aws-sdk-states 1.72.0 → 1.73.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00b08b5d202e5c0093830505b4a551cac636fa117a152a1054dc770d6c903cd9
-  data.tar.gz: cbeb07668ca62a8913633fab31f9826830e6e4ece09d998a8f712d9bc34d386b
+  metadata.gz: 6d8470ffa769273e67d0bdaa85d2a1a708c850c61872d3ba2e1131ffa7c57b5f
+  data.tar.gz: e6f54fb3f66dead49cdbed514ee81d0dc52fe054f19548307f03d12cbb8971f2
 SHA512:
-  metadata.gz: a9a0c27a5c2dca0adce50d7b6faabde4ea722072c460f13ef8f4707f6c648cfc3fa51c39c9268a6e667d6be1e175d58932d3a94149d187153e88c59c9e0f14e5
-  data.tar.gz: d672c5864b66d8c7bdbe86ebb2ae6d00d256cadfc991e5f2cb5197563bdf79491f85d12662cdc814b33f18b32bb410b1c930c1f980e3c7a747002c6456a59cb2
+  metadata.gz: 20fdbcbd4e8e25721998f8c24a98e74ebbfa51e9fa418230b1983faa86295e007bd8b74c134cf7a1cfd5f72a8d421d6411ad2b5d17f1136bb6906956713f7420
+  data.tar.gz: 7e30d822a05a48cd28f5d6422205f15ead4a633d6ce13ef4a40cc0f0a180f1912584521466822b1012c70b8a10e0f0ce5d7f9480c264826b4c18d6c39e0511af

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.73.0 (2024-07-25)
+------------------
+
+* Feature - This release adds support to customer managed KMS key encryption in AWS Step Functions.
+
 1.72.0 (2024-07-02)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.72.0
+1.73.0

