npm - @aws-sdk/client-kms - Versions diffs - 3.289.0 → 3.290.0 - Mend

@aws-sdk/client-kms 3.289.0 → 3.290.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist-types/commands/CancelKeyDeletionCommand.d.ts CHANGED Viewed

@@ -41,6 +41,41 @@ export interface CancelKeyDeletionCommandOutput extends CancelKeyDeletionRespons
  * @see {@link CancelKeyDeletionCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
  * @example To cancel deletion of a KMS key
  * ```javascript
  * // The following example cancels deletion of the specified KMS key.

package/dist-types/commands/ConnectCustomKeyStoreCommand.d.ts CHANGED Viewed

@@ -115,6 +115,91 @@ export interface ConnectCustomKeyStoreCommandOutput extends ConnectCustomKeyStor
  * @see {@link ConnectCustomKeyStoreCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CloudHsmClusterNotActiveException} (client fault)
+ *  <p>The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is
+ *       not active. Initialize and activate the cluster and try the command again. For detailed
+ *       instructions, see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting
+ *         Started</a> in the <i>CloudHSM User Guide</i>.</p>
+ *
+ * @throws {@link CustomKeyStoreInvalidStateException} (client fault)
+ *  <p>The request was rejected because of the <code>ConnectionState</code> of the custom key
+ *       store. To get the <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p>This exception is thrown under the following conditions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>You requested the <a>ConnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>FAILED</code>. This operation is valid for all other <code>ConnectionState</code>
+ *           values. To reconnect a custom key store in a <code>FAILED</code> state, disconnect it
+ *             (<a>DisconnectCustomKeyStore</a>), then connect it
+ *             (<code>ConnectCustomKeyStore</code>).</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>CreateKey</a> operation in a custom key store that is
+ *           not connected. This operations is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>DISCONNECTED</code>. This operation is valid for all other
+ *             <code>ConnectionState</code> values.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key store that is not
+ *           disconnected. This operation is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>DISCONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>GenerateRandom</a> operation in an CloudHSM key store
+ *           that is not connected. This operation is valid only when the CloudHSM key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>. </p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link CustomKeyStoreNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find a custom key store with the specified
+ *       key store name or ID.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ *
  * @example To connect a custom key store
  * ```javascript
  * // This example connects an AWS KMS custom key store to its backing key store. For an AWS CloudHSM key store, it connects the key store to its AWS CloudHSM cluster. For an external key store, it connects the key store to the external key store proxy that communicates with your external key manager. This operation does not return any data. To verify that the custom key store is connected, use the <code>DescribeCustomKeyStores</code> operation.

