aws-sdk-kms 1.32.0 → 1.33.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 429d3556c6ee6342d08a47f751e42a23793659d358624e577d274986f58627ef
-  data.tar.gz: 7c5044014048141ca656e23cb3bea94088c46cfd599e21dbbec4527fadedf0cd
+  metadata.gz: d4e112f00791aa0e345fbcdc072a47a194819797673c861ec6a24a5677a18ce4
+  data.tar.gz: 6ddeb2ce04dc1eb8a04e2a5aa5fb70b7ae21d1ba82b1264b983a8bc5383f920f
 SHA512:
-  metadata.gz: b4f4e02a1259bb6b804089bf8666ef9430be50deae769ee10d95ead6d50ab1ab11c9dc1f820b74bff70208c933edc1c169b5d30c17772957b3ae85ce9e470544
-  data.tar.gz: ebb3e1f0e58e309e16bd5b12a2b8612533b71c2e890da215adf67df84011c9d99b1fc4def32d968f04870c623ddc04b1464e930f8d92f437e404308ef6867e5c
+  metadata.gz: 144354c2e93fd55c5030c48b25fb29ff8fd6dd2438407ab4d90b82bec8d0d54e5bd9a5f20be66b7314966e9d15a6591f89865b1ab8567892a5d7c5233f1e9a22
+  data.tar.gz: 16ed20ef755168ba9820ebaec3b7327234760dbbd77d25eb84cf9394b18792318e862618befdcfdb653f82914c25e8cc538d457368415c5d22411af85cd83f40

data/lib/aws-sdk-kms.rb

@@ -45,6 +45,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-  GEM_VERSION = '1.32.0'
+  GEM_VERSION = '1.33.0'
 