data/lib/aws-sdk-states/client.rb

@@ -495,6 +495,9 @@ module Aws::States
     #   [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
     #
+    # @option params [Types::EncryptionConfiguration] :encryption_configuration
+    #   Settings to configure server-side encryption.
+    #
     # @return [Types::CreateActivityOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateActivityOutput#activity_arn #activity_arn} => String
@@ -510,6 +513,11 @@ module Aws::States
     #         value: "TagValue",
     #       },
     #     ],
+    #     encryption_configuration: {
+    #       kms_key_id: "KmsKeyId",
+    #       kms_data_key_reuse_period_seconds: 1,
+    #       type: "AWS_OWNED_KEY", # required, accepts AWS_OWNED_KEY, CUSTOMER_MANAGED_KMS_KEY
+    #     },
     #   })
     #
     # @example Response structure
@@ -536,6 +544,13 @@ module Aws::States
     # If you set the `publish` parameter of this API action to `true`, it
     # publishes version `1` as the first revision of the state machine.
     #
+    # For additional control over security, you can encrypt your data using
+    # a **customer-managed key** for Step Functions state machines. You can
+    # configure a symmetric KMS key and data key reuse period when creating
+    # or updating a **State Machine**. The execution history and state
+    # machine definition will be encrypted with the key applied to the State
+    # Machine.
+    #
     # <note markdown="1"> This operation is eventually consistent. The results are best effort
     # and may not reflect very recent updates and changes.
     #
@@ -544,13 +559,13 @@ module Aws::States
     # <note markdown="1"> `CreateStateMachine` is an idempotent API. Subsequent requests won’t
     # create a duplicate resource if it was already created.
     # `CreateStateMachine`'s idempotency check is based on the state
-    # machine `name`, `definition`, `type`, `LoggingConfiguration`, and
-    # `TracingConfiguration`. The check is also based on the `publish` and
-    # `versionDescription` parameters. If a following request has a
-    # different `roleArn` or `tags`, Step Functions will ignore these
-    # differences and treat it as an idempotent request of the previous. In
-    # this case, `roleArn` and `tags` will not be updated, even if they are
-    # different.
+    # machine `name`, `definition`, `type`, `LoggingConfiguration`,
+    # `TracingConfiguration`, and `EncryptionConfiguration` The check is
+    # also based on the `publish` and `versionDescription` parameters. If a
+    # following request has a different `roleArn` or `tags`, Step Functions
+    # will ignore these differences and treat it as an idempotent request of
+    # the previous. In this case, `roleArn` and `tags` will not be updated,
+    # even if they are different.
     #
     #  </note>
     #
@@ -634,6 +649,9 @@ module Aws::States
     #   you set `versionDescription`, but `publish` to `false`, this API
     #   action throws `ValidationException`.
     #
+    # @option params [Types::EncryptionConfiguration] :encryption_configuration
+    #   Settings to configure server-side encryption.
+    #
     # @return [Types::CreateStateMachineOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateStateMachineOutput#state_machine_arn #state_machine_arn} => String
@@ -669,6 +687,11 @@ module Aws::States
     #     },
     #     publish: false,
     #     version_description: "VersionDescription",
+    #     encryption_configuration: {
+    #       kms_key_id: "KmsKeyId",
+    #       kms_data_key_reuse_period_seconds: 1,
+    #       type: "AWS_OWNED_KEY", # required, accepts AWS_OWNED_KEY, CUSTOMER_MANAGED_KMS_KEY
+    #     },
     #   })
     #
     # @example Response structure
@@ -960,6 +983,7 @@ module Aws::States
     #   * {Types::DescribeActivityOutput#activity_arn #activity_arn} => String
     #   * {Types::DescribeActivityOutput#name #name} => String
     #   * {Types::DescribeActivityOutput#creation_date #creation_date} => Time
+    #   * {Types::DescribeActivityOutput#encryption_configuration #encryption_configuration} => Types::EncryptionConfiguration
     #
     # @example Request syntax with placeholder values
     #
@@ -972,6 +996,9 @@ module Aws::States
     #   resp.activity_arn #=> String
     #   resp.name #=> String
     #   resp.creation_date #=> Time
+    #   resp.encryption_configuration.kms_key_id #=> String
+    #   resp.encryption_configuration.kms_data_key_reuse_period_seconds #=> Integer
+    #   resp.encryption_configuration.type #=> String, one of "AWS_OWNED_KEY", "CUSTOMER_MANAGED_KMS_KEY"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/states-2016-11-23/DescribeActivity AWS API Documentation
     #
@@ -1008,6 +1035,13 @@ module Aws::States
     # @option params [required, String] :execution_arn
     #   The Amazon Resource Name (ARN) of the execution to describe.
     #
+    # @option params [String] :included_data
+    #   If your state machine definition is encrypted with a KMS key, callers
+    #   must have `kms:Decrypt` permission to decrypt the definition.
+    #   Alternatively, you can call DescribeStateMachine API with
+    #   `includedData = METADATA_ONLY` to get a successful response without
+    #   the encrypted definition.
+    #
     # @return [Types::DescribeExecutionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeExecutionOutput#execution_arn #execution_arn} => String
@@ -1035,6 +1069,7 @@ module Aws::States
     #
     #   resp = client.describe_execution({
     #     execution_arn: "Arn", # required
+    #     included_data: "ALL_DATA", # accepts ALL_DATA, METADATA_ONLY
     #   })
     #
     # @example Response structure
@@ -1200,6 +1235,21 @@ module Aws::States
     #   ARN and the version number separated by a colon (:). For example,
     #   `stateMachineARN:1`.
     #
+    # @option params [String] :included_data
+    #   If your state machine definition is encrypted with a KMS key, callers
+    #   must have `kms:Decrypt` permission to decrypt the definition.
+    #   Alternatively, you can call the API with `includedData =
