aws-sdk-kms 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 66ef1350526ff89b6cf22efb5194abfe93a0d647
-  data.tar.gz: 89c67d77d294ef78eacbd07960a28d7658e6fb1b
+  metadata.gz: ccbfd96a2bbd42fa8033c0813d07dfb7081aa59c
+  data.tar.gz: c880a357714e7a9d132d2a2ed3065e97deedf991
 SHA512:
-  metadata.gz: 0be62001f3601a81d4fc5d3ca7e3661df53a06a1254fe3c9d6bb5cd334209146f1fb754ad0406f2d05ac3ef67f35d99c5e4543a04a1197dd9d889da997a4b433
-  data.tar.gz: 1c149c1657e8e3100d249c3c36a1d3fb5216254989bf6905f0fcda2c9549fc046a2ea4ebf9fa2ac22dd6a830d6e73e4d4ebfc4e0c4ccda8c38175b3aa32b4073
+  metadata.gz: 6d9dd353274e67852e1e154abd08ed67d3aeb9870567a5b0806da5d7c39574e2000d659f47e0e5efa341a2575719fbf6209206f42d9127fe5d33a473276f00b6
+  data.tar.gz: 1461631a9f78a18a44938c72e794f33b14a4539712bbaaf028ca8cb9563ab271441b2548a1844924ccc6c3ba535f3124ae6f8ac4f4fc38fe70c2d46c09781d10

data/lib/aws-sdk-kms.rb

@@ -42,6 +42,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-  GEM_VERSION = '1.2.0'
+  GEM_VERSION = '1.3.0'
 
 end

data/lib/aws-sdk-kms/client.rb

@@ -157,7 +157,8 @@ module Aws::KMS
 
     # Cancels the deletion of a customer master key (CMK). When this
     # operation is successful, the CMK is set to the `Disabled` state. To
-    # enable a CMK, use EnableKey.
+    # enable a CMK, use EnableKey. You cannot perform this operation on a
+    # CMK in a different AWS account.
     #
     # For more information about scheduling and canceling deletion of a CMK,
     # see [Deleting Customer Master Keys][1] in the *AWS Key Management
@@ -171,16 +172,16 @@ module Aws::KMS
     #   The unique identifier for the customer master key (CMK) for which to
     #   cancel deletion.
     #
-    #   To specify this value, use the unique key ID or the Amazon Resource
-    #   Name (ARN) of the CMK. Examples:
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
-    #     arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To obtain the unique key ID and key ARN for a given CMK, use ListKeys
-    #   or DescribeKey.
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Types::CancelKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -219,19 +220,31 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Creates a display name for a customer master key. An alias can be used
-    # to identify a key and should be unique. The console enforces a
-    # one-to-one mapping between the alias and a key. An alias name can
-    # contain only alphanumeric characters, forward slashes (/), underscores
-    # (\_), and dashes (-). An alias must start with the word "alias"
-    # followed by a forward slash (alias/). An alias that begins with
-    # "aws" after the forward slash (alias/aws...) is reserved by Amazon
+    # Creates a display name for a customer master key (CMK). You can use an
+    # alias to identify a CMK in selected operations, such as Encrypt and
+    # GenerateDataKey.
+    #
+    # Each CMK can have multiple aliases, but each alias points to only one
+    # CMK. The alias name must be unique in the AWS account and region. To
+    # simplify code that runs in multiple regions, use the same alias name,
+    # but point it to a different CMK in each region.
+    #
+    # Because an alias is not a property of a CMK, you can delete and change
+    # the aliases of a CMK without affecting the CMK. Also, aliases do not
+    # appear in the response from the DescribeKey operation. To get the
+    # aliases of all CMKs, use the ListAliases operation.
+    #
+    # An alias must start with the word `alias` followed by a forward slash
+    # (`alias/`). The alias name can contain only alphanumeric characters,
+    # forward slashes (/), underscores (\_), and dashes (-). Alias names
+    # cannot begin with `aws`; that alias name prefix is reserved by Amazon
     # Web Services (AWS).
     #
-    # The alias and the key it is mapped to must be in the same AWS account
-    # and the same region.
+    # The alias and the CMK it is mapped to must be in the same AWS account
+    # and the same region. You cannot perform this operation on an alias in
+    # a different AWS account.
     #
-    # To map an alias to a different key, call UpdateAlias.
+    # To map an existing alias to a different CMK, call UpdateAlias.