 end

data/lib/aws-sdk-kms/client.rb

@@ -460,9 +460,9 @@ module Aws::KMS
     end
 
     # Creates a display name for a customer managed customer master key
-    # (CMK). You can use an alias to identify a CMK in cryptographic
-    # operations, such as Encrypt and GenerateDataKey. You can change the
-    # CMK associated with the alias at any time.
+    # (CMK). You can use an alias to identify a CMK in [cryptographic
+    # operations][1], such as Encrypt and GenerateDataKey. You can change
+    # the CMK associated with the alias at any time.
     #
     # Aliases are easier to remember than key IDs. They can also help to
     # simplify your applications. For example, if you use an alias in your
@@ -486,8 +486,8 @@ module Aws::KMS
     #
     # * You can associate an alias with any customer managed CMK in the same
     #   AWS account and Region. However, you do not have permission to
-    #   associate an alias with an [AWS managed CMK][1] or an [AWS owned
-    #   CMK][2].
+    #   associate an alias with an [AWS managed CMK][2] or an [AWS owned
+    #   CMK][3].
     #
     # * To change the CMK associated with an alias, use the UpdateAlias
     #   operation. The current CMK and the new CMK must be the same type
@@ -499,7 +499,7 @@ module Aws::KMS
     #   `alias/ExampleAlias`. It can contain only alphanumeric characters,
     #   forward slashes (/), underscores (\_), and dashes (-). The alias
     #   name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
-    #   reserved for [AWS managed CMKs][1].
+    #   reserved for [AWS managed CMKs][2].
     #
     # * The alias name must be unique within an AWS Region. However, you can
     #   use the same alias name in multiple Regions of the same AWS account.
@@ -510,12 +510,12 @@ module Aws::KMS
     #   and then create a new alias with the desired name.
     #
     # * You can use an alias name or alias ARN to identify a CMK in AWS KMS
-    #   cryptographic operations and in the DescribeKey operation. However,
-    #   you cannot use alias names or alias ARNs in API operations that
-    #   manage CMKs, such as DisableKey or GetKeyPolicy. For information
-    #   about the valid CMK identifiers for each AWS KMS API operation, see
-    #   the descriptions of the `KeyId` parameter in the API operation
-    #   documentation.
+    #   [cryptographic operations][1] and in the DescribeKey operation.
+    #   However, you cannot use alias names or alias ARNs in API operations
+    #   that manage CMKs, such as DisableKey or GetKeyPolicy. For
+    #   information about the valid CMK identifiers for each AWS KMS API
+    #   operation, see the descriptions of the `KeyId` parameter in the API
+    #   operation documentation.
     #
     # Because an alias is not a property of a CMK, you can delete and change
     # the aliases of a CMK without affecting the CMK. Also, aliases do not
@@ -525,13 +525,14 @@ module Aws::KMS
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][3] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][4] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :alias_name
     #   Specifies the alias name. This value must begin with `alias/` followed
@@ -677,8 +678,8 @@ module Aws::KMS
     # grant are met. When setting permissions, grants are an alternative to
     # key policies.
     #
-    # To create a grant that allows a cryptographic operation only when the
-    # request includes a particular [encryption context][1], use the
+    # To create a grant that allows a [cryptographic operation][1] only when
+    # the request includes a particular [encryption context][2], use the
     # `Constraints` parameter. For details, see GrantConstraints.
     #
     # You can create grants on symmetric and asymmetric CMKs. However, if
@@ -693,9 +694,9 @@ module Aws::KMS
     #
     # * Grants for asymmetric CMKs cannot allow operations that are not
     #   supported for asymmetric CMKs, including operations that [generate
-    #   data keys][2] or [data key pairs][3], or operations related to
-    #   [automatic key rotation][4], [imported key material][5], or CMKs in
-    #   [custom key stores][6].
+    #   data keys][3] or [data key pairs][4], or operations related to
+    #   [automatic key rotation][5], [imported key material][6], or CMKs in
+    #   [custom key stores][7].
     #
     # * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
     #   cannot allow the Sign or Verify operations. Grants for asymmetric
@@ -707,29 +708,30 @@ module Aws::KMS
     #   asymmetric CMKs.
     #
     # For information about symmetric and asymmetric CMKs, see [Using
-    # Symmetric and Asymmetric CMKs][7] in the *AWS Key Management Service
+    # Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
     # Developer Guide*.
     #