+    #   METADATA_ONLY` to get a successful response without the encrypted
+    #   definition.
+    #
+    #   <note markdown="1"> When calling a labelled ARN for an encrypted state machine, the
+    #   `includedData = METADATA_ONLY` parameter will not apply because Step
+    #   Functions needs to decrypt the entire state machine definition to get
+    #   the Distributed Map state’s definition. In this case, the API caller
+    #   needs to have `kms:Decrypt` permission.
+    #
+    #    </note>
+    #
     # @return [Types::DescribeStateMachineOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeStateMachineOutput#state_machine_arn #state_machine_arn} => String
@@ -1214,11 +1264,13 @@ module Aws::States
     #   * {Types::DescribeStateMachineOutput#label #label} => String
     #   * {Types::DescribeStateMachineOutput#revision_id #revision_id} => String
     #   * {Types::DescribeStateMachineOutput#description #description} => String
+    #   * {Types::DescribeStateMachineOutput#encryption_configuration #encryption_configuration} => Types::EncryptionConfiguration
     #
     # @example Request syntax with placeholder values
     #
     #   resp = client.describe_state_machine({
     #     state_machine_arn: "Arn", # required
+    #     included_data: "ALL_DATA", # accepts ALL_DATA, METADATA_ONLY
     #   })
     #
     # @example Response structure
@@ -1238,6 +1290,9 @@ module Aws::States
     #   resp.label #=> String
     #   resp.revision_id #=> String
     #   resp.description #=> String
+    #   resp.encryption_configuration.kms_key_id #=> String
+    #   resp.encryption_configuration.kms_data_key_reuse_period_seconds #=> Integer
+    #   resp.encryption_configuration.type #=> String, one of "AWS_OWNED_KEY", "CUSTOMER_MANAGED_KMS_KEY"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/states-2016-11-23/DescribeStateMachine AWS API Documentation
     #
@@ -1319,6 +1374,13 @@ module Aws::States
     #   The Amazon Resource Name (ARN) of the execution you want state machine
     #   information for.
     #
+    # @option params [String] :included_data
+    #   If your state machine definition is encrypted with a KMS key, callers
+    #   must have `kms:Decrypt` permission to decrypt the definition.
+    #   Alternatively, you can call the API with `includedData =
+    #   METADATA_ONLY` to get a successful response without the encrypted
+    #   definition.
+    #
     # @return [Types::DescribeStateMachineForExecutionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeStateMachineForExecutionOutput#state_machine_arn #state_machine_arn} => String
@@ -1331,11 +1393,13 @@ module Aws::States
     #   * {Types::DescribeStateMachineForExecutionOutput#map_run_arn #map_run_arn} => String
     #   * {Types::DescribeStateMachineForExecutionOutput#label #label} => String
     #   * {Types::DescribeStateMachineForExecutionOutput#revision_id #revision_id} => String
+    #   * {Types::DescribeStateMachineForExecutionOutput#encryption_configuration #encryption_configuration} => Types::EncryptionConfiguration
     #
     # @example Request syntax with placeholder values
     #
     #   resp = client.describe_state_machine_for_execution({
     #     execution_arn: "Arn", # required
+    #     included_data: "ALL_DATA", # accepts ALL_DATA, METADATA_ONLY
     #   })
     #
     # @example Response structure
@@ -1353,6 +1417,9 @@ module Aws::States
     #   resp.map_run_arn #=> String
     #   resp.label #=> String
     #   resp.revision_id #=> String
+    #   resp.encryption_configuration.kms_key_id #=> String
+    #   resp.encryption_configuration.kms_data_key_reuse_period_seconds #=> Integer
+    #   resp.encryption_configuration.type #=> String, one of "AWS_OWNED_KEY", "CUSTOMER_MANAGED_KMS_KEY"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/states-2016-11-23/DescribeStateMachineForExecution AWS API Documentation
     #
@@ -2279,6 +2346,13 @@ module Aws::States
     # and optionally Task states using the [job run][2] pattern to report
     # that the task identified by the `taskToken` failed.
     #
+    # For an execution with encryption enabled, Step Functions will encrypt
+    # the error and cause fields using the KMS key for the execution role.
+    #
+    # A caller can mark a task as fail without using any KMS permissions in
+    # the execution role if the caller provides a null value for both
+    # `error` and `cause` fields because no data needs to be encrypted.
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-wait-token
@@ -2621,6 +2695,13 @@ module Aws::States
     #   Passes the X-Ray trace header. The trace header can also be passed in
     #   the request payload.
     #
+    # @option params [String] :included_data
+    #   If your state machine definition is encrypted with a KMS key, callers
+    #   must have `kms:Decrypt` permission to decrypt the definition.
+    #   Alternatively, you can call the API with `includedData =
+    #   METADATA_ONLY` to get a successful response without the encrypted
+    #   definition.
+    #
     # @return [Types::StartSyncExecutionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::StartSyncExecutionOutput#execution_arn #execution_arn} => String
@@ -2645,6 +2726,7 @@ module Aws::States
     #     name: "Name",
     #     input: "SensitiveData",
     #     trace_header: "TraceHeader",
+    #     included_data: "ALL_DATA", # accepts ALL_DATA, METADATA_ONLY
     #   })
     #
     # @example Response structure
@@ -2678,6 +2760,13 @@ module Aws::States
     #
     # This API action is not supported by `EXPRESS` state machines.
     #
+    # For an execution with encryption enabled, Step Functions will encrypt
+    # the error and cause fields using the KMS key for the execution role.
+    #
+    # A caller can stop an execution without using any KMS permissions in
+    # the execution role if the caller provides a null value for both
+    # `error` and `cause` fields because no data needs to be encrypted.
+    #
     # @option params [required, String] :execution_arn
     #   The Amazon Resource Name (ARN) of the execution to stop.
     #
@@ -2981,10 +3070,10 @@ module Aws::States
     end
 