     #
     # @option params [required, String] :alias_name
     #   String that contains the display name. The name must start with the
@@ -239,15 +252,19 @@ module Aws::KMS
     #   begin with "alias/AWS" are reserved.
     #
     # @option params [required, String] :target_key_id
-    #   An identifier of the key for which you are creating the alias. This
-    #   value cannot be another alias but can be a globally unique identifier
-    #   or a fully specified ARN to a key.
+    #   Identifies the CMK for which you are creating the alias. This value
+    #   cannot be an alias.
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -277,12 +294,14 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Adds a grant to a key to specify who can use the key and under what
-    # conditions. Grants are alternate permission mechanisms to key
-    # policies.
+    # Adds a grant to a customer master key (CMK). The grant specifies who
+    # can use the CMK and under what conditions. When setting permissions,
+    # grants are an alternative to key policies.
     #
-    # For more information about grants, see [Grants][1] in the *AWS Key
-    # Management Service Developer Guide*.
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN in the value of the KeyId parameter. For more information
+    # about grants, see [Grants][1] in the *AWS Key Management Service
+    # Developer Guide*.
     #
     #
     #
@@ -292,13 +311,17 @@ module Aws::KMS
     #   The unique identifier for the customer master key (CMK) that the grant
     #   applies to.
     #
-    #   To specify this value, use the globally unique key ID or the Amazon
-    #   Resource Name (ARN) of the key. Examples:
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
+    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #
+    #   For example:
     #
-    #   * Globally unique key ID: 12345678-1234-1234-1234-123456789012
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
-    #     arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @option params [required, String] :grantee_principal
     #   The principal that is given permission to perform the operations that
@@ -332,7 +355,7 @@ module Aws::KMS
     #   [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
     #
-    # @option params [Array<String>] :operations
+    # @option params [required, Array<String>] :operations
     #   A list of operations that the grant permits.
     #
     # @option params [Types::GrantConstraints] :constraints
@@ -403,7 +426,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     grantee_principal: "PrincipalIdType", # required
     #     retiring_principal: "PrincipalIdType",
-    #     operations: ["Decrypt"], # accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
+    #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
     #     constraints: {
     #       encryption_context_subset: {
     #         "EncryptionContextKey" => "EncryptionContextValue",
@@ -430,7 +453,7 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Creates a customer master key (CMK).
+    # Creates a customer master key (CMK) in the caller's AWS account.
     #
     # You can use a CMK to encrypt small amounts of data (4 KiB or less)
     # directly, but CMKs are more commonly used to encrypt data encryption
@@ -443,6 +466,9 @@ module Aws::KMS
     # * [AWS Key Management Service Concepts][1] in the *AWS Key Management
     #   Service Developer Guide*
     #
+    # You cannot use this operation to create a CMK in a different AWS
+    # account.
+    #
     #
     #
     # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
@@ -472,7 +498,7 @@ module Aws::KMS
     #   to the CMK. For more information, see [Default Key Policy][3] in the
     #   *AWS Key Management Service Developer Guide*.
     #
-    #   The policy size limit is 32 KiB (32768 bytes).
+    #   The policy size limit is 32 kilobytes (32768 bytes).
     #
     #
     #
@@ -560,10 +586,11 @@ module Aws::KMS
     #     key_metadata: {
     #       aws_account_id: "111122223333", 
     #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
-    #       creation_date: Time.parse("2017-01-09T12:00:07-08:00"), 
+    #       creation_date: Time.parse("2017-07-05T14:04:55-07:00"), 
     #       description: "", 
     #       enabled: true, 
     #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
     #       key_state: "Enabled", 
     #       key_usage: "ENCRYPT_DECRYPT", 
     #       origin: "AWS_KMS", 
@@ -612,7 +639,7 @@ module Aws::KMS
     end
 
     # Decrypts ciphertext. Ciphertext is plaintext that has been previously
-    # encrypted by using any of the following functions:
+    # encrypted by using any of the following operations:
     #
     # * GenerateDataKey
     #
@@ -696,13 +723,23 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Deletes the specified alias. To map an alias to a different key, call
-    # UpdateAlias.
+    # Deletes the specified alias. You cannot perform this operation on an
+    # alias in a different AWS account.
+    #
+    # Because an alias is not a property of a CMK, you can delete and change
+    # the aliases of a CMK without affecting the CMK. Also, aliases do not
+    # appear in the response from the DescribeKey operation. To get the
+    # aliases of all CMKs, use the ListAliases operation.
+    #
+    # Each CMK can have multiple aliases. To change the alias of a CMK, use
+    # DeleteAlias to delete the current alias and CreateAlias to create a
+    # new alias. To associate an existing alias with a different customer
+    # master key (CMK), call UpdateAlias.
