npm - @aws-sdk/client-kms - Versions diffs - 3.321.1 → 3.324.0 - Mend

@aws-sdk/client-kms 3.321.1 → 3.324.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist-cjs/models/models_0.js +4 -1
package/dist-cjs/protocols/Aws_json1_1.js +40 -3
package/dist-es/models/models_0.js +3 -0
package/dist-es/protocols/Aws_json1_1.js +40 -3
package/dist-types/commands/DecryptCommand.d.ts +11 -1
package/dist-types/commands/GenerateDataKeyCommand.d.ts +13 -1
package/dist-types/commands/GenerateDataKeyPairCommand.d.ts +13 -0
package/dist-types/commands/GenerateDataKeyWithoutPlaintextCommand.d.ts +1 -1
package/dist-types/commands/GenerateRandomCommand.d.ts +11 -1
package/dist-types/models/models_0.d.ts +204 -19
package/dist-types/ts3.4/models/models_0.d.ts +17 -0
package/package.json +1 -1

package/dist-cjs/models/models_0.js CHANGED Viewed

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.XksKeyInvalidConfigurationException = exports.XksKeyAlreadyInUseException = exports.UnsupportedOperationException = exports.TagException = exports.MalformedPolicyDocumentException = exports.SigningAlgorithmSpec = exports.MultiRegionKeyType = exports.MacAlgorithmSpec = exports.KeyState = exports.KeyManagerType = exports.ExpirationModelType = exports.EncryptionAlgorithmSpec = exports.OriginType = exports.KeyUsageType = exports.KeySpec = exports.CustomerMasterKeySpec = exports.InvalidGrantTokenException = exports.DisabledException = exports.GrantOperation = exports.XksProxyVpcEndpointServiceNotFoundException = exports.XksProxyVpcEndpointServiceInvalidConfigurationException = exports.XksProxyVpcEndpointServiceInUseException = exports.XksProxyUriUnreachableException = exports.XksProxyUriInUseException = exports.XksProxyUriEndpointInUseException = exports.XksProxyInvalidResponseException = exports.XksProxyInvalidConfigurationException = exports.XksProxyIncorrectAuthenticationCredentialException = exports.IncorrectTrustAnchorException = exports.CustomKeyStoreNameInUseException = exports.XksProxyConnectivityType = exports.CustomKeyStoreType = exports.LimitExceededException = exports.InvalidAliasNameException = exports.ConnectionStateType = exports.ConnectionErrorCodeType = exports.CustomKeyStoreNotFoundException = exports.CustomKeyStoreInvalidStateException = exports.CloudHsmClusterNotRelatedException = exports.CloudHsmClusterNotFoundException = exports.CloudHsmClusterNotActiveException = exports.CloudHsmClusterInvalidConfigurationException = exports.CloudHsmClusterInUseException = exports.NotFoundException = exports.KMSInvalidStateException = exports.KMSInternalException = exports.InvalidArnException = exports.DependencyTimeoutException = exports.AlreadyExistsException = exports.AlgorithmSpec = void 0;