     # Updates an existing state machine by modifying its `definition`,
-    # `roleArn`, or `loggingConfiguration`. Running executions will continue
-    # to use the previous `definition` and `roleArn`. You must include at
-    # least one of `definition` or `roleArn` or you will receive a
-    # `MissingRequiredParameter` error.
+    # `roleArn`, `loggingConfiguration`, or `EncryptionConfiguration`.
+    # Running executions will continue to use the previous `definition` and
+    # `roleArn`. You must include at least one of `definition` or `roleArn`
+    # or you will receive a `MissingRequiredParameter` error.
     #
     # A qualified state machine ARN refers to a *Distributed Map state*
     # defined within a state machine. For example, the qualified state
@@ -3079,6 +3168,9 @@ module Aws::States
     #   You can only specify the `versionDescription` parameter if you've set
     #   `publish` to `true`.
     #
+    # @option params [Types::EncryptionConfiguration] :encryption_configuration
+    #   Settings to configure server-side encryption.
+    #
     # @return [Types::UpdateStateMachineOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateStateMachineOutput#update_date #update_date} => Time
@@ -3107,6 +3199,11 @@ module Aws::States
     #     },
     #     publish: false,
     #     version_description: "VersionDescription",
+    #     encryption_configuration: {
+    #       kms_key_id: "KmsKeyId",
+    #       kms_data_key_reuse_period_seconds: 1,
+    #       type: "AWS_OWNED_KEY", # required, accepts AWS_OWNED_KEY, CUSTOMER_MANAGED_KMS_KEY
+    #     },
     #   })
     #
     # @example Response structure
@@ -3284,7 +3381,7 @@ module Aws::States
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-states'
-      context[:gem_version] = '1.72.0'
+      context[:gem_version] = '1.73.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-states/client_api.rb