     #
     # @option params [required, String] :alias_name
     #   The alias to be deleted. The name must start with the word "alias"
     #   followed by a forward slash (alias/). Aliases that begin with
-    #   "alias/AWS" are reserved.
+    #   "alias/aws" are reserved.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -730,10 +767,11 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Deletes key material that you previously imported and makes the
-    # specified customer master key (CMK) unusable. For more information
-    # about importing key material into AWS KMS, see [Importing Key
-    # Material][1] in the *AWS Key Management Service Developer Guide*.
+    # Deletes key material that you previously imported. This operation
+    # makes the specified customer master key (CMK) unusable. For more
+    # information about importing key material into AWS KMS, see [Importing
+    # Key Material][1] in the *AWS Key Management Service Developer Guide*.
+    # You cannot perform this operation on a CMK in a different AWS account.
     #
     # When the specified CMK is in the `PendingDeletion` state, this
     # operation does not change the CMK's state. Otherwise, it changes the
@@ -750,14 +788,17 @@ module Aws::KMS
     #   The identifier of the CMK whose key material to delete. The CMK's
     #   `Origin` must be `EXTERNAL`.
     #
-    #   A valid identifier is the unique key ID or the Amazon Resource Name
-    #   (ARN) of the CMK. Examples:
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     #
@@ -784,23 +825,33 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Provides detailed information about the specified customer master key.
+    # Provides detailed information about the specified customer master key
+    # (CMK).
+    #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN or alias ARN in the value of the KeyId parameter.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier, a fully specified ARN to either an alias
-    #   or a key, or an alias name prefixed by "alias/".
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   the key ARN or alias ARN.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   For example:
     #
-    #   * Alias ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Alias Name Example - alias/MyAliasName
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #   To get the alias name and alias ARN, use ListAliases.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -829,11 +880,12 @@ module Aws::KMS
     #   {
     #     key_metadata: {
     #       aws_account_id: "111122223333", 
-    #       arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
-    #       creation_date: Time.parse("2015-10-12T11:45:07-07:00"), 
+    #       arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       creation_date: Time.parse("2017-07-05T14:04:55-07:00"), 
     #       description: "", 
     #       enabled: true, 
     #       key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #       key_manager: "CUSTOMER", 
     #       key_state: "Enabled", 
     #       key_usage: "ENCRYPT_DECRYPT", 
     #       origin: "AWS_KMS", 
@@ -873,25 +925,30 @@ module Aws::KMS
     end
 
     # Sets the state of a customer master key (CMK) to disabled, thereby
-    # preventing its use for cryptographic operations. For more information
-    # about how key state affects the use of a CMK, see [How Key State
-    # Affects the Use of a Customer Master Key][1] in the *AWS Key
-    # Management Service Developer Guide*.
+    # preventing its use for cryptographic operations. You cannot perform
+    # this operation on a CMK in a different AWS account.
+    #
+    # For more information about how key state affects the use of a CMK, see
+    # [How Key State Affects the Use of a Customer Master Key][1] in the
+    # *AWS Key Management Service Developer Guide*.
     #
     #
     #
     # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the CMK.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   Use the CMK's unique identifier or its Amazon Resource Name (ARN).
     #   For example:
     #
-    #   * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * ARN:
-    #     arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -919,17 +976,23 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Disables rotation of the specified key.
+    # Disables automatic rotation of the key material for the specified
+    # customer master key (CMK). You cannot perform this operation on a CMK
+    # in a different AWS account.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -957,17 +1020,23 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Marks a key as enabled, thereby permitting its use.
+    # Sets the state of a customer master key (CMK) to enabled, thereby
+    # permitting its use for cryptographic operations. You cannot perform
+    # this operation on a CMK in a different AWS account.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -995,17 +1064,23 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Enables rotation of the specified customer master key.
+    # Enables automatic rotation of the key material for the specified
+    # customer master key (CMK). You cannot perform this operation on a CMK
+    # in a different AWS account.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1033,45 +1108,54 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Encrypts plaintext into ciphertext by using a customer master key. The
-    # `Encrypt` function has two primary use cases:
+    # Encrypts plaintext into ciphertext by using a customer master key
+    # (CMK). The `Encrypt` operation has two primary use cases:
     #
-    # * You can encrypt up to 4 KB of arbitrary data such as an RSA key, a
-    #   database password, or other sensitive customer information.
+    # * You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data
+    #   such as an RSA key, a database password, or other sensitive
+    #   information.