-exports.VerifyMacRequestFilterSensitiveLog = exports.VerifyRequestFilterSensitiveLog = exports.UpdateCustomKeyStoreRequestFilterSensitiveLog = exports.SignRequestFilterSensitiveLog = exports.GetParametersForImportResponseFilterSensitiveLog = exports.GenerateRandomResponseFilterSensitiveLog = exports.GenerateMacRequestFilterSensitiveLog = exports.GenerateDataKeyPairResponseFilterSensitiveLog = exports.GenerateDataKeyResponseFilterSensitiveLog = exports.EncryptRequestFilterSensitiveLog = exports.DescribeCustomKeyStoresResponseFilterSensitiveLog = exports.DecryptResponseFilterSensitiveLog = exports.CustomKeyStoresListEntryFilterSensitiveLog = exports.XksProxyConfigurationTypeFilterSensitiveLog = exports.CreateCustomKeyStoreRequestFilterSensitiveLog = exports.XksProxyAuthenticationCredentialTypeFilterSensitiveLog = exports.MessageType = exports.KMSInvalidSignatureException = exports.KMSInvalidMacException = exports.InvalidGrantIdException = exports.InvalidImportTokenException = exports.IncorrectKeyMaterialException = exports.WrappingKeySpec = exports.ExpiredImportTokenException = exports.InvalidMarkerException = exports.KeyUnavailableException = exports.InvalidKeyUsageException = exports.InvalidCiphertextException = exports.IncorrectKeyException = exports.DataKeySpec = exports.DataKeyPairSpec = exports.CustomKeyStoreHasCMKsException = exports.XksKeyNotFoundException = void 0;
+exports.VerifyMacRequestFilterSensitiveLog = exports.VerifyRequestFilterSensitiveLog = exports.UpdateCustomKeyStoreRequestFilterSensitiveLog = exports.SignRequestFilterSensitiveLog = exports.GetParametersForImportResponseFilterSensitiveLog = exports.GenerateRandomResponseFilterSensitiveLog = exports.GenerateMacRequestFilterSensitiveLog = exports.GenerateDataKeyPairResponseFilterSensitiveLog = exports.GenerateDataKeyResponseFilterSensitiveLog = exports.EncryptRequestFilterSensitiveLog = exports.DescribeCustomKeyStoresResponseFilterSensitiveLog = exports.DecryptResponseFilterSensitiveLog = exports.CustomKeyStoresListEntryFilterSensitiveLog = exports.XksProxyConfigurationTypeFilterSensitiveLog = exports.CreateCustomKeyStoreRequestFilterSensitiveLog = exports.XksProxyAuthenticationCredentialTypeFilterSensitiveLog = exports.MessageType = exports.KMSInvalidSignatureException = exports.KMSInvalidMacException = exports.InvalidGrantIdException = exports.InvalidImportTokenException = exports.IncorrectKeyMaterialException = exports.WrappingKeySpec = exports.ExpiredImportTokenException = exports.InvalidMarkerException = exports.KeyUnavailableException = exports.InvalidKeyUsageException = exports.InvalidCiphertextException = exports.IncorrectKeyException = exports.KeyEncryptionMechanism = exports.DataKeySpec = exports.DataKeyPairSpec = exports.CustomKeyStoreHasCMKsException = exports.XksKeyNotFoundException = void 0;
 const smithy_client_1 = require("@aws-sdk/smithy-client");
 const KMSServiceException_1 = require("./KMSServiceException");
 exports.AlgorithmSpec = {
@@ -618,6 +618,9 @@ exports.DataKeySpec = {
     AES_128: "AES_128",
     AES_256: "AES_256",
 };
+exports.KeyEncryptionMechanism = {
+    RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256",
+};
 class IncorrectKeyException extends KMSServiceException_1.KMSServiceException {
     constructor(opts) {
         super({