@@ -13,6 +13,7 @@ module Aws::States
 
     include Seahorse::Model
 
+    ActivityAlreadyExists = Shapes::StructureShape.new(name: 'ActivityAlreadyExists')
     ActivityDoesNotExist = Shapes::StructureShape.new(name: 'ActivityDoesNotExist')
     ActivityFailedEventDetails = Shapes::StructureShape.new(name: 'ActivityFailedEventDetails')
     ActivityLimitExceeded = Shapes::StructureShape.new(name: 'ActivityLimitExceeded')
@@ -63,6 +64,8 @@ module Aws::States
     DescribeStateMachineInput = Shapes::StructureShape.new(name: 'DescribeStateMachineInput')
     DescribeStateMachineOutput = Shapes::StructureShape.new(name: 'DescribeStateMachineOutput')
     Enabled = Shapes::BooleanShape.new(name: 'Enabled')
+    EncryptionConfiguration = Shapes::StructureShape.new(name: 'EncryptionConfiguration')
+    EncryptionType = Shapes::StringShape.new(name: 'EncryptionType')
     ErrorMessage = Shapes::StringShape.new(name: 'ErrorMessage')
     EventId = Shapes::IntegerShape.new(name: 'EventId')
     ExecutionAbortedEventDetails = Shapes::StructureShape.new(name: 'ExecutionAbortedEventDetails')
@@ -97,18 +100,26 @@ module Aws::States
     Identity = Shapes::StringShape.new(name: 'Identity')
     IncludeExecutionData = Shapes::BooleanShape.new(name: 'IncludeExecutionData')
     IncludeExecutionDataGetExecutionHistory = Shapes::BooleanShape.new(name: 'IncludeExecutionDataGetExecutionHistory')
+    IncludedData = Shapes::StringShape.new(name: 'IncludedData')
     InspectionData = Shapes::StructureShape.new(name: 'InspectionData')
     InspectionDataRequest = Shapes::StructureShape.new(name: 'InspectionDataRequest')
     InspectionDataResponse = Shapes::StructureShape.new(name: 'InspectionDataResponse')
     InspectionLevel = Shapes::StringShape.new(name: 'InspectionLevel')
     InvalidArn = Shapes::StructureShape.new(name: 'InvalidArn')
     InvalidDefinition = Shapes::StructureShape.new(name: 'InvalidDefinition')
+    InvalidEncryptionConfiguration = Shapes::StructureShape.new(name: 'InvalidEncryptionConfiguration')
     InvalidExecutionInput = Shapes::StructureShape.new(name: 'InvalidExecutionInput')
     InvalidLoggingConfiguration = Shapes::StructureShape.new(name: 'InvalidLoggingConfiguration')
     InvalidName = Shapes::StructureShape.new(name: 'InvalidName')
     InvalidOutput = Shapes::StructureShape.new(name: 'InvalidOutput')
     InvalidToken = Shapes::StructureShape.new(name: 'InvalidToken')
     InvalidTracingConfiguration = Shapes::StructureShape.new(name: 'InvalidTracingConfiguration')
+    KmsAccessDeniedException = Shapes::StructureShape.new(name: 'KmsAccessDeniedException')
+    KmsDataKeyReusePeriodSeconds = Shapes::IntegerShape.new(name: 'KmsDataKeyReusePeriodSeconds')
+    KmsInvalidStateException = Shapes::StructureShape.new(name: 'KmsInvalidStateException')
+    KmsKeyId = Shapes::StringShape.new(name: 'KmsKeyId')
+    KmsKeyState = Shapes::StringShape.new(name: 'KmsKeyState')
+    KmsThrottlingException = Shapes::StructureShape.new(name: 'KmsThrottlingException')
     LambdaFunctionFailedEventDetails = Shapes::StructureShape.new(name: 'LambdaFunctionFailedEventDetails')
     LambdaFunctionScheduleFailedEventDetails = Shapes::StructureShape.new(name: 'LambdaFunctionScheduleFailedEventDetails')
     LambdaFunctionScheduledEventDetails = Shapes::StructureShape.new(name: 'LambdaFunctionScheduledEventDetails')
@@ -254,6 +265,9 @@ module Aws::States
     includedDetails = Shapes::BooleanShape.new(name: 'includedDetails')
     truncated = Shapes::BooleanShape.new(name: 'truncated')
 
+    ActivityAlreadyExists.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
+    ActivityAlreadyExists.struct_class = Types::ActivityAlreadyExists
+
     ActivityDoesNotExist.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
     ActivityDoesNotExist.struct_class = Types::ActivityDoesNotExist
 
@@ -311,6 +325,7 @@ module Aws::States
 
     CreateActivityInput.add_member(:name, Shapes::ShapeRef.new(shape: Name, required: true, location_name: "name"))
     CreateActivityInput.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "tags"))
+    CreateActivityInput.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "encryptionConfiguration"))
     CreateActivityInput.struct_class = Types::CreateActivityInput
 