package/dist-types/commands/CreateAliasCommand.d.ts CHANGED Viewed

@@ -85,6 +85,48 @@ export interface CreateAliasCommandOutput extends __MetadataBearer {
  * @see {@link CreateAliasCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link AlreadyExistsException} (client fault)
+ *  <p>The request was rejected because it attempted to create a resource that already
+ *       exists.</p>
+ *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidAliasNameException} (client fault)
+ *  <p>The request was rejected because the specified alias name is not valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
  * @example To create an alias
  * ```javascript
  * // The following example creates an alias for the specified KMS key.

package/dist-types/commands/CreateCustomKeyStoreCommand.d.ts CHANGED Viewed

@@ -116,6 +116,131 @@ export interface CreateCustomKeyStoreCommandOutput extends CreateCustomKeyStoreR
  * @see {@link CreateCustomKeyStoreCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInUseException} (client fault)
+ *  <p>The request was rejected because the specified CloudHSM cluster is already associated with an
+ *       CloudHSM key store in the account, or it shares a backup history with an CloudHSM key store in the
+ *       account. Each CloudHSM key store in the account must be associated with a different CloudHSM
+ *       cluster.</p>
+ *          <p>CloudHSM clusters that share a backup history have the same cluster certificate. To view the
+ *       cluster certificate of an CloudHSM cluster, use the <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a> operation.</p>
+ *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CloudHsmClusterNotActiveException} (client fault)
+ *  <p>The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is
+ *       not active. Initialize and activate the cluster and try the command again. For detailed
+ *       instructions, see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting
+ *         Started</a> in the <i>CloudHSM User Guide</i>.</p>
+ *
+ * @throws {@link CloudHsmClusterNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find the CloudHSM cluster with the specified
+ *       cluster ID. Retry the request with a different cluster ID.</p>
+ *
+ * @throws {@link CustomKeyStoreNameInUseException} (client fault)
+ *  <p>The request was rejected because the specified custom key store name is already assigned
+ *       to another custom key store in the account. Try again with a custom key store name that is
+ *       unique in the account.</p>
+ *
+ * @throws {@link IncorrectTrustAnchorException} (client fault)
+ *  <p>The request was rejected because the trust anchor certificate in the request to create an
+ *       CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster.</p>
+ *          <p>When you <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr">initialize the CloudHSM cluster</a>, you create the trust anchor certificate and save it
+ *       in the <code>customerCA.crt</code> file.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link XksProxyIncorrectAuthenticationCredentialException} (client fault)
+ *  <p>The request was rejected because the proxy credentials failed to authenticate to the
+ *       specified external key store proxy. The specified external key store proxy rejected a status
+ *       request from KMS due to invalid credentials. This can indicate an error in the credentials
+ *       or in the identification of the external key store proxy.</p>
+ *
+ * @throws {@link XksProxyInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
+ *       the requirements for an external key store proxy. For details, see the exception
+ *       message.</p>
+ *
+ * @throws {@link XksProxyInvalidResponseException} (client fault)
+ *  <p></p>
+ *          <p>KMS cannot interpret the response it received from the external key store proxy. The
+ *       problem might be a poorly constructed response, but it could also be a transient network
+ *       issue. If you see this error repeatedly, report it to the proxy vendor.</p>
+ *
+ * @throws {@link XksProxyUriEndpointInUseException} (client fault)
+ *  <p>The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code>
+ *       is already associated with an external key store in the Amazon Web Services account and Region. Each
+ *       external key store in an account and Region must use a unique external key store proxy
+ *       address.</p>
+ *
+ * @throws {@link XksProxyUriInUseException} (client fault)
+ *  <p>The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code>
+ *       and <code>XksProxyUriPath</code> is already associated with an external key store in the
+ *       Amazon Web Services account and Region. Each external key store in an account and Region must use a unique
+ *       external key store proxy API address.</p>
+ *
+ * @throws {@link XksProxyUriUnreachableException} (client fault)
+ *  <p>KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be
+ *       reachable before you create the external key store or update its settings.</p>
+ *          <p>This exception is also thrown when the external key store proxy response to a <code>GetHealthStatus</code>
+ *       request indicates that all external key manager instances are unavailable.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceInUseException} (client fault)
+ *  <p>The request was rejected because the specified Amazon VPC endpoint service is already
+ *       associated with an external key store in the Amazon Web Services account and Region. Each external key store
+ *       in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
+ *       the requirements for an external key store proxy. For details, see the exception message and
+ *         <a href="kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements">review the requirements</a> for Amazon VPC endpoint service connectivity for an external key
+ *       store.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS could not find the specified VPC endpoint service.
+ *       Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the
+ *       external key store. Also, confirm that the <code>Allow principals</code> list for the VPC
+ *       endpoint service includes the KMS service principal for the Region, such as
+ *         <code>cks.kms.us-east-1.amazonaws.com</code>.</p>
+ *
+ *
  * @example To create an AWS CloudHSM key store
  * ```javascript
  * // This example creates a custom key store that is associated with an AWS CloudHSM cluster.