package/dist-cjs/protocols/Aws_json1_1.js CHANGED Viewed

@@ -135,14 +135,14 @@ exports.se_EncryptCommand = se_EncryptCommand;
 const se_GenerateDataKeyCommand = async (input, context) => {
     const headers = sharedHeaders("GenerateDataKey");
     let body;
-    body = JSON.stringify((0, smithy_client_1._json)(input));
+    body = JSON.stringify(se_GenerateDataKeyRequest(input, context));
     return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 exports.se_GenerateDataKeyCommand = se_GenerateDataKeyCommand;
 const se_GenerateDataKeyPairCommand = async (input, context) => {
     const headers = sharedHeaders("GenerateDataKeyPair");
     let body;
-    body = JSON.stringify((0, smithy_client_1._json)(input));
+    body = JSON.stringify(se_GenerateDataKeyPairRequest(input, context));
     return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 exports.se_GenerateDataKeyPairCommand = se_GenerateDataKeyPairCommand;
@@ -170,7 +170,7 @@ exports.se_GenerateMacCommand = se_GenerateMacCommand;
 const se_GenerateRandomCommand = async (input, context) => {
     const headers = sharedHeaders("GenerateRandom");
     let body;
-    body = JSON.stringify((0, smithy_client_1._json)(input));
+    body = JSON.stringify(se_GenerateRandomRequest(input, context));
     return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 exports.se_GenerateRandomCommand = se_GenerateRandomCommand;
@@ -3279,6 +3279,7 @@ const se_DecryptRequest = (input, context) => {
         EncryptionContext: smithy_client_1._json,
         GrantTokens: smithy_client_1._json,
         KeyId: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
     });
 };
 const se_EncryptRequest = (input, context) => {
@@ -3290,6 +3291,25 @@ const se_EncryptRequest = (input, context) => {
         Plaintext: context.base64Encoder,
     });
 };
+const se_GenerateDataKeyPairRequest = (input, context) => {
+    return (0, smithy_client_1.take)(input, {
+        EncryptionContext: smithy_client_1._json,
+        GrantTokens: smithy_client_1._json,
+        KeyId: [],
+        KeyPairSpec: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
+    });
+};
+const se_GenerateDataKeyRequest = (input, context) => {
+    return (0, smithy_client_1.take)(input, {
+        EncryptionContext: smithy_client_1._json,
+        GrantTokens: smithy_client_1._json,
+        KeyId: [],
+        KeySpec: [],
+        NumberOfBytes: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
+    });
+};
 const se_GenerateMacRequest = (input, context) => {
     return (0, smithy_client_1.take)(input, {
         GrantTokens: smithy_client_1._json,
@@ -3298,6 +3318,13 @@ const se_GenerateMacRequest = (input, context) => {
         Message: context.base64Encoder,
     });
 };
+const se_GenerateRandomRequest = (input, context) => {
+    return (0, smithy_client_1.take)(input, {
+        CustomKeyStoreId: [],
+        NumberOfBytes: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
+    });
+};
 const se_ImportKeyMaterialRequest = (input, context) => {
     return (0, smithy_client_1.take)(input, {
         EncryptedKeyMaterial: context.base64Encoder,
@@ -3307,6 +3334,12 @@ const se_ImportKeyMaterialRequest = (input, context) => {
         ValidTo: (_) => Math.round(_.getTime() / 1000),
     });
 };
+const se_RecipientInfo = (input, context) => {
+    return (0, smithy_client_1.take)(input, {
+        AttestationDocument: context.base64Encoder,
+        KeyEncryptionAlgorithm: [],
+    });
+};
 const se_ReEncryptRequest = (input, context) => {
     return (0, smithy_client_1.take)(input, {
         CiphertextBlob: context.base64Encoder,
@@ -3392,6 +3425,7 @@ const de_CustomKeyStoresListEntry = (output, context) => {
 };
 const de_DecryptResponse = (output, context) => {
     return (0, smithy_client_1.take)(output, {
+        CiphertextForRecipient: context.base64Decoder,
         EncryptionAlgorithm: smithy_client_1.expectString,
         KeyId: smithy_client_1.expectString,
         Plaintext: context.base64Decoder,
@@ -3418,6 +3452,7 @@ const de_EncryptResponse = (output, context) => {
 };
 const de_GenerateDataKeyPairResponse = (output, context) => {
     return (0, smithy_client_1.take)(output, {
+        CiphertextForRecipient: context.base64Decoder,
         KeyId: smithy_client_1.expectString,
         KeyPairSpec: smithy_client_1.expectString,
         PrivateKeyCiphertextBlob: context.base64Decoder,
@@ -3436,6 +3471,7 @@ const de_GenerateDataKeyPairWithoutPlaintextResponse = (output, context) => {
 const de_GenerateDataKeyResponse = (output, context) => {
     return (0, smithy_client_1.take)(output, {
         CiphertextBlob: context.base64Decoder,
+        CiphertextForRecipient: context.base64Decoder,
         KeyId: smithy_client_1.expectString,
         Plaintext: context.base64Decoder,
     });
@@ -3455,6 +3491,7 @@ const de_GenerateMacResponse = (output, context) => {
 };
 const de_GenerateRandomResponse = (output, context) => {
     return (0, smithy_client_1.take)(output, {
+        CiphertextForRecipient: context.base64Decoder,
         Plaintext: context.base64Decoder,
     });
 };

package/dist-es/models/models_0.js CHANGED Viewed

@@ -579,6 +579,9 @@ export const DataKeySpec = {
     AES_128: "AES_128",
     AES_256: "AES_256",
 };
+export const KeyEncryptionMechanism = {
+    RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256",
+};
 export class IncorrectKeyException extends __BaseException {
     constructor(opts) {
         super({