     #
-    # * If you are moving encrypted data from one region to another, you can
-    #   use this API to encrypt in the new region the plaintext data key
+    # * To move encrypted data from one AWS region to another, you can use
+    #   this operation to encrypt in the new region the plaintext data key
     #   that was used to encrypt the data in the original region. This
     #   provides you with an encrypted copy of the data key that can be
     #   decrypted in the new region and used there to decrypt the encrypted
     #   data.
     #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN or alias ARN in the value of the KeyId parameter.
+    #
     # Unless you are moving encrypted data from one region to another, you
-    # don't use this function to encrypt a generated data key within a
-    # region. You retrieve data keys already encrypted by calling the
-    # GenerateDataKey or GenerateDataKeyWithoutPlaintext function. Data keys
-    # don't need to be encrypted again by calling `Encrypt`.
+    # don't use this operation to encrypt a generated data key within a
+    # region. To get data keys that are already encrypted, call the
+    # GenerateDataKey or GenerateDataKeyWithoutPlaintext operation. Data
+    # keys don't need to be encrypted again by calling `Encrypt`.
     #
-    # If you want to encrypt data locally in your application, you can use
-    # the `GenerateDataKey` function to return a plaintext data encryption
-    # key and a copy of the key encrypted under the customer master key
-    # (CMK) of your choosing.
+    # To encrypt data locally in your application, use the GenerateDataKey
+    # operation to return a plaintext data encryption key and a copy of the
+    # key encrypted under the CMK of your choosing.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier, a fully specified ARN to either an alias
-    #   or a key, or an alias name prefixed by "alias/".
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   the key ARN or alias ARN.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   For example:
     #
-    #   * Alias ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Alias Name Example - alias/MyAliasName
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #   To get the alias name and alias ARN, use ListAliases.
     #
     # @option params [required, String, IO] :plaintext
     #   Data to be encrypted.
@@ -1149,7 +1233,9 @@ module Aws::KMS
     # the data key. You must also specify the length of the data key using
     # either the `KeySpec` or `NumberOfBytes` field. You must specify one
     # field or the other, but not both. For common key lengths (128-bit and
-    # 256-bit symmetric keys), we recommend that you use `KeySpec`.
+    # 256-bit symmetric keys), we recommend that you use `KeySpec`. To
+    # perform this operation on a CMK in a different AWS account, specify
+    # the key ARN or alias ARN in the value of the KeyId parameter.
     #
     # This operation returns a plaintext copy of the data key in the
     # `Plaintext` field of the response, and an encrypted copy of the data
@@ -1159,8 +1245,8 @@ module Aws::KMS
     # We recommend that you use the following pattern to encrypt data
     # locally in your application:
     #
-    # 1.  Use this operation (`GenerateDataKey`) to retrieve a data
-    #     encryption key.
+    # 1.  Use this operation (`GenerateDataKey`) to get a data encryption
+    #     key.
     #
     # 2.  Use the plaintext data encryption key (returned in the `Plaintext`
     #     field of the response) to encrypt data locally, then erase the
@@ -1197,19 +1283,25 @@ module Aws::KMS
     #   The identifier of the CMK under which to generate and encrypt the data
     #   encryption key.
     #
-    #   A valid identifier is the unique key ID or the Amazon Resource Name
-    #   (ARN) of the CMK, or the alias name or ARN of an alias that refers to
-    #   the CMK. Examples:
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   the key ARN or alias ARN.
+    #
+    #   For example:
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * CMK ARN:
+    #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Alias name: `alias/ExampleAlias`
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #   To get the alias name and alias ARN, use ListAliases.
+    #
     # @option params [Hash<String,String>] :encryption_context
     #   A set of key-value pairs that represents additional authenticated
     #   data.
@@ -1297,6 +1389,9 @@ module Aws::KMS
     # (CMK). This operation is identical to GenerateDataKey but returns only
     # the encrypted copy of the data key.
     #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN or alias ARN in the value of the KeyId parameter.
+    #
     # This operation is useful in a system that has multiple components with
     # different degrees of trust. For example, consider a system that stores
     # encrypted data in containers. Each container stores the encrypted data
@@ -1312,22 +1407,28 @@ module Aws::KMS
     # In this system, the control plane never sees the plaintext data key.
     #
     # @option params [required, String] :key_id
-    #   The identifier of the CMK under which to generate and encrypt the data
-    #   encryption key.
+    #   The identifier of the customer master key (CMK) under which to
+    #   generate and encrypt the data encryption key.
