
8931
+ # on-demand rotation of a set of related [multi-Region keys][8], invoke
8932
+ # the on-demand rotation on the primary key.
8933
+ #
8934
+ # You cannot initiate on-demand rotation of [Amazon Web Services managed
8935
+ # KMS keys][9]. KMS always rotates the key material of Amazon Web
8936
+ # Services managed keys every year. Rotation of [Amazon Web Services
8937
+ # owned KMS keys][10] is managed by the Amazon Web Services service that
8938
+ # owns the key.
8939
+ #
8940
+ # The KMS key that you use for this operation must be in a compatible
8941
+ # key state. For details, see [Key states of KMS keys][11] in the *Key
8942
+ # Management Service Developer Guide*.
8943
+ #
8944
+ # **Cross-account use**: No. You cannot perform this operation on a KMS
8945
+ # key in a different Amazon Web Services account.
8946
+ #
8947
+ # **Required permissions**: [kms:RotateKeyOnDemand][12] (key policy)
8948
+ #
8949
+ # **Related operations:**
8950
+ #
8951
+ # * EnableKeyRotation
8952
+ #
8953
+ # * DisableKeyRotation
8954
+ #
8955
+ # * GetKeyRotationStatus
8956
+ #
8957
+ # * ListKeyRotations
8958
+ #
8959
+ # **Eventual consistency**: The KMS API follows an eventual consistency
8960
+ # model. For more information, see [KMS eventual consistency][13].
8961
+ #
8962
+ #
8963
+ #
8964
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
8965
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
8966
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
8967
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
8968
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
8969
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
8970
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
8971
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
8972
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
8973
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
8974
+ # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
8975
+ # [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
8976
+ # [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
8977
+ #
8978
+ # @option params [required, String] :key_id
8979
+ # Identifies a symmetric encryption KMS key. You cannot perform
8980
+ # on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
8981
+ # KMS keys with [imported key material][3], or KMS keys in a [custom key
8982
+ # store][4]. To perform on-demand rotation of a set of related
8983
+ # [multi-Region keys][5], invoke the on-demand rotation on the primary
8984
+ # key.
8985
+ #
8986
+ # Specify the key ID or key ARN of the KMS key.
8987
+ #
8988
+ # For example:
8989
+ #
8990
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
8991
+ #
8992
+ # * Key ARN:
8993
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
8994
+ #
8995
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
8996
+ # DescribeKey.
8997
+ #
8998
+ #
8999
+ #
9000
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
9001
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
9002
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
9003
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
9004
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
9005
+ #
9006
+ # @return [Types::RotateKeyOnDemandResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
9007
+ #
9008
+ # * {Types::RotateKeyOnDemandResponse#key_id #key_id} => String
9009
+ #
9010
+ #
9011
+ # @example Example: To perform on-demand rotation of key material
9012
+ #
9013
+ # # The following example immediately initiates rotation of the key material for the specified KMS key.
9014
+ #
9015
+ # resp = client.rotate_key_on_demand({
9016
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material you want to initiate on-demand rotation on. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
9017
+ # })
9018
+ #
9019
+ # resp.to_h outputs the following:
9020
+ # {
9021
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key that you initiated on-demand rotation on.
9022
+ # }
9023
+ #
9024
+ # @example Request syntax with placeholder values
9025
+ #
9026
+ # resp = client.rotate_key_on_demand({
9027
+ # key_id: "KeyIdType", # required
9028
+ # })
9029
+ #
9030
+ # @example Response structure
9031
+ #
9032
+ # resp.key_id #=> String
9033
+ #
9034
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemand AWS API Documentation
9035
+ #
9036
+ # @overload rotate_key_on_demand(params = {})
9037
+ # @param [Hash] params ({})
9038
+ def rotate_key_on_demand(params = {}, options = {})
9039
+ req = build_request(:rotate_key_on_demand, params)
9040
+ req.send_request(options)
9041
+ end
9042
+
8373
9043
  # Schedules the deletion of a KMS key. By default, KMS applies a waiting
8374
9044
  # period of 30 days, but you can specify a waiting period of 7-30 days.
8375
9045
  # When this operation is successful, the key state of the KMS key
@@ -10096,14 +10766,19 @@ module Aws::KMS
10096
10766
  # @api private
10097
10767
  def build_request(operation_name, params = {})
10098
10768
  handlers = @handlers.for(operation_name)
10769
+ tracer = config.telemetry_provider.tracer_provider.tracer(
10770
+ Aws::Telemetry.module_to_tracer_name('Aws::KMS')
10771
+ )
10099
10772
  context = Seahorse::Client::RequestContext.new(
10100
10773
  operation_name: operation_name,
10101
10774
  operation: config.api.operation(operation_name),
10102
10775
  client: self,
10103
10776
  params: params,
10104
- config: config)
10777
+ config: config,
10778
+ tracer: tracer
10779
+ )
10105
10780
  context[:gem_name] = 'aws-sdk-kms'
10106
- context[:gem_version] = '1.76.0'
10781
+ context[:gem_version] = '1.91.0'
10107
10782
  Seahorse::Client::Request.new(handlers, context)
10108
10783
  end
10109
10784