package/dist-es/protocols/Aws_json1_1.js CHANGED Viewed

@@ -113,13 +113,13 @@ export const se_EncryptCommand = async (input, context) => {
 export const se_GenerateDataKeyCommand = async (input, context) => {
     const headers = sharedHeaders("GenerateDataKey");
     let body;
-    body = JSON.stringify(_json(input));
+    body = JSON.stringify(se_GenerateDataKeyRequest(input, context));
     return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 export const se_GenerateDataKeyPairCommand = async (input, context) => {
     const headers = sharedHeaders("GenerateDataKeyPair");
     let body;
-    body = JSON.stringify(_json(input));
+    body = JSON.stringify(se_GenerateDataKeyPairRequest(input, context));
     return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 export const se_GenerateDataKeyPairWithoutPlaintextCommand = async (input, context) => {
@@ -143,7 +143,7 @@ export const se_GenerateMacCommand = async (input, context) => {
 export const se_GenerateRandomCommand = async (input, context) => {
     const headers = sharedHeaders("GenerateRandom");
     let body;
-    body = JSON.stringify(_json(input));
+    body = JSON.stringify(se_GenerateRandomRequest(input, context));
     return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 export const se_GetKeyPolicyCommand = async (input, context) => {
@@ -3175,6 +3175,7 @@ const se_DecryptRequest = (input, context) => {
         EncryptionContext: _json,
         GrantTokens: _json,
         KeyId: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
     });
 };
 const se_EncryptRequest = (input, context) => {
@@ -3186,6 +3187,25 @@ const se_EncryptRequest = (input, context) => {
         Plaintext: context.base64Encoder,
     });
 };
+const se_GenerateDataKeyPairRequest = (input, context) => {
+    return take(input, {
+        EncryptionContext: _json,
+        GrantTokens: _json,
+        KeyId: [],
+        KeyPairSpec: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
+    });
+};
+const se_GenerateDataKeyRequest = (input, context) => {
+    return take(input, {
+        EncryptionContext: _json,
+        GrantTokens: _json,
+        KeyId: [],
+        KeySpec: [],
+        NumberOfBytes: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
+    });
+};
 const se_GenerateMacRequest = (input, context) => {
     return take(input, {
         GrantTokens: _json,
@@ -3194,6 +3214,13 @@ const se_GenerateMacRequest = (input, context) => {
         Message: context.base64Encoder,
     });
 };
+const se_GenerateRandomRequest = (input, context) => {
+    return take(input, {
+        CustomKeyStoreId: [],
+        NumberOfBytes: [],
+        Recipient: (_) => se_RecipientInfo(_, context),
+    });
+};
 const se_ImportKeyMaterialRequest = (input, context) => {
     return take(input, {
         EncryptedKeyMaterial: context.base64Encoder,
@@ -3203,6 +3230,12 @@ const se_ImportKeyMaterialRequest = (input, context) => {
         ValidTo: (_) => Math.round(_.getTime() / 1000),
     });
 };
+const se_RecipientInfo = (input, context) => {
+    return take(input, {
+        AttestationDocument: context.base64Encoder,
+        KeyEncryptionAlgorithm: [],
+    });
+};
 const se_ReEncryptRequest = (input, context) => {
     return take(input, {
         CiphertextBlob: context.base64Encoder,
@@ -3288,6 +3321,7 @@ const de_CustomKeyStoresListEntry = (output, context) => {
 };
 const de_DecryptResponse = (output, context) => {
     return take(output, {
+        CiphertextForRecipient: context.base64Decoder,
         EncryptionAlgorithm: __expectString,
         KeyId: __expectString,
         Plaintext: context.base64Decoder,
@@ -3314,6 +3348,7 @@ const de_EncryptResponse = (output, context) => {
 };
 const de_GenerateDataKeyPairResponse = (output, context) => {
     return take(output, {
+        CiphertextForRecipient: context.base64Decoder,
         KeyId: __expectString,
         KeyPairSpec: __expectString,
         PrivateKeyCiphertextBlob: context.base64Decoder,
@@ -3332,6 +3367,7 @@ const de_GenerateDataKeyPairWithoutPlaintextResponse = (output, context) => {
 const de_GenerateDataKeyResponse = (output, context) => {
     return take(output, {
         CiphertextBlob: context.base64Decoder,
+        CiphertextForRecipient: context.base64Decoder,
         KeyId: __expectString,
         Plaintext: context.base64Decoder,
     });
@@ -3351,6 +3387,7 @@ const de_GenerateMacResponse = (output, context) => {
 };
 const de_GenerateRandomResponse = (output, context) => {
     return take(output, {
+        CiphertextForRecipient: context.base64Decoder,
         Plaintext: context.base64Decoder,
     });
 };