     # To perform this operation on a CMK in a different AWS account, specify
     # the key ARN in the value of the `KeyId` parameter. For more
-    # information about grants, see [Grants][8] in the <i> <i>AWS Key
+    # information about grants, see [Grants][9] in the <i> <i>AWS Key
     # Management Service Developer Guide</i> </i>.
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][9] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][10] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
-    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
-    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
-    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
+    # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
+    # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   The unique identifier for the customer master key (CMK) that the grant
@@ -783,15 +785,16 @@ module Aws::KMS
     #   A list of operations that the grant permits.
     #
     # @option params [Types::GrantConstraints] :constraints
-    #   Allows a cryptographic operation only when the encryption context
+    #   Allows a [cryptographic operation][1] only when the encryption context
     #   matches or includes the encryption context specified in this
     #   structure. For more information about encryption context, see
-    #   [Encryption Context][1] in the <i> <i>AWS Key Management Service
+    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
     #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1006,10 +1009,10 @@ module Aws::KMS
     #   for a task.
     #
     # @option params [String] :key_usage
-    #   Determines the cryptographic operations for which you can use the CMK.
-    #   The default value is `ENCRYPT_DECRYPT`. This parameter is required
-    #   only for asymmetric CMKs. You can't change the `KeyUsage` value after
-    #   the CMK is created.
+    #   Determines the [cryptographic operations][1] for which you can use the
+    #   CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
+    #   required only for asymmetric CMKs. You can't change the `KeyUsage`
+    #   value after the CMK is created.
     #
     #   Select only one valid value.
     #
@@ -1020,6 +1023,10 @@ module Aws::KMS
     #
     #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
     #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #
     # @option params [String] :customer_master_key_spec
     #   Specifies the type of CMK to create. The default value,
     #   `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
@@ -1310,9 +1317,9 @@ module Aws::KMS
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
-    #   encryption context is valid only for cryptographic operations with a
-    #   symmetric CMK. The standard asymmetric encryption algorithms that AWS
-    #   KMS uses do not support an encryption context.
+    #   encryption context is valid only for [cryptographic operations][1]
+    #   with a symmetric CMK. The standard asymmetric encryption algorithms
+    #   that AWS KMS uses do not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represents additional authenticated data. When you use an
@@ -1321,12 +1328,13 @@ module Aws::KMS
     #   encryption context is optional when encrypting with a symmetric CMK,
     #   but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1479,13 +1487,13 @@ module Aws::KMS
     # The custom key store that you delete cannot contain any AWS KMS
     # [customer master keys (CMKs)][2]. Before deleting the key store,
     # verify that you will never need to use any of the CMKs in the key
-    # store for any cryptographic operations. Then, use ScheduleKeyDeletion
-    # to delete the AWS KMS customer master keys (CMKs) from the key store.
-    # When the scheduled waiting period expires, the `ScheduleKeyDeletion`
-    # operation deletes the CMKs. Then it makes a best effort to delete the
-    # key material from the associated cluster. However, you might need to
-    # manually [delete the orphaned key material][3] from the cluster and
-    # its backups.
+    # store for any [cryptographic operations][3]. Then, use
+    # ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs)
+    # from the key store. When the scheduled waiting period expires, the
+    # `ScheduleKeyDeletion` operation deletes the CMKs. Then it makes a best
+    # effort to delete the key material from the associated cluster.
+    # However, you might need to manually [delete the orphaned key
+    # material][4] from the cluster and its backups.
     #
     # After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
     # to disconnect the key store from AWS KMS. Then, you can delete the
@@ -1508,7 +1516,8 @@ module Aws::KMS
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to delete. To find the
@@ -1848,20 +1857,21 @@ module Aws::KMS
     end
 