package/dist-types/commands/CreateGrantCommand.d.ts CHANGED Viewed

@@ -90,6 +90,51 @@ export interface CreateGrantCommandOutput extends CreateGrantResponse, __Metadat
  * @see {@link CreateGrantCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link DisabledException} (client fault)
+ *  <p>The request was rejected because the specified KMS key is not enabled.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link InvalidGrantTokenException} (client fault)
+ *  <p>The request was rejected because the specified grant token is not valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
  * @example To create a grant
  * ```javascript
  * // The following example creates a grant that allows the specified IAM role to encrypt data with the specified KMS key.

package/dist-types/commands/CreateKeyCommand.d.ts CHANGED Viewed

@@ -195,6 +195,128 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  * @see {@link CreateKeyCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CustomKeyStoreInvalidStateException} (client fault)
+ *  <p>The request was rejected because of the <code>ConnectionState</code> of the custom key
+ *       store. To get the <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p>This exception is thrown under the following conditions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>You requested the <a>ConnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>FAILED</code>. This operation is valid for all other <code>ConnectionState</code>
+ *           values. To reconnect a custom key store in a <code>FAILED</code> state, disconnect it
+ *             (<a>DisconnectCustomKeyStore</a>), then connect it
+ *             (<code>ConnectCustomKeyStore</code>).</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>CreateKey</a> operation in a custom key store that is
+ *           not connected. This operations is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>DISCONNECTED</code>. This operation is valid for all other
+ *             <code>ConnectionState</code> values.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key store that is not
+ *           disconnected. This operation is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>DISCONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>GenerateRandom</a> operation in an CloudHSM key store
+ *           that is not connected. This operation is valid only when the CloudHSM key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>. </p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link CustomKeyStoreNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find a custom key store with the specified
+ *       key store name or ID.</p>
+ *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link MalformedPolicyDocumentException} (client fault)
+ *  <p>The request was rejected because the specified policy is not syntactically or semantically
+ *       correct.</p>
+ *
+ * @throws {@link TagException} (client fault)
+ *  <p>The request was rejected because one or more tags are not valid.</p>
+ *
+ * @throws {@link UnsupportedOperationException} (client fault)
+ *  <p>The request was rejected because a specified parameter is not supported or a specified
+ *       resource is not valid for this operation.</p>
+ *
+ * @throws {@link XksKeyAlreadyInUseException} (client fault)
+ *  <p>The request was rejected because the (<code>XksKeyId</code>) is already associated with a
+ *       KMS key in this external key store. Each KMS key in an external key store must be associated
+ *       with a different external key.</p>
+ *
+ * @throws {@link XksKeyInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the external key specified by the <code>XksKeyId</code>
+ *       parameter did not meet the configuration requirements for an external key store.</p>
+ *          <p>The external key must be an AES-256 symmetric key that is enabled and performs encryption
+ *       and decryption.</p>
+ *
+ * @throws {@link XksKeyNotFoundException} (client fault)
+ *  <p>The request was rejected because the external key store proxy could not find the external key. This
+ *       exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't identify a
+ *       key in the external key manager associated with the external key proxy.</p>
+ *          <p>Verify that the <code>XksKeyId</code> represents an existing key in the external key
+ *       manager. Use the key identifier that the external key store proxy uses to identify the key.
+ *       For details, see the documentation provided with your external key store proxy or key
+ *       manager.</p>
+ *
+ *
  * @example To create a KMS key
  * ```javascript
  * // The following example creates a symmetric KMS key for encryption and decryption. No parameters are required for this operation.

package/dist-types/commands/DecryptCommand.d.ts CHANGED Viewed

@@ -116,6 +116,82 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  * @see {@link DecryptCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link DisabledException} (client fault)
+ *  <p>The request was rejected because the specified KMS key is not enabled.</p>
+ *
+ * @throws {@link IncorrectKeyException} (client fault)
+ *  <p>The request was rejected because the specified KMS key cannot decrypt the data. The
+ *         <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code>
+ *       in a <a>ReEncrypt</a> request must identify the same KMS key that was used to
+ *       encrypt the ciphertext.</p>
+ *
+ * @throws {@link InvalidCiphertextException} (client fault)
+ *  <p>From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request
+ *       was rejected because the specified ciphertext, or additional authenticated data incorporated
+ *       into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise
+ *       invalid.</p>
+ *          <p>From the <a>ImportKeyMaterial</a> operation, the request was rejected because
+ *       KMS could not decrypt the encrypted (wrapped) key material. </p>
+ *
+ * @throws {@link InvalidGrantTokenException} (client fault)
+ *  <p>The request was rejected because the specified grant token is not valid.</p>
+ *
+ * @throws {@link InvalidKeyUsageException} (client fault)
+ *  <p>The request was rejected for one of the following reasons: </p>
+ *          <ul>
+ *             <li>
+ *                <p>The <code>KeyUsage</code> value of the KMS key is incompatible with the API
+ *           operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The encryption algorithm or signing algorithm specified for the operation is
+ *           incompatible with the type of key material in the KMS key <code>(KeySpec</code>).</p>
+ *             </li>
+ *          </ul>
+ *          <p>For encrypting, decrypting, re-encrypting, and generating data keys, the
+ *         <code>KeyUsage</code> must be <code>ENCRYPT_DECRYPT</code>. For signing and verifying
+ *       messages, the <code>KeyUsage</code> must be <code>SIGN_VERIFY</code>. For generating and
+ *       verifying message authentication codes (MACs), the <code>KeyUsage</code> must be
+ *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a KMS key, use the
+ *         <a>DescribeKey</a> operation.</p>
+ *          <p>To find the encryption or signing algorithms supported for a particular KMS key, use the
+ *         <a>DescribeKey</a> operation.</p>
+ *
+ * @throws {@link KeyUnavailableException} (server fault)
+ *  <p>The request was rejected because the specified KMS key was not available. You can retry
+ *       the request.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
  * @example To decrypt data
  * ```javascript
  * // The following example decrypts data that was encrypted with a KMS key.

package/dist-types/commands/DeleteAliasCommand.d.ts CHANGED Viewed

@@ -76,6 +76,37 @@ export interface DeleteAliasCommandOutput extends __MetadataBearer {
  * @see {@link DeleteAliasCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
  * @example To delete an alias
  * ```javascript
  * // The following example deletes the specified alias.