package/dist-types/commands/DecryptCommand.d.ts CHANGED Viewed

@@ -73,7 +73,13 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *       an IAM policy for <code>Decrypt</code> permissions, limit the user to particular KMS keys or
  *       particular trusted accounts. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best practices for IAM
  *         policies</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>
+ *             <code>Decrypt</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
+ *       isolated compute environment in Amazon EC2. To call <code>Decrypt</code> for a Nitro enclave, use
+ *       the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
+ *       attestation document for the enclave. Instead of the plaintext data, the response includes the
+ *       plaintext data encrypted with the public key from the attestation document
+ *       (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
@@ -123,6 +129,10 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *   ],
  *   KeyId: "STRING_VALUE",
  *   EncryptionAlgorithm: "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
+ *   Recipient: { // RecipientInfo
+ *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
+ *     AttestationDocument: "BLOB_VALUE",
+ *   },
  * };
  * const command = new DecryptCommand(input);
  * const response = await client.send(command);

package/dist-types/commands/GenerateDataKeyCommand.d.ts CHANGED Viewed

@@ -41,7 +41,15 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
  *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
- *          <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>
+ *             <code>GenerateDataKey</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
+ *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> for an Amazon Web Services Nitro
+ *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
+ *       to provide the attestation document for the enclave. <code>GenerateDataKey</code> returns a
+ *       copy of the data key encrypted under the specified KMS key, as usual. But instead of a
+ *       plaintext copy of the data key, the response includes a copy of the data key encrypted under
+ *       the public key from the attestation document (<code>CiphertextForRecipient</code>).
+ *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
@@ -129,6 +137,10 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
+ *   Recipient: { // RecipientInfo
+ *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
+ *     AttestationDocument: "BLOB_VALUE",
+ *   },
  * };
  * const command = new GenerateDataKeyCommand(input);
  * const response = await client.send(command);

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts CHANGED Viewed

@@ -48,6 +48,15 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *       to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as
  *       specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>. The private
  *       key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>.</p>
+ *          <p>
+ *             <code>GenerateDataKeyPair</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
+ *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKeyPair</code> for an Amazon Web Services Nitro
+ *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
+ *       to provide the attestation document for the enclave. <code>GenerateDataKeyPair</code> returns the public data key and a
+ *       copy of the private data key encrypted under the specified KMS key, as usual. But instead of a
+ *       plaintext copy of the private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the private data key encrypted under
+ *       the public key from the attestation document (<code>CiphertextForRecipient</code>).
+ *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
  *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
@@ -105,6 +114,10 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
+ *   Recipient: { // RecipientInfo
+ *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
+ *     AttestationDocument: "BLOB_VALUE",
+ *   },
  * };
  * const command = new GenerateDataKeyPairCommand(input);
  * const response = await client.send(command);

package/dist-types/commands/GenerateDataKeyWithoutPlaintextCommand.d.ts CHANGED Viewed

@@ -44,7 +44,7 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  *       <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
  *       the <code>KeySpec</code> parameter.</p>
  *          <p>To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of
- *       <code>AES_128</code> or <code>NumberOfBytes</code> value of <code>128</code>. The symmetric
+ *         <code>AES_128</code> or <code>NumberOfBytes</code> value of <code>16</code>. The symmetric
  *       encryption key used in China Regions to encrypt your data key is an SM4 encryption key.</p>
  *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
  *         <code>CiphertextBlob</code> field.</p>

package/dist-types/commands/GenerateRandomCommand.d.ts CHANGED Viewed

@@ -25,7 +25,13 @@ export interface GenerateRandomCommandOutput extends GenerateRandomResponse, __M
  *          <p>By default, the random byte string is generated in KMS. To generate the byte string in
  *       the CloudHSM cluster associated with an CloudHSM key store, use the <code>CustomKeyStoreId</code>
  *       parameter.</p>
- *          <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>
+ *             <code>GenerateRandom</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
+ *       isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code> for a Nitro
+ *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
+ *       to provide the attestation document for the enclave. Instead of plaintext bytes, the response
+ *       includes the plaintext bytes encrypted under the public key from the attestation document
+ *       (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>For more information about entropy and random number generation, see
  *       <a href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic Details</a>.</p>
  *          <p>
@@ -43,6 +49,10 @@ export interface GenerateRandomCommandOutput extends GenerateRandomResponse, __M
  * const input = { // GenerateRandomRequest
  *   NumberOfBytes: Number("int"),
  *   CustomKeyStoreId: "STRING_VALUE",
+ *   Recipient: { // RecipientInfo
+ *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
+ *     AttestationDocument: "BLOB_VALUE",
+ *   },
  * };
  * const command = new GenerateRandomCommand(input);
  * const response = await client.send(command);

