aws-sdk-kms 1.43.0 → 1.44.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6a12f7e0f0c6456ad794104d0ff80cd604710362b377afa9002ab77f57eb3122
4
- data.tar.gz: 7e02f4d54ba00e879fa4ba432d0f7099cd2177a63c73d4e832acbeaa9d798d6b
3
+ metadata.gz: 665dc12ff757ea9a86e3ccc0a5cd47a765995c244f26a3d8f80f5957d2e3b5b4
4
+ data.tar.gz: 3092a6af153e84241145fb3e194b946fa73afb714ad60437c586268a1725b2bd
5
5
  SHA512:
6
- metadata.gz: eedb1b4f2756b40b8ca928740186f516aeb23eb7505fa47992f84950930570d3ab1f0270c6755ac946e3aa4749c25e1cb3b16f8738ff69a9064233b7a5f4b7e5
7
- data.tar.gz: 1b595fd867e90a284d1054f9901a95b507f74b77aada49254c554481d2b549b528c9af18b242b6fc81c0d9253cdf28abb449c2be961e0c5fdf50d816a69cf927
6
+ metadata.gz: 7b7bd88e8eb8f74c97c7a524c0cf0012e1855cb434c2264a470881fe49ee497d40fe291cd2e7bcabac8e7b137ff2c8f3630c31c6c1f78ecff3c88f7259bb7486
7
+ data.tar.gz: 7e358e400fb315128c5b596e5455804ff2a2d23cbf80e33cc8fb520b71f3f401c19b6164abec74a7e06e2d7b7c38c60497d6dfddaa64bee2c7ed6ce17c0e6c74
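--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.44.0 (2021-06-16)
+------------------
+
+* Feature - Adds support for multi-Region keys
+
 1.43.0 (2021-03-10)
 ------------------
 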
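--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.43.0
+1.44.0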
data/lib/aws-sdk-kms.rb CHANGED
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-kms/customizations'
48
48
  # @!group service
49
49
  module Aws::KMS
50
50
 
51
- GEM_VERSION = '1.43.0'
51
+ GEM_VERSION = '1.44.0'
52
52
 
53
53
  end
@@ -346,8 +346,8 @@ module Aws::KMS
346
346
  # Service Developer Guide*.
347
347
  #
348
348
  # The CMK that you use for this operation must be in a compatible key
349
- # state. For details, see [How Key State Affects Use of a Customer
350
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
349
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
350
+ # Key Management Service Developer Guide*.
351
351
  #
352
352
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
353
353
  # in a different AWS account.
@@ -363,10 +363,10 @@ module Aws::KMS
363
363
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
364
364
  #
365
365
  # @option params [required, String] :key_id
366
- # The unique identifier for the customer master key (CMK) for which to
367
- # cancel deletion.
366
+ # Identifies the customer master key (CMK) whose deletion is being
367
+ # canceled.
368
368
  #
369
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
369
+ # Specify the key ID or key ARN of the CMK.
370
370
  #
371
371
  # For example:
372
372
  #
@@ -503,42 +503,48 @@ module Aws::KMS
503
503
  req.send_request(options)
504
504
  end
505
505
 
506
- # Creates a friendly name for a customer master key (CMK). You can use
507
- # an alias to identify a CMK in the AWS KMS console, in the DescribeKey
508
- # operation and in [cryptographic operations][1], such as Encrypt and
509
- # GenerateDataKey.
506
+ # Creates a friendly name for a customer master key (CMK).
510
507
  #
511
- # You can also change the CMK that's associated with the alias
512
- # (UpdateAlias) or delete the alias (DeleteAlias) at any time. These
513
- # operations don't affect the underlying CMK.
508
+ # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
509
+ # the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
510
+ # Management Service Developer Guide*.
511
+ #
512
+ # </note>
513
+ #
514
+ # You can use an alias to identify a CMK in the AWS KMS console, in the
515
+ # DescribeKey operation and in [cryptographic operations][2], such as
516
+ # Encrypt and GenerateDataKey. You can also change the CMK that's
517
+ # associated with the alias (UpdateAlias) or delete the alias
518
+ # (DeleteAlias) at any time. These operations don't affect the
519
+ # underlying CMK.
514
520
  #
515
521
  # You can associate the alias with any customer managed CMK in the same
516
- # AWS Region. Each alias is associated with only on CMK at a time, but a
517
- # CMK can have multiple aliases. A valid CMK is required. You can't
522
+ # AWS Region. Each alias is associated with only one CMK at a time, but
523
+ # a CMK can have multiple aliases. A valid CMK is required. You can't
518
524
  # create an alias without a CMK.
519
525
  #
520
526
  # The alias must be unique in the account and Region, but you can have
521
527
  # aliases with the same name in different Regions. For detailed
522
- # information about aliases, see [Using aliases][2] in the *AWS Key
528
+ # information about aliases, see [Using aliases][3] in the *AWS Key
523
529
  # Management Service Developer Guide*.
524
530
  #
525
531
  # This operation does not return a response. To get the alias that you
526
532
  # created, use the ListAliases operation.
527
533
  #
528
534
  # The CMK that you use for this operation must be in a compatible key
529
- # state. For details, see [How Key State Affects Use of a Customer
530
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
535
+ # state. For details, see [Key state: Effect on your CMK][4] in the *AWS
536
+ # Key Management Service Developer Guide*.
531
537
  #
532
538
  # **Cross-account use**\: No. You cannot perform this operation on an
533
539
  # alias in a different AWS account.
534
540
  #
535
541
  # **Required permissions**
536
542
  #
537
- # * [kms:CreateAlias][4] on the alias (IAM policy).
543
+ # * [kms:CreateAlias][5] on the alias (IAM policy).
538
544
  #
539
- # * [kms:CreateAlias][4] on the CMK (key policy).
545
+ # * [kms:CreateAlias][5] on the CMK (key policy).
540
546
  #
541
- # For details, see [Controlling access to aliases][5] in the *AWS Key
547
+ # For details, see [Controlling access to aliases][6] in the *AWS Key
542
548
  # Management Service Developer Guide*.
543
549
  #
544
550
  # **Related operations:**
@@ -551,11 +557,12 @@ module Aws::KMS
551
557
  #
552
558
  #
553
559
  #
554
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
555
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
556
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
557
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
558
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
560
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
561
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
562
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
563
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
564
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
565
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
559
566
  #
560
567
  # @option params [required, String] :alias_name
561
568
  # Specifies the alias name. This value must begin with `alias/` followed
@@ -580,7 +587,7 @@ module Aws::KMS
580
587
  # For help finding the key ID and ARN, see [Finding the Key ID and
581
588
  # ARN][2] in the *AWS Key Management Service Developer Guide*.
582
589
  #
583
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
590
+ # Specify the key ID or key ARN of the CMK.
584
591
  #
585
592
  # For example:
586
593
  #
@@ -737,54 +744,54 @@ module Aws::KMS
737
744
  req.send_request(options)
738
745
  end
739
746
 
740
- # Adds a grant to a customer master key (CMK). The grant allows the
741
- # grantee principal to use the CMK when the conditions specified in the
742
- # grant are met. When setting permissions, grants are an alternative to
743
- # key policies.
744
- #
745
- # To create a grant that allows a [cryptographic operation][1] only when
746
- # the request includes a particular [encryption context][2], use the
747
- # `Constraints` parameter. For details, see GrantConstraints.
748
- #
749
- # You can create grants on symmetric and asymmetric CMKs. However, if
750
- # the grant allows an operation that the CMK does not support,
751
- # `CreateGrant` fails with a `ValidationException`.
752
- #
753
- # * Grants for symmetric CMKs cannot allow operations that are not
754
- # supported for symmetric CMKs, including Sign, Verify, and
755
- # GetPublicKey. (There are limited exceptions to this rule for legacy
756
- # operations, but you should not create a grant for an operation that
757
- # AWS KMS does not support.)
758
- #
759
- # * Grants for asymmetric CMKs cannot allow operations that are not
760
- # supported for asymmetric CMKs, including operations that [generate
761
- # data keys][3] or [data key pairs][4], or operations related to
762
- # [automatic key rotation][5], [imported key material][6], or CMKs in
763
- # [custom key stores][7].
764
- #
765
- # * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
766
- # cannot allow the Sign or Verify operations. Grants for asymmetric
767
- # CMKs with a `KeyUsage` of `SIGN_VERIFY` cannot allow the Encrypt or
768
- # Decrypt operations.
769
- #
770
- # * Grants for asymmetric CMKs cannot include an encryption context
771
- # grant constraint. An encryption context is not supported on
772
- # asymmetric CMKs.
747
+ # Adds a grant to a customer master key (CMK).
748
+ #
749
+ # A *grant* is a policy instrument that allows AWS principals to use AWS
750
+ # KMS customer master keys (CMKs) in cryptographic operations. It also
751
+ # can allow them to view a CMK (DescribeKey) and create and manage
752
+ # grants. When authorizing access to a CMK, grants are considered along
753
+ # with key policies and IAM policies. Grants are often used for
754
+ # temporary permissions because you can create one, use its permissions,
755
+ # and delete it without changing your key policies or IAM policies.
756
+ #
757
+ # For detailed information about grants, including grant terminology,
758
+ # see [Using grants][1] in the <i> <i>AWS Key Management Service
759
+ # Developer Guide</i> </i>. For examples of working with grants in
760
+ # several programming languages, see [Programming grants][2].
761
+ #
762
+ # The `CreateGrant` operation returns a `GrantToken` and a `GrantId`.
763
+ #
764
+ # * When you create, retire, or revoke a grant, there might be a brief
765
+ # delay, usually less than five minutes, until the grant is available
766
+ # throughout AWS KMS. This state is known as *eventual consistency*.
767
+ # Once the grant has achieved eventual consistency, the grantee
768
+ # principal can use the permissions in the grant without identifying
769
+ # the grant.
770
+ #
771
+ # However, to use the permissions in the grant immediately, use the
772
+ # `GrantToken` that `CreateGrant` returns. For details, see [Using a
773
+ # grant token][3] in the <i> <i>AWS Key Management Service Developer
774
+ # Guide</i> </i>.
775
+ #
776
+ # * The `CreateGrant` operation also returns a `GrantId`. You can use
777
+ # the `GrantId` and a key identifier to identify the grant in the
778
+ # RetireGrant and RevokeGrant operations. To find the grant ID, use
779
+ # the ListGrants or ListRetirableGrants operations.
773
780
  #
774
781
  # For information about symmetric and asymmetric CMKs, see [Using
775
- # Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
776
- # Developer Guide*. For more information about grants, see [Grants][9]
782
+ # Symmetric and Asymmetric CMKs][4] in the *AWS Key Management Service
783
+ # Developer Guide*. For more information about grants, see [Grants][1]
777
784
  # in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.
778
785
  #
779
786
  # The CMK that you use for this operation must be in a compatible key
780
- # state. For details, see [How Key State Affects Use of a Customer
781
- # Master Key][10] in the *AWS Key Management Service Developer Guide*.
787
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
788
+ # Key Management Service Developer Guide*.
782
789
  #
783
790
  # **Cross-account use**\: Yes. To perform this operation on a CMK in a
784
791
  # different AWS account, specify the key ARN in the value of the `KeyId`
785
792
  # parameter.
786
793
  #
787
- # **Required permissions**\: [kms:CreateGrant][11] (key policy)
794
+ # **Required permissions**\: [kms:CreateGrant][6] (key policy)
788
795
  #
789
796
  # **Related operations:**
790
797
  #
@@ -798,24 +805,19 @@ module Aws::KMS
798
805
  #
799
806
  #
800
807
  #
801
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
802
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
803
- # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
804
- # [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
805
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
806
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
807
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
808
- # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
809
- # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
810
- # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
811
- # [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
808
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
809
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
810
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
811
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
812
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
813
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
812
814
  #
813
815
  # @option params [required, String] :key_id
814
- # The unique identifier for the customer master key (CMK) that the grant
815
- # applies to.
816
+ # Identifies the customer master key (CMK) for the grant. The grant
817
+ # gives principals permission to use this CMK.
816
818
  #
817
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
818
- # specify a CMK in a different AWS account, you must use the key ARN.
819
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
820
+ # different AWS account, you must use the key ARN.
819
821
  #
820
822
  # For example:
821
823
  #
@@ -827,8 +829,7 @@ module Aws::KMS
827
829
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
828
830
  #
829
831
  # @option params [required, String] :grantee_principal
830
- # The principal that is given permission to perform the operations that
831
- # the grant permits.
832
+ # The identity that gets the permissions specified in the grant.
832
833
  #
833
834
  # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
834
835
  # an AWS principal. Valid AWS principals include AWS accounts (root),
@@ -861,26 +862,52 @@ module Aws::KMS
861
862
  # @option params [required, Array<String>] :operations
862
863
  # A list of operations that the grant permits.
863
864
  #
865
+ # The operation must be supported on the CMK. For example, you cannot
866
+ # create a grant for a symmetric CMK that allows the Sign operation, or
867
+ # a grant for an asymmetric CMK that allows the GenerateDataKey
868
+ # operation. If you try, AWS KMS returns a `ValidationError` exception.
869
+ # For details, see [Grant operations][1] in the *AWS Key Management
870
+ # Service Developer Guide*.
871
+ #
872
+ #
873
+ #
874
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
875
+ #
864
876
  # @option params [Types::GrantConstraints] :constraints
865
- # Allows a [cryptographic operation][1] only when the encryption context
866
- # matches or includes the encryption context specified in this
867
- # structure. For more information about encryption context, see
868
- # [Encryption Context][2] in the <i> <i>AWS Key Management Service
869
- # Developer Guide</i> </i>.
877
+ # Specifies a grant constraint.
878
+ #
879
+ # AWS KMS supports the `EncryptionContextEquals` and
880
+ # `EncryptionContextSubset` grant constraints. Each constraint value can
881
+ # include up to 8 encryption context pairs. The encryption context value
882
+ # in each constraint cannot exceed 384 characters.
883
+ #
884
+ # These grant constraints allow a [cryptographic operation][1] only when
885
+ # the encryption context in the request matches
886
+ # (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
887
+ # the encryption context specified in this structure. For more
888
+ # information about encryption context, see [Encryption Context][2] in
889
+ # the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
890
+ # information about grant constraints, see [Using grant constraints][3]
891
+ # in the *AWS Key Management Service Developer Guide*.
870
892
  #
871
- # Grant constraints are not applied to operations that do not support an
872
- # encryption context, such as cryptographic operations with asymmetric
873
- # CMKs and management operations, such as DescribeKey or RetireGrant.
893
+ # The encryption context grant constraints are supported only on
894
+ # operations that include an encryption context. You cannot use an
895
+ # encryption context grant constraint for cryptographic operations with
896
+ # asymmetric CMKs or for management operations, such as DescribeKey or
897
+ # RetireGrant.
874
898
  #
875
899
  #
876
900
  #
877
901
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
878
902
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
903
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
879
904
  #
880
905
  # @option params [Array<String>] :grant_tokens
881
906
  # A list of grant tokens.
882
907
  #
883
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
908
+ # Use a grant token when your permission to call this operation comes
909
+ # from a new grant that has not yet achieved *eventual consistency*. For
910
+ # more information, see [Grant token][1] in the *AWS Key Management
884
911
  # Service Developer Guide*.
885
912
  #
886
913
  #
@@ -1009,7 +1036,31 @@ module Aws::KMS
1009
1036
  #
1010
1037
  #
1011
1038
  #
1012
- # Imported Key Material
1039
+ # Multi-Region primary keys
1040
+ # Imported key material
1041
+ #
1042
+ # : To create a multi-Region *primary key* in the local AWS Region, use
1043
+ # the `MultiRegion` parameter with a value of `True`. To create a
1044
+ # multi-Region *replica key*, that is, a CMK with the same key ID and
1045
+ # key material as a primary key, but in a different AWS Region, use
1046
+ # the ReplicateKey operation. To change a replica key to a primary
1047
+ # key, and its primary key to a replica key, use the
1048
+ # UpdatePrimaryRegion operation.
1049
+ #
1050
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
1051
+ # lets you create multiple interoperable CMKs in different AWS
1052
+ # Regions. Because these CMKs have the same key ID, key material, and
1053
+ # other metadata, you can use them to encrypt data in one AWS Region
1054
+ # and decrypt it in a different AWS Region without making a
1055
+ # cross-Region call or exposing the plaintext data. For more
1056
+ # information about multi-Region keys, see [Using multi-Region
1057
+ # keys][5] in the *AWS Key Management Service Developer Guide*.
1058
+ #
1059
+ # You can create symmetric and asymmetric multi-Region keys and
1060
+ # multi-Region keys with imported key material. You cannot create
1061
+ # multi-Region keys in a custom key store.
1062
+ #
1063
+ #
1013
1064
  #
1014
1065
  # : To import your own key material, begin by creating a symmetric CMK
1015
1066
  # with no key material. To do this, use the `Origin` parameter of
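Review bot: The definition list in the CreateKey documentation is mis-assembled in this hunk: the new term line `# Imported key material` is stacked directly under `# Multi-Region primary keys`, so both terms attach to the multi-Region definition that follows, while the later `# : To import your own key material, ...` definition is left with no term of its own. Move `# Imported key material` (together with the `#` spacer line after it) so it sits immediately before `# : To import your own key material, begin by creating a symmetric CMK`; the enclosing CreateKey doc comment and method continue outside this hunk. Separately, the new `:operations` text in the `@@ -861,26 +862,52 @@` hunk says AWS KMS returns a `ValidationError` exception, whereas the CreateGrant text it replaces named the failure `ValidationException`; confirm which error class the SDK actually raises and use that name consistently, since callers will search the docs for it.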
@@ -1018,33 +1069,41 @@ module Aws::KMS
1018
1069
  # token, and use the public key to encrypt your key material. Then,
1019
1070
  # use ImportKeyMaterial with your import token to import the key
1020
1071
  # material. For step-by-step instructions, see [Importing Key
1021
- # Material][5] in the <i> <i>AWS Key Management Service Developer
1072
+ # Material][6] in the <i> <i>AWS Key Management Service Developer
1022
1073
  # Guide</i> </i>. You cannot import the key material into an
1023
1074
  # asymmetric CMK.
1024
1075
  #
1076
+ # To create a multi-Region primary key with imported key material, use
1077
+ # the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
1078
+ # the `MultiRegion` parameter with a value of `True`. To create
1079
+ # replicas of the multi-Region primary key, use the ReplicateKey
1080
+ # operation. For more information about multi-Region keys, see [Using
1081
+ # multi-Region keys][5] in the *AWS Key Management Service Developer
1082
+ # Guide*.
1083
+ #
1025
1084
  #
1026
1085
  #
1027
- # Custom Key Stores
1086
+ # Custom key store
1028
1087
  #
1029
- # : To create a symmetric CMK in a [custom key store][6], use the
1088
+ # : To create a symmetric CMK in a [custom key store][7], use the
1030
1089
  # `CustomKeyStoreId` parameter to specify the custom key store. You
1031
1090
  # must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
1032
1091
  # The AWS CloudHSM cluster that is associated with the custom key
1033
1092
  # store must have at least two active HSMs in different Availability
1034
1093
  # Zones in the AWS Region.
1035
1094
  #
1036
- # You cannot create an asymmetric CMK in a custom key store. For
1037
- # information about custom key stores in AWS KMS see [Using Custom Key
1038
- # Stores][6] in the <i> <i>AWS Key Management Service Developer
1039
- # Guide</i> </i>.
1095
+ # You cannot create an asymmetric CMK or a multi-Region CMK in a
1096
+ # custom key store. For information about custom key stores in AWS KMS
1097
+ # see [Using Custom Key Stores][7] in the <i> <i>AWS Key Management
1098
+ # Service Developer Guide</i> </i>.
1040
1099
  #
1041
1100
  # **Cross-account use**\: No. You cannot use this operation to create a
1042
1101
  # CMK in a different AWS account.
1043
1102
  #
1044
- # **Required permissions**\: [kms:CreateKey][7] (IAM policy). To use the
1045
- # `Tags` parameter, [kms:TagResource][7] (IAM policy). For examples and
1103
+ # **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
1104
+ # `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
1046
1105
  # information about related permissions, see [Allow a user to create
1047
- # CMKs][8] in the *AWS Key Management Service Developer Guide*.
1106
+ # CMKs][9] in the *AWS Key Management Service Developer Guide*.
1048
1107
  #
1049
1108
  # **Related operations:**
1050
1109
  #
@@ -1060,10 +1119,11 @@ module Aws::KMS
1060
1119
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
1061
1120
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
1062
1121
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
1063
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1064
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1065
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1066
- # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
1122
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
1123
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1124
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
1125
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1126
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
1067
1127
  #
1068
1128
  # @option params [String] :policy
1069
1129
  # The key policy to attach to the CMK.
@@ -1107,7 +1167,7 @@ module Aws::KMS
1107
1167
  # A description of the CMK.
1108
1168
  #
1109
1169
  # Use a description that helps you decide whether the CMK is appropriate
1110
- # for a task.
1170
+ # for a task. The default value is an empty string (no description).
1111
1171
  #
1112
1172
  # @option params [String] :key_usage
1113
1173
  # Determines the [cryptographic operations][1] for which you can use the
@@ -1191,20 +1251,19 @@ module Aws::KMS
1191
1251
  # @option params [String] :origin
1192
1252
  # The source of the key material for the CMK. You cannot change the
1193
1253
  # origin after you create the CMK. The default is `AWS_KMS`, which means
1194
- # AWS KMS creates the key material.
1254
+ # that AWS KMS creates the key material.
1195
1255
  #
1196
- # When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
1197
- # key material so that you can import key material from your existing
1198
- # key management infrastructure. For more information about importing
1199
- # key material into AWS KMS, see [Importing Key Material][1] in the *AWS
1200
- # Key Management Service Developer Guide*. This value is valid only for
1256
+ # To create a CMK with no key material (for imported key material), set
1257
+ # the value to `EXTERNAL`. For more information about importing key
1258
+ # material into AWS KMS, see [Importing Key Material][1] in the *AWS Key
1259
+ # Management Service Developer Guide*. This value is valid only for
1201
1260
  # symmetric CMKs.
1202
1261
  #
1203
- # When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
1204
- # an AWS KMS [custom key store][2] and creates its key material in the
1205
- # associated AWS CloudHSM cluster. You must also use the
1206
- # `CustomKeyStoreId` parameter to identify the custom key store. This
1207
- # value is valid only for symmetric CMKs.
1262
+ # To create a CMK in an AWS KMS [custom key store][2] and create its key
1263
+ # material in the associated AWS CloudHSM cluster, set this value to
1264
+ # `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter to
1265
+ # identify the custom key store. This value is valid only for symmetric
1266
+ # CMKs.
1208
1267
  #
1209
1268
  #
1210
1269
  #
@@ -1219,8 +1278,9 @@ module Aws::KMS
1219
1278
  # with the custom key store must have at least two active HSMs, each in
1220
1279
  # a different Availability Zone in the Region.
1221
1280
  #
1222
- # This parameter is valid only for symmetric CMKs. You cannot create an
1223
- # asymmetric CMK in a custom key store.
1281
+ # This parameter is valid only for symmetric CMKs and regional CMKs. You
1282
+ # cannot create an asymmetric CMK or a multi-Region CMK in a custom key
1283
+ # store.
1224
1284
  #
1225
1285
  # To find the ID of a custom key store, use the DescribeCustomKeyStores
1226
1286
  # operation.
@@ -1258,25 +1318,63 @@ module Aws::KMS
1258
1318
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1259
1319
  #
1260
1320
  # @option params [Array<Types::Tag>] :tags
1261
- # One or more tags. Each tag consists of a tag key and a tag value. Both
1262
- # the tag key and the tag value are required, but the tag value can be
1263
- # an empty (null) string.
1321
+ # Assigns one or more tags to the CMK. Use this parameter to tag the CMK
1322
+ # when it is created. To tag an existing CMK, use the TagResource
1323
+ # operation.
1264
1324
  #
1265
- # When you add tags to an AWS resource, AWS generates a cost allocation
1266
- # report with usage and costs aggregated by tags. For information about
1267
- # adding, changing, deleting and listing tags for CMKs, see [Tagging
1268
- # Keys][1].
1325
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
1326
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
1327
+ # Service Developer Guide*.
1269
1328
  #
1270
- # Use this parameter to tag the CMK when it is created. To add tags to
1271
- # an existing CMK, use the TagResource operation.
1329
+ # </note>
1272
1330
  #
1273
1331
  # To use this parameter, you must have [kms:TagResource][2] permission
1274
1332
  # in an IAM policy.
1275
1333
  #
1334
+ # Each tag consists of a tag key and a tag value. Both the tag key and
1335
+ # the tag value are required, but the tag value can be an empty (null)
1336
+ # string. You cannot have more than one tag on a CMK with the same tag
1337
+ # key. If you specify an existing tag key with a different tag value,
1338
+ # AWS KMS replaces the current tag value with the specified one.
1276
1339
  #
1340
+ # When you assign tags to an AWS resource, AWS generates a cost
1341
+ # allocation report with usage and costs aggregated by tags. Tags can
1342
+ # also be used to control access to a CMK. For details, see [Tagging
1343
+ # Keys][3].
1277
1344
  #
1278
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
1345
+ #
1346
+ #
1347
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
1279
1348
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1349
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
1350
+ #
1351
+ # @option params [Boolean] :multi_region
1352
+ # Creates a multi-Region primary key that you can replicate into other
1353
+ # AWS Regions. You cannot change this value after you create the CMK.
1354
+ #
1355
+ # For a multi-Region key, set this parameter to `True`. For a
1356
+ # single-Region CMK, omit this parameter or set it to `False`. The
1357
+ # default value is `False`.
1358
+ #
1359
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
1360
+ # lets you create multiple interoperable CMKs in different AWS Regions.
1361
+ # Because these CMKs have the same key ID, key material, and other
1362
+ # metadata, you can use them to encrypt data in one AWS Region and
1363
+ # decrypt it in a different AWS Region without making a cross-Region
1364
+ # call or exposing the plaintext data. For more information about
1365
+ # multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
1366
+ # Management Service Developer Guide*.
1367
+ #
1368
+ # This value creates a *primary key*, not a replica. To create a
1369
+ # *replica key*, use the ReplicateKey operation.
1370
+ #
1371
+ # You can create a symmetric or asymmetric multi-Region CMK, and you can
1372
+ # create a multi-Region CMK with imported key material. However, you
1373
+ # cannot create a multi-Region CMK in a custom key store.
1374
+ #
1375
+ #
1376
+ #
1377
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
1280
1378
  #
1281
1379
  # @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1282
1380
  #
@@ -1328,6 +1426,7 @@ module Aws::KMS
1328
1426
  # tag_value: "TagValueType", # required
1329
1427
  # },
1330
1428
  # ],
1429
+ # multi_region: false,
1331
1430
  # })
1332
1431
  #
1333
1432
  # @example Response structure
@@ -1339,7 +1438,7 @@ module Aws::KMS
1339
1438
  # resp.key_metadata.enabled #=> Boolean
1340
1439
  # resp.key_metadata.description #=> String
1341
1440
  # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
1342
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
1441
+ # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
1343
1442
  # resp.key_metadata.deletion_date #=> Time
1344
1443
  # resp.key_metadata.valid_to #=> Time
1345
1444
  # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
@@ -1352,6 +1451,14 @@ module Aws::KMS
1352
1451
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
1353
1452
  # resp.key_metadata.signing_algorithms #=> Array
1354
1453
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
1454
+ # resp.key_metadata.multi_region #=> Boolean
1455
+ # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
1456
+ # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
1457
+ # resp.key_metadata.multi_region_configuration.primary_key.region #=> String
1458
+ # resp.key_metadata.multi_region_configuration.replica_keys #=> Array
1459
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
1460
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
1461
+ # resp.key_metadata.pending_deletion_window_in_days #=> Integer
1355
1462
  #
1356
1463
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
1357
1464
  #
@@ -1412,8 +1519,8 @@ module Aws::KMS
1412
1519
  # policies][4] in the *AWS Key Management Service Developer Guide*.
1413
1520
  #
1414
1521
  # The CMK that you use for this operation must be in a compatible key
1415
- # state. For details, see [How Key State Affects Use of a Customer
1416
- # Master Key][5] in the *AWS Key Management Service Developer Guide*.
1522
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
1523
+ # Key Management Service Developer Guide*.
1417
1524
  #
1418
1525
  # **Cross-account use**\: Yes. You can decrypt a ciphertext using a CMK
1419
1526
  # in a different AWS account.
@@ -1466,8 +1573,12 @@ module Aws::KMS
1466
1573
  # @option params [Array<String>] :grant_tokens
1467
1574
  # A list of grant tokens.
1468
1575
  #
1469
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
1470
- # Service Developer Guide*.
1576
+ # Use a grant token when your permission to call this operation comes
1577
+ # from a newly created grant that has not yet achieved eventual
1578
+ # consistency. Use a grant token when your permission to call this
1579
+ # operation comes from a new grant that has not yet achieved *eventual
1580
+ # consistency*. For more information, see [Grant token][1] in the *AWS
1581
+ # Key Management Service Developer Guide*.
1471
1582
  #
1472
1583
  #
1473
1584
  #
@@ -1484,10 +1595,9 @@ module Aws::KMS
1484
1595
  # However, it is always recommended as a best practice. This practice
1485
1596
  # ensures that you use the CMK that you intend.
1486
1597
  #
1487
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1488
- # name, or alias ARN. When using an alias name, prefix it with
1489
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1490
- # the key ARN or alias ARN.
1598
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
1599
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
1600
+ # in a different AWS account, you must use the key ARN or alias ARN.
1491
1601
  #
1492
1602
  # For example:
1493
1603
  #
@@ -1565,6 +1675,12 @@ module Aws::KMS
1565
1675
 
1566
1676
  # Deletes the specified alias.
1567
1677
  #
1678
+ # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
1679
+ # the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
1680
+ # Management Service Developer Guide*.
1681
+ #
1682
+ # </note>
1683
+ #
1568
1684
  # Because an alias is not a property of a CMK, you can delete and change
1569
1685
  # the aliases of a CMK without affecting the CMK. Also, aliases do not
1570
1686
  # appear in the response from the DescribeKey operation. To get the
@@ -1580,11 +1696,11 @@ module Aws::KMS
1580
1696
  #
1581
1697
  # **Required permissions**
1582
1698
  #
1583
- # * [kms:DeleteAlias][1] on the alias (IAM policy).
1699
+ # * [kms:DeleteAlias][2] on the alias (IAM policy).
1584
1700
  #
1585
- # * [kms:DeleteAlias][1] on the CMK (key policy).
1701
+ # * [kms:DeleteAlias][2] on the CMK (key policy).
1586
1702
  #
1587
- # For details, see [Controlling access to aliases][2] in the *AWS Key
1703
+ # For details, see [Controlling access to aliases][3] in the *AWS Key
1588
1704
  # Management Service Developer Guide*.
1589
1705
  #
1590
1706
  # **Related operations:**
@@ -1597,8 +1713,9 @@ module Aws::KMS
1597
1713
  #
1598
1714
  #
1599
1715
  #
1600
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1601
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
1716
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
1717
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
1718
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
1602
1719
  #
1603
1720
  # @option params [required, String] :alias_name
1604
1721
  # The alias to be deleted. The alias name must begin with `alias/`
@@ -1721,8 +1838,8 @@ module Aws::KMS
1721
1838
  # reimport the same key material into the CMK.
1722
1839
  #
1723
1840
  # The CMK that you use for this operation must be in a compatible key
1724
- # state. For details, see [How Key State Affects Use of a Customer
1725
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
1841
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
1842
+ # Key Management Service Developer Guide*.
1726
1843
  #
1727
1844
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
1728
1845
  # in a different AWS account.
@@ -1746,7 +1863,7 @@ module Aws::KMS
1746
1863
  # Identifies the CMK from which you are deleting imported key material.
1747
1864
  # The `Origin` of the CMK must be `EXTERNAL`.
1748
1865
  #
1749
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
1866
+ # Specify the key ID or key ARN of the CMK.
1750
1867
  #
1751
1868
  # For example:
1752
1869
  #
@@ -1784,14 +1901,14 @@ module Aws::KMS
1784
1901
  end
1785
1902
 
1786
1903
  # Gets information about [custom key stores][1] in the account and
1787
- # region.
1904
+ # Region.
1788
1905
  #
1789
1906
  # This operation is part of the [Custom Key Store feature][1] feature in
1790
1907
  # AWS KMS, which combines the convenience and extensive integration of
1791
1908
  # AWS KMS with the isolation and control of a single-tenant key store.
1792
1909
  #
1793
1910
  # By default, this operation returns information about all custom key
1794
- # stores in the account and region. To get only information about a
1911
+ # stores in the account and Region. To get only information about a
1795
1912
  # particular custom key store, use either the `CustomKeyStoreName` or
1796
1913
  # `CustomKeyStoreId` parameter (but not both).
1797
1914
  #
@@ -1842,7 +1959,7 @@ module Aws::KMS
1842
1959
  # key store ID.
1843
1960
  #
1844
1961
  # By default, this operation gets information about all custom key
1845
- # stores in the account and region. To limit the output to a particular
1962
+ # stores in the account and Region. To limit the output to a particular
1846
1963
  # custom key store, you can use either the `CustomKeyStoreId` or
1847
1964
  # `CustomKeyStoreName` parameter, but not both.
1848
1965
  #
@@ -1851,7 +1968,7 @@ module Aws::KMS
1851
1968
  # friendly name of the custom key store.
1852
1969
  #
1853
1970
  # By default, this operation gets information about all custom key
1854
- # stores in the account and region. To limit the output to a particular
1971
+ # stores in the account and Region. To limit the output to a particular
1855
1972
  # custom key store, you can use either the `CustomKeyStoreId` or
1856
1973
  # `CustomKeyStoreName` parameter, but not both.
1857
1974
  #
@@ -1974,10 +2091,9 @@ module Aws::KMS
1974
2091
  # KMS associates the alias with an [AWS managed CMK][1] and returns its
1975
2092
  # `KeyId` and `Arn` in the response.
1976
2093
  #
1977
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1978
- # name, or alias ARN. When using an alias name, prefix it with
1979
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
1980
- # the key ARN or alias ARN.
2094
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2095
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
2096
+ # in a different AWS account, you must use the key ARN or alias ARN.
1981
2097
  #
1982
2098
  # For example:
1983
2099
  #
@@ -2000,7 +2116,9 @@ module Aws::KMS
2000
2116
  # @option params [Array<String>] :grant_tokens
2001
2117
  # A list of grant tokens.
2002
2118
  #
2003
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
2119
+ # Use a grant token when your permission to call this operation comes
2120
+ # from a new grant that has not yet achieved *eventual consistency*. For
2121
+ # more information, see [Grant token][1] in the *AWS Key Management
2004
2122
  # Service Developer Guide*.
2005
2123
  #
2006
2124
  #
@@ -2012,9 +2130,9 @@ module Aws::KMS
2012
2130
  # * {Types::DescribeKeyResponse#key_metadata #key_metadata} => Types::KeyMetadata
2013
2131
  #
2014
2132
  #
2015
- # @example Example: To obtain information about a customer master key (CMK)
2133
+ # @example Example: To get details about a customer master key (CMK)
2016
2134
  #
2017
- # # The following example returns information (metadata) about the specified CMK.
2135
+ # # The following example gets metadata about a symmetric CMK.
2018
2136
  #
2019
2137
  # resp = client.describe_key({
2020
2138
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the CMK that you want information about. You can use the key ID or the Amazon Resource Name (ARN) of the CMK.
@@ -2026,12 +2144,17 @@ module Aws::KMS
2026
2144
  # aws_account_id: "111122223333",
2027
2145
  # arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
2028
2146
  # creation_date: Time.parse("2017-07-05T14:04:55-07:00"),
2147
+ # customer_master_key_spec: "SYMMETRIC_DEFAULT",
2029
2148
  # description: "",
2030
2149
  # enabled: true,
2150
+ # encryption_algorithms: [
2151
+ # "SYMMETRIC_DEFAULT",
2152
+ # ],
2031
2153
  # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
2032
2154
  # key_manager: "CUSTOMER",
2033
2155
  # key_state: "Enabled",
2034
2156
  # key_usage: "ENCRYPT_DECRYPT",
2157
+ # multi_region: false,
2035
2158
  # origin: "AWS_KMS",
2036
2159
  # }, # An object that contains information about the specified CMK.
2037
2160
  # }
@@ -2052,7 +2175,7 @@ module Aws::KMS
2052
2175
  # resp.key_metadata.enabled #=> Boolean
2053
2176
  # resp.key_metadata.description #=> String
2054
2177
  # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
2055
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
2178
+ # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
2056
2179
  # resp.key_metadata.deletion_date #=> Time
2057
2180
  # resp.key_metadata.valid_to #=> Time
2058
2181
  # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
@@ -2065,6 +2188,14 @@ module Aws::KMS
2065
2188
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
2066
2189
  # resp.key_metadata.signing_algorithms #=> Array
2067
2190
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
2191
+ # resp.key_metadata.multi_region #=> Boolean
2192
+ # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
2193
+ # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
2194
+ # resp.key_metadata.multi_region_configuration.primary_key.region #=> String
2195
+ # resp.key_metadata.multi_region_configuration.replica_keys #=> Array
2196
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
2197
+ # resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
2198
+ # resp.key_metadata.pending_deletion_window_in_days #=> Integer
2068
2199
  #
2069
2200
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
2070
2201
  #
@@ -2079,12 +2210,12 @@ module Aws::KMS
2079
2210
  # temporarily prevents use of the CMK for [cryptographic operations][1].
2080
2211
  #
2081
2212
  # For more information about how key state affects the use of a CMK, see
2082
- # [How Key State Affects the Use of a Customer Master Key][2] in the <i>
2083
- # <i>AWS Key Management Service Developer Guide</i> </i>.
2213
+ # [Key state: Effect on your CMK][2] in the <i> <i>AWS Key Management
2214
+ # Service Developer Guide</i> </i>.
2084
2215
  #
2085
2216
  # The CMK that you use for this operation must be in a compatible key
2086
- # state. For details, see [How Key State Affects Use of a Customer
2087
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2217
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2218
+ # Key Management Service Developer Guide*.
2088
2219
  #
2089
2220
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2090
2221
  # in a different AWS account.
@@ -2100,9 +2231,9 @@ module Aws::KMS
2100
2231
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2101
2232
  #
2102
2233
  # @option params [required, String] :key_id
2103
- # A unique identifier for the customer master key (CMK).
2234
+ # Identifies the customer master key (CMK) to disable.
2104
2235
  #
2105
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2236
+ # Specify the key ID or key ARN of the CMK.
2106
2237
  #
2107
2238
  # For example:
2108
2239
  #
@@ -2142,17 +2273,19 @@ module Aws::KMS
2142
2273
  # Disables [automatic rotation of the key material][1] for the specified
2143
2274
  # symmetric customer master key (CMK).
2144
2275
  #
2145
- # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
2146
- # imported key material, or CMKs in a [custom key store][2].
2276
+ # You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
2277
+ # with [imported key material][3], or CMKs in a [custom key store][4].
2278
+ # To enable or disable automatic rotation of a set of related
2279
+ # [multi-Region keys][5], set the property on the primary key.
2147
2280
  #
2148
2281
  # The CMK that you use for this operation must be in a compatible key
2149
- # state. For details, see [How Key State Affects Use of a Customer
2150
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
2282
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
2283
+ # Key Management Service Developer Guide*.
2151
2284
  #
2152
2285
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2153
2286
  # in a different AWS account.
2154
2287
  #
2155
- # **Required permissions**\: [kms:DisableKeyRotation][4] (key policy)
2288
+ # **Required permissions**\: [kms:DisableKeyRotation][7] (key policy)
2156
2289
  #
2157
2290
  # **Related operations:**
2158
2291
  #
@@ -2163,16 +2296,19 @@ module Aws::KMS
2163
2296
  #
2164
2297
  #
2165
2298
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2166
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2167
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2168
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2299
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
2300
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2301
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2302
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2303
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2304
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2169
2305
  #
2170
2306
  # @option params [required, String] :key_id
2171
2307
  # Identifies a symmetric customer master key (CMK). You cannot enable or
2172
2308
  # disable automatic rotation of [asymmetric CMKs][1], CMKs with
2173
2309
  # [imported key material][2], or CMKs in a [custom key store][3].
2174
2310
  #
2175
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2311
+ # Specify the key ID or key ARN of the CMK.
2176
2312
  #
2177
2313
  # For example:
2178
2314
  #
@@ -2291,8 +2427,8 @@ module Aws::KMS
2291
2427
  # allows you to use the CMK for [cryptographic operations][1].
2292
2428
  #
2293
2429
  # The CMK that you use for this operation must be in a compatible key
2294
- # state. For details, see [How Key State Affects Use of a Customer
2295
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2430
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2431
+ # Key Management Service Developer Guide*.
2296
2432
  #
2297
2433
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2298
2434
  # in a different AWS account.
@@ -2308,9 +2444,9 @@ module Aws::KMS
2308
2444
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2309
2445
  #
2310
2446
  # @option params [required, String] :key_id
2311
- # A unique identifier for the customer master key (CMK).
2447
+ # Identifies the customer master key (CMK) to enable.
2312
2448
  #
2313
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2449
+ # Specify the key ID or key ARN of the CMK.
2314
2450
  #
2315
2451
  # For example:
2316
2452
  #
@@ -2350,17 +2486,19 @@ module Aws::KMS
2350
2486
  # Enables [automatic rotation of the key material][1] for the specified
2351
2487
  # symmetric customer master key (CMK).
2352
2488
  #
2353
- # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
2354
- # imported key material, or CMKs in a [custom key store][2].
2489
+ # You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
2490
+ # with [imported key material][3], or CMKs in a [custom key store][4].
2491
+ # To enable or disable automatic rotation of a set of related
2492
+ # [multi-Region keys][5], set the property on the primary key.
2355
2493
  #
2356
2494
  # The CMK that you use for this operation must be in a compatible key
2357
- # state. For details, see [How Key State Affects Use of a Customer
2358
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
2495
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
2496
+ # Key Management Service Developer Guide*.
2359
2497
  #
2360
2498
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
2361
2499
  # in a different AWS account.
2362
2500
  #
2363
- # **Required permissions**\: [kms:EnableKeyRotation][4] (key policy)
2501
+ # **Required permissions**\: [kms:EnableKeyRotation][7] (key policy)
2364
2502
  #
2365
2503
  # **Related operations:**
2366
2504
  #
@@ -2371,16 +2509,21 @@ module Aws::KMS
2371
2509
  #
2372
2510
  #
2373
2511
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
2374
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2375
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2376
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2512
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
2513
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2514
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2515
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2516
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
2517
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2377
2518
  #
2378
2519
  # @option params [required, String] :key_id
2379
2520
  # Identifies a symmetric customer master key (CMK). You cannot enable
2380
- # automatic rotation of asymmetric CMKs, CMKs with imported key
2381
- # material, or CMKs in a [custom key store][1].
2521
+ # automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
2522
+ # material][2], or CMKs in a [custom key store][3]. To enable or disable
2523
+ # automatic rotation of a set of related [multi-Region keys][4], set the
2524
+ # property on the primary key.
2382
2525
  #
2383
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
2526
+ # Specify the key ID or key ARN of the CMK.
2384
2527
  #
2385
2528
  # For example:
2386
2529
  #
@@ -2393,7 +2536,10 @@ module Aws::KMS
2393
2536
  #
2394
2537
  #
2395
2538
  #
2396
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2539
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
2540
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
2541
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
2542
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
2397
2543
  #
2398
2544
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
2399
2545
  #
@@ -2496,8 +2642,8 @@ module Aws::KMS
2496
2642
  # * `RSAES_OAEP_SHA_256`\: 446 bytes
2497
2643
  #
2498
2644
  # The CMK that you use for this operation must be in a compatible key
2499
- # state. For details, see [How Key State Affects Use of a Customer
2500
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2645
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2646
+ # Key Management Service Developer Guide*.
2501
2647
  #
2502
2648
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
2503
2649
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -2520,12 +2666,12 @@ module Aws::KMS
2520
2666
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
2521
2667
  #
2522
2668
  # @option params [required, String] :key_id
2523
- # A unique identifier for the customer master key (CMK).
2669
+ # Identifies the customer master key (CMK) to use in the encryption
2670
+ # operation.
2524
2671
  #
2525
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2526
- # name, or alias ARN. When using an alias name, prefix it with
2527
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2528
- # the key ARN or alias ARN.
2672
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2673
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
2674
+ # in a different AWS account, you must use the key ARN or alias ARN.
2529
2675
  #
2530
2676
  # For example:
2531
2677
  #
@@ -2569,7 +2715,9 @@ module Aws::KMS
2569
2715
  # @option params [Array<String>] :grant_tokens
2570
2716
  # A list of grant tokens.
2571
2717
  #
2572
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
2718
+ # Use a grant token when your permission to call this operation comes
2719
+ # from a new grant that has not yet achieved *eventual consistency*. For
2720
+ # more information, see [Grant token][1] in the *AWS Key Management
2573
2721
  # Service Developer Guide*.
2574
2722
  #
2575
2723
  #
@@ -2666,8 +2814,8 @@ module Aws::KMS
2666
2814
  # Service Developer Guide*.
2667
2815
  #
2668
2816
  # The CMK that you use for this operation must be in a compatible key
2669
- # state. For details, see [How Key State Affects Use of a Customer
2670
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
2817
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
2818
+ # Key Management Service Developer Guide*.
2671
2819
  #
2672
2820
  # **How to use your data key**
2673
2821
  #
@@ -2726,10 +2874,9 @@ module Aws::KMS
2726
2874
  # @option params [required, String] :key_id
2727
2875
  # Identifies the symmetric CMK that encrypts the data key.
2728
2876
  #
2729
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2730
- # name, or alias ARN. When using an alias name, prefix it with
2731
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2732
- # the key ARN or alias ARN.
2877
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
2878
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
2879
+ # in a different AWS account, you must use the key ARN or alias ARN.
2733
2880
  #
2734
2881
  # For example:
2735
2882
  #
@@ -2783,7 +2930,9 @@ module Aws::KMS
2783
2930
  # @option params [Array<String>] :grant_tokens
2784
2931
  # A list of grant tokens.
2785
2932
  #
2786
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
2933
+ # Use a grant token when your permission to call this operation comes
2934
+ # from a new grant that has not yet achieved *eventual consistency*. For
2935
+ # more information, see [Grant token][1] in the *AWS Key Management
2787
2936
  # Service Developer Guide*.
2788
2937
  #
2789
2938
  #
@@ -2880,8 +3029,8 @@ module Aws::KMS
2880
3029
  # Service Developer Guide*.
2881
3030
  #
2882
3031
  # The CMK that you use for this operation must be in a compatible key
2883
- # state. For details, see [How Key State Affects Use of a Customer
2884
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3032
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3033
+ # Key Management Service Developer Guide*.
2885
3034
  #
2886
3035
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
2887
3036
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -2931,10 +3080,9 @@ module Aws::KMS
2931
3080
  # key store. To get the type and origin of your CMK, use the DescribeKey
2932
3081
  # operation.
2933
3082
  #
2934
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
2935
- # name, or alias ARN. When using an alias name, prefix it with
2936
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
2937
- # the key ARN or alias ARN.
3083
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3084
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3085
+ # in a different AWS account, you must use the key ARN or alias ARN.
2938
3086
  #
2939
3087
  # For example:
2940
3088
  #
@@ -2961,7 +3109,9 @@ module Aws::KMS
2961
3109
  # @option params [Array<String>] :grant_tokens
2962
3110
  # A list of grant tokens.
2963
3111
  #
2964
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3112
+ # Use a grant token when your permission to call this operation comes
3113
+ # from a new grant that has not yet achieved *eventual consistency*. For
3114
+ # more information, see [Grant token][1] in the *AWS Key Management
2965
3115
  # Service Developer Guide*.
2966
3116
  #
2967
3117
  #
@@ -3035,8 +3185,8 @@ module Aws::KMS
3035
3185
  # Service Developer Guide*.
3036
3186
  #
3037
3187
  # The CMK that you use for this operation must be in a compatible key
3038
- # state. For details, see [How Key State Affects Use of a Customer
3039
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3188
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3189
+ # Key Management Service Developer Guide*.
3040
3190
  #
3041
3191
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
3042
3192
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -3087,10 +3237,9 @@ module Aws::KMS
3087
3237
  # a CMK in a custom key store. To get the type and origin of your CMK,
3088
3238
  # use the DescribeKey operation.
3089
3239
  #
3090
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3091
- # name, or alias ARN. When using an alias name, prefix it with
3092
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3093
- # the key ARN or alias ARN.
3240
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3241
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3242
+ # in a different AWS account, you must use the key ARN or alias ARN.
3094
3243
  #
3095
3244
  # For example:
3096
3245
  #
@@ -3117,7 +3266,9 @@ module Aws::KMS
3117
3266
  # @option params [Array<String>] :grant_tokens
3118
3267
  # A list of grant tokens.
3119
3268
  #
3120
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3269
+ # Use a grant token when your permission to call this operation comes
3270
+ # from a new grant that has not yet achieved *eventual consistency*. For
3271
+ # more information, see [Grant token][1] in the *AWS Key Management
3121
3272
  # Service Developer Guide*.
3122
3273
  #
3123
3274
  #
@@ -3200,8 +3351,8 @@ module Aws::KMS
3200
3351
  # Service Developer Guide*.
3201
3352
  #
3202
3353
  # The CMK that you use for this operation must be in a compatible key
3203
- # state. For details, see [How Key State Affects Use of a Customer
3204
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3354
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3355
+ # Key Management Service Developer Guide*.
3205
3356
  #
3206
3357
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
3207
3358
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -3232,10 +3383,9 @@ module Aws::KMS
3232
3383
  # The identifier of the symmetric customer master key (CMK) that
3233
3384
  # encrypts the data key.
3234
3385
  #
3235
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3236
- # name, or alias ARN. When using an alias name, prefix it with
3237
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3238
- # the key ARN or alias ARN.
3386
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3387
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3388
+ # in a different AWS account, you must use the key ARN or alias ARN.
3239
3389
  #
3240
3390
  # For example:
3241
3391
  #
@@ -3282,7 +3432,9 @@ module Aws::KMS
3282
3432
  # @option params [Array<String>] :grant_tokens
3283
3433
  # A list of grant tokens.
3284
3434
  #
3285
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3435
+ # Use a grant token when your permission to call this operation comes
3436
+ # from a new grant that has not yet achieved *eventual consistency*. For
3437
+ # more information, see [Grant token][1] in the *AWS Key Management
3286
3438
  # Service Developer Guide*.
3287
3439
  #
3288
3440
  #
@@ -3345,14 +3497,14 @@ module Aws::KMS
3345
3497
  # ID.
3346
3498
  #
3347
3499
  # For more information about entropy and random number generation, see
3348
- # the [AWS Key Management Service Cryptographic Details][2] whitepaper.
3500
+ # [AWS Key Management Service Cryptographic Details][2].
3349
3501
  #
3350
3502
  # **Required permissions**\: [kms:GenerateRandom][3] (IAM policy)
3351
3503
  #
3352
3504
  #
3353
3505
  #
3354
3506
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3355
- # [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
3507
+ # [2]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
3356
3508
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3357
3509
  #
3358
3510
  # @option params [Integer] :number_of_bytes
@@ -3419,9 +3571,9 @@ module Aws::KMS
3419
3571
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3420
3572
  #
3421
3573
  # @option params [required, String] :key_id
3422
- # A unique identifier for the customer master key (CMK).
3574
+ # Gets the key policy for the specified customer master key (CMK).
3423
3575
  #
3424
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3576
+ # Specify the key ID or key ARN of the CMK.
3425
3577
  #
3426
3578
  # For example:
3427
3579
  #
@@ -3479,13 +3631,15 @@ module Aws::KMS
3479
3631
  # key material][1] is enabled for the specified customer master key
3480
3632
  # (CMK).
3481
3633
  #
3482
- # You cannot enable automatic rotation of asymmetric CMKs, CMKs with
3483
- # imported key material, or CMKs in a [custom key store][2]. The key
3634
+ # You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
3635
+ # with [imported key material][3], or CMKs in a [custom key store][4].
3636
+ # To enable or disable automatic rotation of a set of related
3637
+ # [multi-Region keys][5], set the property on the primary key. The key
3484
3638
  # rotation status for these CMKs is always `false`.
3485
3639
  #
3486
3640
  # The CMK that you use for this operation must be in a compatible key
3487
- # state. For details, see [How Key State Affects Use of a Customer
3488
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
3641
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
3642
+ # Key Management Service Developer Guide*.
3489
3643
  #
3490
3644
  # * Disabled: The key rotation status does not change when you disable a
3491
3645
  # CMK. However, while the CMK is disabled, AWS KMS does not rotate the
@@ -3500,7 +3654,7 @@ module Aws::KMS
3500
3654
  # different AWS account, specify the key ARN in the value of the `KeyId`
3501
3655
  # parameter.
3502
3656
  #
3503
- # **Required permissions**\: [kms:GetKeyRotationStatus][4] (key policy)
3657
+ # **Required permissions**\: [kms:GetKeyRotationStatus][7] (key policy)
3504
3658
  #
3505
3659
  # **Related operations:**
3506
3660
  #
@@ -3511,15 +3665,18 @@ module Aws::KMS
3511
3665
  #
3512
3666
  #
3513
3667
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
3514
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3515
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3516
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3668
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
3669
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
3670
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
3671
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
3672
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3673
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3517
3674
  #
3518
3675
  # @option params [required, String] :key_id
3519
- # A unique identifier for the customer master key (CMK).
3676
+ # Gets the rotation status for the specified customer master key (CMK).
3520
3677
  #
3521
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
3522
- # specify a CMK in a different AWS account, you must use the key ARN.
3678
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
3679
+ # different AWS account, you must use the key ARN.
3523
3680
  #
3524
3681
  # For example:
3525
3682
  #
@@ -3591,8 +3748,8 @@ module Aws::KMS
3591
3748
  # `GetParametersForImport` request.
3592
3749
  #
3593
3750
  # The CMK that you use for this operation must be in a compatible key
3594
- # state. For details, see [How Key State Affects Use of a Customer
3595
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
3751
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
3752
+ # Key Management Service Developer Guide*.
3596
3753
  #
3597
3754
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
3598
3755
  # in a different AWS account.
@@ -3616,7 +3773,7 @@ module Aws::KMS
3616
3773
  # The identifier of the symmetric CMK into which you will import key
3617
3774
  # material. The `Origin` of the CMK must be `EXTERNAL`.
3618
3775
  #
3619
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
3776
+ # Specify the key ID or key ARN of the CMK.
3620
3777
  #
3621
3778
  # For example:
3622
3779
  #
@@ -3730,8 +3887,8 @@ module Aws::KMS
3730
3887
  # algorithm in a verification operation.
3731
3888
  #
3732
3889
  # The CMK that you use for this operation must be in a compatible key
3733
- # state. For details, see [How Key State Affects Use of a Customer
3734
- # Master Key][7] in the *AWS Key Management Service Developer Guide*.
3890
+ # state. For details, see [Key state: Effect on your CMK][7] in the *AWS
3891
+ # Key Management Service Developer Guide*.
3735
3892
  #
3736
3893
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
3737
3894
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -3755,10 +3912,9 @@ module Aws::KMS
3755
3912
  # @option params [required, String] :key_id
3756
3913
  # Identifies the asymmetric CMK that includes the public key.
3757
3914
  #
3758
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
3759
- # name, or alias ARN. When using an alias name, prefix it with
3760
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
3761
- # the key ARN or alias ARN.
3915
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
3916
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
3917
+ # in a different AWS account, you must use the key ARN or alias ARN.
3762
3918
  #
3763
3919
  # For example:
3764
3920
  #
@@ -3777,7 +3933,9 @@ module Aws::KMS
3777
3933
  # @option params [Array<String>] :grant_tokens
3778
3934
  # A list of grant tokens.
3779
3935
  #
3780
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
3936
+ # Use a grant token when your permission to call this operation comes
3937
+ # from a new grant that has not yet achieved *eventual consistency*. For
3938
+ # more information, see [Grant token][1] in the *AWS Key Management
3781
3939
  # Service Developer Guide*.
3782
3940
  #
3783
3941
  #
@@ -3870,8 +4028,8 @@ module Aws::KMS
3870
4028
  # Service Developer Guide*.
3871
4029
  #
3872
4030
  # The CMK that you use for this operation must be in a compatible key
3873
- # state. For details, see [How Key State Affects Use of a Customer
3874
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
4031
+ # state. For details, see [Key state: Effect on your CMK][4] in the *AWS
4032
+ # Key Management Service Developer Guide*.
3875
4033
  #
3876
4034
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
3877
4035
  # in a different AWS account.
@@ -3898,7 +4056,7 @@ module Aws::KMS
3898
4056
  # same CMK specified in the `KeyID` parameter of the corresponding
3899
4057
  # GetParametersForImport request.
3900
4058
  #
3901
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4059
+ # Specify the key ID or key ARN of the CMK.
3902
4060
  #
3903
4061
  # For example:
3904
4062
  #
@@ -4014,7 +4172,7 @@ module Aws::KMS
4014
4172
  # This parameter is optional. If you omit it, `ListAliases` returns all
4015
4173
  # aliases in the account and Region.
4016
4174
  #
4017
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4175
+ # Specify the key ID or key ARN of the CMK.
4018
4176
  #
4019
4177
  # For example:
4020
4178
  #
@@ -4181,8 +4339,8 @@ module Aws::KMS
4181
4339
  # Returns only grants for the specified customer master key (CMK). This
4182
4340
  # parameter is required.
4183
4341
  #
4184
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
4185
- # specify a CMK in a different AWS account, you must use the key ARN.
4342
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
4343
+ # different AWS account, you must use the key ARN.
4186
4344
  #
4187
4345
  # For example:
4188
4346
  #
@@ -4335,9 +4493,10 @@ module Aws::KMS
4335
4493
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4336
4494
  #
4337
4495
  # @option params [required, String] :key_id
4338
- # A unique identifier for the customer master key (CMK).
4496
+ # Gets the names of key policies for the specified customer master key
4497
+ # (CMK).
4339
4498
  #
4340
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4499
+ # Specify the key ID or key ARN of the CMK.
4341
4500
  #
4342
4501
  # For example:
4343
4502
  #
@@ -4538,6 +4697,10 @@ module Aws::KMS
4538
4697
  #
4539
4698
  # **Related operations:**
4540
4699
  #
4700
+ # * CreateKey
4701
+ #
4702
+ # * ReplicateKey
4703
+ #
4541
4704
  # * TagResource
4542
4705
  #
4543
4706
  # * UntagResource
@@ -4549,9 +4712,9 @@ module Aws::KMS
4549
4712
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4550
4713
  #
4551
4714
  # @option params [required, String] :key_id
4552
- # A unique identifier for the customer master key (CMK).
4715
+ # Gets tags on the specified customer master key (CMK).
4553
4716
  #
4554
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4717
+ # Specify the key ID or key ARN of the CMK.
4555
4718
  #
4556
4719
  # For example:
4557
4720
  #
@@ -4637,8 +4800,10 @@ module Aws::KMS
4637
4800
  req.send_request(options)
4638
4801
  end
4639
4802
 
4640
- # Returns all grants in which the specified principal is the
4641
- # `RetiringPrincipal` in the grant.
4803
+ # Returns information about all grants in the AWS account and Region
4804
+ # that have the specified retiring principal. For more information about
4805
+ # grants, see [Grants][1] in the <i> <i>AWS Key Management Service
4806
+ # Developer Guide</i> </i>.
4642
4807
  #
4643
4808
  # You can specify any principal in your AWS account. The grants that are
4644
4809
  # returned include grants for CMKs in your AWS account and other AWS
@@ -4652,7 +4817,7 @@ module Aws::KMS
4652
4817
  # You do not need `kms:ListRetirableGrants` permission (or any other
4653
4818
  # additional permission) in any AWS account other than your own.
4654
4819
  #
4655
- # **Required permissions**\: [kms:ListRetirableGrants][1] (IAM policy)
4820
+ # **Required permissions**\: [kms:ListRetirableGrants][2] (IAM policy)
4656
4821
  # in your AWS account.
4657
4822
  #
4658
4823
  # **Related operations:**
@@ -4667,7 +4832,8 @@ module Aws::KMS
4667
4832
  #
4668
4833
  #
4669
4834
  #
4670
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4835
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
4836
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4671
4837
  #
4672
4838
  # @option params [Integer] :limit
4673
4839
  # Use this parameter to specify the maximum number of items to return.
@@ -4792,9 +4958,9 @@ module Aws::KMS
4792
4958
  # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
4793
4959
  #
4794
4960
  # @option params [required, String] :key_id
4795
- # A unique identifier for the customer master key (CMK).
4961
+ # Sets the key policy on the specified customer master key (CMK).
4796
4962
  #
4797
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
4963
+ # Specify the key ID or key ARN of the CMK.
4798
4964
  #
4799
4965
  # For example:
4800
4966
  #
@@ -4947,8 +5113,8 @@ module Aws::KMS
4947
5113
  # asymmetric key ciphertext does not include configurable fields.
4948
5114
  #
4949
5115
  # The CMK that you use for this operation must be in a compatible key
4950
- # state. For details, see [How Key State Affects Use of a Customer
4951
- # Master Key][6] in the *AWS Key Management Service Developer Guide*.
5116
+ # state. For details, see [Key state: Effect on your CMK][6] in the *AWS
5117
+ # Key Management Service Developer Guide*.
4952
5118
  #
4953
5119
  # **Cross-account use**\: Yes. The source CMK and destination CMK can be
4954
5120
  # in different AWS accounts. Either or both CMKs can be in a different
@@ -5021,10 +5187,9 @@ module Aws::KMS
5021
5187
  # However, it is always recommended as a best practice. This practice
5022
5188
  # ensures that you use the CMK that you intend.
5023
5189
  #
5024
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5025
- # name, or alias ARN. When using an alias name, prefix it with
5026
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
5027
- # the key ARN or alias ARN.
5190
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
5191
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
5192
+ # in a different AWS account, you must use the key ARN or alias ARN.
5028
5193
  #
5029
5194
  # For example:
5030
5195
  #
@@ -5046,10 +5211,9 @@ module Aws::KMS
5046
5211
  # `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
5047
5212
  # DescribeKey operation.
5048
5213
  #
5049
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5050
- # name, or alias ARN. When using an alias name, prefix it with
5051
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
5052
- # the key ARN or alias ARN.
5214
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
5215
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
5216
+ # in a different AWS account, you must use the key ARN or alias ARN.
5053
5217
  #
5054
5218
  # For example:
5055
5219
  #
@@ -5110,7 +5274,9 @@ module Aws::KMS
5110
5274
  # @option params [Array<String>] :grant_tokens
5111
5275
  # A list of grant tokens.
5112
5276
  #
5113
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
5277
+ # Use a grant token when your permission to call this operation comes
5278
+ # from a new grant that has not yet achieved *eventual consistency*. For
5279
+ # more information, see [Grant token][1] in the *AWS Key Management
5114
5280
  # Service Developer Guide*.
5115
5281
  #
5116
5282
  #
@@ -5176,31 +5342,331 @@ module Aws::KMS
5176
5342
  req.send_request(options)
5177
5343
  end
5178
5344
 
5179
- # Retires a grant. To clean up, you can retire a grant when you're done
5180
- # using it. You should revoke a grant when you intend to actively deny
5181
- # operations that depend on it. The following are permitted to call this
5182
- # API:
5345
+ # Replicates a multi-Region key into the specified Region. This
5346
+ # operation creates a multi-Region replica key based on a multi-Region
5347
+ # primary key in a different Region of the same AWS partition. You can
5348
+ # create multiple replicas of a primary key, but each must be in a
5349
+ # different Region. To create a multi-Region primary key, use the
5350
+ # CreateKey operation.
5351
+ #
5352
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
5353
+ # lets you create multiple interoperable CMKs in different AWS Regions.
5354
+ # Because these CMKs have the same key ID, key material, and other
5355
+ # metadata, you can use them to encrypt data in one AWS Region and
5356
+ # decrypt it in a different AWS Region without making a cross-Region
5357
+ # call or exposing the plaintext data. For more information about
5358
+ # multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
5359
+ # Management Service Developer Guide*.
5360
+ #
5361
+ # A *replica key* is a fully-functional CMK that can be used
5362
+ # independently of its primary and peer replica keys. A primary key and
5363
+ # its replica keys share properties that make them interoperable. They
5364
+ # have the same [key ID][2] and key material. They also have the same
5365
+ # [key spec][3], [key usage][4], [key material origin][5], and
5366
+ # [automatic key rotation status][6]. AWS KMS automatically synchronizes
5367
+ # these shared properties among related multi-Region keys. All other
5368
+ # properties of a replica key can differ, including its [key policy][7],
5369
+ # [tags][8], [aliases][9], and [key state][10]. AWS KMS pricing and
5370
+ # quotas for CMKs apply to each primary key and replica key.
5371
+ #
5372
+ # When this operation completes, the new replica key has a transient key
5373
+ # state of `Creating`. This key state changes to `Enabled` (or
5374
+ # `PendingImport`) after a few seconds when the process of creating the
5375
+ # new replica key is complete. While the key state is `Creating`, you
5376
+ # can manage key, but you cannot yet use it in cryptographic operations.
5377
+ # If you are creating and using the replica key programmatically, retry
5378
+ # on `KMSInvalidStateException` or call `DescribeKey` to check its
5379
+ # `KeyState` value before using it. For details about the `Creating` key
5380
+ # state, see [Key state: Effect on your
5381
+ # CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
5382
+ # Management Service Developer Guide*.
5383
+ #
5384
+ # The AWS CloudTrail log of a `ReplicateKey` operation records a
5385
+ # `ReplicateKey` operation in the primary key's Region and a CreateKey
5386
+ # operation in the replica key's Region.
5387
+ #
5388
+ # If you replicate a multi-Region primary key with imported key
5389
+ # material, the replica key is created with no key material. You must
5390
+ # import the same key material that you imported into the primary key.
5391
+ # For details, see [Importing key material into multi-Region
5392
+ # keys](kms/latest/developerguide/multi-region-keys-import.html) in the
5393
+ # *AWS Key Management Service Developer Guide*.
5394
+ #
5395
+ # To convert a replica key to a primary key, use the UpdatePrimaryRegion
5396
+ # operation.
5397
+ #
5398
+ # <note markdown="1"> `ReplicateKey` uses different default values for the `KeyPolicy` and
5399
+ # `Tags` parameters than those used in the AWS KMS console. For details,
5400
+ # see the parameter descriptions.
5401
+ #
5402
+ # </note>
5403
+ #
5404
+ # **Cross-account use**\: No. You cannot use this operation to create a
5405
+ # CMK in a different AWS account.
5406
+ #
5407
+ # **Required permissions**\:
5408
+ #
5409
+ # * `kms:ReplicateKey` on the primary CMK (in the primary CMK's
5410
+ # Region). Include this permission in the primary CMK's key policy.
5411
+ #
5412
+ # * `kms:CreateKey` in an IAM policy in the replica Region.
5413
+ #
5414
+ # * To use the `Tags` parameter, `kms:TagResource` in an IAM policy in
5415
+ # the replica Region.
5416
+ #
5417
+ # **Related operations**
5418
+ #
5419
+ # * CreateKey
5420
+ #
5421
+ # * UpdatePrimaryRegion
5422
+ #
5423
+ #
5424
+ #
5425
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
5426
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
5427
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
5428
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
5429
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
5430
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
5431
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
5432
+ # [8]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5433
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
5434
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5435
+ #
5436
+ # @option params [required, String] :key_id
5437
+ # Identifies the multi-Region primary key that is being replicated. To
5438
+ # determine whether a CMK is a multi-Region primary key, use the
5439
+ # DescribeKey operation to check the value of the `MultiRegionKeyType`
5440
+ # property.
5441
+ #
5442
+ # Specify the key ID or key ARN of a multi-Region primary key.
5443
+ #
5444
+ # For example:
5445
+ #
5446
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
5447
+ #
5448
+ # * Key ARN:
5449
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
5450
+ #
5451
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
5452
+ #
5453
+ # @option params [required, String] :replica_region
5454
+ # The Region ID of the AWS Region for this replica key.
5455
+ #
5456
+ # Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
5457
+ # list of AWS Regions in which AWS KMS is supported, see [AWS KMS
5458
+ # service endpoints][1] in the *Amazon Web Services General Reference*.
5459
+ #
5460
+ # The replica must be in a different AWS Region than its primary key and
5461
+ # other replicas of that primary key, but in the same AWS partition. AWS
5462
+ # KMS must be available in the replica Region. If the Region is not
5463
+ # enabled by default, the AWS account must be enabled in the Region.
5464
+ #
5465
+ # For information about AWS partitions, see [Amazon Resource Names
5466
+ # (ARNs) in the *Amazon Web Services General Reference*.][2] For
5467
+ # information about enabling and disabling Regions, see [Enabling a
5468
+ # Region][3] and [Disabling a Region][4] in the *Amazon Web Services
5469
+ # General Reference*.
5470
+ #
5471
+ #
5472
+ #
5473
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
5474
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
5475
+ # [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
5476
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
5477
+ #
5478
+ # @option params [String] :policy
5479
+ # The key policy to attach to the CMK. This parameter is optional. If
5480
+ # you do not provide a key policy, AWS KMS attaches the [default key
5481
+ # policy][1] to the CMK.
5482
+ #
5483
+ # The key policy is not a shared property of multi-Region keys. You can
5484
+ # specify the same key policy or a different key policy for each key in
5485
+ # a set of related multi-Region keys. AWS KMS does not synchronize this
5486
+ # property.
5487
+ #
5488
+ # If you provide a key policy, it must meet the following criteria:
5489
+ #
5490
+ # * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
5491
+ # policy must give the caller `kms:PutKeyPolicy` permission on the
5492
+ # replica CMK. This reduces the risk that the CMK becomes
5493
+ # unmanageable. For more information, refer to the scenario in the
5494
+ # [Default Key Policy][2] section of the <i> <i>AWS Key Management
5495
+ # Service Developer Guide</i> </i>.
5496
+ #
5497
+ # * Each statement in the key policy must contain one or more
5498
+ # principals. The principals in the key policy must exist and be
5499
+ # visible to AWS KMS. When you create a new AWS principal (for
5500
+ # example, an IAM user or role), you might need to enforce a delay
5501
+ # before including the new principal in a key policy because the new
5502
+ # principal might not be immediately visible to AWS KMS. For more
5503
+ # information, see [Changes that I make are not always immediately
5504
+ # visible][3] in the *AWS Identity and Access Management User Guide*.
5505
+ #
5506
+ # * The key policy size quota is 32 kilobytes (32768 bytes).
5507
+ #
5508
+ #
5509
+ #
5510
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
5511
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
5512
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
5513
+ #
5514
+ # @option params [Boolean] :bypass_policy_lockout_safety_check
5515
+ # A flag to indicate whether to bypass the key policy lockout safety
5516
+ # check.
5517
+ #
5518
+ # Setting this value to true increases the risk that the CMK becomes
5519
+ # unmanageable. Do not set this value to true indiscriminately.
5520
+ #
5521
+ # For more information, refer to the scenario in the [Default Key
5522
+ # Policy][1] section in the *AWS Key Management Service Developer
5523
+ # Guide*.
5524
+ #
5525
+ # Use this parameter only when you intend to prevent the principal that
5526
+ # is making the request from making a subsequent `PutKeyPolicy` request
5527
+ # on the CMK.
5528
+ #
5529
+ # The default value is false.
5183
5530
  #
5184
- # * The AWS account (root user) under which the grant was created
5185
5531
  #
5186
- # * The `RetiringPrincipal`, if present in the grant
5187
5532
  #
5188
- # * The `GranteePrincipal`, if `RetireGrant` is an operation specified
5189
- # in the grant
5533
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
5534
+ #
5535
+ # @option params [String] :description
5536
+ # A description of the CMK. Use a description that helps you decide
5537
+ # whether the CMK is appropriate for a task. The default value is an
5538
+ # empty string (no description).
5539
+ #
5540
+ # The description is not a shared property of multi-Region keys. You can
5541
+ # specify the same description or a different description for each key
5542
+ # in a set of related multi-Region keys. AWS KMS does not synchronize
5543
+ # this property.
5544
+ #
5545
+ # @option params [Array<Types::Tag>] :tags
5546
+ # Assigns one or more tags to the replica key. Use this parameter to tag
5547
+ # the CMK when it is created. To tag an existing CMK, use the
5548
+ # TagResource operation.
5549
+ #
5550
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
5551
+ # For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
5552
+ # Service Developer Guide*.
5190
5553
  #
5191
- # You must identify the grant to retire by its grant token or by a
5192
- # combination of the grant ID and the Amazon Resource Name (ARN) of the
5193
- # customer master key (CMK). A grant token is a unique variable-length
5194
- # base64-encoded string. A grant ID is a 64 character unique identifier
5195
- # of a grant. The CreateGrant operation returns both.
5554
+ # </note>
5555
+ #
5556
+ # To use this parameter, you must have [kms:TagResource][2] permission
5557
+ # in an IAM policy.
5558
+ #
5559
+ # Tags are not a shared property of multi-Region keys. You can specify
5560
+ # the same tags or different tags for each key in a set of related
5561
+ # multi-Region keys. AWS KMS does not synchronize this property.
5562
+ #
5563
+ # Each tag consists of a tag key and a tag value. Both the tag key and
5564
+ # the tag value are required, but the tag value can be an empty (null)
5565
+ # string. You cannot have more than one tag on a CMK with the same tag
5566
+ # key. If you specify an existing tag key with a different tag value,
5567
+ # AWS KMS replaces the current tag value with the specified one.
5568
+ #
5569
+ # When you assign tags to an AWS resource, AWS generates a cost
5570
+ # allocation report with usage and costs aggregated by tags. Tags can
5571
+ # also be used to control access to a CMK. For details, see [Tagging
5572
+ # Keys][3].
5573
+ #
5574
+ #
5575
+ #
5576
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
5577
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5578
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5579
+ #
5580
+ # @return [Types::ReplicateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
5581
+ #
5582
+ # * {Types::ReplicateKeyResponse#replica_key_metadata #replica_key_metadata} => Types::KeyMetadata
5583
+ # * {Types::ReplicateKeyResponse#replica_policy #replica_policy} => String
5584
+ # * {Types::ReplicateKeyResponse#replica_tags #replica_tags} => Array&lt;Types::Tag&gt;
5585
+ #
5586
+ # @example Request syntax with placeholder values
5587
+ #
5588
+ # resp = client.replicate_key({
5589
+ # key_id: "KeyIdType", # required
5590
+ # replica_region: "RegionType", # required
5591
+ # policy: "PolicyType",
5592
+ # bypass_policy_lockout_safety_check: false,
5593
+ # description: "DescriptionType",
5594
+ # tags: [
5595
+ # {
5596
+ # tag_key: "TagKeyType", # required
5597
+ # tag_value: "TagValueType", # required
5598
+ # },
5599
+ # ],
5600
+ # })
5601
+ #
5602
+ # @example Response structure
5603
+ #
5604
+ # resp.replica_key_metadata.aws_account_id #=> String
5605
+ # resp.replica_key_metadata.key_id #=> String
5606
+ # resp.replica_key_metadata.arn #=> String
5607
+ # resp.replica_key_metadata.creation_date #=> Time
5608
+ # resp.replica_key_metadata.enabled #=> Boolean
5609
+ # resp.replica_key_metadata.description #=> String
5610
+ # resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
5611
+ # resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
5612
+ # resp.replica_key_metadata.deletion_date #=> Time
5613
+ # resp.replica_key_metadata.valid_to #=> Time
5614
+ # resp.replica_key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
5615
+ # resp.replica_key_metadata.custom_key_store_id #=> String
5616
+ # resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
5617
+ # resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
5618
+ # resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
5619
+ # resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
5620
+ # resp.replica_key_metadata.encryption_algorithms #=> Array
5621
+ # resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
5622
+ # resp.replica_key_metadata.signing_algorithms #=> Array
5623
+ # resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
5624
+ # resp.replica_key_metadata.multi_region #=> Boolean
5625
+ # resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
5626
+ # resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
5627
+ # resp.replica_key_metadata.multi_region_configuration.primary_key.region #=> String
5628
+ # resp.replica_key_metadata.multi_region_configuration.replica_keys #=> Array
5629
+ # resp.replica_key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
5630
+ # resp.replica_key_metadata.multi_region_configuration.replica_keys[0].region #=> String
5631
+ # resp.replica_key_metadata.pending_deletion_window_in_days #=> Integer
5632
+ # resp.replica_policy #=> String
5633
+ # resp.replica_tags #=> Array
5634
+ # resp.replica_tags[0].tag_key #=> String
5635
+ # resp.replica_tags[0].tag_value #=> String
5636
+ #
5637
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey AWS API Documentation
5638
+ #
5639
+ # @overload replicate_key(params = {})
5640
+ # @param [Hash] params ({})
5641
+ def replicate_key(params = {}, options = {})
5642
+ req = build_request(:replicate_key, params)
5643
+ req.send_request(options)
5644
+ end
5645
+
5646
+ # Deletes a grant. Typically, you retire a grant when you no longer need
5647
+ # its permissions. To identify the grant to retire, use a [grant
5648
+ # token][1], or both the grant ID and a key identifier (key ID or key
5649
+ # ARN) of the customer master key (CMK). The CreateGrant operation
5650
+ # returns both values.
5651
+ #
5652
+ # This operation can be called by the *retiring principal* for a grant,
5653
+ # by the *grantee principal* if the grant allows the `RetireGrant`
5654
+ # operation, and by the AWS account (root user) in which the grant is
5655
+ # created. It can also be called by principals to whom permission for
5656
+ # retiring a grant is delegated. For details, see [Retiring and revoking
5657
+ # grants][2] in the *AWS Key Management Service Developer Guide*.
5658
+ #
5659
+ # For detailed information about grants, including grant terminology,
5660
+ # see [Using grants][3] in the <i> <i>AWS Key Management Service
5661
+ # Developer Guide</i> </i>. For examples of working with grants in
5662
+ # several programming languages, see [Programming grants][4].
5196
5663
  #
5197
5664
  # **Cross-account use**\: Yes. You can retire a grant on a CMK in a
5198
5665
  # different AWS account.
5199
5666
  #
5200
- # **Required permissions:**\: Permission to retire a grant is specified
5201
- # in the grant. You cannot control access to this operation in a policy.
5202
- # For more information, see [Using grants][1] in the *AWS Key Management
5203
- # Service Developer Guide*.
5667
+ # **Required permissions:**\:Permission to retire a grant is determined
5668
+ # primarily by the grant. For details, see [Retiring and revoking
5669
+ # grants][2] in the *AWS Key Management Service Developer Guide*.
5204
5670
  #
5205
5671
  # **Related operations:**
5206
5672
  #
@@ -5214,20 +5680,34 @@ module Aws::KMS
5214
5680
  #
5215
5681
  #
5216
5682
  #
5217
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
5683
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
5684
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
5685
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
5686
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
5218
5687
  #
5219
5688
  # @option params [String] :grant_token
5220
- # Token that identifies the grant to be retired.
5689
+ # Identifies the grant to be retired. You can use a grant token to
5690
+ # identify a new grant even before it has achieved eventual consistency.
5691
+ #
5692
+ # Only the CreateGrant operation returns a grant token. For details, see
5693
+ # [Grant token][1] and [Eventual consistency][2] in the *AWS Key
5694
+ # Management Service Developer Guide*.
5695
+ #
5696
+ #
5697
+ #
5698
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
5699
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
5221
5700
  #
5222
5701
  # @option params [String] :key_id
5223
- # The Amazon Resource Name (ARN) of the CMK associated with the grant.
5702
+ # The key ARN CMK associated with the grant. To find the key ARN, use
5703
+ # the ListKeys operation.
5224
5704
  #
5225
5705
  # For example:
5226
5706
  # `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
5227
5707
  #
5228
5708
  # @option params [String] :grant_id
5229
- # Unique identifier of the grant to retire. The grant ID is returned in
5230
- # the response to a `CreateGrant` operation.
5709
+ # Identifies the grant to retire. To get the grant ID, use CreateGrant,
5710
+ # ListGrants, or ListRetirableGrants.
5231
5711
  #
5232
5712
  # * Grant ID Example -
5233
5713
  # 0123456789012345678901234567890123456789012345678901234567890123
@@ -5263,15 +5743,22 @@ module Aws::KMS
5263
5743
  req.send_request(options)
5264
5744
  end
5265
5745
 
5266
- # Revokes the specified grant for the specified customer master key
5267
- # (CMK). You can revoke a grant to actively deny operations that depend
5268
- # on it.
5746
+ # Deletes the specified grant. You revoke a grant to terminate the
5747
+ # permissions that the grant allows. For more information, see [Retiring
5748
+ # and revoking grants][1] in the <i> <i>AWS Key Management Service
5749
+ # Developer Guide</i> </i>.
5750
+ #
5751
+ # When you create, retire, or revoke a grant, there might be a brief
5752
+ # delay, usually less than five minutes, until the grant is available
5753
+ # throughout AWS KMS. This state is known as *eventual consistency*. For
5754
+ # details, see [Eventual consistency][2] in the <i> <i>AWS Key
5755
+ # Management Service Developer Guide</i> </i>.
5269
5756
  #
5270
5757
  # **Cross-account use**\: Yes. To perform this operation on a CMK in a
5271
5758
  # different AWS account, specify the key ARN in the value of the `KeyId`
5272
5759
  # parameter.
5273
5760
  #
5274
- # **Required permissions**\: [kms:RevokeGrant][1] (key policy)
5761
+ # **Required permissions**\: [kms:RevokeGrant][3] (key policy).
5275
5762
  #
5276
5763
  # **Related operations:**
5277
5764
  #
@@ -5285,14 +5772,17 @@ module Aws::KMS
5285
5772
  #
5286
5773
  #
5287
5774
  #
5288
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5775
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
5776
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
5777
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5289
5778
  #
5290
5779
  # @option params [required, String] :key_id
5291
- # A unique identifier for the customer master key associated with the
5292
- # grant.
5780
+ # A unique identifier for the customer master key (CMK) associated with
5781
+ # the grant. To get the key ID and key ARN for a CMK, use ListKeys or
5782
+ # DescribeKey.
5293
5783
  #
5294
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To
5295
- # specify a CMK in a different AWS account, you must use the key ARN.
5784
+ # Specify the key ID or key ARN of the CMK. To specify a CMK in a
5785
+ # different AWS account, you must use the key ARN.
5296
5786
  #
5297
5787
  # For example:
5298
5788
  #
@@ -5304,7 +5794,8 @@ module Aws::KMS
5304
5794
  # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
5305
5795
  #
5306
5796
  # @option params [required, String] :grant_id
5307
- # Identifier of the grant to be revoked.
5797
+ # Identifies the grant to revoke. To get the grant ID, use CreateGrant,
5798
+ # ListGrants, or ListRetirableGrants.
5308
5799
  #
5309
5800
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
5310
5801
  #
@@ -5334,19 +5825,21 @@ module Aws::KMS
5334
5825
  req.send_request(options)
5335
5826
  end
5336
5827
 
5337
- # Schedules the deletion of a customer master key (CMK). You may provide
5338
- # a waiting period, specified in days, before deletion occurs. If you do
5339
- # not provide a waiting period, the default period of 30 days is used.
5340
- # When this operation is successful, the key state of the CMK changes to
5341
- # `PendingDeletion`. Before the waiting period ends, you can use
5342
- # CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
5343
- # period ends, AWS KMS deletes the CMK and all AWS KMS data associated
5344
- # with it, including all aliases that refer to it.
5828
+ # Schedules the deletion of a customer master key (CMK). By default, AWS
5829
+ # KMS applies a waiting period of 30 days, but you can specify a waiting
5830
+ # period of 7-30 days. When this operation is successful, the key state
5831
+ # of the CMK changes to `PendingDeletion` and the key can't be used in
5832
+ # any cryptographic operations. It remains in this state for the
5833
+ # duration of the waiting period. Before the waiting period ends, you
5834
+ # can use CancelKeyDeletion to cancel the deletion of the CMK. After the
5835
+ # waiting period ends, AWS KMS deletes the CMK, its key material, and
5836
+ # all AWS KMS data associated with it, including all aliases that refer
5837
+ # to it.
5345
5838
  #
5346
5839
  # Deleting a CMK is a destructive and potentially dangerous operation.
5347
5840
  # When a CMK is deleted, all data that was encrypted under the CMK is
5348
- # unrecoverable. To prevent the use of a CMK without deleting it, use
5349
- # DisableKey.
5841
+ # unrecoverable. (The only exception is a multi-Region replica key.) To
5842
+ # prevent the use of a CMK without deleting it, use DisableKey.
5350
5843
  #
5351
5844
  # If you schedule deletion of a CMK from a [custom key store][1], when
5352
5845
  # the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
@@ -5355,18 +5848,30 @@ module Aws::KMS
5355
5848
  # manually [delete the orphaned key material][2] from the cluster and
5356
5849
  # its backups.
5357
5850
  #
5851
+ # You can schedule the deletion of a multi-Region primary key and its
5852
+ # replica keys at any time. However, AWS KMS will not delete a
5853
+ # multi-Region primary key with existing replica keys. If you schedule
5854
+ # the deletion of a primary key with replicas, its key state changes to
5855
+ # `PendingReplicaDeletion` and it cannot be replicated or used in
5856
+ # cryptographic operations. This status can continue indefinitely. When
5857
+ # the last of its replicas keys is deleted (not just scheduled), the key
5858
+ # state of the primary key changes to `PendingDeletion` and its waiting
5859
+ # period (`PendingWindowInDays`) begins. For details, see [Deleting
5860
+ # multi-Region keys][3] in the *AWS Key Management Service Developer
5861
+ # Guide*.
5862
+ #
5358
5863
  # For more information about scheduling a CMK for deletion, see
5359
- # [Deleting Customer Master Keys][3] in the *AWS Key Management Service
5864
+ # [Deleting Customer Master Keys][4] in the *AWS Key Management Service
5360
5865
  # Developer Guide*.
5361
5866
  #
5362
5867
  # The CMK that you use for this operation must be in a compatible key
5363
- # state. For details, see [How Key State Affects Use of a Customer
5364
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
5868
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
5869
+ # Key Management Service Developer Guide*.
5365
5870
  #
5366
5871
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5367
5872
  # in a different AWS account.
5368
5873
  #
5369
- # **Required permissions**\: [kms:ScheduleKeyDeletion][5] (key policy)
5874
+ # **Required permissions**\: kms:ScheduleKeyDeletion (key policy)
5370
5875
  #
5371
5876
  # **Related operations**
5372
5877
  #
@@ -5378,14 +5883,14 @@ module Aws::KMS
5378
5883
  #
5379
5884
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
5380
5885
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
5381
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
5382
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5383
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5886
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html
5887
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
5888
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5384
5889
  #
5385
5890
  # @option params [required, String] :key_id
5386
5891
  # The unique identifier of the customer master key (CMK) to delete.
5387
5892
  #
5388
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
5893
+ # Specify the key ID or key ARN of the CMK.
5389
5894
  #
5390
5895
  # For example:
5391
5896
  #
@@ -5400,6 +5905,10 @@ module Aws::KMS
5400
5905
  # The waiting period, specified in number of days. After the waiting
5401
5906
  # period ends, AWS KMS deletes the customer master key (CMK).
5402
5907
  #
5908
+ # If the CMK is a multi-Region primary key with replicas, the waiting
5909
+ # period begins when the last of its replica keys is deleted. Otherwise,
5910
+ # the waiting period begins immediately.
5911
+ #
5403
5912
  # This value is optional. If you include a value, it must be between 7
5404
5913
  # and 30, inclusive. If you do not include a value, it defaults to 30.
5405
5914
  #
@@ -5407,6 +5916,8 @@ module Aws::KMS
5407
5916
  #
5408
5917
  # * {Types::ScheduleKeyDeletionResponse#key_id #key_id} => String
5409
5918
  # * {Types::ScheduleKeyDeletionResponse#deletion_date #deletion_date} => Time
5919
+ # * {Types::ScheduleKeyDeletionResponse#key_state #key_state} => String
5920
+ # * {Types::ScheduleKeyDeletionResponse#pending_window_in_days #pending_window_in_days} => Integer
5410
5921
  #
5411
5922
  #
5412
5923
  # @example Example: To schedule a customer master key (CMK) for deletion
@@ -5435,6 +5946,8 @@ module Aws::KMS
5435
5946
  #
5436
5947
  # resp.key_id #=> String
5437
5948
  # resp.deletion_date #=> Time
5949
+ # resp.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
5950
+ # resp.pending_window_in_days #=> Integer
5438
5951
  #
5439
5952
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion AWS API Documentation
5440
5953
  #
@@ -5484,8 +5997,8 @@ module Aws::KMS
5484
5997
  # KMS.
5485
5998
  #
5486
5999
  # The CMK that you use for this operation must be in a compatible key
5487
- # state. For details, see [How Key State Affects Use of a Customer
5488
- # Master Key][3] in the *AWS Key Management Service Developer Guide*.
6000
+ # state. For details, see [Key state: Effect on your CMK][3] in the *AWS
6001
+ # Key Management Service Developer Guide*.
5489
6002
  #
5490
6003
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
5491
6004
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -5508,10 +6021,9 @@ module Aws::KMS
5508
6021
  # must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
5509
6022
  # DescribeKey operation.
5510
6023
  #
5511
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
5512
- # name, or alias ARN. When using an alias name, prefix it with
5513
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
5514
- # the key ARN or alias ARN.
6024
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
6025
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
6026
+ # in a different AWS account, you must use the key ARN or alias ARN.
5515
6027
  #
5516
6028
  # For example:
5517
6029
  #
@@ -5542,7 +6054,9 @@ module Aws::KMS
5542
6054
  # @option params [Array<String>] :grant_tokens
5543
6055
  # A list of grant tokens.
5544
6056
  #
5545
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
6057
+ # Use a grant token when your permission to call this operation comes
6058
+ # from a new grant that has not yet achieved *eventual consistency*. For
6059
+ # more information, see [Grant token][1] in the *AWS Key Management
5546
6060
  # Service Developer Guide*.
5547
6061
  #
5548
6062
  #
@@ -5588,50 +6102,65 @@ module Aws::KMS
5588
6102
 
5589
6103
  # Adds or edits tags on a [customer managed CMK][1].
5590
6104
  #
6105
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
6106
+ # For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
6107
+ # Service Developer Guide*.
6108
+ #
6109
+ # </note>
6110
+ #
5591
6111
  # Each tag consists of a tag key and a tag value, both of which are
5592
6112
  # case-sensitive strings. The tag value can be an empty (null) string.
5593
- #
5594
6113
  # To add a tag, specify a new tag key and a tag value. To edit a tag,
5595
6114
  # specify an existing tag key and a new tag value.
5596
6115
  #
5597
6116
  # You can use this operation to tag a [customer managed CMK][1], but you
5598
- # cannot tag an [AWS managed CMK][2], an [AWS owned CMK][3], or an
5599
- # alias.
6117
+ # cannot tag an [AWS managed CMK][3], an [AWS owned CMK][4], a [custom
6118
+ # key store][5], or an [alias][6].
5600
6119
  #
6120
+ # You can also add tags to a CMK while creating it (CreateKey) or
6121
+ # replicating it (ReplicateKey).
6122
+ #
6123
+ # For information about using tags in AWS KMS, see [Tagging keys][7].
5601
6124
  # For general information about tags, including the format and syntax,
5602
- # see [Tagging AWS resources][4] in the *Amazon Web Services General
5603
- # Reference*. For information about using tags in AWS KMS, see [Tagging
5604
- # keys][5].
6125
+ # see [Tagging AWS resources][8] in the *Amazon Web Services General
6126
+ # Reference*.
5605
6127
  #
5606
6128
  # The CMK that you use for this operation must be in a compatible key
5607
- # state. For details, see [How Key State Affects Use of a Customer
5608
- # Master Key][6] in the *AWS Key Management Service Developer Guide*.
6129
+ # state. For details, see [Key state: Effect on your CMK][9] in the *AWS
6130
+ # Key Management Service Developer Guide*.
5609
6131
  #
5610
6132
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5611
6133
  # in a different AWS account.
5612
6134
  #
5613
- # **Required permissions**\: [kms:TagResource][7] (key policy)
6135
+ # **Required permissions**\: [kms:TagResource][10] (key policy)
5614
6136
  #
5615
6137
  # **Related operations**
5616
6138
  #
5617
- # * UntagResource
6139
+ # * CreateKey
5618
6140
  #
5619
6141
  # * ListResourceTags
5620
6142
  #
6143
+ # * ReplicateKey
6144
+ #
6145
+ # * UntagResource
6146
+ #
5621
6147
  #
5622
6148
  #
5623
6149
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
5624
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
5625
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
5626
- # [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
5627
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5628
- # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5629
- # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6150
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
6151
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
6152
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
6153
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept
6154
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept
6155
+ # [7]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
6156
+ # [8]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
6157
+ # [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6158
+ # [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5630
6159
  #
5631
6160
  # @option params [required, String] :key_id
5632
6161
  # Identifies a customer managed CMK in the account and Region.
5633
6162
  #
5634
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6163
+ # Specify the key ID or key ARN of the CMK.
5635
6164
  #
5636
6165
  # For example:
5637
6166
  #
@@ -5693,43 +6222,54 @@ module Aws::KMS
5693
6222
  # Deletes tags from a [customer managed CMK][1]. To delete a tag,
5694
6223
  # specify the tag key and the CMK.
5695
6224
  #
6225
+ # <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
6226
+ # For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
6227
+ # Service Developer Guide*.
6228
+ #
6229
+ # </note>
6230
+ #
5696
6231
  # When it succeeds, the `UntagResource` operation doesn't return any
5697
6232
  # output. Also, if the specified tag key isn't found on the CMK, it
5698
6233
  # doesn't throw an exception or return a response. To confirm that the
5699
6234
  # operation worked, use the ListResourceTags operation.
5700
6235
  #
6236
+ # For information about using tags in AWS KMS, see [Tagging keys][3].
5701
6237
  # For general information about tags, including the format and syntax,
5702
- # see [Tagging AWS resources][2] in the *Amazon Web Services General
5703
- # Reference*. For information about using tags in AWS KMS, see [Tagging
5704
- # keys][3].
6238
+ # see [Tagging AWS resources][4] in the *Amazon Web Services General
6239
+ # Reference*.
5705
6240
  #
5706
6241
  # The CMK that you use for this operation must be in a compatible key
5707
- # state. For details, see [How Key State Affects Use of a Customer
5708
- # Master Key][4] in the *AWS Key Management Service Developer Guide*.
6242
+ # state. For details, see [Key state: Effect on your CMK][5] in the *AWS
6243
+ # Key Management Service Developer Guide*.
5709
6244
  #
5710
6245
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5711
6246
  # in a different AWS account.
5712
6247
  #
5713
- # **Required permissions**\: [kms:UntagResource][5] (key policy)
6248
+ # **Required permissions**\: [kms:UntagResource][6] (key policy)
5714
6249
  #
5715
6250
  # **Related operations**
5716
6251
  #
5717
- # * TagResource
6252
+ # * CreateKey
5718
6253
  #
5719
6254
  # * ListResourceTags
5720
6255
  #
6256
+ # * ReplicateKey
6257
+ #
6258
+ # * TagResource
6259
+ #
5721
6260
  #
5722
6261
  #
5723
6262
  # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
5724
- # [2]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
6263
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
5725
6264
  # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
5726
- # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5727
- # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6265
+ # [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
6266
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6267
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5728
6268
  #
5729
6269
  # @option params [required, String] :key_id
5730
6270
  # Identifies the CMK from which you are removing tags.
5731
6271
  #
5732
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6272
+ # Specify the key ID or key ARN of the CMK.
5733
6273
  #
5734
6274
  # For example:
5735
6275
  #
@@ -5777,7 +6317,13 @@ module Aws::KMS
5777
6317
  # Associates an existing AWS KMS alias with a different customer master
5778
6318
  # key (CMK). Each alias is associated with only one CMK at a time,
5779
6319
  # although a CMK can have multiple aliases. The alias and the CMK must
5780
- # be in the same AWS account and region.
6320
+ # be in the same AWS account and Region.
6321
+ #
6322
+ # <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
6323
+ # the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
6324
+ # Management Service Developer Guide*.
6325
+ #
6326
+ # </note>
5781
6327
  #
5782
6328
  # The current and new CMK must be the same type (both symmetric or both
5783
6329
  # asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
@@ -5797,21 +6343,21 @@ module Aws::KMS
5797
6343
  # operation.
5798
6344
  #
5799
6345
  # The CMK that you use for this operation must be in a compatible key
5800
- # state. For details, see [How Key State Affects Use of a Customer
5801
- # Master Key][1] in the *AWS Key Management Service Developer Guide*.
6346
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
6347
+ # Key Management Service Developer Guide*.
5802
6348
  #
5803
6349
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
5804
6350
  # in a different AWS account.
5805
6351
  #
5806
6352
  # **Required permissions**
5807
6353
  #
5808
- # * [kms:UpdateAlias][2] on the alias (IAM policy).
6354
+ # * [kms:UpdateAlias][3] on the alias (IAM policy).
5809
6355
  #
5810
- # * [kms:UpdateAlias][2] on the current CMK (key policy).
6356
+ # * [kms:UpdateAlias][3] on the current CMK (key policy).
5811
6357
  #
5812
- # * [kms:UpdateAlias][2] on the new CMK (key policy).
6358
+ # * [kms:UpdateAlias][3] on the new CMK (key policy).
5813
6359
  #
5814
- # For details, see [Controlling access to aliases][3] in the *AWS Key
6360
+ # For details, see [Controlling access to aliases][4] in the *AWS Key
5815
6361
  # Management Service Developer Guide*.
5816
6362
  #
5817
6363
  # **Related operations:**
@@ -5824,9 +6370,10 @@ module Aws::KMS
5824
6370
  #
5825
6371
  #
5826
6372
  #
5827
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
5828
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
5829
- # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
6373
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
6374
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
6375
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6376
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
5830
6377
  #
5831
6378
  # @option params [required, String] :alias_name
5832
6379
  # Identifies the alias that is changing its CMK. This value must begin
@@ -5844,7 +6391,7 @@ module Aws::KMS
5844
6391
  # (both symmetric or both asymmetric) and they must have the same key
5845
6392
  # usage.
5846
6393
  #
5847
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6394
+ # Specify the key ID or key ARN of the CMK.
5848
6395
  #
5849
6396
  # For example:
5850
6397
  #
@@ -6015,8 +6562,8 @@ module Aws::KMS
6015
6562
  # description of a CMK, use DescribeKey.
6016
6563
  #
6017
6564
  # The CMK that you use for this operation must be in a compatible key
6018
- # state. For details, see [How Key State Affects Use of a Customer
6019
- # Master Key][1] in the *AWS Key Management Service Developer Guide*.
6565
+ # state. For details, see [Key state: Effect on your CMK][1] in the *AWS
6566
+ # Key Management Service Developer Guide*.
6020
6567
  #
6021
6568
  # **Cross-account use**\: No. You cannot perform this operation on a CMK
6022
6569
  # in a different AWS account.
@@ -6035,9 +6582,9 @@ module Aws::KMS
6035
6582
  # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
6036
6583
  #
6037
6584
  # @option params [required, String] :key_id
6038
- # A unique identifier for the customer master key (CMK).
6585
+ # Updates the description of the specified customer master key (CMK).
6039
6586
  #
6040
- # Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
6587
+ # Specify the key ID or key ARN of the CMK.
6041
6588
  #
6042
6589
  # For example:
6043
6590
  #
@@ -6079,6 +6626,128 @@ module Aws::KMS
6079
6626
  req.send_request(options)
6080
6627
  end
6081
6628
 
6629
+ # Changes the primary key of a multi-Region key.
6630
+ #
6631
+ # This operation changes the replica key in the specified Region to a
6632
+ # primary key and changes the former primary key to a replica key. For
6633
+ # example, suppose you have a primary key in `us-east-1` and a replica
6634
+ # key in `eu-west-2`. If you run `UpdatePrimaryRegion` with a
6635
+ # `PrimaryRegion` value of `eu-west-2`, the primary key is now the key
6636
+ # in `eu-west-2`, and the key in `us-east-1` becomes a replica key. For
6637
+ # details, see
6638
+ #
6639
+ # This operation supports *multi-Region keys*, an AWS KMS feature that
6640
+ # lets you create multiple interoperable CMKs in different AWS Regions.
6641
+ # Because these CMKs have the same key ID, key material, and other
6642
+ # metadata, you can use them to encrypt data in one AWS Region and
6643
+ # decrypt it in a different AWS Region without making a cross-Region
6644
+ # call or exposing the plaintext data. For more information about
6645
+ # multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
6646
+ # Management Service Developer Guide*.
6647
+ #
6648
+ # The *primary key* of a multi-Region key is the source for properties
6649
+ # that are always shared by primary and replica keys, including the key
6650
+ # material, [key ID][2], [key spec][3], [key usage][4], [key material
6651
+ # origin][5], and [automatic key rotation][6]. It's the only key that
6652
+ # can be replicated. You cannot [delete the primary key][7] until all
6653
+ # replicas are deleted.
6654
+ #
6655
+ # The key ID and primary Region that you specify uniquely identify the
6656
+ # replica key that will become the primary key. The primary Region must
6657
+ # already have a replica key. This operation does not create a CMK in
6658
+ # the specified Region. To find the replica keys, use the DescribeKey
6659
+ # operation on the primary key or any replica key. To create a replica
6660
+ # key, use the ReplicateKey operation.
6661
+ #
6662
+ # You can run this operation while using the affected multi-Region keys
6663
+ # in cryptographic operations. This operation should not delay,
6664
+ # interrupt, or cause failures in cryptographic operations.
6665
+ #
6666
+ # Even after this operation completes, the process of updating the
6667
+ # primary Region might still be in progress for a few more seconds.
6668
+ # Operations such as `DescribeKey` might display both the old and new
6669
+ # primary keys as replicas. The old and new primary keys have a
6670
+ # transient key state of `Updating`. The original key state is restored
6671
+ # when the update is complete. While the key state is `Updating`, you
6672
+ # can use the keys in cryptographic operations, but you cannot replicate
6673
+ # the new primary key or perform certain management operations, such as
6674
+ # enabling or disabling these keys. For details about the `Updating` key
6675
+ # state, see [Key state: Effect on your
6676
+ # CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
6677
+ # Management Service Developer Guide*.
6678
+ #
6679
+ # This operation does not return any output. To verify that primary key
6680
+ # is changed, use the DescribeKey operation.
6681
+ #
6682
+ # **Cross-account use**\: No. You cannot use this operation in a
6683
+ # different AWS account.
6684
+ #
6685
+ # **Required permissions**\:
6686
+ #
6687
+ # * `kms:UpdatePrimaryRegion` on the current primary CMK (in the primary
6688
+ # CMK's Region). Include this permission primary CMK's key policy.
6689
+ #
6690
+ # * `kms:UpdatePrimaryRegion` on the current replica CMK (in the replica
6691
+ # CMK's Region). Include this permission in the replica CMK's key
6692
+ # policy.
6693
+ #
6694
+ # **Related operations**
6695
+ #
6696
+ # * CreateKey
6697
+ #
6698
+ # * ReplicateKey
6699
+ #
6700
+ #
6701
+ #
6702
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
6703
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
6704
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
6705
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
6706
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
6707
+ # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
6708
+ # [7]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
6709
+ #
6710
+ # @option params [required, String] :key_id
6711
+ # Identifies the current primary key. When the operation completes, this
6712
+ # CMK will be a replica key.
6713
+ #
6714
+ # Specify the key ID or key ARN of a multi-Region primary key.
6715
+ #
6716
+ # For example:
6717
+ #
6718
+ # * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
6719
+ #
6720
+ # * Key ARN:
6721
+ # `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
6722
+ #
6723
+ # To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
6724
+ #
6725
+ # @option params [required, String] :primary_region
6726
+ # The AWS Region of the new primary key. Enter the Region ID, such as
6727
+ # `us-east-1` or `ap-southeast-2`. There must be an existing replica key
6728
+ # in this Region.
6729
+ #
6730
+ # When the operation completes, the multi-Region key in this Region will
6731
+ # be the primary key.
6732
+ #
6733
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
6734
+ #
6735
+ # @example Request syntax with placeholder values
6736
+ #
6737
+ # resp = client.update_primary_region({
6738
+ # key_id: "KeyIdType", # required
6739
+ # primary_region: "RegionType", # required
6740
+ # })
6741
+ #
6742
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion AWS API Documentation
6743
+ #
6744
+ # @overload update_primary_region(params = {})
6745
+ # @param [Hash] params ({})
6746
+ def update_primary_region(params = {}, options = {})
6747
+ req = build_request(:update_primary_region, params)
6748
+ req.send_request(options)
6749
+ end
6750
+
6082
6751
  # Verifies a digital signature that was generated by the Sign operation.
6083
6752
  #
6084
6753
  #
@@ -6111,8 +6780,8 @@ module Aws::KMS
6111
6780
  # signatures.
6112
6781
  #
6113
6782
  # The CMK that you use for this operation must be in a compatible key
6114
- # state. For details, see [How Key State Affects Use of a Customer
6115
- # Master Key][2] in the *AWS Key Management Service Developer Guide*.
6783
+ # state. For details, see [Key state: Effect on your CMK][2] in the *AWS
6784
+ # Key Management Service Developer Guide*.
6116
6785
  #
6117
6786
  # **Cross-account use**\: Yes. To perform this operation with a CMK in a
6118
6787
  # different AWS account, specify the key ARN or alias ARN in the value
@@ -6134,10 +6803,9 @@ module Aws::KMS
6134
6803
  # signature. If you specify a different CMK, the signature verification
6135
6804
  # fails.
6136
6805
  #
6137
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
6138
- # name, or alias ARN. When using an alias name, prefix it with
6139
- # `"alias/"`. To specify a CMK in a different AWS account, you must use
6140
- # the key ARN or alias ARN.
6806
+ # To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
6807
+ # When using an alias name, prefix it with `"alias/"`. To specify a CMK
6808
+ # in a different AWS account, you must use the key ARN or alias ARN.
6141
6809
  #
6142
6810
  # For example:
6143
6811
  #
@@ -6181,7 +6849,9 @@ module Aws::KMS
6181
6849
  # @option params [Array<String>] :grant_tokens
6182
6850
  # A list of grant tokens.
6183
6851
  #
6184
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
6852
+ # Use a grant token when your permission to call this operation comes
6853
+ # from a new grant that has not yet achieved *eventual consistency*. For
6854
+ # more information, see [Grant token][1] in the *AWS Key Management
6185
6855
  # Service Developer Guide*.
6186
6856
  #
6187
6857
  #
@@ -6233,7 +6903,7 @@ module Aws::KMS
6233
6903
  params: params,
6234
6904
  config: config)
6235
6905
  context[:gem_name] = 'aws-sdk-kms'
6236
- context[:gem_version] = '1.43.0'
6906
+ context[:gem_version] = '1.44.0'
6237
6907
  Seahorse::Client::Request.new(handlers, context)
6238
6908
  end
6239
6909