     #
-    #   A valid identifier is the unique key ID or the Amazon Resource Name
-    #   (ARN) of the CMK, or the alias name or ARN of an alias that refers to
-    #   the CMK. Examples:
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   the key ARN or alias ARN.
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   For example:
     #
-    #   * CMK ARN:
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Alias name: `alias/ExampleAlias`
     #
     #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #   To get the alias name and alias ARN, use ListAliases.
+    #
     # @option params [Hash<String,String>] :encryption_context
     #   A set of key-value pairs that represents additional authenticated
     #   data.
@@ -1457,22 +1558,26 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Retrieves a policy attached to the specified key.
+    # Gets a key policy attached to the specified customer master key (CMK).
+    # You cannot perform this operation on a CMK in a different AWS account.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @option params [required, String] :policy_name
-    #   String that contains the name of the policy. Currently, this must be
-    #   "default". Policy names can be discovered by calling
-    #   ListKeyPolicies.
+    #   Specifies the name of the policy. The only valid name is `default`. To
+    #   get the names of key policies, use ListKeyPolicies.
     #
     # @return [Types::GetKeyPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1513,18 +1618,26 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Retrieves a Boolean value that indicates whether key rotation is
-    # enabled for the specified key.
+    # Gets a Boolean value that indicates whether automatic rotation of the
+    # key material is enabled for the specified customer master key (CMK).
+    #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN in the value of the KeyId parameter.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
+    #   specify a CMK in a different AWS account, you must use the key ARN.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Types::GetKeyRotationStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1572,14 +1685,15 @@ module Aws::KMS
     # which you will import key material. This CMK's `Origin` must be
     # `EXTERNAL`. You must also specify the wrapping algorithm and type of
     # wrapping key (public key) that you will use to encrypt the key
-    # material.
+    # material. You cannot perform this operation on a CMK in a different
+    # AWS account.
     #
     # This operation returns a public key and an import token. Use the
     # public key to encrypt the key material. Store the import token to send
     # with a subsequent ImportKeyMaterial request. The public key and import
     # token from the same response must be used together. These items are
-    # valid for 24 hours, after which they cannot be used for a subsequent
-    # ImportKeyMaterial request. To retrieve new ones, send another
+    # valid for 24 hours. When they expire, they cannot be used for a
+    # subsequent ImportKeyMaterial request. To get new ones, send another
     # `GetParametersForImport` request.
     #
     #
@@ -1590,14 +1704,17 @@ module Aws::KMS
     #   The identifier of the CMK into which you will import key material. The
     #   CMK's `Origin` must be `EXTERNAL`.
     #
-    #   A valid identifier is the unique key ID or the Amazon Resource Name
-    #   (ARN) of the CMK. Examples:
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @option params [required, String] :wrapping_algorithm
     #   The algorithm you will use to encrypt the key material before
     #   importing it with ImportKeyMaterial. For more information, see
@@ -1662,29 +1779,46 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Imports key material into an AWS KMS customer master key (CMK) from
-    # your existing key management infrastructure. For more information
-    # about importing key material into AWS KMS, see [Importing Key
-    # Material][1] in the *AWS Key Management Service Developer Guide*.
+    # Imports key material into an existing AWS KMS customer master key
+    # (CMK) that was created without key material. You cannot perform this
+    # operation on a CMK in a different AWS account. For more information
+    # about creating CMKs with no key material and then importing key
+    # material, see [Importing Key Material][1] in the *AWS Key Management
+    # Service Developer Guide*.
+    #
+    # Before using this operation, call GetParametersForImport. Its response
+    # includes a public key and an import token. Use the public key to
+    # encrypt the key material. Then, submit the import token from the same
+    # `GetParametersForImport` response.
     #
-    # You must specify the key ID of the CMK to import the key material
-    # into. This CMK's `Origin` must be `EXTERNAL`. You must also send an
-    # import token and the encrypted key material. Send the import token
-    # that you received in the same GetParametersForImport response that
-    # contained the public key that you used to encrypt the key material.
-    # You must also specify whether the key material expires and if so,
-    # when. When the key material expires, AWS KMS deletes the key material
-    # and the CMK becomes unusable. To use the CMK again, you can reimport
-    # the same key material. If you set an expiration date, you can change
-    # it only by reimporting the same key material and specifying a new
-    # expiration date.
+    # When calling this operation, you must specify the following values:
     #
-    # When this operation is successful, the specified CMK's key state
-    # changes to `Enabled`, and you can use the CMK.