     CreateActivityOutput.add_member(:activity_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "activityArn"))
@@ -335,6 +350,7 @@ module Aws::States
     CreateStateMachineInput.add_member(:tracing_configuration, Shapes::ShapeRef.new(shape: TracingConfiguration, location_name: "tracingConfiguration"))
     CreateStateMachineInput.add_member(:publish, Shapes::ShapeRef.new(shape: Publish, location_name: "publish"))
     CreateStateMachineInput.add_member(:version_description, Shapes::ShapeRef.new(shape: VersionDescription, location_name: "versionDescription"))
+    CreateStateMachineInput.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "encryptionConfiguration"))
     CreateStateMachineInput.struct_class = Types::CreateStateMachineInput
 
     CreateStateMachineOutput.add_member(:state_machine_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "stateMachineArn"))
@@ -368,9 +384,11 @@ module Aws::States
     DescribeActivityOutput.add_member(:activity_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "activityArn"))
     DescribeActivityOutput.add_member(:name, Shapes::ShapeRef.new(shape: Name, required: true, location_name: "name"))
     DescribeActivityOutput.add_member(:creation_date, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "creationDate"))
+    DescribeActivityOutput.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "encryptionConfiguration"))
     DescribeActivityOutput.struct_class = Types::DescribeActivityOutput
 
     DescribeExecutionInput.add_member(:execution_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "executionArn"))
+    DescribeExecutionInput.add_member(:included_data, Shapes::ShapeRef.new(shape: IncludedData, location_name: "includedData"))
     DescribeExecutionInput.struct_class = Types::DescribeExecutionInput
 
     DescribeExecutionOutput.add_member(:execution_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "executionArn"))
@@ -424,6 +442,7 @@ module Aws::States
     DescribeStateMachineAliasOutput.struct_class = Types::DescribeStateMachineAliasOutput
 
     DescribeStateMachineForExecutionInput.add_member(:execution_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "executionArn"))
+    DescribeStateMachineForExecutionInput.add_member(:included_data, Shapes::ShapeRef.new(shape: IncludedData, location_name: "includedData"))
     DescribeStateMachineForExecutionInput.struct_class = Types::DescribeStateMachineForExecutionInput
 
     DescribeStateMachineForExecutionOutput.add_member(:state_machine_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "stateMachineArn"))
@@ -436,9 +455,11 @@ module Aws::States
     DescribeStateMachineForExecutionOutput.add_member(:map_run_arn, Shapes::ShapeRef.new(shape: LongArn, location_name: "mapRunArn"))
     DescribeStateMachineForExecutionOutput.add_member(:label, Shapes::ShapeRef.new(shape: MapRunLabel, location_name: "label"))
     DescribeStateMachineForExecutionOutput.add_member(:revision_id, Shapes::ShapeRef.new(shape: RevisionId, location_name: "revisionId"))
+    DescribeStateMachineForExecutionOutput.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "encryptionConfiguration"))
     DescribeStateMachineForExecutionOutput.struct_class = Types::DescribeStateMachineForExecutionOutput
 
     DescribeStateMachineInput.add_member(:state_machine_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "stateMachineArn"))
+    DescribeStateMachineInput.add_member(:included_data, Shapes::ShapeRef.new(shape: IncludedData, location_name: "includedData"))
     DescribeStateMachineInput.struct_class = Types::DescribeStateMachineInput
 
     DescribeStateMachineOutput.add_member(:state_machine_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "stateMachineArn"))
@@ -453,8 +474,14 @@ module Aws::States
     DescribeStateMachineOutput.add_member(:label, Shapes::ShapeRef.new(shape: MapRunLabel, location_name: "label"))
     DescribeStateMachineOutput.add_member(:revision_id, Shapes::ShapeRef.new(shape: RevisionId, location_name: "revisionId"))
     DescribeStateMachineOutput.add_member(:description, Shapes::ShapeRef.new(shape: VersionDescription, location_name: "description"))
+    DescribeStateMachineOutput.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "encryptionConfiguration"))
     DescribeStateMachineOutput.struct_class = Types::DescribeStateMachineOutput
 