     # Sets the state of a customer master key (CMK) to disabled, thereby
-    # preventing its use for cryptographic operations. You cannot perform
-    # this operation on a CMK in a different AWS account.
+    # preventing its use for [cryptographic operations][1]. You cannot
+    # perform this operation on a CMK in a different AWS account.
     #
     # For more information about how key state affects the use of a CMK, see
-    # [How Key State Affects the Use of a Customer Master Key][1] in the <i>
+    # [How Key State Affects the Use of a Customer Master Key][2] in the <i>
     # <i>AWS Key Management Service Developer Guide</i> </i>.
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][1] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][2] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -1976,8 +1986,8 @@ module Aws::KMS
     #
     # <note markdown="1"> While a custom key store is disconnected, all attempts to create
     # customer master keys (CMKs) in the custom key store or to use existing
-    # CMKs in cryptographic operations will fail. This action can prevent
-    # users from storing and accessing sensitive data.
+    # CMKs in [cryptographic operations][2] will fail. This action can
+    # prevent users from storing and accessing sensitive data.
     #
     #  </note>
     #
@@ -1997,6 +2007,7 @@ module Aws::KMS
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #
     # @option params [required, String] :custom_key_store_id
     #   Enter the ID of the custom key store you want to disconnect. To find
@@ -2021,16 +2032,17 @@ module Aws::KMS
     end
 
     # Sets the key state of a customer master key (CMK) to enabled. This
-    # allows you to use the CMK for cryptographic operations. You cannot
-    # perform this operation on a CMK in a different AWS account.
+    # allows you to use the CMK for [cryptographic operations][1]. You
+    # cannot perform this operation on a CMK in a different AWS account.
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][1] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][2] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String] :key_id
     #   A unique identifier for the customer master key (CMK).
@@ -2142,11 +2154,13 @@ module Aws::KMS
     #   identifier or database password, or other sensitive information.
     #
     # * You can use the `Encrypt` operation to move encrypted data from one
-    #   AWS region to another. In the first region, generate a data key and
-    #   use the plaintext key to encrypt the data. Then, in the new region,
-    #   call the `Encrypt` method on same plaintext data key. Now, you can
-    #   safely move the encrypted data and encrypted data key to the new
-    #   region, and decrypt in the new region when necessary.
+    #   AWS Region to another. For example, in Region A, generate a data key
+    #   and use the plaintext key to encrypt your data. Then, in Region A,
+    #   use the `Encrypt` operation to encrypt the plaintext data key under
+    #   a CMK in Region B. Now, you can move the encrypted data and the
+    #   encrypted data key to Region B. When necessary, you can decrypt the
+    #   encrypted data key and the encrypted data entirely within in Region
+    #   B.
     #
     # You don't need to use the `Encrypt` operation to encrypt a data key.
     # The GenerateDataKey and GenerateDataKeyPair operations return a
@@ -2246,9 +2260,10 @@ module Aws::KMS
     #
     # @option params [Hash<String,String>] :encryption_context
     #   Specifies the encryption context that will be used to encrypt the
-    #   data. An encryption context is valid only for cryptographic operations
-    #   with a symmetric CMK. The standard asymmetric encryption algorithms
-    #   that AWS KMS uses do not support an encryption context.
+    #   data. An encryption context is valid only for [cryptographic
+    #   operations][1] with a symmetric CMK. The standard asymmetric
+    #   encryption algorithms that AWS KMS uses do not support an encryption
+    #   context.
     #
     #   An *encryption context* is a collection of non-secret key-value pairs
     #   that represents additional authenticated data. When you use an
@@ -2257,12 +2272,13 @@ module Aws::KMS
     #   encryption context is optional when encrypting with a symmetric CMK,
     #   but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -2333,28 +2349,22 @@ module Aws::KMS
       req.send_request(options)
     end
 