package/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -394,6 +394,9 @@ export interface CreateAliasRequest {
     /**
      * <p>Specifies the alias name. This value must begin with <code>alias/</code> followed by a
      *       name, such as <code>alias/ExampleAlias</code>. </p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>The <code>AliasName</code> value must be string of 1-256 characters. It can contain only
      *       alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name
      *       cannot begin with <code>alias/aws/</code>. The <code>alias/aws/</code> prefix is reserved for
@@ -500,6 +503,9 @@ export interface CreateCustomKeyStoreRequest {
     /**
      * <p>Specifies a friendly name for the custom key store. The name must be unique in your
      *       Amazon Web Services account and Region. This parameter is required for all custom key stores.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      */
     CustomKeyStoreName: string | undefined;
     /**
@@ -945,19 +951,15 @@ export interface CreateGrantRequest {
      */
     Operations: (GrantOperation | string)[] | undefined;
     /**
-     * <p>Specifies a grant constraint. </p>
+     * <p>Specifies a grant constraint.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>KMS supports the <code>EncryptionContextEquals</code> and
-     *         <code>EncryptionContextSubset</code> grant constraints. Each constraint value can include up
-     *       to 8 encryption context pairs. The encryption context value in each constraint cannot exceed
-     *       384 characters. For information about grant constraints, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints">Using grant
-     *         constraints</a> in the <i>Key Management Service Developer Guide</i>. For more information about encryption context,
-     *       see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption
-     *         context</a> in the <i>
-     *                <i>Key Management Service Developer Guide</i>
-     *             </i>. </p>
-     *          <p>The encryption context grant constraints allow the permissions in the grant only when the
-     *       encryption context in the request matches (<code>EncryptionContextEquals</code>) or includes
-     *         (<code>EncryptionContextSubset</code>) the encryption context specified in this structure. </p>
+     *         <code>EncryptionContextSubset</code> grant constraints, which allow the permissions in the
+     *       grant only when the encryption context in the request matches
+     *         (<code>EncryptionContextEquals</code>) or includes (<code>EncryptionContextSubset</code>)
+     *       the encryption context specified in the constraint. </p>
      *          <p>The encryption context grant constraints are supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">grant operations</a> that include
      *       an <code>EncryptionContext</code> parameter, such as cryptographic operations on symmetric
      *       encryption KMS keys. Grants with grant constraints can include the <a>DescribeKey</a> and <a>RetireGrant</a> operations, but the constraint doesn't apply to these
@@ -965,8 +967,16 @@ export interface CreateGrantRequest {
      *       operation, the constraint requires that any grants created with the <code>CreateGrant</code>
      *       permission have an equally strict or stricter encryption context constraint.</p>
      *          <p>You cannot use an encryption context grant constraint for cryptographic operations with
-     *       asymmetric KMS keys or HMAC KMS keys. These keys don't support an encryption context. </p>
-     *          <p></p>
+     *       asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't support an encryption
+     *       context.</p>
+     *          <p>Each constraint value can include up to 8 encryption context pairs. The encryption context
+     *       value in each constraint cannot exceed 384 characters. For information about grant
+     *       constraints, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints">Using grant
+     *         constraints</a> in the <i>Key Management Service Developer Guide</i>. For more information about encryption context,
+     *       see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption
+     *         context</a> in the <i>
+     *                <i>Key Management Service Developer Guide</i>
+     *             </i>. </p>
      */
     Constraints?: GrantConstraints;
     /**
@@ -978,6 +988,9 @@ export interface CreateGrantRequest {
     /**
      * <p>A friendly name for the grant. Use this value to prevent the unintended creation of
      *       duplicate grants when retrying this request.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>When this value is absent, all <code>CreateGrant</code> requests result in a new grant
      *       with a unique <code>GrantId</code> even if all the supplied parameters are identical. This can
      *       result in unintended duplicates when you retry the <code>CreateGrant</code> request.</p>
@@ -1106,6 +1119,9 @@ export type OriginType = (typeof OriginType)[keyof typeof OriginType];
  * @public
  * <p>A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag values are
  *       both required, but tag values can be empty (null) strings.</p>
+ *          <important>
+ *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+ *          </important>
