@aws-sdk/client-kms 3.288.0 → 3.290.0

package/dist-types/commands/CreateKeyCommand.d.ts

@@ -195,6 +195,411 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  * @see {@link CreateKeyCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CustomKeyStoreInvalidStateException} (client fault)
+ *  <p>The request was rejected because of the <code>ConnectionState</code> of the custom key
+ *       store. To get the <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p>This exception is thrown under the following conditions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>You requested the <a>ConnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>FAILED</code>. This operation is valid for all other <code>ConnectionState</code>
+ *           values. To reconnect a custom key store in a <code>FAILED</code> state, disconnect it
+ *             (<a>DisconnectCustomKeyStore</a>), then connect it
+ *             (<code>ConnectCustomKeyStore</code>).</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>CreateKey</a> operation in a custom key store that is
+ *           not connected. This operations is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>DISCONNECTED</code>. This operation is valid for all other
+ *             <code>ConnectionState</code> values.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key store that is not
+ *           disconnected. This operation is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>DISCONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>GenerateRandom</a> operation in an CloudHSM key store
+ *           that is not connected. This operation is valid only when the CloudHSM key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>. </p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link CustomKeyStoreNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find a custom key store with the specified
+ *       key store name or ID.</p>
+ *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link MalformedPolicyDocumentException} (client fault)
+ *  <p>The request was rejected because the specified policy is not syntactically or semantically
+ *       correct.</p>
+ *
+ * @throws {@link TagException} (client fault)
+ *  <p>The request was rejected because one or more tags are not valid.</p>
+ *
+ * @throws {@link UnsupportedOperationException} (client fault)
+ *  <p>The request was rejected because a specified parameter is not supported or a specified
+ *       resource is not valid for this operation.</p>
+ *
+ * @throws {@link XksKeyAlreadyInUseException} (client fault)
+ *  <p>The request was rejected because the (<code>XksKeyId</code>) is already associated with a
+ *       KMS key in this external key store. Each KMS key in an external key store must be associated
+ *       with a different external key.</p>
+ *
+ * @throws {@link XksKeyInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the external key specified by the <code>XksKeyId</code>
+ *       parameter did not meet the configuration requirements for an external key store.</p>
+ *          <p>The external key must be an AES-256 symmetric key that is enabled and performs encryption
+ *       and decryption.</p>
+ *
+ * @throws {@link XksKeyNotFoundException} (client fault)
+ *  <p>The request was rejected because the external key store proxy could not find the external key. This
+ *       exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't identify a
+ *       key in the external key manager associated with the external key proxy.</p>
+ *          <p>Verify that the <code>XksKeyId</code> represents an existing key in the external key
+ *       manager. Use the key identifier that the external key store proxy uses to identify the key.
+ *       For details, see the documentation provided with your external key store proxy or key
+ *       manager.</p>
+ *
+ *
+ * @example To create a KMS key
+ * ```javascript
+ * // The following example creates a symmetric KMS key for encryption and decryption. No parameters are required for this operation.
+ * const input = {};
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "CreationDate": "2017-07-05T14:04:55-07:00",
+ *     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "EncryptionAlgorithms": [
+ *       "SYMMETRIC_DEFAULT"
+ *     ],
+ *     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "SYMMETRIC_DEFAULT",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "ENCRYPT_DECRYPT",
+ *     "MultiRegion": false,
+ *     "Origin": "AWS_KMS"
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-a-cmk-1
+ * ```
+ *
+ * @example To create an asymmetric RSA KMS key for encryption and decryption
+ * ```javascript
+ * // This example creates a KMS key that contains an asymmetric RSA key pair for encryption and decryption. The key spec and key usage can't be changed after the key is created.
+ * const input = {
+ *   "KeySpec": "RSA_4096",
+ *   "KeyUsage": "ENCRYPT_DECRYPT"
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "CreationDate": "2021-04-05T14:04:55-07:00",
+ *     "CustomerMasterKeySpec": "RSA_4096",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "EncryptionAlgorithms": [
+ *       "RSAES_OAEP_SHA_1",
+ *       "RSAES_OAEP_SHA_256"
+ *     ],
+ *     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "RSA_4096",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "ENCRYPT_DECRYPT",
+ *     "MultiRegion": false,
+ *     "Origin": "AWS_KMS"
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-an-asymmetric-rsa-kms-key-for-encryption-and-decryption-2
+ * ```
+ *
+ * @example To create an asymmetric elliptic curve KMS key for signing and verification
+ * ```javascript
+ * // This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key pair for signing and verification. The key usage is required even though "SIGN_VERIFY" is the only valid value for ECC KMS keys. The key spec and key usage can't be changed after the key is created.
+ * const input = {
+ *   "KeySpec": "ECC_NIST_P521",
+ *   "KeyUsage": "SIGN_VERIFY"
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "CreationDate": "2019-12-02T07:48:55-07:00",