+    # * The key ID or key ARN of a CMK with no key material. Its `Origin`
+    #   must be `EXTERNAL`.
     #
-    # After you successfully import key material into a CMK, you can
-    # reimport the same key material into that CMK, but you cannot import
-    # different key material.
+    #   To create a CMK with no key material, call CreateKey and set the
+    #   value of its `Origin` parameter to `EXTERNAL`. To get the `Origin`
+    #   of a CMK, call DescribeKey.)
+    #
+    # * The encrypted key material. To get the public key to encrypt the key
+    #   material, call GetParametersForImport.
+    #
+    # * The import token that GetParametersForImport returned. This token
+    #   and the public key used to encrypt the key material must have come
+    #   from the same response.
+    #
+    # * Whether the key material expires and if so, when. If you set an
+    #   expiration date, you can change it only by reimporting the same key
+    #   material and specifying a new expiration date. If the key material
+    #   expires, AWS KMS deletes the key material and the CMK becomes
+    #   unusable. To use the CMK again, you must reimport the same key
+    #   material.
+    #
+    # When this operation is successful, the CMK's key state changes from
+    # `PendingImport` to `Enabled`, and you can use the CMK. After you
+    # successfully import key material into a CMK, you can reimport the same
+    # key material into that CMK, but you cannot import different key
+    # material.
     #
     #
     #
@@ -1694,14 +1828,17 @@ module Aws::KMS
     #   The identifier of the CMK to import the key material into. The CMK's
     #   `Origin` must be `EXTERNAL`.
     #
-    #   A valid identifier is the unique key ID or the Amazon Resource Name
-    #   (ARN) of the CMK. Examples:
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @option params [required, String, IO] :import_token
     #   The import token that you received in the response to a previous
     #   GetParametersForImport request. It must be from the same response that
@@ -1759,7 +1896,19 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Lists all of the key aliases in the account.
+    # Gets a list of all aliases in the caller's AWS account and region.
+    # You cannot list aliases in other accounts. For more information about
+    # aliases, see CreateAlias.
+    #
+    # The response might include several aliases that do not have a
+    # `TargetKeyId` field because they are not associated with a CMK. These
+    # are predefined aliases that are reserved for CMKs managed by AWS
+    # services. If an alias is not associated with a CMK, the alias does not
+    # count against the [alias limit][1] for your account.
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -1860,7 +2009,10 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # List the grants for a specified key.
+    # Gets a list of all grants for the specified customer master key (CMK).
+    #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN in the value of the KeyId parameter.
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -1876,14 +2028,19 @@ module Aws::KMS
     #   from the truncated response you just received.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key. This value can be a
-    #   globally unique identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
+    #   specify a CMK in a different AWS account, you must use the key ARN.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   For example:
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1994,17 +2151,26 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Retrieves a list of policies attached to a key.
+    # Gets the names of the key policies that are attached to a customer
+    # master key (CMK). This operation is designed to get policy names that
+    # you can use in a GetKeyPolicy operation. However, the only valid
+    # policy name is `default`. You cannot perform this operation on a CMK
+    # in a different AWS account.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the customer master key (CMK). You can use the
-    #   unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, AWS KMS does not return more than the
@@ -2068,7 +2234,8 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Lists the customer master keys.
+    # Gets a list of all customer master keys (CMKs) in the caller's AWS
+    # account and region.
     #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
@@ -2160,16 +2327,22 @@ module Aws::KMS
     # Returns a list of all tags for the specified customer master key
     # (CMK).
     #
+    # You cannot perform this operation on a CMK in a different AWS account.
+    #
     # @option params [required, String] :key_id
-    #   A unique identifier for the CMK whose tags you are listing. You can
-    #   use the unique key ID or the Amazon Resource Name (ARN) of the CMK.
-    #   Examples:
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, AWS KMS does not return more than the
@@ -2349,7 +2522,8 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Attaches a key policy to the specified customer master key (CMK).
+    # Attaches a key policy to the specified customer master key (CMK). You
+    # cannot perform this operation on a CMK in a different AWS account.
     #
     # For more information about key policies, see [Key Policies][1] in the
     # *AWS Key Management Service Developer Guide*.
@@ -2359,20 +2533,21 @@ module Aws::KMS
     # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the CMK.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   Use the CMK's unique identifier or its Amazon Resource Name (ARN).
     #   For example:
     #
-    #   * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * ARN:
-    #     arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @option params [required, String] :policy_name
-    #   The name of the key policy.
-    #
-    #   This value must be `default`.
+    #   The name of the key policy. The only valid value is `default`.