  *          <p>For information about the rules that apply to tag keys and tag values, see <a href="https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html">User-Defined Tag Restrictions</a> in the <i>Amazon Web Services Billing and Cost Management
  *         User Guide</i>.</p>
  */
@@ -1152,9 +1168,11 @@ export interface CreateKeyRequest {
      */
     Policy?: string;
     /**
-     * <p>A description of the KMS key.</p>
-     *          <p>Use a description that helps you decide whether the KMS key is appropriate for a task. The
+     * <p>A description of the KMS key. Use a description that helps you decide whether the KMS key is appropriate for a task. The
      *       default value is an empty string (no description).</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>To set or change the description after the key is created, use <a>UpdateKeyDescription</a>.</p>
      */
     Description?: string;
@@ -1359,6 +1377,9 @@ export interface CreateKeyRequest {
     /**
      * <p>Assigns one or more tags to the KMS key. Use this parameter to tag the KMS key when it is
      *       created. To tag an existing KMS key, use the <a>TagResource</a> operation.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <note>
      *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          </note>
@@ -2176,6 +2197,36 @@ export declare const DataKeySpec: {
  * @public
  */
 export type DataKeySpec = (typeof DataKeySpec)[keyof typeof DataKeySpec];
+/**
+ * @public
+ * @enum
+ */
+export declare const KeyEncryptionMechanism: {
+    readonly RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256";
+};
+/**
+ * @public
+ */
+export type KeyEncryptionMechanism = (typeof KeyEncryptionMechanism)[keyof typeof KeyEncryptionMechanism];
+/**
+ * @public
+ * <p>Contains information about the party that receives the response from the API
+ *       operation.</p>
+ *          <p>This data type is designed to support Amazon Web Services Nitro Enclaves, which lets you create an isolated
+ *       compute environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ */
+export interface RecipientInfo {
+    /**
+     * <p>The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro Enclave to encrypt plaintext
+     *       values for the response. The only valid value is <code>RSAES_OAEP_SHA_256</code>.</p>
+     */
+    KeyEncryptionAlgorithm?: KeyEncryptionMechanism | string;
+    /**
+     * <p>The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's public
+     *       key.</p>
+     */
+    AttestationDocument?: Uint8Array;
+}
 /**
  * @public
  */
@@ -2241,6 +2292,20 @@ export interface DecryptRequest {
      *       algorithm that is valid for symmetric encryption KMS keys.</p>
      */
     EncryptionAlgorithm?: EncryptionAlgorithmSpec | string;
+    /**
+     * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
+     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.
+     *       The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
+     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>When you use this parameter, instead of returning the plaintext data, KMS encrypts the
+     *       plaintext data with the public key in the attestation document, and returns the resulting
+     *       ciphertext in the <code>CiphertextForRecipient</code> field in the response. This ciphertext
+     *       can be decrypted only with the private key in the enclave. The <code>Plaintext</code> field in
+     *       the response is null or empty.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    Recipient?: RecipientInfo;
 }
 /**
  * @public
@@ -2252,12 +2317,21 @@ export interface DecryptResponse {
     KeyId?: string;
     /**
      * <p>Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.</p>
+     *          <p>If the response includes the <code>CiphertextForRecipient</code> field, the
+     *       <code>Plaintext</code> field is null or empty.</p>
      */
     Plaintext?: Uint8Array;
     /**
      * <p>The encryption algorithm that was used to decrypt the ciphertext.</p>
      */
     EncryptionAlgorithm?: EncryptionAlgorithmSpec | string;
+    /**
+     * <p>The plaintext data encrypted with the public key in the attestation document. </p>
+     *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    CiphertextForRecipient?: Uint8Array;
 }
 /**
  * @public
@@ -2640,6 +2714,9 @@ export interface EncryptRequest {
     /**
      * <p>Specifies the encryption context that will be used to encrypt the data.
      *       An encryption context is valid only for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a> with a symmetric encryption KMS key. The standard asymmetric encryption algorithms and HMAC algorithms that KMS uses do not support an encryption context. </p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>An <i>encryption context</i> is a collection of non-secret key-value pairs that represent additional authenticated data.
      * When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
      * only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an encryption context is optional, but it is strongly recommended.</p>
@@ -2726,6 +2803,9 @@ export interface GenerateDataKeyRequest {
     KeyId: string | undefined;
     /**
      * <p>Specifies the encryption context that will be used when encrypting the data key.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>An <i>encryption context</i> is a collection of non-secret key-value pairs that represent additional authenticated data.
      * When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
      * only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an encryption context is optional, but it is strongly recommended.</p>