+ *     "CustomerMasterKeySpec": "ECC_NIST_P521",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "ECC_NIST_P521",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "SIGN_VERIFY",
+ *     "MultiRegion": false,
+ *     "Origin": "AWS_KMS",
+ *     "SigningAlgorithms": [
+ *       "ECDSA_SHA_512"
+ *     ]
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-an-asymmetric-elliptic-curve-kms-key-for-signing-and-verification-3
+ * ```
+ *
+ * @example To create an HMAC KMS key
+ * ```javascript
+ * // This example creates a 384-bit symmetric HMAC KMS key. The GENERATE_VERIFY_MAC key usage value is required even though it's the only valid value for HMAC KMS keys. The key spec and key usage can't be changed after the key is created.
+ * const input = {
+ *   "KeySpec": "HMAC_384",
+ *   "KeyUsage": "GENERATE_VERIFY_MAC"
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "CreationDate": "2022-04-05T14:04:55-07:00",
+ *     "CustomerMasterKeySpec": "HMAC_384",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "HMAC_384",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "GENERATE_VERIFY_MAC",
+ *     "MacAlgorithms": [
+ *       "HMAC_SHA_384"
+ *     ],
+ *     "MultiRegion": false,
+ *     "Origin": "AWS_KMS"
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-an-hmac-kms-key-1630628752841
+ * ```
+ *
+ * @example To create a multi-Region primary KMS key
+ * ```javascript
+ * // This example creates a multi-Region primary symmetric encryption key. Because the default values for all parameters create a symmetric encryption key, only the MultiRegion parameter is required for this KMS key.
+ * const input = {
+ *   "MultiRegion": true
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab",
+ *     "CreationDate": "2021-09-02T016:15:21-09:00",
+ *     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "EncryptionAlgorithms": [
+ *       "SYMMETRIC_DEFAULT"
+ *     ],
+ *     "KeyId": "mrk-1234abcd12ab34cd56ef12345678990ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "SYMMETRIC_DEFAULT",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "ENCRYPT_DECRYPT",
+ *     "MultiRegion": true,
+ *     "MultiRegionConfiguration": {
+ *       "MultiRegionKeyType": "PRIMARY",
+ *       "PrimaryKey": {
+ *         "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab",
+ *         "Region": "us-west-2"
+ *       },
+ *       "ReplicaKeys": []
+ *     },
+ *     "Origin": "AWS_KMS"
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-a-multi-region-primary-kms-key-4
+ * ```
+ *
+ * @example To create a KMS key for imported key material
+ * ```javascript
+ * // This example creates a KMS key with no key material. When the operation is complete, you can import your own key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
+ * const input = {
+ *   "Origin": "EXTERNAL"
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "CreationDate": "2019-12-02T07:48:55-07:00",
+ *     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+ *     "Description": "",
+ *     "Enabled": false,
+ *     "EncryptionAlgorithms": [
+ *       "SYMMETRIC_DEFAULT"
+ *     ],
+ *     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "SYMMETRIC_DEFAULT",
+ *     "KeyState": "PendingImport",
+ *     "KeyUsage": "ENCRYPT_DECRYPT",
+ *     "MultiRegion": false,
+ *     "Origin": "EXTERNAL"
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-a-kms-key-for-imported-key-material-5
+ * ```
+ *
+ * @example To create a KMS key in an AWS CloudHSM key store
+ * ```javascript
+ * // This example creates a KMS key in the specified AWS CloudHSM key store. The operation creates the KMS key and its metadata in AWS KMS and creates the key material in the AWS CloudHSM cluster associated with the custom key store. This example requires the CustomKeyStoreId  and Origin parameters.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *   "Origin": "AWS_CLOUDHSM"
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "CloudHsmClusterId": "cluster-1a23b4cdefg",
+ *     "CreationDate": "2019-12-02T07:48:55-07:00",
+ *     "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "EncryptionAlgorithms": [
+ *       "SYMMETRIC_DEFAULT"
+ *     ],
+ *     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "SYMMETRIC_DEFAULT",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "ENCRYPT_DECRYPT",
+ *     "MultiRegion": false,
+ *     "Origin": "AWS_CLOUDHSM"
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-a-kms-key-in-an-aws-cloudhsm-custom-key-store-6
+ * ```
+ *
+ * @example To create a KMS key in an external key store
+ * ```javascript
+ * // This example creates a KMS key in the specified external key store. It uses the XksKeyId parameter to associate the KMS key with an existing symmetric encryption key in your external key manager. This CustomKeyStoreId, Origin, and XksKeyId parameters are required in this operation.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-9876543210fedcba9",
+ *   "Origin": "EXTERNAL_KEY_STORE",
+ *   "XksKeyId": "bb8562717f809024"
+ * };
+ * const command = new CreateKeyCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyMetadata": {
+ *     "AWSAccountId": "111122223333",
+ *     "Arn": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
+ *     "CreationDate": "2022-02-02T07:48:55-07:00",
+ *     "CustomKeyStoreId": "cks-9876543210fedcba9",
+ *     "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+ *     "Description": "",
+ *     "Enabled": true,
+ *     "EncryptionAlgorithms": [
+ *       "SYMMETRIC_DEFAULT"
+ *     ],
+ *     "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
+ *     "KeyManager": "CUSTOMER",
+ *     "KeySpec": "SYMMETRIC_DEFAULT",
+ *     "KeyState": "Enabled",
+ *     "KeyUsage": "ENCRYPT_DECRYPT",
+ *     "MultiRegion": false,
+ *     "Origin": "EXTERNAL_KEY_STORE",
+ *     "XksKeyConfiguration": {
+ *       "Id": "bb8562717f809024"
+ *     }
+ *   }
+ * }
+ * *\/
+ * // example id: to-create-a-kms-key-in-an-external-custom-key-store-7
+ * ```
+ *
  */
 export declare class CreateKeyCommand extends $Command<CreateKeyCommandInput, CreateKeyCommandOutput, KMSClientResolvedConfig> {
     readonly input: CreateKeyCommandInput;