     #
     # @option params [required, String] :policy
     #   The key policy to attach to the CMK.
@@ -2394,7 +2569,7 @@ module Aws::KMS
     #     information, see [Changes that I make are not always immediately
     #     visible][2] in the *IAM User Guide*.
     #
-    #   The policy size limit is 32 KiB (32768 bytes).
+    #   The policy size limit is 32 kilobytes (32768 bytes).
     #
     #
     #
@@ -2458,6 +2633,8 @@ module Aws::KMS
     # data is first decrypted and then reencrypted. You can also use this
     # operation to change the encryption context of a ciphertext.
     #
+    # You can reencrypt data using CMKs in different AWS accounts.
+    #
     # Unlike other operations, `ReEncrypt` is authorized twice, once as
     # `ReEncryptFrom` on the source CMK and once as `ReEncryptTo` on the
     # destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
@@ -2479,20 +2656,26 @@ module Aws::KMS
     #   the `CiphertextBlob` parameter.
     #
     # @option params [required, String] :destination_key_id
-    #   A unique identifier for the CMK to use to reencrypt the data. This
-    #   value can be a globally unique identifier, a fully specified ARN to
-    #   either an alias or a key, or an alias name prefixed by "alias/".
+    #   A unique identifier for the CMK that is used to reencrypt the data.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
+    #   name, or alias ARN. When using an alias name, prefix it with
+    #   "alias/". To specify a CMK in a different AWS account, you must use
+    #   the key ARN or alias ARN.
     #
-    #   * Alias ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
+    #   For example:
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Alias Name Example - alias/MyAliasName
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #   To get the alias name and alias ARN, use ListAliases.
     #
     # @option params [Hash<String,String>] :destination_encryption_context
     #   Encryption context to use when the data is reencrypted.
@@ -2581,12 +2764,10 @@ module Aws::KMS
     #   Token that identifies the grant to be retired.
     #
     # @option params [String] :key_id
-    #   The Amazon Resource Name of the CMK associated with the grant.
-    #   Example:
+    #   The Amazon Resource Name (ARN) of the CMK associated with the grant.
     #
-    #   * arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
-    #
-    #   ^
+    #   For example:
+    #   `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     # @option params [String] :grant_id
     #   Unique identifier of the grant to retire. The grant ID is returned in
@@ -2626,19 +2807,28 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Revokes a grant. You can revoke a grant to actively deny operations
-    # that depend on it.
+    # Revokes the specified grant for the specified customer master key
+    # (CMK). You can revoke a grant to actively deny operations that depend
+    # on it.
+    #
+    # To perform this operation on a CMK in a different AWS account, specify
+    # the key ARN in the value of the KeyId parameter.
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key associated with the
-    #   grant. This value can be a globally unique identifier or the fully
-    #   specified ARN to a key.
+    #   grant.
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
+    #   specify a CMK in a different AWS account, you must use the key ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @option params [required, String] :grant_id
     #   Identifier of the grant to be revoked.
@@ -2680,6 +2870,8 @@ module Aws::KMS
     # period ends, AWS KMS deletes the CMK and all AWS KMS data associated
     # with it, including all aliases that refer to it.
     #
+    # You cannot perform this operation on a CMK in a different AWS account.
+    #
     # Deleting a CMK is a destructive and potentially dangerous operation.
     # When a CMK is deleted, all data that was encrypted under the CMK is
     # rendered unrecoverable. To restrict the use of a CMK without deleting
@@ -2694,18 +2886,18 @@ module Aws::KMS
     # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
     #
     # @option params [required, String] :key_id
-    #   The unique identifier for the customer master key (CMK) to delete.
+    #   The unique identifier of the customer master key (CMK) to delete.
     #
-    #   To specify this value, use the unique key ID or the Amazon Resource
-    #   Name (ARN) of the CMK. Examples:
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
-    #     arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   To obtain the unique key ID and key ARN for a given CMK, use ListKeys
-    #   or DescribeKey.
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @option params [Integer] :pending_window_in_days
     #   The waiting period, specified in number of days. After the waiting
@@ -2757,7 +2949,8 @@ module Aws::KMS
     end
 
     # Adds or overwrites one or more tags for the specified customer master
-    # key (CMK).
+    # key (CMK). You cannot perform this operation on a CMK in a different
+    # AWS account.
     #
     # Each tag consists of a tag key and a tag value. Tag keys and tag
     # values are both required, but tag values can be empty (null) strings.
@@ -2769,15 +2962,28 @@ module Aws::KMS
     # second tag. Instead, the original tag is overwritten with the new tag
     # value.
     #
+    # For information about the rules that apply to tag keys and tag values,
+    # see [User-Defined Tag Restrictions][1] in the *AWS Billing and Cost
+    # Management User Guide*.