-    # Generates a unique symmetric data key. This operation returns a
-    # plaintext copy of the data key and a copy that is encrypted under a
-    # customer master key (CMK) that you specify. You can use the plaintext
-    # key to encrypt your data outside of AWS KMS and store the encrypted
-    # data key with the encrypted data.
+    # Generates a unique symmetric data key for client-side encryption. This
+    # operation returns a plaintext copy of the data key and a copy that is
+    # encrypted under a customer master key (CMK) that you specify. You can
+    # use the plaintext key to encrypt your data outside of AWS KMS and
+    # store the encrypted data key with the encrypted data.
     #
     # `GenerateDataKey` returns a unique data key for each request. The
-    # bytes in the key are not related to the caller or CMK that is used to
-    # encrypt the data key.
+    # bytes in the plaintext key are not related to the caller or the CMK.
     #
     # To generate a data key, specify the symmetric CMK that will be used to
     # encrypt the data key. You cannot use an asymmetric CMK to generate
     # data keys. To get the type of your CMK, use the DescribeKey operation.
-    #
     # You must also specify the length of the data key. Use either the
     # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
     # and 256-bit data keys, use the `KeySpec` parameter.
     #
-    # If the operation succeeds, the plaintext copy of the data key is in
-    # the `Plaintext` field of the response, and the encrypted copy of the
-    # data key in the `CiphertextBlob` field.
-    #
     # To get only an encrypted copy of the data key, use
     # GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
     # pair, use the GenerateDataKeyPair or
@@ -2365,7 +2375,7 @@ module Aws::KMS
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
-    # to decrypt fails with an InvalidCiphertextException. For more
+    # to decrypt fails with an `InvalidCiphertextException`. For more
     # information, see [Encryption Context][1] in the *AWS Key Management
     # Service Developer Guide*.
     #
@@ -2373,30 +2383,40 @@ module Aws::KMS
     # state. For details, see [How Key State Affects Use of a Customer
     # Master Key][2] in the *AWS Key Management Service Developer Guide*.
     #
+    # **How to use your data key**
+    #
     # We recommend that you use the following pattern to encrypt data
-    # locally in your application:
+    # locally in your application. You can write your own code or use a
+    # client-side encryption library, such as the [AWS Encryption SDK][3],
+    # the [Amazon DynamoDB Encryption Client][4], or [Amazon S3 client-side
+    # encryption][5] to do these tasks for you.
     #
-    # 1.  Use the `GenerateDataKey` operation to get a data encryption key.
+    # To encrypt data outside of AWS KMS:
     #
-    # 2.  Use the plaintext data key (returned in the `Plaintext` field of
-    #     the response) to encrypt data locally, then erase the plaintext
-    #     data key from memory.
+    # 1.  Use the `GenerateDataKey` operation to get a data key.
+    #
+    # 2.  Use the plaintext data key (in the `Plaintext` field of the
+    #     response) to encrypt your data outside of AWS KMS. Then erase the
+    #     plaintext data key from memory.
     #
-    # 3.  Store the encrypted data key (returned in the `CiphertextBlob`
-    #     field of the response) alongside the locally encrypted data.
+    # 3.  Store the encrypted data key (in the `CiphertextBlob` field of the
+    #     response) with the encrypted data.
     #
-    # To decrypt data locally:
+    # To decrypt data outside of AWS KMS:
     #
     # 1.  Use the Decrypt operation to decrypt the encrypted data key. The
     #     operation returns a plaintext copy of the data key.
     #
-    # 2.  Use the plaintext data key to decrypt data locally, then erase the
-    #     plaintext data key from memory.
+    # 2.  Use the plaintext data key to decrypt data outside of AWS KMS,
+    #     then erase the plaintext data key from memory.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
+    # [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
     #
     # @option params [required, String] :key_id
     #   Identifies the symmetric CMK that encrypts the data key.
@@ -2534,8 +2554,8 @@ module Aws::KMS
     #
     # To generate a data key pair, you must specify a symmetric customer
     # master key (CMK) to encrypt the private key in a data key pair. You
-    # cannot use an asymmetric CMK. To get the type of your CMK, use the
-    # DescribeKey operation.
+    # cannot use an asymmetric CMK or a CMK in a custom key store. To get
+    # the type and origin of your CMK, use the DescribeKey operation.
     #
     # If you are using the data key pair to encrypt data, or for any
     # operation where you don't immediately need a private key, consider
@@ -2550,7 +2570,7 @@ module Aws::KMS
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
-    # to decrypt fails with an InvalidCiphertextException. For more
+    # to decrypt fails with an `InvalidCiphertextException`. For more
     # information, see [Encryption Context][1] in the *AWS Key Management
     # Service Developer Guide*.
     #
@@ -2583,7 +2603,9 @@ module Aws::KMS
     #
     # @option params [required, String] :key_id
     #   Specifies the symmetric CMK that encrypts the private key in the data
-    #   key pair. You cannot specify an asymmetric CMKs.
+    #   key pair. You cannot specify an asymmetric CMK or a CMK in a custom
+    #   key store. To get the type and origin of your CMK, use the DescribeKey
+    #   operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -2666,8 +2688,9 @@ module Aws::KMS
     #
     # To generate a data key pair, you must specify a symmetric customer
     # master key (CMK) to encrypt the private key in the data key pair. You
-    # cannot use an asymmetric CMK. To get the type of your CMK, use the