package/dist-types/commands/DecryptCommand.d.ts

@@ -116,6 +116,100 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  * @see {@link DecryptCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link DisabledException} (client fault)
+ *  <p>The request was rejected because the specified KMS key is not enabled.</p>
+ *
+ * @throws {@link IncorrectKeyException} (client fault)
+ *  <p>The request was rejected because the specified KMS key cannot decrypt the data. The
+ *         <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code>
+ *       in a <a>ReEncrypt</a> request must identify the same KMS key that was used to
+ *       encrypt the ciphertext.</p>
+ *
+ * @throws {@link InvalidCiphertextException} (client fault)
+ *  <p>From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request
+ *       was rejected because the specified ciphertext, or additional authenticated data incorporated
+ *       into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise
+ *       invalid.</p>
+ *          <p>From the <a>ImportKeyMaterial</a> operation, the request was rejected because
+ *       KMS could not decrypt the encrypted (wrapped) key material. </p>
+ *
+ * @throws {@link InvalidGrantTokenException} (client fault)
+ *  <p>The request was rejected because the specified grant token is not valid.</p>
+ *
+ * @throws {@link InvalidKeyUsageException} (client fault)
+ *  <p>The request was rejected for one of the following reasons: </p>
+ *          <ul>
+ *             <li>
+ *                <p>The <code>KeyUsage</code> value of the KMS key is incompatible with the API
+ *           operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The encryption algorithm or signing algorithm specified for the operation is
+ *           incompatible with the type of key material in the KMS key <code>(KeySpec</code>).</p>
+ *             </li>
+ *          </ul>
+ *          <p>For encrypting, decrypting, re-encrypting, and generating data keys, the
+ *         <code>KeyUsage</code> must be <code>ENCRYPT_DECRYPT</code>. For signing and verifying
+ *       messages, the <code>KeyUsage</code> must be <code>SIGN_VERIFY</code>. For generating and
+ *       verifying message authentication codes (MACs), the <code>KeyUsage</code> must be
+ *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a KMS key, use the
+ *         <a>DescribeKey</a> operation.</p>
+ *          <p>To find the encryption or signing algorithms supported for a particular KMS key, use the
+ *         <a>DescribeKey</a> operation.</p>
+ *
+ * @throws {@link KeyUnavailableException} (server fault)
+ *  <p>The request was rejected because the specified KMS key was not available. You can retry
+ *       the request.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To decrypt data
+ * ```javascript
+ * // The following example decrypts data that was encrypted with a KMS key.
+ * const input = {
+ *   "CiphertextBlob": "<binary data>",
+ *   "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ * };
+ * const command = new DecryptCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   "Plaintext": "<binary data>"
+ * }
+ * *\/
+ * // example id: to-decrypt-data-1478281622886
+ * ```
+ *
  */
 export declare class DecryptCommand extends $Command<DecryptCommandInput, DecryptCommandOutput, KMSClientResolvedConfig> {
     readonly input: DecryptCommandInput;

