aws-sdk-kms 1.39.0 → 1.40.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +954 -229
- data/lib/aws-sdk-kms/client_api.rb +2 -0
- data/lib/aws-sdk-kms/types.rb +123 -55
- metadata +2 -2
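--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6bf5d7d6190e97a932c923b974e00336bd9f011ce2a0f109a44897f6a19fc876
+data.tar.gz: 62336c63a81cc1542c704405bc28156b43e90475444d12b97f647a2a98d56c33
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5e1e0ff07094584becfe74a24f482fa936b9819d5c2dca733a50c171254fffab3978d0828149a8ce85a0eab03e1b7b3969c0342253b42d8333ad213e7ce33da0
+data.tar.gz: ad825d989dd35a99d9f7663e62591c7d926b4bd8ff583d4d8e750ccb9e3cd3009f80046a000239f238bd0faf19e3a386f84fb20b02b8e87c3c85d7a73345946a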
data/lib/aws-sdk-kms.rb
CHANGED
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -339,8 +339,7 @@ module Aws::KMS
|
|
339
339
|
|
340
340
|
# Cancels the deletion of a customer master key (CMK). When this
|
341
341
|
# operation succeeds, the key state of the CMK is `Disabled`. To enable
|
342
|
-
# the CMK, use EnableKey.
|
343
|
-
# a different AWS account.
|
342
|
+
# the CMK, use EnableKey.
|
344
343
|
#
|
345
344
|
# For more information about scheduling and canceling deletion of a CMK,
|
346
345
|
# see [Deleting Customer Master Keys][1] in the *AWS Key Management
|
@@ -350,10 +349,18 @@ module Aws::KMS
|
|
350
349
|
# state. For details, see [How Key State Affects Use of a Customer
|
351
350
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
352
351
|
#
|
352
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
353
|
+
# in a different AWS account.
|
354
|
+
#
|
355
|
+
# **Required permissions**\: [kms:CancelKeyDeletion][3] (key policy)
|
356
|
+
#
|
357
|
+
# **Related operations**\: ScheduleKeyDeletion
|
358
|
+
#
|
353
359
|
#
|
354
360
|
#
|
355
361
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
356
362
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
363
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
357
364
|
#
|
358
365
|
# @option params [required, String] :key_id
|
359
366
|
# The unique identifier for the customer master key (CMK) for which to
|
@@ -448,6 +455,23 @@ module Aws::KMS
|
|
448
455
|
# store, see [Troubleshooting a Custom Key Store][5] in the *AWS Key
|
449
456
|
# Management Service Developer Guide*.
|
450
457
|
#
|
458
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
459
|
+
# custom key store in a different AWS account.
|
460
|
+
#
|
461
|
+
# **Required permissions**\: [kms:ConnectCustomKeyStore][6] (IAM policy)
|
462
|
+
#
|
463
|
+
# **Related operations**
|
464
|
+
#
|
465
|
+
# * CreateCustomKeyStore
|
466
|
+
#
|
467
|
+
# * DeleteCustomKeyStore
|
468
|
+
#
|
469
|
+
# * DescribeCustomKeyStores
|
470
|
+
#
|
471
|
+
# * DisconnectCustomKeyStore
|
472
|
+
#
|
473
|
+
# * UpdateCustomKeyStore
|
474
|
+
#
|
451
475
|
#
|
452
476
|
#
|
453
477
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
@@ -455,6 +479,7 @@ module Aws::KMS
|
|
455
479
|
# [3]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html
|
456
480
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
457
481
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
482
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
458
483
|
#
|
459
484
|
# @option params [required, String] :custom_key_store_id
|
460
485
|
# Enter the key store ID of the custom key store that you want to
|
@@ -478,96 +503,98 @@ module Aws::KMS
|
|
478
503
|
req.send_request(options)
|
479
504
|
end
|
480
505
|
|
481
|
-
# Creates a
|
482
|
-
#
|
483
|
-
# operations][1], such as Encrypt and
|
484
|
-
#
|
485
|
-
#
|
486
|
-
#
|
487
|
-
#
|
488
|
-
#
|
489
|
-
#
|
490
|
-
#
|
491
|
-
#
|
492
|
-
#
|
493
|
-
# an
|
494
|
-
#
|
495
|
-
#
|
506
|
+
# Creates a friendly name for a customer master key (CMK). You can use
|
507
|
+
# an alias to identify a CMK in the AWS KMS console, in the DescribeKey
|
508
|
+
# operation and in [cryptographic operations][1], such as Encrypt and
|
509
|
+
# GenerateDataKey.
|
510
|
+
#
|
511
|
+
# You can also change the CMK that's associated with the alias
|
512
|
+
# (UpdateAlias) or delete the alias (DeleteAlias) at any time. These
|
513
|
+
# operations don't affect the underlying CMK.
|
514
|
+
#
|
515
|
+
# You can associate the alias with any customer managed CMK in the same
|
516
|
+
# AWS Region. Each alias is associated with only on CMK at a time, but a
|
517
|
+
# CMK can have multiple aliases. A valid CMK is required. You can't
|
518
|
+
# create an alias without a CMK.
|
519
|
+
#
|
520
|
+
# The alias must be unique in the account and Region, but you can have
|
521
|
+
# aliases with the same name in different Regions. For detailed
|
522
|
+
# information about aliases, see [Using aliases][2] in the *AWS Key
|
523
|
+
# Management Service Developer Guide*.
|
496
524
|
#
|
497
525
|
# This operation does not return a response. To get the alias that you
|
498
526
|
# created, use the ListAliases operation.
|
499
527
|
#
|
500
|
-
#
|
528
|
+
# The CMK that you use for this operation must be in a compatible key
|
529
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
530
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
531
|
+
#
|
532
|
+
# **Cross-account use**\: No. You cannot perform this operation on an
|
533
|
+
# alias in a different AWS account.
|
501
534
|
#
|
502
|
-
#
|
503
|
-
# can have multiple aliases. The alias and its associated CMK must be
|
504
|
-
# in the same AWS account and Region.
|
535
|
+
# **Required permissions**
|
505
536
|
#
|
506
|
-
# *
|
507
|
-
# AWS account and Region. However, you do not have permission to
|
508
|
-
# associate an alias with an [AWS managed CMK][2] or an [AWS owned
|
509
|
-
# CMK][3].
|
537
|
+
# * [kms:CreateAlias][4] on the alias (IAM policy).
|
510
538
|
#
|
511
|
-
# *
|
512
|
-
# operation. The current CMK and the new CMK must be the same type
|
513
|
-
# (both symmetric or both asymmetric) and they must have the same key
|
514
|
-
# usage (`ENCRYPT_DECRYPT` or `SIGN_VERIFY`). This restriction
|
515
|
-
# prevents cryptographic errors in code that uses aliases.
|
516
|
-
#
|
517
|
-
# * The alias name must begin with `alias/` followed by a name, such as
|
518
|
-
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
519
|
-
# forward slashes (/), underscores (\_), and dashes (-). The alias
|
520
|
-
# name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
|
521
|
-
# reserved for [AWS managed CMKs][2].
|
522
|
-
#
|
523
|
-
# * The alias name must be unique within an AWS Region. However, you can
|
524
|
-
# use the same alias name in multiple Regions of the same AWS account.
|
525
|
-
# Each instance of the alias is associated with a CMK in its Region.
|
526
|
-
#
|
527
|
-
# * After you create an alias, you cannot change its alias name.
|
528
|
-
# However, you can use the DeleteAlias operation to delete the alias
|
529
|
-
# and then create a new alias with the desired name.
|
530
|
-
#
|
531
|
-
# * You can use an alias name or alias ARN to identify a CMK in AWS KMS
|
532
|
-
# [cryptographic operations][1] and in the DescribeKey operation.
|
533
|
-
# However, you cannot use alias names or alias ARNs in API operations
|
534
|
-
# that manage CMKs, such as DisableKey or GetKeyPolicy. For
|
535
|
-
# information about the valid CMK identifiers for each AWS KMS API
|
536
|
-
# operation, see the descriptions of the `KeyId` parameter in the API
|
537
|
-
# operation documentation.
|
539
|
+
# * [kms:CreateAlias][4] on the CMK (key policy).
|
538
540
|
#
|
539
|
-
#
|
540
|
-
#
|
541
|
-
# appear in the response from the DescribeKey operation. To get the
|
542
|
-
# aliases and alias ARNs of CMKs in each AWS account and Region, use the
|
543
|
-
# ListAliases operation.
|
541
|
+
# For details, see [Controlling access to aliases][5] in the *AWS Key
|
542
|
+
# Management Service Developer Guide*.
|
544
543
|
#
|
545
|
-
#
|
546
|
-
#
|
547
|
-
#
|
544
|
+
# **Related operations:**
|
545
|
+
#
|
546
|
+
# * DeleteAlias
|
547
|
+
#
|
548
|
+
# * ListAliases
|
549
|
+
#
|
550
|
+
# * UpdateAlias
|
548
551
|
#
|
549
552
|
#
|
550
553
|
#
|
551
554
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
552
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
553
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
554
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
555
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
|
556
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
557
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
558
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
555
559
|
#
|
556
560
|
# @option params [required, String] :alias_name
|
557
561
|
# Specifies the alias name. This value must begin with `alias/` followed
|
558
|
-
# by a name, such as `alias/ExampleAlias`.
|
559
|
-
#
|
560
|
-
#
|
562
|
+
# by a name, such as `alias/ExampleAlias`.
|
563
|
+
#
|
564
|
+
# The `AliasName` value must be string of 1-256 characters. It can
|
565
|
+
# contain only alphanumeric characters, forward slashes (/), underscores
|
566
|
+
# (\_), and dashes (-). The alias name cannot begin with `alias/aws/`.
|
567
|
+
# The `alias/aws/` prefix is reserved for [AWS managed CMKs][1].
|
568
|
+
#
|
569
|
+
#
|
570
|
+
#
|
571
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
561
572
|
#
|
562
573
|
# @option params [required, String] :target_key_id
|
563
|
-
#
|
564
|
-
#
|
565
|
-
#
|
566
|
-
#
|
574
|
+
# Associates the alias with the specified [customer managed CMK][1]. The
|
575
|
+
# CMK must be in the same AWS Region.
|
576
|
+
#
|
577
|
+
# A valid CMK ID is required. If you supply a null or empty string
|
578
|
+
# value, this operation returns an error.
|
579
|
+
#
|
580
|
+
# For help finding the key ID and ARN, see [Finding the Key ID and
|
581
|
+
# ARN][2] in the *AWS Key Management Service Developer Guide*.
|
582
|
+
#
|
583
|
+
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
584
|
+
#
|
585
|
+
# For example:
|
586
|
+
#
|
587
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
588
|
+
#
|
589
|
+
# * Key ARN:
|
590
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
591
|
+
#
|
592
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
567
593
|
#
|
568
594
|
#
|
569
595
|
#
|
570
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
596
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
597
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
|
571
598
|
#
|
572
599
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
573
600
|
#
|
@@ -621,12 +648,30 @@ module Aws::KMS
|
|
621
648
|
# For help with failures, see [Troubleshooting a Custom Key Store][4] in
|
622
649
|
# the *AWS Key Management Service Developer Guide*.
|
623
650
|
#
|
651
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
652
|
+
# custom key store in a different AWS account.
|
653
|
+
#
|
654
|
+
# **Required permissions**\: [kms:CreateCustomKeyStore][5] (IAM policy).
|
655
|
+
#
|
656
|
+
# **Related operations:**
|
657
|
+
#
|
658
|
+
# * ConnectCustomKeyStore
|
659
|
+
#
|
660
|
+
# * DeleteCustomKeyStore
|
661
|
+
#
|
662
|
+
# * DescribeCustomKeyStores
|
663
|
+
#
|
664
|
+
# * DisconnectCustomKeyStore
|
665
|
+
#
|
666
|
+
# * UpdateCustomKeyStore
|
667
|
+
#
|
624
668
|
#
|
625
669
|
#
|
626
670
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
627
671
|
# [2]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
|
628
672
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
629
673
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
674
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
630
675
|
#
|
631
676
|
# @option params [required, String] :custom_key_store_name
|
632
677
|
# Specifies a friendly name for the custom key store. The name must be
|
@@ -728,17 +773,29 @@ module Aws::KMS
|
|
728
773
|
#
|
729
774
|
# For information about symmetric and asymmetric CMKs, see [Using
|
730
775
|
# Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
|
731
|
-
# Developer Guide*.
|
732
|
-
#
|
733
|
-
# To perform this operation on a CMK in a different AWS account, specify
|
734
|
-
# the key ARN in the value of the `KeyId` parameter. For more
|
735
|
-
# information about grants, see [Grants][9] in the <i> <i>AWS Key
|
736
|
-
# Management Service Developer Guide</i> </i>.
|
776
|
+
# Developer Guide*. For more information about grants, see [Grants][9]
|
777
|
+
# in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.
|
737
778
|
#
|
738
779
|
# The CMK that you use for this operation must be in a compatible key
|
739
780
|
# state. For details, see [How Key State Affects Use of a Customer
|
740
781
|
# Master Key][10] in the *AWS Key Management Service Developer Guide*.
|
741
782
|
#
|
783
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
784
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
785
|
+
# parameter.
|
786
|
+
#
|
787
|
+
# **Required permissions**\: [kms:CreateGrant][11] (key policy)
|
788
|
+
#
|
789
|
+
# **Related operations:**
|
790
|
+
#
|
791
|
+
# * ListGrants
|
792
|
+
#
|
793
|
+
# * ListRetirableGrants
|
794
|
+
#
|
795
|
+
# * RetireGrant
|
796
|
+
#
|
797
|
+
# * RevokeGrant
|
798
|
+
#
|
742
799
|
#
|
743
800
|
#
|
744
801
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
@@ -751,6 +808,7 @@ module Aws::KMS
|
|
751
808
|
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
752
809
|
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
753
810
|
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
811
|
+
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
754
812
|
#
|
755
813
|
# @option params [required, String] :key_id
|
756
814
|
# The unique identifier for the customer master key (CMK) that the grant
|
@@ -810,6 +868,10 @@ module Aws::KMS
|
|
810
868
|
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
811
869
|
# Developer Guide</i> </i>.
|
812
870
|
#
|
871
|
+
# Grant constraints are not applied to operations that do not support an
|
872
|
+
# encryption context, such as cryptographic operations with asymmetric
|
873
|
+
# CMKs and management operations, such as DescribeKey or RetireGrant.
|
874
|
+
#
|
813
875
|
#
|
814
876
|
#
|
815
877
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
@@ -826,9 +888,8 @@ module Aws::KMS
|
|
826
888
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
827
889
|
#
|
828
890
|
# @option params [String] :name
|
829
|
-
# A friendly name for
|
830
|
-
#
|
831
|
-
# request.
|
891
|
+
# A friendly name for the grant. Use this value to prevent the
|
892
|
+
# unintended creation of duplicate grants when retrying this request.
|
832
893
|
#
|
833
894
|
# When this value is absent, all `CreateGrant` requests result in a new
|
834
895
|
# grant with a unique `GrantId` even if all the supplied parameters are
|
@@ -839,8 +900,8 @@ module Aws::KMS
|
|
839
900
|
# identical parameters; if the grant already exists, the original
|
840
901
|
# `GrantId` is returned without creating a new grant. Note that the
|
841
902
|
# returned grant token is unique with every `CreateGrant` request, even
|
842
|
-
# when a duplicate `GrantId` is returned. All grant tokens
|
843
|
-
#
|
903
|
+
# when a duplicate `GrantId` is returned. All grant tokens for the same
|
904
|
+
# grant ID can be used interchangeably.
|
844
905
|
#
|
845
906
|
# @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
846
907
|
#
|
@@ -902,8 +963,7 @@ module Aws::KMS
|
|
902
963
|
end
|
903
964
|
|
904
965
|
# Creates a unique customer managed [customer master key][1] (CMK) in
|
905
|
-
# your AWS account and Region.
|
906
|
-
# CMK in a different AWS account.
|
966
|
+
# your AWS account and Region.
|
907
967
|
#
|
908
968
|
# You can use the `CreateKey` operation to create symmetric or
|
909
969
|
# asymmetric CMKs.
|
@@ -978,6 +1038,22 @@ module Aws::KMS
|
|
978
1038
|
# Stores][6] in the <i> <i>AWS Key Management Service Developer
|
979
1039
|
# Guide</i> </i>.
|
980
1040
|
#
|
1041
|
+
# **Cross-account use**\: No. You cannot use this operation to create a
|
1042
|
+
# CMK in a different AWS account.
|
1043
|
+
#
|
1044
|
+
# **Required permissions**\: [kms:CreateKey][7] (IAM policy). To use the
|
1045
|
+
# `Tags` parameter, [kms:TagResource][7] (IAM policy). For examples and
|
1046
|
+
# information about related permissions, see [Allow a user to create
|
1047
|
+
# CMKs][8] in the *AWS Key Management Service Developer Guide*.
|
1048
|
+
#
|
1049
|
+
# **Related operations:**
|
1050
|
+
#
|
1051
|
+
# * DescribeKey
|
1052
|
+
#
|
1053
|
+
# * ListKeys
|
1054
|
+
#
|
1055
|
+
# * ScheduleKeyDeletion
|
1056
|
+
#
|
981
1057
|
#
|
982
1058
|
#
|
983
1059
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys
|
@@ -986,6 +1062,8 @@ module Aws::KMS
|
|
986
1062
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
987
1063
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
988
1064
|
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1065
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1066
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
989
1067
|
#
|
990
1068
|
# @option params [String] :policy
|
991
1069
|
# The key policy to attach to the CMK.
|
@@ -1015,11 +1093,15 @@ module Aws::KMS
|
|
1015
1093
|
#
|
1016
1094
|
# The key policy size quota is 32 kilobytes (32768 bytes).
|
1017
1095
|
#
|
1096
|
+
# For help writing and formatting a JSON policy document, see the [IAM
|
1097
|
+
# JSON Policy Reference][4] in the <i> <i>IAM User Guide</i> </i>.
|
1098
|
+
#
|
1018
1099
|
#
|
1019
1100
|
#
|
1020
1101
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
1021
1102
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
1022
1103
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
1104
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
1023
1105
|
#
|
1024
1106
|
# @option params [String] :description
|
1025
1107
|
# A description of the CMK.
|
@@ -1188,9 +1270,13 @@ module Aws::KMS
|
|
1188
1270
|
# Use this parameter to tag the CMK when it is created. To add tags to
|
1189
1271
|
# an existing CMK, use the TagResource operation.
|
1190
1272
|
#
|
1273
|
+
# To use this parameter, you must have [kms:TagResource][2] permission
|
1274
|
+
# in an IAM policy.
|
1275
|
+
#
|
1191
1276
|
#
|
1192
1277
|
#
|
1193
1278
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
1279
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1194
1280
|
#
|
1195
1281
|
# @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1196
1282
|
#
|
@@ -1303,33 +1389,55 @@ module Aws::KMS
|
|
1303
1389
|
# encryption][3]. These libraries return a ciphertext format that is
|
1304
1390
|
# incompatible with AWS KMS.
|
1305
1391
|
#
|
1306
|
-
# If the ciphertext was encrypted under a symmetric CMK,
|
1307
|
-
#
|
1308
|
-
#
|
1309
|
-
#
|
1310
|
-
#
|
1311
|
-
#
|
1312
|
-
# the `
|
1392
|
+
# If the ciphertext was encrypted under a symmetric CMK, the `KeyId`
|
1393
|
+
# parameter is optional. AWS KMS can get this information from metadata
|
1394
|
+
# that it adds to the symmetric ciphertext blob. This feature adds
|
1395
|
+
# durability to your implementation by ensuring that authorized users
|
1396
|
+
# can decrypt ciphertext decades after it was encrypted, even if
|
1397
|
+
# they've lost track of the CMK ID. However, specifying the CMK is
|
1398
|
+
# always recommended as a best practice. When you use the `KeyId`
|
1399
|
+
# parameter to specify a CMK, AWS KMS only uses the CMK you specify. If
|
1400
|
+
# the ciphertext was encrypted under a different CMK, the `Decrypt`
|
1401
|
+
# operation fails. This practice ensures that you use the CMK that you
|
1402
|
+
# intend.
|
1313
1403
|
#
|
1314
1404
|
# Whenever possible, use key policies to give users permission to call
|
1315
|
-
# the Decrypt operation on a particular CMK, instead of using IAM
|
1405
|
+
# the `Decrypt` operation on a particular CMK, instead of using IAM
|
1316
1406
|
# policies. Otherwise, you might create an IAM user policy that gives
|
1317
|
-
# the user Decrypt permission on all CMKs. This user could decrypt
|
1407
|
+
# the user `Decrypt` permission on all CMKs. This user could decrypt
|
1318
1408
|
# ciphertext that was encrypted by CMKs in other accounts if the key
|
1319
1409
|
# policy for the cross-account CMK permits it. If you must use an IAM
|
1320
1410
|
# policy for `Decrypt` permissions, limit the user to particular CMKs or
|
1321
|
-
# particular trusted accounts.
|
1411
|
+
# particular trusted accounts. For details, see [Best practices for IAM
|
1412
|
+
# policies][4] in the *AWS Key Management Service Developer Guide*.
|
1322
1413
|
#
|
1323
1414
|
# The CMK that you use for this operation must be in a compatible key
|
1324
1415
|
# state. For details, see [How Key State Affects Use of a Customer
|
1325
|
-
# Master Key][
|
1416
|
+
# Master Key][5] in the *AWS Key Management Service Developer Guide*.
|
1417
|
+
#
|
1418
|
+
# **Cross-account use**\: Yes. You can decrypt a ciphertext using a CMK
|
1419
|
+
# in a different AWS account.
|
1420
|
+
#
|
1421
|
+
# **Required permissions**\: [kms:Decrypt][6] (key policy)
|
1422
|
+
#
|
1423
|
+
# **Related operations:**
|
1424
|
+
#
|
1425
|
+
# * Encrypt
|
1426
|
+
#
|
1427
|
+
# * GenerateDataKey
|
1428
|
+
#
|
1429
|
+
# * GenerateDataKeyPair
|
1430
|
+
#
|
1431
|
+
# * ReEncrypt
|
1326
1432
|
#
|
1327
1433
|
#
|
1328
1434
|
#
|
1329
1435
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
1330
1436
|
# [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
1331
1437
|
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
1332
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1438
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices
|
1439
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1440
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1333
1441
|
#
|
1334
1442
|
# @option params [required, String, StringIO, File] :ciphertext_blob
|
1335
1443
|
# Ciphertext to be decrypted. The blob includes metadata.
|
@@ -1366,22 +1474,20 @@ module Aws::KMS
|
|
1366
1474
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
1367
1475
|
#
|
1368
1476
|
# @option params [String] :key_id
|
1369
|
-
# Specifies the customer master key (CMK) that AWS KMS
|
1370
|
-
#
|
1371
|
-
#
|
1372
|
-
#
|
1373
|
-
# If you specify a `KeyId` value, the `Decrypt` operation succeeds only
|
1374
|
-
# if the specified CMK was used to encrypt the ciphertext.
|
1477
|
+
# Specifies the customer master key (CMK) that AWS KMS uses to decrypt
|
1478
|
+
# the ciphertext. Enter a key ID of the CMK that was used to encrypt the
|
1479
|
+
# ciphertext.
|
1375
1480
|
#
|
1376
1481
|
# This parameter is required only when the ciphertext was encrypted
|
1377
|
-
# under an asymmetric CMK.
|
1378
|
-
#
|
1379
|
-
#
|
1380
|
-
#
|
1482
|
+
# under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get
|
1483
|
+
# the CMK from metadata that it adds to the symmetric ciphertext blob.
|
1484
|
+
# However, it is always recommended as a best practice. This practice
|
1485
|
+
# ensures that you use the CMK that you intend.
|
1381
1486
|
#
|
1382
1487
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1383
1488
|
# name, or alias ARN. When using an alias name, prefix it with
|
1384
|
-
# `"alias/"`.
|
1489
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
1490
|
+
# the key ARN or alias ARN.
|
1385
1491
|
#
|
1386
1492
|
# For example:
|
1387
1493
|
#
|
@@ -1421,6 +1527,7 @@ module Aws::KMS
|
|
1421
1527
|
#
|
1422
1528
|
# resp = client.decrypt({
|
1423
1529
|
# ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
|
1530
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # A key identifier for the CMK to use to decrypt the data.
|
1424
1531
|
# })
|
1425
1532
|
#
|
1426
1533
|
# resp.to_h outputs the following:
|
@@ -1456,8 +1563,7 @@ module Aws::KMS
|
|
1456
1563
|
req.send_request(options)
|
1457
1564
|
end
|
1458
1565
|
|
1459
|
-
# Deletes the specified alias.
|
1460
|
-
# alias in a different AWS account.
|
1566
|
+
# Deletes the specified alias.
|
1461
1567
|
#
|
1462
1568
|
# Because an alias is not a property of a CMK, you can delete and change
|
1463
1569
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
@@ -1469,6 +1575,31 @@ module Aws::KMS
|
|
1469
1575
|
# new alias. To associate an existing alias with a different customer
|
1470
1576
|
# master key (CMK), call UpdateAlias.
|
1471
1577
|
#
|
1578
|
+
# **Cross-account use**\: No. You cannot perform this operation on an
|
1579
|
+
# alias in a different AWS account.
|
1580
|
+
#
|
1581
|
+
# **Required permissions**
|
1582
|
+
#
|
1583
|
+
# * [kms:DeleteAlias][1] on the alias (IAM policy).
|
1584
|
+
#
|
1585
|
+
# * [kms:DeleteAlias][1] on the CMK (key policy).
|
1586
|
+
#
|
1587
|
+
# For details, see [Controlling access to aliases][2] in the *AWS Key
|
1588
|
+
# Management Service Developer Guide*.
|
1589
|
+
#
|
1590
|
+
# **Related operations:**
|
1591
|
+
#
|
1592
|
+
# * CreateAlias
|
1593
|
+
#
|
1594
|
+
# * ListAliases
|
1595
|
+
#
|
1596
|
+
# * UpdateAlias
|
1597
|
+
#
|
1598
|
+
#
|
1599
|
+
#
|
1600
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1601
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
1602
|
+
#
|
1472
1603
|
# @option params [required, String] :alias_name
|
1473
1604
|
# The alias to be deleted. The alias name must begin with `alias/`
|
1474
1605
|
# followed by the alias name, such as `alias/ExampleAlias`.
|
@@ -1531,12 +1662,30 @@ module Aws::KMS
|
|
1531
1662
|
# AWS KMS, which combines the convenience and extensive integration of
|
1532
1663
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
1533
1664
|
#
|
1665
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
1666
|
+
# custom key store in a different AWS account.
|
1667
|
+
#
|
1668
|
+
# **Required permissions**\: [kms:DeleteCustomKeyStore][5] (IAM policy)
|
1669
|
+
#
|
1670
|
+
# **Related operations:**
|
1671
|
+
#
|
1672
|
+
# * ConnectCustomKeyStore
|
1673
|
+
#
|
1674
|
+
# * CreateCustomKeyStore
|
1675
|
+
#
|
1676
|
+
# * DescribeCustomKeyStores
|
1677
|
+
#
|
1678
|
+
# * DisconnectCustomKeyStore
|
1679
|
+
#
|
1680
|
+
# * UpdateCustomKeyStore
|
1681
|
+
#
|
1534
1682
|
#
|
1535
1683
|
#
|
1536
1684
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1537
1685
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1538
1686
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1539
1687
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1688
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1540
1689
|
#
|
1541
1690
|
# @option params [required, String] :custom_key_store_id
|
1542
1691
|
# Enter the ID of the custom key store you want to delete. To find the
|
@@ -1563,7 +1712,6 @@ module Aws::KMS
|
|
1563
1712
|
# makes the specified customer master key (CMK) unusable. For more
|
1564
1713
|
# information about importing key material into AWS KMS, see [Importing
|
1565
1714
|
# Key Material][1] in the *AWS Key Management Service Developer Guide*.
|
1566
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
1567
1715
|
#
|
1568
1716
|
# When the specified CMK is in the `PendingDeletion` state, this
|
1569
1717
|
# operation does not change the CMK's state. Otherwise, it changes the
|
@@ -1576,10 +1724,23 @@ module Aws::KMS
|
|
1576
1724
|
# state. For details, see [How Key State Affects Use of a Customer
|
1577
1725
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1578
1726
|
#
|
1727
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
1728
|
+
# in a different AWS account.
|
1729
|
+
#
|
1730
|
+
# **Required permissions**\: [kms:DeleteImportedKeyMaterial][3] (key
|
1731
|
+
# policy)
|
1732
|
+
#
|
1733
|
+
# **Related operations:**
|
1734
|
+
#
|
1735
|
+
# * GetParametersForImport
|
1736
|
+
#
|
1737
|
+
# * ImportKeyMaterial
|
1738
|
+
#
|
1579
1739
|
#
|
1580
1740
|
#
|
1581
1741
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1582
1742
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1743
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1583
1744
|
#
|
1584
1745
|
# @option params [required, String] :key_id
|
1585
1746
|
# Identifies the CMK from which you are deleting imported key material.
|
@@ -1652,10 +1813,29 @@ module Aws::KMS
|
|
1652
1813
|
# Custom Key Stores][2] topic in the *AWS Key Management Service
|
1653
1814
|
# Developer Guide*.
|
1654
1815
|
#
|
1816
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
1817
|
+
# custom key store in a different AWS account.
|
1818
|
+
#
|
1819
|
+
# **Required permissions**\: [kms:DescribeCustomKeyStores][3] (IAM
|
1820
|
+
# policy)
|
1821
|
+
#
|
1822
|
+
# **Related operations:**
|
1823
|
+
#
|
1824
|
+
# * ConnectCustomKeyStore
|
1825
|
+
#
|
1826
|
+
# * CreateCustomKeyStore
|
1827
|
+
#
|
1828
|
+
# * DeleteCustomKeyStore
|
1829
|
+
#
|
1830
|
+
# * DisconnectCustomKeyStore
|
1831
|
+
#
|
1832
|
+
# * UpdateCustomKeyStore
|
1833
|
+
#
|
1655
1834
|
#
|
1656
1835
|
#
|
1657
1836
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1658
1837
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
1838
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1659
1839
|
#
|
1660
1840
|
# @option params [String] :custom_key_store_id
|
1661
1841
|
# Gets only information about the specified custom key store. Enter the
|
@@ -1757,8 +1937,27 @@ module Aws::KMS
|
|
1757
1937
|
# CMK][4]. Then, it associates the alias with the new CMK, and returns
|
1758
1938
|
# the `KeyId` and `Arn` of the new CMK in the response.
|
1759
1939
|
#
|
1760
|
-
# To perform this operation
|
1761
|
-
# the key ARN or alias ARN in the value
|
1940
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
1941
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
1942
|
+
# of the `KeyId` parameter.
|
1943
|
+
#
|
1944
|
+
# **Required permissions**\: [kms:DescribeKey][5] (key policy)
|
1945
|
+
#
|
1946
|
+
# **Related operations:**
|
1947
|
+
#
|
1948
|
+
# * GetKeyPolicy
|
1949
|
+
#
|
1950
|
+
# * GetKeyRotationStatus
|
1951
|
+
#
|
1952
|
+
# * ListAliases
|
1953
|
+
#
|
1954
|
+
# * ListGrants
|
1955
|
+
#
|
1956
|
+
# * ListKeys
|
1957
|
+
#
|
1958
|
+
# * ListResourceTags
|
1959
|
+
#
|
1960
|
+
# * ListRetirableGrants
|
1762
1961
|
#
|
1763
1962
|
#
|
1764
1963
|
#
|
@@ -1766,6 +1965,7 @@ module Aws::KMS
|
|
1766
1965
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1767
1966
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
|
1768
1967
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1968
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1769
1969
|
#
|
1770
1970
|
# @option params [required, String] :key_id
|
1771
1971
|
# Describes the specified customer master key (CMK).
|
@@ -1875,9 +2075,8 @@ module Aws::KMS
|
|
1875
2075
|
req.send_request(options)
|
1876
2076
|
end
|
1877
2077
|
|
1878
|
-
# Sets the state of a customer master key (CMK) to disabled
|
1879
|
-
#
|
1880
|
-
# perform this operation on a CMK in a different AWS account.
|
2078
|
+
# Sets the state of a customer master key (CMK) to disabled. This change
|
2079
|
+
# temporarily prevents use of the CMK for [cryptographic operations][1].
|
1881
2080
|
#
|
1882
2081
|
# For more information about how key state affects the use of a CMK, see
|
1883
2082
|
# [How Key State Affects the Use of a Customer Master Key][2] in the <i>
|
@@ -1887,10 +2086,18 @@ module Aws::KMS
|
|
1887
2086
|
# state. For details, see [How Key State Affects Use of a Customer
|
1888
2087
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1889
2088
|
#
|
2089
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2090
|
+
# in a different AWS account.
|
2091
|
+
#
|
2092
|
+
# **Required permissions**\: [kms:DisableKey][3] (key policy)
|
2093
|
+
#
|
2094
|
+
# **Related operations**\: EnableKey
|
2095
|
+
#
|
1890
2096
|
#
|
1891
2097
|
#
|
1892
2098
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1893
2099
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2100
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1894
2101
|
#
|
1895
2102
|
# @option params [required, String] :key_id
|
1896
2103
|
# A unique identifier for the customer master key (CMK).
|
@@ -1936,23 +2143,34 @@ module Aws::KMS
|
|
1936
2143
|
# symmetric customer master key (CMK).
|
1937
2144
|
#
|
1938
2145
|
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
1939
|
-
# imported key material, or CMKs in a [custom key store][2].
|
1940
|
-
# perform this operation on a CMK in a different AWS account.
|
2146
|
+
# imported key material, or CMKs in a [custom key store][2].
|
1941
2147
|
#
|
1942
2148
|
# The CMK that you use for this operation must be in a compatible key
|
1943
2149
|
# state. For details, see [How Key State Affects Use of a Customer
|
1944
2150
|
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
1945
2151
|
#
|
2152
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2153
|
+
# in a different AWS account.
|
2154
|
+
#
|
2155
|
+
# **Required permissions**\: [kms:DisableKeyRotation][4] (key policy)
|
2156
|
+
#
|
2157
|
+
# **Related operations:**
|
2158
|
+
#
|
2159
|
+
# * EnableKeyRotation
|
2160
|
+
#
|
2161
|
+
# * GetKeyRotationStatus
|
2162
|
+
#
|
1946
2163
|
#
|
1947
2164
|
#
|
1948
2165
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
1949
2166
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1950
2167
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2168
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1951
2169
|
#
|
1952
2170
|
# @option params [required, String] :key_id
|
1953
|
-
# Identifies a symmetric customer master key (CMK). You cannot enable
|
1954
|
-
# automatic rotation of [asymmetric CMKs][1], CMKs with
|
1955
|
-
# material][2], or CMKs in a [custom key store][3].
|
2171
|
+
# Identifies a symmetric customer master key (CMK). You cannot enable or
|
2172
|
+
# disable automatic rotation of [asymmetric CMKs][1], CMKs with
|
2173
|
+
# [imported key material][2], or CMKs in a [custom key store][3].
|
1956
2174
|
#
|
1957
2175
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
1958
2176
|
#
|
@@ -2023,10 +2241,29 @@ module Aws::KMS
|
|
2023
2241
|
# AWS KMS, which combines the convenience and extensive integration of
|
2024
2242
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
2025
2243
|
#
|
2244
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
2245
|
+
# custom key store in a different AWS account.
|
2246
|
+
#
|
2247
|
+
# **Required permissions**\: [kms:DisconnectCustomKeyStore][3] (IAM
|
2248
|
+
# policy)
|
2249
|
+
#
|
2250
|
+
# **Related operations:**
|
2251
|
+
#
|
2252
|
+
# * ConnectCustomKeyStore
|
2253
|
+
#
|
2254
|
+
# * CreateCustomKeyStore
|
2255
|
+
#
|
2256
|
+
# * DeleteCustomKeyStore
|
2257
|
+
#
|
2258
|
+
# * DescribeCustomKeyStores
|
2259
|
+
#
|
2260
|
+
# * UpdateCustomKeyStore
|
2261
|
+
#
|
2026
2262
|
#
|
2027
2263
|
#
|
2028
2264
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2029
2265
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2266
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2030
2267
|
#
|
2031
2268
|
# @option params [required, String] :custom_key_store_id
|
2032
2269
|
# Enter the ID of the custom key store you want to disconnect. To find
|
@@ -2051,17 +2288,24 @@ module Aws::KMS
|
|
2051
2288
|
end
|
2052
2289
|
|
2053
2290
|
# Sets the key state of a customer master key (CMK) to enabled. This
|
2054
|
-
# allows you to use the CMK for [cryptographic operations][1].
|
2055
|
-
# cannot perform this operation on a CMK in a different AWS account.
|
2291
|
+
# allows you to use the CMK for [cryptographic operations][1].
|
2056
2292
|
#
|
2057
2293
|
# The CMK that you use for this operation must be in a compatible key
|
2058
2294
|
# state. For details, see [How Key State Affects Use of a Customer
|
2059
2295
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2060
2296
|
#
|
2297
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2298
|
+
# in a different AWS account.
|
2299
|
+
#
|
2300
|
+
# **Required permissions**\: [kms:EnableKey][3] (key policy)
|
2301
|
+
#
|
2302
|
+
# **Related operations**\: DisableKey
|
2303
|
+
#
|
2061
2304
|
#
|
2062
2305
|
#
|
2063
2306
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2064
2307
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2308
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2065
2309
|
#
|
2066
2310
|
# @option params [required, String] :key_id
|
2067
2311
|
# A unique identifier for the customer master key (CMK).
|
@@ -2104,8 +2348,7 @@ module Aws::KMS
|
|
2104
2348
|
end
|
2105
2349
|
|
2106
2350
|
# Enables [automatic rotation of the key material][1] for the specified
|
2107
|
-
# symmetric customer master key (CMK).
|
2108
|
-
# on a CMK in a different AWS account.
|
2351
|
+
# symmetric customer master key (CMK).
|
2109
2352
|
#
|
2110
2353
|
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
2111
2354
|
# imported key material, or CMKs in a [custom key store][2].
|
@@ -2114,11 +2357,23 @@ module Aws::KMS
|
|
2114
2357
|
# state. For details, see [How Key State Affects Use of a Customer
|
2115
2358
|
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
2116
2359
|
#
|
2360
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2361
|
+
# in a different AWS account.
|
2362
|
+
#
|
2363
|
+
# **Required permissions**\: [kms:EnableKeyRotation][4] (key policy)
|
2364
|
+
#
|
2365
|
+
# **Related operations:**
|
2366
|
+
#
|
2367
|
+
# * DisableKeyRotation
|
2368
|
+
#
|
2369
|
+
# * GetKeyRotationStatus
|
2370
|
+
#
|
2117
2371
|
#
|
2118
2372
|
#
|
2119
2373
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2120
2374
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2121
2375
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2376
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2122
2377
|
#
|
2123
2378
|
# @option params [required, String] :key_id
|
2124
2379
|
# Identifies a symmetric customer master key (CMK). You cannot enable
|
@@ -2244,13 +2499,25 @@ module Aws::KMS
|
|
2244
2499
|
# state. For details, see [How Key State Affects Use of a Customer
|
2245
2500
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2246
2501
|
#
|
2247
|
-
# To perform this operation
|
2248
|
-
# the key ARN or alias ARN in the value
|
2502
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2503
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
2504
|
+
# of the `KeyId` parameter.
|
2505
|
+
#
|
2506
|
+
# **Required permissions**\: [kms:Encrypt][3] (key policy)
|
2507
|
+
#
|
2508
|
+
# **Related operations:**
|
2509
|
+
#
|
2510
|
+
# * Decrypt
|
2511
|
+
#
|
2512
|
+
# * GenerateDataKey
|
2513
|
+
#
|
2514
|
+
# * GenerateDataKeyPair
|
2249
2515
|
#
|
2250
2516
|
#
|
2251
2517
|
#
|
2252
2518
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2253
2519
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2520
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2254
2521
|
#
|
2255
2522
|
# @option params [required, String] :key_id
|
2256
2523
|
# A unique identifier for the customer master key (CMK).
|
@@ -2429,6 +2696,24 @@ module Aws::KMS
|
|
2429
2696
|
# 2. Use the plaintext data key to decrypt data outside of AWS KMS,
|
2430
2697
|
# then erase the plaintext data key from memory.
|
2431
2698
|
#
|
2699
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2700
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
2701
|
+
# of the `KeyId` parameter.
|
2702
|
+
#
|
2703
|
+
# **Required permissions**\: [kms:GenerateDataKey][6] (key policy)
|
2704
|
+
#
|
2705
|
+
# **Related operations:**
|
2706
|
+
#
|
2707
|
+
# * Decrypt
|
2708
|
+
#
|
2709
|
+
# * Encrypt
|
2710
|
+
#
|
2711
|
+
# * GenerateDataKeyPair
|
2712
|
+
#
|
2713
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
2714
|
+
#
|
2715
|
+
# * GenerateDataKeyWithoutPlaintext
|
2716
|
+
#
|
2432
2717
|
#
|
2433
2718
|
#
|
2434
2719
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
@@ -2436,6 +2721,7 @@ module Aws::KMS
|
|
2436
2721
|
# [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
2437
2722
|
# [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
|
2438
2723
|
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
2724
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2439
2725
|
#
|
2440
2726
|
# @option params [required, String] :key_id
|
2441
2727
|
# Identifies the symmetric CMK that encrypts the data key.
|
@@ -2597,10 +2883,29 @@ module Aws::KMS
|
|
2597
2883
|
# state. For details, see [How Key State Affects Use of a Customer
|
2598
2884
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2599
2885
|
#
|
2886
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2887
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
2888
|
+
# of the `KeyId` parameter.
|
2889
|
+
#
|
2890
|
+
# **Required permissions**\: [kms:GenerateDataKeyPair][3] (key policy)
|
2891
|
+
#
|
2892
|
+
# **Related operations:**
|
2893
|
+
#
|
2894
|
+
# * Decrypt
|
2895
|
+
#
|
2896
|
+
# * Encrypt
|
2897
|
+
#
|
2898
|
+
# * GenerateDataKey
|
2899
|
+
#
|
2900
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
2901
|
+
#
|
2902
|
+
# * GenerateDataKeyWithoutPlaintext
|
2903
|
+
#
|
2600
2904
|
#
|
2601
2905
|
#
|
2602
2906
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2603
2907
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2908
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2604
2909
|
#
|
2605
2910
|
# @option params [Hash<String,String>] :encryption_context
|
2606
2911
|
# Specifies the encryption context that will be used when encrypting the
|
@@ -2733,10 +3038,30 @@ module Aws::KMS
|
|
2733
3038
|
# state. For details, see [How Key State Affects Use of a Customer
|
2734
3039
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2735
3040
|
#
|
3041
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3042
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
3043
|
+
# of the `KeyId` parameter.
|
3044
|
+
#
|
3045
|
+
# **Required permissions**\:
|
3046
|
+
# [kms:GenerateDataKeyPairWithoutPlaintext][3] (key policy)
|
3047
|
+
#
|
3048
|
+
# **Related operations:**
|
3049
|
+
#
|
3050
|
+
# * Decrypt
|
3051
|
+
#
|
3052
|
+
# * Encrypt
|
3053
|
+
#
|
3054
|
+
# * GenerateDataKey
|
3055
|
+
#
|
3056
|
+
# * GenerateDataKeyPair
|
3057
|
+
#
|
3058
|
+
# * GenerateDataKeyWithoutPlaintext
|
3059
|
+
#
|
2736
3060
|
#
|
2737
3061
|
#
|
2738
3062
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2739
3063
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3064
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2740
3065
|
#
|
2741
3066
|
# @option params [Hash<String,String>] :encryption_context
|
2742
3067
|
# Specifies the encryption context that will be used when encrypting the
|
@@ -2764,7 +3089,8 @@ module Aws::KMS
|
|
2764
3089
|
#
|
2765
3090
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2766
3091
|
# name, or alias ARN. When using an alias name, prefix it with
|
2767
|
-
# `"alias/"`.
|
3092
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
3093
|
+
# the key ARN or alias ARN.
|
2768
3094
|
#
|
2769
3095
|
# For example:
|
2770
3096
|
#
|
@@ -2877,10 +3203,30 @@ module Aws::KMS
|
|
2877
3203
|
# state. For details, see [How Key State Affects Use of a Customer
|
2878
3204
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2879
3205
|
#
|
3206
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3207
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
3208
|
+
# of the `KeyId` parameter.
|
3209
|
+
#
|
3210
|
+
# **Required permissions**\: [kms:GenerateDataKeyWithoutPlaintext][3]
|
3211
|
+
# (key policy)
|
3212
|
+
#
|
3213
|
+
# **Related operations:**
|
3214
|
+
#
|
3215
|
+
# * Decrypt
|
3216
|
+
#
|
3217
|
+
# * Encrypt
|
3218
|
+
#
|
3219
|
+
# * GenerateDataKey
|
3220
|
+
#
|
3221
|
+
# * GenerateDataKeyPair
|
3222
|
+
#
|
3223
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
3224
|
+
#
|
2880
3225
|
#
|
2881
3226
|
#
|
2882
3227
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2883
3228
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3229
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2884
3230
|
#
|
2885
3231
|
# @option params [required, String] :key_id
|
2886
3232
|
# The identifier of the symmetric customer master key (CMK) that
|
@@ -3001,10 +3347,13 @@ module Aws::KMS
|
|
3001
3347
|
# For more information about entropy and random number generation, see
|
3002
3348
|
# the [AWS Key Management Service Cryptographic Details][2] whitepaper.
|
3003
3349
|
#
|
3350
|
+
# **Required permissions**\: [kms:GenerateRandom][3] (IAM policy)
|
3351
|
+
#
|
3004
3352
|
#
|
3005
3353
|
#
|
3006
3354
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3007
3355
|
# [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
|
3356
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3008
3357
|
#
|
3009
3358
|
# @option params [Integer] :number_of_bytes
|
3010
3359
|
# The length of the byte string.
|
@@ -3057,7 +3406,17 @@ module Aws::KMS
|
|
3057
3406
|
end
|
3058
3407
|
|
3059
3408
|
# Gets a key policy attached to the specified customer master key (CMK).
|
3060
|
-
#
|
3409
|
+
#
|
3410
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3411
|
+
# in a different AWS account.
|
3412
|
+
#
|
3413
|
+
# **Required permissions**\: [kms:GetKeyPolicy][1] (key policy)
|
3414
|
+
#
|
3415
|
+
# **Related operations**\: PutKeyPolicy
|
3416
|
+
#
|
3417
|
+
#
|
3418
|
+
#
|
3419
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3061
3420
|
#
|
3062
3421
|
# @option params [required, String] :key_id
|
3063
3422
|
# A unique identifier for the customer master key (CMK).
|
@@ -3137,14 +3496,24 @@ module Aws::KMS
|
|
3137
3496
|
# you cancel the deletion, the original key rotation status is
|
3138
3497
|
# restored.
|
3139
3498
|
#
|
3140
|
-
# To perform this operation on a CMK in a
|
3141
|
-
# the key ARN in the value of the `KeyId`
|
3499
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
3500
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
3501
|
+
# parameter.
|
3502
|
+
#
|
3503
|
+
# **Required permissions**\: [kms:GetKeyRotationStatus][4] (key policy)
|
3504
|
+
#
|
3505
|
+
# **Related operations:**
|
3506
|
+
#
|
3507
|
+
# * DisableKeyRotation
|
3508
|
+
#
|
3509
|
+
# * EnableKeyRotation
|
3142
3510
|
#
|
3143
3511
|
#
|
3144
3512
|
#
|
3145
3513
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
3146
3514
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3147
3515
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3516
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3148
3517
|
#
|
3149
3518
|
# @option params [required, String] :key_id
|
3150
3519
|
# A unique identifier for the customer master key (CMK).
|
@@ -3225,10 +3594,23 @@ module Aws::KMS
|
|
3225
3594
|
# state. For details, see [How Key State Affects Use of a Customer
|
3226
3595
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
3227
3596
|
#
|
3597
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3598
|
+
# in a different AWS account.
|
3599
|
+
#
|
3600
|
+
# **Required permissions**\: [kms:GetParametersForImport][3] (key
|
3601
|
+
# policy)
|
3602
|
+
#
|
3603
|
+
# **Related operations:**
|
3604
|
+
#
|
3605
|
+
# * ImportKeyMaterial
|
3606
|
+
#
|
3607
|
+
# * DeleteImportedKeyMaterial
|
3608
|
+
#
|
3228
3609
|
#
|
3229
3610
|
#
|
3230
3611
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3231
3612
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3613
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3232
3614
|
#
|
3233
3615
|
# @option params [required, String] :key_id
|
3234
3616
|
# The identifier of the symmetric CMK into which you will import key
|
@@ -3351,6 +3733,14 @@ module Aws::KMS
|
|
3351
3733
|
# state. For details, see [How Key State Affects Use of a Customer
|
3352
3734
|
# Master Key][7] in the *AWS Key Management Service Developer Guide*.
|
3353
3735
|
#
|
3736
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3737
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
3738
|
+
# of the `KeyId` parameter.
|
3739
|
+
#
|
3740
|
+
# **Required permissions**\: [kms:GetPublicKey][8] (key policy)
|
3741
|
+
#
|
3742
|
+
# **Related operations**\: CreateKey
|
3743
|
+
#
|
3354
3744
|
#
|
3355
3745
|
#
|
3356
3746
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
@@ -3360,6 +3750,7 @@ module Aws::KMS
|
|
3360
3750
|
# [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
|
3361
3751
|
# [6]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
|
3362
3752
|
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3753
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3363
3754
|
#
|
3364
3755
|
# @option params [required, String] :key_id
|
3365
3756
|
# Identifies the asymmetric CMK that includes the public key.
|
@@ -3482,12 +3873,24 @@ module Aws::KMS
|
|
3482
3873
|
# state. For details, see [How Key State Affects Use of a Customer
|
3483
3874
|
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
3484
3875
|
#
|
3876
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3877
|
+
# in a different AWS account.
|
3878
|
+
#
|
3879
|
+
# **Required permissions**\: [kms:ImportKeyMaterial][5] (key policy)
|
3880
|
+
#
|
3881
|
+
# **Related operations:**
|
3882
|
+
#
|
3883
|
+
# * DeleteImportedKeyMaterial
|
3884
|
+
#
|
3885
|
+
# * GetParametersForImport
|
3886
|
+
#
|
3485
3887
|
#
|
3486
3888
|
#
|
3487
3889
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
|
3488
3890
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3489
3891
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
|
3490
3892
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3893
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3491
3894
|
#
|
3492
3895
|
# @option params [required, String] :key_id
|
3493
3896
|
# The identifier of the symmetric CMK that receives the imported key
|
@@ -3563,13 +3966,12 @@ module Aws::KMS
|
|
3563
3966
|
req.send_request(options)
|
3564
3967
|
end
|
3565
3968
|
|
3566
|
-
# Gets a list of aliases in the caller's AWS account and region.
|
3567
|
-
#
|
3568
|
-
# aliases, see CreateAlias.
|
3969
|
+
# Gets a list of aliases in the caller's AWS account and region. For
|
3970
|
+
# more information about aliases, see CreateAlias.
|
3569
3971
|
#
|
3570
|
-
# By default, the ListAliases
|
3571
|
-
# and region. To get only the aliases
|
3572
|
-
# customer master key (CMK), use the `KeyId` parameter.
|
3972
|
+
# By default, the `ListAliases` operation returns all aliases in the
|
3973
|
+
# account and region. To get only the aliases associated with a
|
3974
|
+
# particular customer master key (CMK), use the `KeyId` parameter.
|
3573
3975
|
#
|
3574
3976
|
# The `ListAliases` response can include aliases that you created and
|
3575
3977
|
# associated with your customer managed CMKs, and aliases that AWS
|
@@ -3583,18 +3985,45 @@ module Aws::KMS
|
|
3583
3985
|
# including predefined aliases, do not count against your [AWS KMS
|
3584
3986
|
# aliases quota][1].
|
3585
3987
|
#
|
3988
|
+
# **Cross-account use**\: No. `ListAliases` does not return aliases in
|
3989
|
+
# other AWS accounts.
|
3990
|
+
#
|
3991
|
+
# **Required permissions**\: [kms:ListAliases][2] (IAM policy)
|
3992
|
+
#
|
3993
|
+
# For details, see [Controlling access to aliases][3] in the *AWS Key
|
3994
|
+
# Management Service Developer Guide*.
|
3995
|
+
#
|
3996
|
+
# **Related operations:**
|
3997
|
+
#
|
3998
|
+
# * CreateAlias
|
3999
|
+
#
|
4000
|
+
# * DeleteAlias
|
4001
|
+
#
|
4002
|
+
# * UpdateAlias
|
4003
|
+
#
|
3586
4004
|
#
|
3587
4005
|
#
|
3588
4006
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
|
4007
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4008
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
3589
4009
|
#
|
3590
4010
|
# @option params [String] :key_id
|
3591
|
-
# Lists only aliases that
|
3592
|
-
#
|
3593
|
-
# caller's account and region. You cannot use an alias name or alias
|
3594
|
-
# ARN in this value.
|
4011
|
+
# Lists only aliases that are associated with the specified CMK. Enter a
|
4012
|
+
# CMK in your AWS account.
|
3595
4013
|
#
|
3596
4014
|
# This parameter is optional. If you omit it, `ListAliases` returns all
|
3597
|
-
# aliases in the account and
|
4015
|
+
# aliases in the account and Region.
|
4016
|
+
#
|
4017
|
+
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
4018
|
+
#
|
4019
|
+
# For example:
|
4020
|
+
#
|
4021
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
4022
|
+
#
|
4023
|
+
# * Key ARN:
|
4024
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4025
|
+
#
|
4026
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
3598
4027
|
#
|
3599
4028
|
# @option params [Integer] :limit
|
3600
4029
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -3686,6 +4115,8 @@ module Aws::KMS
|
|
3686
4115
|
# resp.aliases[0].alias_name #=> String
|
3687
4116
|
# resp.aliases[0].alias_arn #=> String
|
3688
4117
|
# resp.aliases[0].target_key_id #=> String
|
4118
|
+
# resp.aliases[0].creation_date #=> Time
|
4119
|
+
# resp.aliases[0].last_updated_date #=> Time
|
3689
4120
|
# resp.next_marker #=> String
|
3690
4121
|
# resp.truncated #=> Boolean
|
3691
4122
|
#
|
@@ -3700,9 +4131,6 @@ module Aws::KMS
|
|
3700
4131
|
|
3701
4132
|
# Gets a list of all grants for the specified customer master key (CMK).
|
3702
4133
|
#
|
3703
|
-
# To perform this operation on a CMK in a different AWS account, specify
|
3704
|
-
# the key ARN in the value of the `KeyId` parameter.
|
3705
|
-
#
|
3706
4134
|
# <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
|
3707
4135
|
# contains the user or role designated as the grantee principal in the
|
3708
4136
|
# grant. However, when the grantee principal in the grant is an AWS
|
@@ -3712,9 +4140,26 @@ module Aws::KMS
|
|
3712
4140
|
#
|
3713
4141
|
# </note>
|
3714
4142
|
#
|
4143
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
4144
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
4145
|
+
# parameter.
|
4146
|
+
#
|
4147
|
+
# **Required permissions**\: [kms:ListGrants][2] (key policy)
|
4148
|
+
#
|
4149
|
+
# **Related operations:**
|
4150
|
+
#
|
4151
|
+
# * CreateGrant
|
4152
|
+
#
|
4153
|
+
# * ListRetirableGrants
|
4154
|
+
#
|
4155
|
+
# * RetireGrant
|
4156
|
+
#
|
4157
|
+
# * RevokeGrant
|
4158
|
+
#
|
3715
4159
|
#
|
3716
4160
|
#
|
3717
4161
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
4162
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3718
4163
|
#
|
3719
4164
|
# @option params [Integer] :limit
|
3720
4165
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -3858,9 +4303,23 @@ module Aws::KMS
|
|
3858
4303
|
# Gets the names of the key policies that are attached to a customer
|
3859
4304
|
# master key (CMK). This operation is designed to get policy names that
|
3860
4305
|
# you can use in a GetKeyPolicy operation. However, the only valid
|
3861
|
-
# policy name is `default`.
|
4306
|
+
# policy name is `default`.
|
4307
|
+
#
|
4308
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3862
4309
|
# in a different AWS account.
|
3863
4310
|
#
|
4311
|
+
# **Required permissions**\: [kms:ListKeyPolicies][1] (key policy)
|
4312
|
+
#
|
4313
|
+
# **Related operations:**
|
4314
|
+
#
|
4315
|
+
# * GetKeyPolicy
|
4316
|
+
#
|
4317
|
+
# * PutKeyPolicy
|
4318
|
+
#
|
4319
|
+
#
|
4320
|
+
#
|
4321
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4322
|
+
#
|
3864
4323
|
# @option params [required, String] :key_id
|
3865
4324
|
# A unique identifier for the customer master key (CMK).
|
3866
4325
|
#
|
@@ -3943,6 +4402,25 @@ module Aws::KMS
|
|
3943
4402
|
# Gets a list of all customer master keys (CMKs) in the caller's AWS
|
3944
4403
|
# account and Region.
|
3945
4404
|
#
|
4405
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
4406
|
+
# in a different AWS account.
|
4407
|
+
#
|
4408
|
+
# **Required permissions**\: [kms:ListKeys][1] (IAM policy)
|
4409
|
+
#
|
4410
|
+
# **Related operations:**
|
4411
|
+
#
|
4412
|
+
# * CreateKey
|
4413
|
+
#
|
4414
|
+
# * DescribeKey
|
4415
|
+
#
|
4416
|
+
# * ListAliases
|
4417
|
+
#
|
4418
|
+
# * ListResourceTags
|
4419
|
+
#
|
4420
|
+
#
|
4421
|
+
#
|
4422
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4423
|
+
#
|
3946
4424
|
# @option params [Integer] :limit
|
3947
4425
|
# Use this parameter to specify the maximum number of items to return.
|
3948
4426
|
# When this value is present, AWS KMS does not return more than the
|
@@ -4032,10 +4510,29 @@ module Aws::KMS
|
|
4032
4510
|
req.send_request(options)
|
4033
4511
|
end
|
4034
4512
|
|
4035
|
-
# Returns
|
4036
|
-
#
|
4513
|
+
# Returns all tags on the specified customer master key (CMK).
|
4514
|
+
#
|
4515
|
+
# For general information about tags, including the format and syntax,
|
4516
|
+
# see [Tagging AWS resources][1] in the *Amazon Web Services General
|
4517
|
+
# Reference*. For information about using tags in AWS KMS, see [Tagging
|
4518
|
+
# keys][2].
|
4519
|
+
#
|
4520
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
4521
|
+
# in a different AWS account.
|
4522
|
+
#
|
4523
|
+
# **Required permissions**\: [kms:ListResourceTags][3] (key policy)
|
4524
|
+
#
|
4525
|
+
# **Related operations:**
|
4526
|
+
#
|
4527
|
+
# * TagResource
|
4037
4528
|
#
|
4038
|
-
#
|
4529
|
+
# * UntagResource
|
4530
|
+
#
|
4531
|
+
#
|
4532
|
+
#
|
4533
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
4534
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
4535
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4039
4536
|
#
|
4040
4537
|
# @option params [required, String] :key_id
|
4041
4538
|
# A unique identifier for the customer master key (CMK).
|
@@ -4126,11 +4623,37 @@ module Aws::KMS
|
|
4126
4623
|
req.send_request(options)
|
4127
4624
|
end
|
4128
4625
|
|
4129
|
-
# Returns
|
4130
|
-
# `RetiringPrincipal`
|
4626
|
+
# Returns all grants in which the specified principal is the
|
4627
|
+
# `RetiringPrincipal` in the grant.
|
4628
|
+
#
|
4629
|
+
# You can specify any principal in your AWS account. The grants that are
|
4630
|
+
# returned include grants for CMKs in your AWS account and other AWS
|
4631
|
+
# accounts.
|
4632
|
+
#
|
4633
|
+
# You might use this operation to determine which grants you may retire.
|
4634
|
+
# To retire a grant, use the RetireGrant operation.
|
4635
|
+
#
|
4636
|
+
# **Cross-account use**\: You must specify a principal in your AWS
|
4637
|
+
# account. However, this operation can return grants in any AWS account.
|
4638
|
+
# You do not need `kms:ListRetirableGrants` permission (or any other
|
4639
|
+
# additional permission) in any AWS account other than your own.
|
4640
|
+
#
|
4641
|
+
# **Required permissions**\: [kms:ListRetirableGrants][1] (IAM policy)
|
4642
|
+
# in your AWS account.
|
4131
4643
|
#
|
4132
|
-
#
|
4133
|
-
#
|
4644
|
+
# **Related operations:**
|
4645
|
+
#
|
4646
|
+
# * CreateGrant
|
4647
|
+
#
|
4648
|
+
# * ListGrants
|
4649
|
+
#
|
4650
|
+
# * RetireGrant
|
4651
|
+
#
|
4652
|
+
# * RevokeGrant
|
4653
|
+
#
|
4654
|
+
#
|
4655
|
+
#
|
4656
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4134
4657
|
#
|
4135
4658
|
# @option params [Integer] :limit
|
4136
4659
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -4146,7 +4669,8 @@ module Aws::KMS
|
|
4146
4669
|
# from the truncated response you just received.
|
4147
4670
|
#
|
4148
4671
|
# @option params [required, String] :retiring_principal
|
4149
|
-
# The retiring principal for which to list grants.
|
4672
|
+
# The retiring principal for which to list grants. Enter a principal in
|
4673
|
+
# your AWS account.
|
4150
4674
|
#
|
4151
4675
|
# To specify the retiring principal, use the [Amazon Resource Name
|
4152
4676
|
# (ARN)][1] of an AWS principal. Valid AWS principals include AWS
|
@@ -4230,15 +4754,28 @@ module Aws::KMS
|
|
4230
4754
|
req.send_request(options)
|
4231
4755
|
end
|
4232
4756
|
|
4233
|
-
# Attaches a key policy to the specified customer master key (CMK).
|
4234
|
-
# cannot perform this operation on a CMK in a different AWS account.
|
4757
|
+
# Attaches a key policy to the specified customer master key (CMK).
|
4235
4758
|
#
|
4236
4759
|
# For more information about key policies, see [Key Policies][1] in the
|
4237
|
-
# *AWS Key Management Service Developer Guide*.
|
4760
|
+
# *AWS Key Management Service Developer Guide*. For help writing and
|
4761
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
4762
|
+
# Reference][2] in the <i> <i>IAM User Guide</i> </i>. For examples of
|
4763
|
+
# adding a key policy in multiple programming languages, see [Setting a
|
4764
|
+
# key policy][3] in the *AWS Key Management Service Developer Guide*.
|
4765
|
+
#
|
4766
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
4767
|
+
# in a different AWS account.
|
4768
|
+
#
|
4769
|
+
# **Required permissions**\: [kms:PutKeyPolicy][4] (key policy)
|
4770
|
+
#
|
4771
|
+
# **Related operations**\: GetKeyPolicy
|
4238
4772
|
#
|
4239
4773
|
#
|
4240
4774
|
#
|
4241
4775
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4776
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
4777
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy
|
4778
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4242
4779
|
#
|
4243
4780
|
# @option params [required, String] :key_id
|
4244
4781
|
# A unique identifier for the customer master key (CMK).
|
@@ -4361,21 +4898,27 @@ module Aws::KMS
|
|
4361
4898
|
# operation.
|
4362
4899
|
#
|
4363
4900
|
# * If your ciphertext was encrypted under an asymmetric CMK, you must
|
4364
|
-
#
|
4365
|
-
# ciphertext. You must also supply the encryption algorithm that
|
4366
|
-
# used. This information is required to decrypt the data.
|
4367
|
-
#
|
4368
|
-
# *
|
4369
|
-
#
|
4370
|
-
#
|
4371
|
-
#
|
4372
|
-
#
|
4373
|
-
#
|
4374
|
-
#
|
4375
|
-
#
|
4376
|
-
#
|
4377
|
-
#
|
4378
|
-
#
|
4901
|
+
# use the `SourceKeyId` parameter to identify the CMK that encrypted
|
4902
|
+
# the ciphertext. You must also supply the encryption algorithm that
|
4903
|
+
# was used. This information is required to decrypt the data.
|
4904
|
+
#
|
4905
|
+
# * If your ciphertext was encrypted under a symmetric CMK, the
|
4906
|
+
# `SourceKeyId` parameter is optional. AWS KMS can get this
|
4907
|
+
# information from metadata that it adds to the symmetric ciphertext
|
4908
|
+
# blob. This feature adds durability to your implementation by
|
4909
|
+
# ensuring that authorized users can decrypt ciphertext decades after
|
4910
|
+
# it was encrypted, even if they've lost track of the CMK ID.
|
4911
|
+
# However, specifying the source CMK is always recommended as a best
|
4912
|
+
# practice. When you use the `SourceKeyId` parameter to specify a CMK,
|
4913
|
+
# AWS KMS uses only the CMK you specify. If the ciphertext was
|
4914
|
+
# encrypted under a different CMK, the `ReEncrypt` operation fails.
|
4915
|
+
# This practice ensures that you use the CMK that you intend.
|
4916
|
+
#
|
4917
|
+
# * To reencrypt the data, you must use the `DestinationKeyId` parameter
|
4918
|
+
# specify the CMK that re-encrypts the data after it is decrypted. You
|
4919
|
+
# can select a symmetric or asymmetric CMK. If the destination CMK is
|
4920
|
+
# an asymmetric CMK, you must also provide the encryption algorithm.
|
4921
|
+
# The algorithm that you choose must be compatible with the CMK.
|
4379
4922
|
#
|
4380
4923
|
# When you use an asymmetric CMK to encrypt or reencrypt data, be sure
|
4381
4924
|
# to record the CMK and encryption algorithm that you choose. You will
|
@@ -4389,23 +4932,36 @@ module Aws::KMS
|
|
4389
4932
|
# ciphertext generated with asymmetric keys. The standard format for
|
4390
4933
|
# asymmetric key ciphertext does not include configurable fields.
|
4391
4934
|
#
|
4392
|
-
#
|
4393
|
-
#
|
4935
|
+
# The CMK that you use for this operation must be in a compatible key
|
4936
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4937
|
+
# Master Key][6] in the *AWS Key Management Service Developer Guide*.
|
4938
|
+
#
|
4939
|
+
# **Cross-account use**\: Yes. The source CMK and destination CMK can be
|
4940
|
+
# in different AWS accounts. Either or both CMKs can be in a different
|
4941
|
+
# account than the caller.
|
4394
4942
|
#
|
4395
|
-
#
|
4943
|
+
# **Required permissions**\:
|
4396
4944
|
#
|
4397
|
-
# *
|
4945
|
+
# * [kms:ReEncryptFrom][7] permission on the source CMK (key policy)
|
4946
|
+
#
|
4947
|
+
# * [kms:ReEncryptTo][7] permission on the destination CMK (key policy)
|
4398
4948
|
#
|
4399
4949
|
# To permit reencryption from or to a CMK, include the
|
4400
|
-
# `"kms:ReEncrypt*"` permission in your [key policy][
|
4950
|
+
# `"kms:ReEncrypt*"` permission in your [key policy][8]. This permission
|
4401
4951
|
# is automatically included in the key policy when you use the console
|
4402
4952
|
# to create a CMK. But you must include it manually when you create a
|
4403
4953
|
# CMK programmatically or when you use the PutKeyPolicy operation to set
|
4404
4954
|
# a key policy.
|
4405
4955
|
#
|
4406
|
-
#
|
4407
|
-
#
|
4408
|
-
#
|
4956
|
+
# **Related operations:**
|
4957
|
+
#
|
4958
|
+
# * Decrypt
|
4959
|
+
#
|
4960
|
+
# * Encrypt
|
4961
|
+
#
|
4962
|
+
# * GenerateDataKey
|
4963
|
+
#
|
4964
|
+
# * GenerateDataKeyPair
|
4409
4965
|
#
|
4410
4966
|
#
|
4411
4967
|
#
|
@@ -4414,8 +4970,9 @@ module Aws::KMS
|
|
4414
4970
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
4415
4971
|
# [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
4416
4972
|
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
4417
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
4418
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4973
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4974
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4975
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4419
4976
|
#
|
4420
4977
|
# @option params [required, String, StringIO, File] :ciphertext_blob
|
4421
4978
|
# Ciphertext of the data to reencrypt.
|
@@ -4440,23 +4997,20 @@ module Aws::KMS
|
|
4440
4997
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4441
4998
|
#
|
4442
4999
|
# @option params [String] :source_key_id
|
4443
|
-
#
|
4444
|
-
# before it
|
5000
|
+
# Specifies the customer master key (CMK) that AWS KMS will use to
|
5001
|
+
# decrypt the ciphertext before it is re-encrypted. Enter a key ID of
|
5002
|
+
# the CMK that was used to encrypt the ciphertext.
|
4445
5003
|
#
|
4446
5004
|
# This parameter is required only when the ciphertext was encrypted
|
4447
|
-
# under an asymmetric CMK.
|
4448
|
-
#
|
4449
|
-
#
|
4450
|
-
#
|
4451
|
-
# it is reencrypted.
|
4452
|
-
#
|
4453
|
-
# If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
|
4454
|
-
# operation succeeds only if the specified CMK was used to encrypt the
|
4455
|
-
# ciphertext.
|
5005
|
+
# under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get
|
5006
|
+
# the CMK from metadata that it adds to the symmetric ciphertext blob.
|
5007
|
+
# However, it is always recommended as a best practice. This practice
|
5008
|
+
# ensures that you use the CMK that you intend.
|
4456
5009
|
#
|
4457
5010
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
4458
5011
|
# name, or alias ARN. When using an alias name, prefix it with
|
4459
|
-
# `"alias/"`.
|
5012
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
5013
|
+
# the key ARN or alias ARN.
|
4460
5014
|
#
|
4461
5015
|
# For example:
|
4462
5016
|
#
|
@@ -4564,14 +5118,14 @@ module Aws::KMS
|
|
4564
5118
|
#
|
4565
5119
|
# resp = client.re_encrypt({
|
4566
5120
|
# ciphertext_blob: "<binary data>", # The data to reencrypt.
|
4567
|
-
# destination_key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # The identifier of the CMK to use to reencrypt the data. You can use
|
5121
|
+
# destination_key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # The identifier of the CMK to use to reencrypt the data. You can use any valid key identifier.
|
4568
5122
|
# })
|
4569
5123
|
#
|
4570
5124
|
# resp.to_h outputs the following:
|
4571
5125
|
# {
|
4572
5126
|
# ciphertext_blob: "<binary data>", # The reencrypted data.
|
4573
5127
|
# key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The ARN of the CMK that was used to reencrypt the data.
|
4574
|
-
# source_key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to
|
5128
|
+
# source_key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was originally used to encrypt the data.
|
4575
5129
|
# }
|
4576
5130
|
#
|
4577
5131
|
# @example Request syntax with placeholder values
|
@@ -4626,6 +5180,28 @@ module Aws::KMS
|
|
4626
5180
|
# base64-encoded string. A grant ID is a 64 character unique identifier
|
4627
5181
|
# of a grant. The CreateGrant operation returns both.
|
4628
5182
|
#
|
5183
|
+
# **Cross-account use**\: Yes. You can retire a grant on a CMK in a
|
5184
|
+
# different AWS account.
|
5185
|
+
#
|
5186
|
+
# **Required permissions:**\: Permission to retire a grant is specified
|
5187
|
+
# in the grant. You cannot control access to this operation in a policy.
|
5188
|
+
# For more information, see [Using grants][1] in the *AWS Key Management
|
5189
|
+
# Service Developer Guide*.
|
5190
|
+
#
|
5191
|
+
# **Related operations:**
|
5192
|
+
#
|
5193
|
+
# * CreateGrant
|
5194
|
+
#
|
5195
|
+
# * ListGrants
|
5196
|
+
#
|
5197
|
+
# * ListRetirableGrants
|
5198
|
+
#
|
5199
|
+
# * RevokeGrant
|
5200
|
+
#
|
5201
|
+
#
|
5202
|
+
#
|
5203
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
5204
|
+
#
|
4629
5205
|
# @option params [String] :grant_token
|
4630
5206
|
# Token that identifies the grant to be retired.
|
4631
5207
|
#
|
@@ -4677,8 +5253,25 @@ module Aws::KMS
|
|
4677
5253
|
# (CMK). You can revoke a grant to actively deny operations that depend
|
4678
5254
|
# on it.
|
4679
5255
|
#
|
4680
|
-
# To perform this operation on a CMK in a
|
4681
|
-
# the key ARN in the value of the `KeyId`
|
5256
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
5257
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
5258
|
+
# parameter.
|
5259
|
+
#
|
5260
|
+
# **Required permissions**\: [kms:RevokeGrant][1] (key policy)
|
5261
|
+
#
|
5262
|
+
# **Related operations:**
|
5263
|
+
#
|
5264
|
+
# * CreateGrant
|
5265
|
+
#
|
5266
|
+
# * ListGrants
|
5267
|
+
#
|
5268
|
+
# * ListRetirableGrants
|
5269
|
+
#
|
5270
|
+
# * RetireGrant
|
5271
|
+
#
|
5272
|
+
#
|
5273
|
+
#
|
5274
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4682
5275
|
#
|
4683
5276
|
# @option params [required, String] :key_id
|
4684
5277
|
# A unique identifier for the customer master key associated with the
|
@@ -4748,8 +5341,6 @@ module Aws::KMS
|
|
4748
5341
|
# manually [delete the orphaned key material][2] from the cluster and
|
4749
5342
|
# its backups.
|
4750
5343
|
#
|
4751
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
4752
|
-
#
|
4753
5344
|
# For more information about scheduling a CMK for deletion, see
|
4754
5345
|
# [Deleting Customer Master Keys][3] in the *AWS Key Management Service
|
4755
5346
|
# Developer Guide*.
|
@@ -4758,12 +5349,24 @@ module Aws::KMS
|
|
4758
5349
|
# state. For details, see [How Key State Affects Use of a Customer
|
4759
5350
|
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
4760
5351
|
#
|
5352
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5353
|
+
# in a different AWS account.
|
5354
|
+
#
|
5355
|
+
# **Required permissions**\: [kms:ScheduleKeyDeletion][5] (key policy)
|
5356
|
+
#
|
5357
|
+
# **Related operations**
|
5358
|
+
#
|
5359
|
+
# * CancelKeyDeletion
|
5360
|
+
#
|
5361
|
+
# * DisableKey
|
5362
|
+
#
|
4761
5363
|
#
|
4762
5364
|
#
|
4763
5365
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
4764
5366
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
4765
5367
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
4766
5368
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5369
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4767
5370
|
#
|
4768
5371
|
# @option params [required, String] :key_id
|
4769
5372
|
# The unique identifier of the customer master key (CMK) to delete.
|
@@ -4870,11 +5473,20 @@ module Aws::KMS
|
|
4870
5473
|
# state. For details, see [How Key State Affects Use of a Customer
|
4871
5474
|
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
4872
5475
|
#
|
5476
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
5477
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
5478
|
+
# of the `KeyId` parameter.
|
5479
|
+
#
|
5480
|
+
# **Required permissions**\: [kms:Sign][4] (key policy)
|
5481
|
+
#
|
5482
|
+
# **Related operations**\: Verify
|
5483
|
+
#
|
4873
5484
|
#
|
4874
5485
|
#
|
4875
5486
|
# [1]: https://en.wikipedia.org/wiki/Digital_signature
|
4876
5487
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
4877
5488
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5489
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4878
5490
|
#
|
4879
5491
|
# @option params [required, String] :key_id
|
4880
5492
|
# Identifies an asymmetric CMK. AWS KMS uses the private key in the
|
@@ -4960,31 +5572,50 @@ module Aws::KMS
|
|
4960
5572
|
req.send_request(options)
|
4961
5573
|
end
|
4962
5574
|
|
4963
|
-
# Adds or edits tags
|
4964
|
-
# this operation on a CMK in a different AWS account.
|
5575
|
+
# Adds or edits tags on a [customer managed CMK][1].
|
4965
5576
|
#
|
4966
|
-
# Each tag consists of a tag key and a tag value
|
4967
|
-
#
|
5577
|
+
# Each tag consists of a tag key and a tag value, both of which are
|
5578
|
+
# case-sensitive strings. The tag value can be an empty (null) string.
|
4968
5579
|
#
|
4969
|
-
#
|
4970
|
-
#
|
4971
|
-
# value.
|
5580
|
+
# To add a tag, specify a new tag key and a tag value. To edit a tag,
|
5581
|
+
# specify an existing tag key and a new tag value.
|
4972
5582
|
#
|
4973
|
-
#
|
4974
|
-
#
|
4975
|
-
#
|
5583
|
+
# You can use this operation to tag a [customer managed CMK][1], but you
|
5584
|
+
# cannot tag an [AWS managed CMK][2], an [AWS owned CMK][3], or an
|
5585
|
+
# alias.
|
5586
|
+
#
|
5587
|
+
# For general information about tags, including the format and syntax,
|
5588
|
+
# see [Tagging AWS resources][4] in the *Amazon Web Services General
|
5589
|
+
# Reference*. For information about using tags in AWS KMS, see [Tagging
|
5590
|
+
# keys][5].
|
4976
5591
|
#
|
4977
5592
|
# The CMK that you use for this operation must be in a compatible key
|
4978
5593
|
# state. For details, see [How Key State Affects Use of a Customer
|
4979
|
-
# Master Key][
|
5594
|
+
# Master Key][6] in the *AWS Key Management Service Developer Guide*.
|
5595
|
+
#
|
5596
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5597
|
+
# in a different AWS account.
|
4980
5598
|
#
|
5599
|
+
# **Required permissions**\: [kms:TagResource][7] (key policy)
|
4981
5600
|
#
|
5601
|
+
# **Related operations**
|
4982
5602
|
#
|
4983
|
-
#
|
4984
|
-
#
|
5603
|
+
# * UntagResource
|
5604
|
+
#
|
5605
|
+
# * ListResourceTags
|
5606
|
+
#
|
5607
|
+
#
|
5608
|
+
#
|
5609
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5610
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
5611
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
5612
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
5613
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5614
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5615
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4985
5616
|
#
|
4986
5617
|
# @option params [required, String] :key_id
|
4987
|
-
#
|
5618
|
+
# Identifies a customer managed CMK in the account and Region.
|
4988
5619
|
#
|
4989
5620
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
4990
5621
|
#
|
@@ -4998,7 +5629,14 @@ module Aws::KMS
|
|
4998
5629
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
4999
5630
|
#
|
5000
5631
|
# @option params [required, Array<Types::Tag>] :tags
|
5001
|
-
# One or more tags.
|
5632
|
+
# One or more tags.
|
5633
|
+
#
|
5634
|
+
# Each tag consists of a tag key and a tag value. The tag value can be
|
5635
|
+
# an empty (null) string.
|
5636
|
+
#
|
5637
|
+
# You cannot have more than one tag on a CMK with the same tag key. If
|
5638
|
+
# you specify an existing tag key with a different tag value, AWS KMS
|
5639
|
+
# replaces the current tag value with the specified one.
|
5002
5640
|
#
|
5003
5641
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
5004
5642
|
#
|
@@ -5038,23 +5676,44 @@ module Aws::KMS
|
|
5038
5676
|
req.send_request(options)
|
5039
5677
|
end
|
5040
5678
|
|
5041
|
-
#
|
5042
|
-
#
|
5043
|
-
#
|
5679
|
+
# Deletes tags from a [customer managed CMK][1]. To delete a tag,
|
5680
|
+
# specify the tag key and the CMK.
|
5681
|
+
#
|
5682
|
+
# When it succeeds, the `UntagResource` operation doesn't return any
|
5683
|
+
# output. Also, if the specified tag key isn't found on the CMK, it
|
5684
|
+
# doesn't throw an exception or return a response. To confirm that the
|
5685
|
+
# operation worked, use the ListResourceTags operation.
|
5044
5686
|
#
|
5045
|
-
#
|
5046
|
-
#
|
5687
|
+
# For general information about tags, including the format and syntax,
|
5688
|
+
# see [Tagging AWS resources][2] in the *Amazon Web Services General
|
5689
|
+
# Reference*. For information about using tags in AWS KMS, see [Tagging
|
5690
|
+
# keys][3].
|
5047
5691
|
#
|
5048
5692
|
# The CMK that you use for this operation must be in a compatible key
|
5049
5693
|
# state. For details, see [How Key State Affects Use of a Customer
|
5050
|
-
# Master Key][
|
5694
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
5695
|
+
#
|
5696
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5697
|
+
# in a different AWS account.
|
5051
5698
|
#
|
5699
|
+
# **Required permissions**\: [kms:UntagResource][5] (key policy)
|
5052
5700
|
#
|
5701
|
+
# **Related operations**
|
5053
5702
|
#
|
5054
|
-
#
|
5703
|
+
# * TagResource
|
5704
|
+
#
|
5705
|
+
# * ListResourceTags
|
5706
|
+
#
|
5707
|
+
#
|
5708
|
+
#
|
5709
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5710
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
5711
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5712
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5713
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5055
5714
|
#
|
5056
5715
|
# @option params [required, String] :key_id
|
5057
|
-
#
|
5716
|
+
# Identifies the CMK from which you are removing tags.
|
5058
5717
|
#
|
5059
5718
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
5060
5719
|
#
|
@@ -5104,8 +5763,7 @@ module Aws::KMS
|
|
5104
5763
|
# Associates an existing AWS KMS alias with a different customer master
|
5105
5764
|
# key (CMK). Each alias is associated with only one CMK at a time,
|
5106
5765
|
# although a CMK can have multiple aliases. The alias and the CMK must
|
5107
|
-
# be in the same AWS account and region.
|
5108
|
-
# operation on an alias in a different AWS account.
|
5766
|
+
# be in the same AWS account and region.
|
5109
5767
|
#
|
5110
5768
|
# The current and new CMK must be the same type (both symmetric or both
|
5111
5769
|
# asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
|
@@ -5128,9 +5786,33 @@ module Aws::KMS
|
|
5128
5786
|
# state. For details, see [How Key State Affects Use of a Customer
|
5129
5787
|
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
5130
5788
|
#
|
5789
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5790
|
+
# in a different AWS account.
|
5791
|
+
#
|
5792
|
+
# **Required permissions**
|
5793
|
+
#
|
5794
|
+
# * [kms:UpdateAlias][2] on the alias (IAM policy).
|
5795
|
+
#
|
5796
|
+
# * [kms:UpdateAlias][2] on the current CMK (key policy).
|
5797
|
+
#
|
5798
|
+
# * [kms:UpdateAlias][2] on the new CMK (key policy).
|
5799
|
+
#
|
5800
|
+
# For details, see [Controlling access to aliases][3] in the *AWS Key
|
5801
|
+
# Management Service Developer Guide*.
|
5802
|
+
#
|
5803
|
+
# **Related operations:**
|
5804
|
+
#
|
5805
|
+
# * CreateAlias
|
5806
|
+
#
|
5807
|
+
# * DeleteAlias
|
5808
|
+
#
|
5809
|
+
# * ListAliases
|
5810
|
+
#
|
5131
5811
|
#
|
5132
5812
|
#
|
5133
5813
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5814
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5815
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
5134
5816
|
#
|
5135
5817
|
# @option params [required, String] :alias_name
|
5136
5818
|
# Identifies the alias that is changing its CMK. This value must begin
|
@@ -5139,8 +5821,9 @@ module Aws::KMS
|
|
5139
5821
|
# name.
|
5140
5822
|
#
|
5141
5823
|
# @option params [required, String] :target_key_id
|
5142
|
-
# Identifies the CMK to associate with the alias.
|
5143
|
-
#
|
5824
|
+
# Identifies the [customer managed CMK][1] to associate with the alias.
|
5825
|
+
# You don't have permission to associate an alias with an [AWS managed
|
5826
|
+
# CMK][2].
|
5144
5827
|
#
|
5145
5828
|
# The CMK must be in the same AWS account and Region as the alias. Also,
|
5146
5829
|
# the new target CMK must be the same type as the current target CMK
|
@@ -5161,6 +5844,11 @@ module Aws::KMS
|
|
5161
5844
|
# To verify that the alias is mapped to the correct CMK, use
|
5162
5845
|
# ListAliases.
|
5163
5846
|
#
|
5847
|
+
#
|
5848
|
+
#
|
5849
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5850
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
5851
|
+
#
|
5164
5852
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
5165
5853
|
#
|
5166
5854
|
#
|
@@ -5230,11 +5918,29 @@ module Aws::KMS
|
|
5230
5918
|
# AWS KMS, which combines the convenience and extensive integration of
|
5231
5919
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
5232
5920
|
#
|
5921
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
5922
|
+
# custom key store in a different AWS account.
|
5923
|
+
#
|
5924
|
+
# **Required permissions**\: [kms:UpdateCustomKeyStore][4] (IAM policy)
|
5925
|
+
#
|
5926
|
+
# **Related operations:**
|
5927
|
+
#
|
5928
|
+
# * ConnectCustomKeyStore
|
5929
|
+
#
|
5930
|
+
# * CreateCustomKeyStore
|
5931
|
+
#
|
5932
|
+
# * DeleteCustomKeyStore
|
5933
|
+
#
|
5934
|
+
# * DescribeCustomKeyStores
|
5935
|
+
#
|
5936
|
+
# * DisconnectCustomKeyStore
|
5937
|
+
#
|
5233
5938
|
#
|
5234
5939
|
#
|
5235
5940
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
5236
5941
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password
|
5237
5942
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
5943
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5238
5944
|
#
|
5239
5945
|
# @option params [required, String] :custom_key_store_id
|
5240
5946
|
# Identifies the custom key store that you want to update. Enter the ID
|
@@ -5294,15 +6000,25 @@ module Aws::KMS
|
|
5294
6000
|
# Updates the description of a customer master key (CMK). To see the
|
5295
6001
|
# description of a CMK, use DescribeKey.
|
5296
6002
|
#
|
5297
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
5298
|
-
#
|
5299
6003
|
# The CMK that you use for this operation must be in a compatible key
|
5300
6004
|
# state. For details, see [How Key State Affects Use of a Customer
|
5301
6005
|
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
5302
6006
|
#
|
6007
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
6008
|
+
# in a different AWS account.
|
6009
|
+
#
|
6010
|
+
# **Required permissions**\: [kms:UpdateKeyDescription][2] (key policy)
|
6011
|
+
#
|
6012
|
+
# **Related operations**
|
6013
|
+
#
|
6014
|
+
# * CreateKey
|
6015
|
+
#
|
6016
|
+
# * DescribeKey
|
6017
|
+
#
|
5303
6018
|
#
|
5304
6019
|
#
|
5305
6020
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6021
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5306
6022
|
#
|
5307
6023
|
# @option params [required, String] :key_id
|
5308
6024
|
# A unique identifier for the customer master key (CMK).
|
@@ -5384,10 +6100,19 @@ module Aws::KMS
|
|
5384
6100
|
# state. For details, see [How Key State Affects Use of a Customer
|
5385
6101
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
5386
6102
|
#
|
6103
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
6104
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
6105
|
+
# of the `KeyId` parameter.
|
6106
|
+
#
|
6107
|
+
# **Required permissions**\: [kms:Verify][3] (key policy)
|
6108
|
+
#
|
6109
|
+
# **Related operations**\: Sign
|
6110
|
+
#
|
5387
6111
|
#
|
5388
6112
|
#
|
5389
6113
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
5390
6114
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6115
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5391
6116
|
#
|
5392
6117
|
# @option params [required, String] :key_id
|
5393
6118
|
# Identifies the asymmetric CMK that will be used to verify the
|
@@ -5494,7 +6219,7 @@ module Aws::KMS
|
|
5494
6219
|
params: params,
|
5495
6220
|
config: config)
|
5496
6221
|
context[:gem_name] = 'aws-sdk-kms'
|
5497
|
-
context[:gem_version] = '1.
|
6222
|
+
context[:gem_version] = '1.40.0'
|
5498
6223
|
Seahorse::Client::Request.new(handlers, context)
|
5499
6224
|
end
|
5500
6225
|
|