-    # `KeySpec` field in the DescribeKey response.
+    # cannot use an asymmetric CMK or a CMK in a custom key store. To get
+    # the type and origin of your CMK, use the `KeySpec` field in the
+    # DescribeKey response.
     #
     # You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
     # returns to encrypt data or verify a signature outside of AWS KMS.
@@ -2683,7 +2706,7 @@ module Aws::KMS
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
-    # to decrypt fails with an InvalidCiphertextException. For more
+    # to decrypt fails with an `InvalidCiphertextException`. For more
     # information, see [Encryption Context][1] in the *AWS Key Management
     # Service Developer Guide*.
     #
@@ -2716,8 +2739,9 @@ module Aws::KMS
     #
     # @option params [required, String] :key_id
     #   Specifies the CMK that encrypts the private key in the data key pair.
-    #   You must specify a symmetric CMK. You cannot use an asymmetric CMK. To
-    #   get the type of your CMK, use the DescribeKey operation.
+    #   You must specify a symmetric CMK. You cannot use an asymmetric CMK or
+    #   a CMK in a custom key store. To get the type and origin of your CMK,
+    #   use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -2826,7 +2850,7 @@ module Aws::KMS
     # to the encryption operation. If you specify an `EncryptionContext`,
     # you must specify the same encryption context (a case-sensitive exact
     # match) when decrypting the encrypted data key. Otherwise, the request
-    # to decrypt fails with an InvalidCiphertextException. For more
+    # to decrypt fails with an `InvalidCiphertextException`. For more
     # information, see [Encryption Context][1] in the *AWS Key Management
     # Service Developer Guide*.
     #
@@ -3660,6 +3684,19 @@ module Aws::KMS
     # To perform this operation on a CMK in a different AWS account, specify
     # the key ARN in the value of the `KeyId` parameter.
     #
+    # <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
+    # contains the user or role designated as the grantee principal in the
+    # grant. However, when the grantee principal in the grant is an AWS
+    # service, the `GranteePrincipal` field contains the [service
+    # principal][1], which might represent several different grantee
+    # principals.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #
     # @option params [Integer] :limit
     #   Use this parameter to specify the maximum number of items to return.
     #   When this value is present, AWS KMS does not return more than the
@@ -4289,16 +4326,16 @@ module Aws::KMS
     # under which data is encrypted, such as when you [manually rotate][1] a
     # CMK or change the CMK that protects a ciphertext. You can also use it
     # to reencrypt ciphertext under the same CMK, such as to change the
-    # encryption context of a ciphertext.
+    # [encryption context][2] of a ciphertext.
     #
     # The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
     # using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
     # GenerateDataKey. It can also decrypt ciphertext that was encrypted by
-    # using the public key of an asymmetric CMK outside of AWS KMS. However,
-    # it cannot decrypt ciphertext produced by other libraries, such as the
-    # [AWS Encryption SDK][2] or [Amazon S3 client-side encryption][3].
-    # These libraries return a ciphertext format that is incompatible with
-    # AWS KMS.
+    # using the public key of an [asymmetric CMK][3] outside of AWS KMS.
+    # However, it cannot decrypt ciphertext produced by other libraries,
+    # such as the [AWS Encryption SDK][4] or [Amazon S3 client-side
+    # encryption][5]. These libraries return a ciphertext format that is
+    # incompatible with AWS KMS.
     #
     # When you use the `ReEncrypt` operation, you need to provide
     # information for the decrypt operation and the subsequent encrypt
@@ -4336,29 +4373,30 @@ module Aws::KMS
     # Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
     # permissions:
     #
-    # * `kms:EncryptFrom` permission on the source CMK
-    #
-    # * `kms:EncryptTo` permission on the destination CMK
+    # * `kms:ReEncryptFrom` permission on the source CMK
     #
-    # To permit reencryption from
+    # * `kms:ReEncryptTo` permission on the destination CMK
     #
-    # or to a CMK, include the `"kms:ReEncrypt*"` permission in your [key
-    # policy][4]. This permission is automatically included in the key
-    # policy when you use the console to create a CMK. But you must include
-    # it manually when you create a CMK programmatically or when you use the
-    # PutKeyPolicy operation set a key policy.
+    # To permit reencryption from or to a CMK, include the
+    # `"kms:ReEncrypt*"` permission in your [key policy][6]. This permission
+    # is automatically included in the key policy when you use the console
+    # to create a CMK. But you must include it manually when you create a
+    # CMK programmatically or when you use the PutKeyPolicy operation to set
+    # a key policy.
     #
     # The CMK that you use for this operation must be in a compatible key
     # state. For details, see [How Key State Affects Use of a Customer
-    # Master Key][5] in the *AWS Key Management Service Developer Guide*.
+    # Master Key][7] in the *AWS Key Management Service Developer Guide*.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
-    # [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
-    # [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
+    # [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
+    # [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
+    # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @option params [required, String, IO] :ciphertext_blob
     #   Ciphertext of the data to reencrypt.
@@ -5437,7 +5475,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.32.0'
+      context[:gem_version] = '1.33.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/client_api.rb