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
+    #
     # @option params [required, String] :key_id
-    #   A unique identifier for the CMK you are tagging. You can use the
-    #   unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
+    #   A unique identifier for the CMK you are tagging.
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @option params [required, Array<Types::Tag>] :tags
     #   One or more tags. Each tag consists of a tag key and a tag value.
     #
@@ -2820,22 +3026,27 @@ module Aws::KMS
     end
 
     # Removes the specified tag or tags from the specified customer master
-    # key (CMK).
+    # key (CMK). You cannot perform this operation on a CMK in a different
+    # AWS account.
     #
     # To remove a tag, you specify the tag key for each tag to remove. You
     # do not specify the tag value. To overwrite the tag value for an
     # existing tag, use TagResource.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the CMK from which you are removing tags. You
-    #   can use the unique key ID or the Amazon Resource Name (ARN) of the
-    #   CMK. Examples:
+    #   A unique identifier for the CMK from which you are removing tags.
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
     #
-    #   * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
     #   * Key ARN:
     #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
+    #
     # @option params [required, Array<String>] :tag_keys
     #   One or more tag keys. Specify only the tag keys, not the tag values.
     #
@@ -2870,20 +3081,28 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Updates an alias to map it to a different key.
+    # Associates an existing alias with a different customer master key
+    # (CMK). Each CMK can have multiple aliases, but the aliases must be
+    # unique within the account and region. You cannot perform this
+    # operation on an alias in a different AWS account.
+    #
+    # This operation works only on existing aliases. To change the alias of
+    # a CMK to a new value, use CreateAlias to create a new alias and
+    # DeleteAlias to delete the old alias.
     #
-    # An alias is not a property of a key. Therefore, an alias can be mapped
-    # to and unmapped from an existing key without changing the properties
-    # of the key.
+    # Because an alias is not a property of a CMK, you can create, update,
+    # and delete the aliases of a CMK without affecting the CMK. Also,
+    # aliases do not appear in the response from the DescribeKey operation.
+    # To get the aliases of all CMKs in the account, use the ListAliases
+    # operation.
     #
     # An alias name can contain only alphanumeric characters, forward
     # slashes (/), underscores (\_), and dashes (-). An alias must start
-    # with the word "alias" followed by a forward slash (alias/). An alias
-    # that begins with "aws" after the forward slash (alias/aws...) is
-    # reserved by Amazon Web Services (AWS).
-    #
-    # The alias and the key it is mapped to must be in the same AWS account
-    # and the same region.
+    # with the word `alias` followed by a forward slash (`alias/`). The
+    # alias name can contain only alphanumeric characters, forward slashes
+    # (/), underscores (\_), and dashes (-). Alias names cannot begin with
+    # `aws`; that alias name prefix is reserved by Amazon Web Services
+    # (AWS).
     #
     # @option params [required, String] :alias_name
     #   String that contains the name of the alias to be modified. The name
@@ -2892,17 +3111,21 @@ module Aws::KMS
     #
     # @option params [required, String] :target_key_id
     #   Unique identifier of the customer master key to be mapped to the
-    #   alias. This value can be a globally unique identifier or the fully
-    #   specified ARN of a key.
+    #   alias.
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
-    #   You can call ListAliases to verify that the alias is mapped to the
-    #   correct `TargetKeyId`.
+    #   To verify that the alias is mapped to the correct CMK, use
+    #   ListAliases.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -2932,17 +3155,24 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Updates the description of a customer master key (CMK).
+    # Updates the description of a customer master key (CMK). To see the
+    # decription of a CMK, use DescribeKey.
+    #
+    # You cannot perform this operation on a CMK in a different AWS account.
     #
     # @option params [required, String] :key_id
-    #   A unique identifier for the CMK. This value can be a globally unique
-    #   identifier or the fully specified ARN to a key.
+    #   A unique identifier for the customer master key (CMK).
+    #
+    #   Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
     #
-    #   * Key ARN Example -
-    #     arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
     #
-    #   * Globally Unique Key ID Example -
-    #     12345678-1234-1234-1234-123456789012
+    #   To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
     #
     # @option params [required, String] :description
     #   New description for the CMK.
@@ -2988,7 +3218,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.2.0'
+      context[:gem_version] = '1.3.0'
       Seahorse::Client::Request.new(handlers, context)
     end