+    EncryptionConfiguration.add_member(:kms_key_id, Shapes::ShapeRef.new(shape: KmsKeyId, location_name: "kmsKeyId"))
+    EncryptionConfiguration.add_member(:kms_data_key_reuse_period_seconds, Shapes::ShapeRef.new(shape: KmsDataKeyReusePeriodSeconds, location_name: "kmsDataKeyReusePeriodSeconds", metadata: {"box"=>true}))
+    EncryptionConfiguration.add_member(:type, Shapes::ShapeRef.new(shape: EncryptionType, required: true, location_name: "type"))
+    EncryptionConfiguration.struct_class = Types::EncryptionConfiguration
+
     ExecutionAbortedEventDetails.add_member(:error, Shapes::ShapeRef.new(shape: SensitiveError, location_name: "error"))
     ExecutionAbortedEventDetails.add_member(:cause, Shapes::ShapeRef.new(shape: SensitiveCause, location_name: "cause"))
     ExecutionAbortedEventDetails.struct_class = Types::ExecutionAbortedEventDetails
@@ -605,6 +632,9 @@ module Aws::States
     InvalidDefinition.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
     InvalidDefinition.struct_class = Types::InvalidDefinition
 
+    InvalidEncryptionConfiguration.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
+    InvalidEncryptionConfiguration.struct_class = Types::InvalidEncryptionConfiguration
+
     InvalidExecutionInput.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
     InvalidExecutionInput.struct_class = Types::InvalidExecutionInput
 
@@ -623,6 +653,16 @@ module Aws::States
     InvalidTracingConfiguration.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
     InvalidTracingConfiguration.struct_class = Types::InvalidTracingConfiguration
 
+    KmsAccessDeniedException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
+    KmsAccessDeniedException.struct_class = Types::KmsAccessDeniedException
+
+    KmsInvalidStateException.add_member(:kms_key_state, Shapes::ShapeRef.new(shape: KmsKeyState, location_name: "kmsKeyState"))
+    KmsInvalidStateException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
+    KmsInvalidStateException.struct_class = Types::KmsInvalidStateException
+
+    KmsThrottlingException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "message"))
+    KmsThrottlingException.struct_class = Types::KmsThrottlingException
+
     LambdaFunctionFailedEventDetails.add_member(:error, Shapes::ShapeRef.new(shape: SensitiveError, location_name: "error"))
     LambdaFunctionFailedEventDetails.add_member(:cause, Shapes::ShapeRef.new(shape: SensitiveCause, location_name: "cause"))
     LambdaFunctionFailedEventDetails.struct_class = Types::LambdaFunctionFailedEventDetails
@@ -836,6 +876,7 @@ module Aws::States
     StartSyncExecutionInput.add_member(:name, Shapes::ShapeRef.new(shape: Name, location_name: "name"))
     StartSyncExecutionInput.add_member(:input, Shapes::ShapeRef.new(shape: SensitiveData, location_name: "input"))
     StartSyncExecutionInput.add_member(:trace_header, Shapes::ShapeRef.new(shape: TraceHeader, location_name: "traceHeader"))
+    StartSyncExecutionInput.add_member(:included_data, Shapes::ShapeRef.new(shape: IncludedData, location_name: "includedData"))
     StartSyncExecutionInput.struct_class = Types::StartSyncExecutionInput
 
     StartSyncExecutionOutput.add_member(:execution_arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "executionArn"))
@@ -1030,6 +1071,7 @@ module Aws::States
     UpdateStateMachineInput.add_member(:tracing_configuration, Shapes::ShapeRef.new(shape: TracingConfiguration, location_name: "tracingConfiguration"))
     UpdateStateMachineInput.add_member(:publish, Shapes::ShapeRef.new(shape: Publish, location_name: "publish"))
     UpdateStateMachineInput.add_member(:version_description, Shapes::ShapeRef.new(shape: VersionDescription, location_name: "versionDescription"))
+    UpdateStateMachineInput.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "encryptionConfiguration"))
     UpdateStateMachineInput.struct_class = Types::UpdateStateMachineInput
 