@@ -1032,6 +1032,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
 
       api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1048,6 +1049,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
       end)
 
       api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1387,6 +1389,7 @@ module Aws::KMS
         o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
         o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+        o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
       end)
 

data/lib/aws-sdk-kms/types.rb

@@ -76,8 +76,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier of the master key for which deletion is
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
     #   canceled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
@@ -433,15 +437,16 @@ module Aws::KMS
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   Allows a cryptographic operation only when the encryption context
-    #   matches or includes the encryption context specified in this
+    #   Allows a [cryptographic operation][1] only when the encryption
+    #   context matches or includes the encryption context specified in this
     #   structure. For more information about encryption context, see
-    #   [Encryption Context][1] in the <i> <i>AWS Key Management Service
+    #   [Encryption Context][2] in the <i> <i>AWS Key Management Service
     #   Developer Guide</i> </i>.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -575,8 +580,8 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   Determines the cryptographic operations for which you can use the
-    #   CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
+    #   Determines the [cryptographic operations][1] for which you can use
+    #   the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
     #   required only for asymmetric CMKs. You can't change the `KeyUsage`
     #   value after the CMK is created.
     #
@@ -589,6 +594,10 @@ module Aws::KMS
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
     #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -922,12 +931,13 @@ module Aws::KMS
     #
     #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
     #     configuration was deleted. If AWS KMS cannot find all of the
-    #     subnets that were configured for the cluster when the custom key
-    #     store was created, attempts to connect fail. To fix this error,
-    #     create a cluster from a backup and associate it with your custom
-    #     key store. This process includes selecting a VPC and subnets. For
-    #     details, see [How to Fix a Connection Failure][1] in the *AWS Key
-    #     Management Service Developer Guide*.
+    #     subnets in the cluster configuration, attempts to connect the
+    #     custom key store to the AWS CloudHSM cluster fail. To fix this
+    #     error, create a cluster from a recent backup and associate it with
+    #     your custom key store. (This process creates a new cluster
+    #     configuration with a VPC and private subnets.) For details, see
+    #     [How to Fix a Connection Failure][1] in the *AWS Key Management
+    #     Service Developer Guide*.
     #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
     #     associated AWS CloudHSM cluster due to too many failed password
@@ -993,9 +1003,9 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context to use when decrypting the data. An
-    #   encryption context is valid only for cryptographic operations with a
-    #   symmetric CMK. The standard asymmetric encryption algorithms that
-    #   AWS KMS uses do not support an encryption context.
+    #   encryption context is valid only for [cryptographic operations][1]
+    #   with a symmetric CMK. The standard asymmetric encryption algorithms
+    #   that AWS KMS uses do not support an encryption context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1004,12 +1014,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1081,8 +1092,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The ARN of the customer master key that was used to perform the
-    #   decryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   decrypt the ciphertext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] plaintext
@@ -1547,9 +1562,10 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context
     #   Specifies the encryption context that will be used to encrypt the
-    #   data. An encryption context is valid only for cryptographic
-    #   operations with a symmetric CMK. The standard asymmetric encryption
-    #   algorithms that AWS KMS uses do not support an encryption context.
+    #   data. An encryption context is valid only for [cryptographic
+    #   operations][1] with a symmetric CMK. The standard asymmetric
+    #   encryption algorithms that AWS KMS uses do not support an encryption
+    #   context.
     #
     #   An *encryption context* is a collection of non-secret key-value
     #   pairs that represents additional authenticated data. When you use an
@@ -1558,12 +1574,13 @@ module Aws::KMS
     #   An encryption context is optional when encrypting with a symmetric
     #   CMK, but it is highly recommended.
     #
-    #   For more information, see [Encryption Context][1] in the *AWS Key
+    #   For more information, see [Encryption Context][2] in the *AWS Key
     #   Management Service Developer Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] grant_tokens
@@ -1605,7 +1622,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The ID of the key used during encryption.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   encrypt the plaintext.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithm
@@ -1669,7 +1691,9 @@ module Aws::KMS
     #
     # @!attribute [rw] key_id
     #   Specifies the symmetric CMK that encrypts the private key in the
-    #   data key pair. You cannot specify an asymmetric CMKs.
+    #   data key pair. You cannot specify an asymmetric CMK or a CMK in a
+    #   custom key store. To get the type and origin of your CMK, use the
+    #   DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1738,7 +1762,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the private key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1790,7 +1819,8 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Specifies the CMK that encrypts the private key in the data key
     #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   CMK or a CMK in a custom key store. To get the type and origin of
+    #   your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1852,27 +1882,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Specifies the CMK that encrypted the private key in the data key
-    #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK. To get the type of your CMK, use the DescribeKey operation.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the private key.
     #
-    #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
-    #   name, or alias ARN. When using an alias name, prefix it with
-    #   `"alias/"`.
     #
-    #   For example:
     #
-    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   * Key ARN:
-    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
-    #
-    #   * Alias name: `alias/ExampleAlias`
-    #
-    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
-    #
-    #   To get the key ID and key ARN for a CMK, use ListKeys or
-    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] key_pair_spec
@@ -1999,7 +2014,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2107,7 +2127,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   The identifier of the CMK that encrypted the data key.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
+    #   the data key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -2302,9 +2327,13 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The identifier of the CMK to use in a subsequent ImportKeyMaterial
-    #   request. This is the same CMK specified in the