package/dist-types/commands/DeleteAliasCommand.d.ts

@@ -76,6 +76,48 @@ export interface DeleteAliasCommandOutput extends __MetadataBearer {
  * @see {@link DeleteAliasCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To delete an alias
+ * ```javascript
+ * // The following example deletes the specified alias.
+ * const input = {
+ *   "AliasName": "alias/ExampleAlias"
+ * };
+ * const command = new DeleteAliasCommand(input);
+ * await client.send(command);
+ * // example id: to-delete-an-alias-1478285209338
+ * ```
+ *
  */
 export declare class DeleteAliasCommand extends $Command<DeleteAliasCommandInput, DeleteAliasCommandOutput, KMSClientResolvedConfig> {
     readonly input: DeleteAliasCommandInput;

package/dist-types/commands/DeleteCustomKeyStoreCommand.d.ts

@@ -87,6 +87,68 @@ export interface DeleteCustomKeyStoreCommandOutput extends DeleteCustomKeyStoreR
  * @see {@link DeleteCustomKeyStoreCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CustomKeyStoreHasCMKsException} (client fault)
+ *  <p>The request was rejected because the custom key store contains KMS keys. After verifying
+ *       that you do not need to use the KMS keys, use the <a>ScheduleKeyDeletion</a>
+ *       operation to delete the KMS keys. After they are deleted, you can delete the custom key
+ *       store.</p>
+ *
+ * @throws {@link CustomKeyStoreInvalidStateException} (client fault)
+ *  <p>The request was rejected because of the <code>ConnectionState</code> of the custom key
+ *       store. To get the <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p>This exception is thrown under the following conditions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>You requested the <a>ConnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>FAILED</code>. This operation is valid for all other <code>ConnectionState</code>
+ *           values. To reconnect a custom key store in a <code>FAILED</code> state, disconnect it
+ *             (<a>DisconnectCustomKeyStore</a>), then connect it
+ *             (<code>ConnectCustomKeyStore</code>).</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>CreateKey</a> operation in a custom key store that is
+ *           not connected. This operations is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>DISCONNECTED</code>. This operation is valid for all other
+ *             <code>ConnectionState</code> values.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key store that is not
+ *           disconnected. This operation is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>DISCONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>GenerateRandom</a> operation in an CloudHSM key store
+ *           that is not connected. This operation is valid only when the CloudHSM key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>. </p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link CustomKeyStoreNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find a custom key store with the specified
+ *       key store name or ID.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ *
+ * @example To delete a custom key store from AWS KMS
+ * ```javascript
+ * // This example deletes a custom key store from AWS KMS. This operation does not affect the backing key store, such as a CloudHSM cluster, external key store proxy, or your external key manager. This operation doesn't return any data. To verify that the operation was successful, use the DescribeCustomKeyStores operation.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0"
+ * };
+ * const command = new DeleteCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-delete-a-custom-key-store-from-aws-kms-1628630837145
+ * ```
+ *
  */
 export declare class DeleteCustomKeyStoreCommand extends $Command<DeleteCustomKeyStoreCommandInput, DeleteCustomKeyStoreCommandOutput, KMSClientResolvedConfig> {
     readonly input: DeleteCustomKeyStoreCommandInput;