     UpdateStateMachineOutput.add_member(:update_date, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "updateDate"))
@@ -1085,8 +1127,12 @@ module Aws::States
         o.input = Shapes::ShapeRef.new(shape: CreateActivityInput)
         o.output = Shapes::ShapeRef.new(shape: CreateActivityOutput)
         o.errors << Shapes::ShapeRef.new(shape: ActivityLimitExceeded)
+        o.errors << Shapes::ShapeRef.new(shape: ActivityAlreadyExists)
         o.errors << Shapes::ShapeRef.new(shape: InvalidName)
         o.errors << Shapes::ShapeRef.new(shape: TooManyTags)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidEncryptionConfiguration)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:create_state_machine, Seahorse::Model::Operation.new.tap do |o|
@@ -1107,6 +1153,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: TooManyTags)
         o.errors << Shapes::ShapeRef.new(shape: ValidationException)
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidEncryptionConfiguration)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:create_state_machine_alias, Seahorse::Model::Operation.new.tap do |o|
@@ -1184,6 +1233,9 @@ module Aws::States
         o.output = Shapes::ShapeRef.new(shape: DescribeExecutionOutput)
         o.errors << Shapes::ShapeRef.new(shape: ExecutionDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArn)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:describe_map_run, Seahorse::Model::Operation.new.tap do |o|
@@ -1204,6 +1256,9 @@ module Aws::States
         o.output = Shapes::ShapeRef.new(shape: DescribeStateMachineOutput)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArn)
         o.errors << Shapes::ShapeRef.new(shape: StateMachineDoesNotExist)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:describe_state_machine_alias, Seahorse::Model::Operation.new.tap do |o|
@@ -1225,6 +1280,9 @@ module Aws::States
         o.output = Shapes::ShapeRef.new(shape: DescribeStateMachineForExecutionOutput)
         o.errors << Shapes::ShapeRef.new(shape: ExecutionDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArn)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:get_activity_task, Seahorse::Model::Operation.new.tap do |o|
@@ -1236,6 +1294,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: ActivityDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: ActivityWorkerLimitExceeded)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArn)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:get_execution_history, Seahorse::Model::Operation.new.tap do |o|
@@ -1247,6 +1308,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: ExecutionDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArn)
         o.errors << Shapes::ShapeRef.new(shape: InvalidToken)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
         o[:pager] = Aws::Pager.new(
           limit_key: "max_results",
           tokens: {
@@ -1392,6 +1456,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: TaskDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: InvalidToken)
         o.errors << Shapes::ShapeRef.new(shape: TaskTimedOut)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:send_task_heartbeat, Seahorse::Model::Operation.new.tap do |o|
@@ -1415,6 +1482,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: InvalidOutput)
         o.errors << Shapes::ShapeRef.new(shape: InvalidToken)
         o.errors << Shapes::ShapeRef.new(shape: TaskTimedOut)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:start_execution, Seahorse::Model::Operation.new.tap do |o|
@@ -1431,6 +1501,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: StateMachineDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: StateMachineDeleting)
         o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:start_sync_execution, Seahorse::Model::Operation.new.tap do |o|
@@ -1448,6 +1521,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: StateMachineDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: StateMachineDeleting)
         o.errors << Shapes::ShapeRef.new(shape: StateMachineTypeNotSupported)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:stop_execution, Seahorse::Model::Operation.new.tap do |o|
@@ -1459,6 +1535,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: ExecutionDoesNotExist)
         o.errors << Shapes::ShapeRef.new(shape: InvalidArn)
         o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsInvalidStateException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
@@ -1524,6 +1603,9 @@ module Aws::States
         o.errors << Shapes::ShapeRef.new(shape: ServiceQuotaExceededException)
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
         o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidEncryptionConfiguration)
+        o.errors << Shapes::ShapeRef.new(shape: KmsAccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: KmsThrottlingException)
       end)
 
       api.add_operation(:update_state_machine_alias, Seahorse::Model::Operation.new.tap do |o|