-    #   `GetParametersForImport` request.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
+    #   subsequent ImportKeyMaterial request. This is the same CMK specified
+    #   in the `GetParametersForImport` request.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] import_token
@@ -2384,8 +2413,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The identifier of the asymmetric CMK from which the public key was
-    #   downloaded.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
+    #   which the public key was downloaded.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] public_key
@@ -2446,26 +2479,16 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # Use this structure to allow cryptographic operations in the grant only
-    # when the operation request includes the specified [encryption
-    # context][1].
-    #
-    # AWS KMS applies the grant constraints only when the grant allows a
-    # cryptographic operation that accepts an encryption context as input,
-    # such as the following.
-    #
-    # * Encrypt
+    # Use this structure to allow [cryptographic operations][1] in the grant
+    # only when the operation request includes the specified [encryption
+    # context][2].
     #
-    # * Decrypt
-    #
-    # * GenerateDataKey
-    #
-    # * GenerateDataKeyWithoutPlaintext
-    #
-    # * ReEncrypt
-    #
-    # AWS KMS does not apply the grant constraints to other operations, such
-    # as DescribeKey or ScheduleKeyDeletion.
+    # AWS KMS applies the grant constraints only to cryptographic operations
+    # that support an encryption context, that is, all cryptographic
+    # operations with a [symmetric CMK][3]. Grant constraints are not
+    # applied to operations that do not support an encryption context, such
+    # as cryptographic operations with asymmetric CMKs and management
+    # operations, such as DescribeKey or ScheduleKeyDeletion.
     #
     # In a cryptographic operation, the encryption context in the decryption
     # operation must be an exact, case-sensitive match for the keys and
@@ -2479,13 +2502,15 @@ module Aws::KMS
     # differ only by case. To require a fully case-sensitive encryption
     # context, use the `kms:EncryptionContext:` and
     # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
+    # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
     # Management Service Developer Guide</i> </i>.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
     #
     # @note When making an API call, you may pass GrantConstraints
     #   data as a hash:
@@ -2501,17 +2526,25 @@ module Aws::KMS
     #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
-    #   context of the cryptographic operation request. The grant allows the
-    #   cryptographic operation only when the encryption context in the
-    #   request includes the key-value pairs specified in this constraint,
-    #   although it can include additional key-value pairs.
+    #   context of the [cryptographic operation][1] request. The grant
+    #   allows the cryptographic operation only when the encryption context
+    #   in the request includes the key-value pairs specified in this
+    #   constraint, although it can include additional key-value pairs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] encryption_context_equals
     #   A list of key-value pairs that must match the encryption context in
-    #   the cryptographic operation request. The grant allows the operation
-    #   only when the encryption context in the request is the same as the
-    #   encryption context specified in this constraint.
+    #   the [cryptographic operation][1] request. The grant allows the
+    #   operation only when the encryption context in the request is the
+    #   same as the encryption context specified in this constraint.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -2522,7 +2555,7 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # Contains information about an entry in a list of grants.
+    # Contains information about a grant.
     #
     # @!attribute [rw] key_id
     #   The unique identifier for the customer master key (CMK) to which the
@@ -2544,7 +2577,18 @@ module Aws::KMS
     #   @return [Time]
     #
     # @!attribute [rw] grantee_principal
-    #   The principal that receives the grant's permissions.
+    #   The identity that gets the permissions in the grant.
+    #
+    #   The `GranteePrincipal` field in the `ListGrants` response usually
+    #   contains the user or role designated as the grantee principal in the
+    #   grant. However, when the grantee principal in the grant is an AWS
+    #   service, the `GranteePrincipal` field contains the [service
+    #   principal][1], which might represent several different grantee
+    #   principals.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
     #   @return [String]
     #
     # @!attribute [rw] retiring_principal
@@ -2930,15 +2974,19 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The cryptographic operations for which you can use the CMK.
+    #   The [cryptographic operations][1] for which you can use the CMK.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
     #   @return [String]
     #
     # @!attribute [rw] key_state
-    #   The state of the CMK.
+    #   The current status of the CMK.
     #
     #   For more information about how key state affects the use of a CMK,
-    #   see [How Key State Affects the Use of a Customer Master Key][1] in
-    #   the *AWS Key Management Service Developer Guide*.
+    #   see [Key state: Effect on your CMK][1] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
@@ -3011,16 +3059,16 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
-    #   A list of encryption algorithms that the CMK supports. You cannot
-    #   use the CMK with other encryption algorithms within AWS KMS.
+    #   The encryption algorithms that the CMK supports. You cannot use the
+    #   CMK with other encryption algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `ENCRYPT_DECRYPT`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] signing_algorithms
-    #   A list of signing algorithms that the CMK supports. You cannot use
-    #   the CMK with other signing algorithms within AWS KMS.
+    #   The signing algorithms that the CMK supports. You cannot use the CMK
+    #   with other signing algorithms within AWS KMS.
     #
     #   This field appears only when the `KeyUsage` of the CMK is
     #   `SIGN_VERIFY`.
@@ -3794,7 +3842,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_id
-    #   Unique identifier of the CMK used to reencrypt the data.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
+    #   reencrypt the data.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] source_encryption_algorithm
@@ -3935,8 +3988,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier of the customer master key (CMK) for which
-    #   deletion is scheduled.
+    #   The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
+    #   scheduled.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
@@ -4033,8 +4090,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The Amazon Resource Name (ARN) of the asymmetric CMK that was used
-    #   to sign the message.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to sign the message.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature
@@ -4448,8 +4509,12 @@ module Aws::KMS
     end
 
     # @!attribute [rw] key_id
-    #   The unique identifier for the asymmetric CMK that was used to verify
-    #   the signature.
+    #   The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
+    #   was used to verify the signature.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
     #   @return [String]
     #
     # @!attribute [rw] signature_valid

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.32.0
+  version: 1.33.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-28 00:00:00.000000000 Z
+date: 2020-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core