@@ -2754,6 +2834,22 @@ export interface GenerateDataKeyRequest {
      *     <i>Key Management Service Developer Guide</i>.</p>
      */
     GrantTokens?: string[];
+    /**
+     * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
+     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.
+     *       The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
+     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>When you use this parameter, instead of returning the plaintext data key, KMS encrypts
+     *       the plaintext data key under the public key in the attestation document, and returns the
+     *       resulting ciphertext in the <code>CiphertextForRecipient</code> field in the response. This
+     *       ciphertext can be decrypted only with the private key in the enclave. The
+     *       <code>CiphertextBlob</code> field in the response contains a copy of the data key encrypted
+     *       under the KMS key specified by the <code>KeyId</code> parameter. The <code>Plaintext</code>
+     *       field in the response is null or empty.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    Recipient?: RecipientInfo;
 }
 /**
  * @public
@@ -2766,12 +2862,22 @@ export interface GenerateDataKeyResponse {
     /**
      * <p>The plaintext data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of
      *       KMS. Then, remove it from memory as soon as possible.</p>
+     *          <p>If the response includes the <code>CiphertextForRecipient</code> field, the
+     *       <code>Plaintext</code> field is null or empty.</p>
      */
     Plaintext?: Uint8Array;
     /**
      * <p>The Amazon Resource Name (<a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN">key ARN</a>) of the KMS key that encrypted the data key.</p>
      */
     KeyId?: string;
+    /**
+     * <p>The plaintext data key encrypted with the public key from the Nitro enclave. This ciphertext can
+     *       be decrypted only by using a private key in the Nitro enclave. </p>
+     *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    CiphertextForRecipient?: Uint8Array;
 }
 /**
  * @public
@@ -2780,6 +2886,9 @@ export interface GenerateDataKeyPairRequest {
     /**
      * <p>Specifies the encryption context that will be used when encrypting the private key in the
      *       data key pair.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>An <i>encryption context</i> is a collection of non-secret key-value pairs that represent additional authenticated data.
      * When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
      * only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an encryption context is optional, but it is strongly recommended.</p>
@@ -2825,6 +2934,22 @@ export interface GenerateDataKeyPairRequest {
      *     <i>Key Management Service Developer Guide</i>.</p>
      */
     GrantTokens?: string[];
+    /**
+     * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
+     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.
+     *       The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
+     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>When you use this parameter, instead of returning a plaintext copy of the private data key, KMS encrypts
+     *       the plaintext private data key under the public key in the attestation document, and returns the
+     *       resulting ciphertext in the <code>CiphertextForRecipient</code> field in the response. This
+     *       ciphertext can be decrypted only with the private key in the enclave. The
+     *       <code>CiphertextBlob</code> field in the response contains a copy of the private data key encrypted
+     *       under the KMS key specified by the <code>KeyId</code> parameter. The <code>PrivateKeyPlaintext</code>
+     *       field in the response is null or empty.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    Recipient?: RecipientInfo;
 }
 /**
  * @public
@@ -2836,6 +2961,8 @@ export interface GenerateDataKeyPairResponse {
     PrivateKeyCiphertextBlob?: Uint8Array;
     /**
      * <p>The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.</p>
+     *          <p>If the response includes the <code>CiphertextForRecipient</code> field, the
+     *       <code>PrivateKeyPlaintext</code> field is null or empty.</p>
      */
     PrivateKeyPlaintext?: Uint8Array;
     /**
@@ -2850,6 +2977,14 @@ export interface GenerateDataKeyPairResponse {
      * <p>The type of data key pair that was generated.</p>
      */
     KeyPairSpec?: DataKeyPairSpec | string;
+    /**
+     * <p>The plaintext private data key encrypted with the public key from the Nitro enclave. This ciphertext can
+     *       be decrypted only by using a private key in the Nitro enclave. </p>
+     *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    CiphertextForRecipient?: Uint8Array;
 }
 /**
  * @public
@@ -2858,6 +2993,9 @@ export interface GenerateDataKeyPairWithoutPlaintextRequest {
     /**
      * <p>Specifies the encryption context that will be used when encrypting the private key in the
      *       data key pair.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>An <i>encryption context</i> is a collection of non-secret key-value pairs that represent additional authenticated data.
      * When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
      * only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an encryption context is optional, but it is strongly recommended.</p>
@@ -2958,6 +3096,9 @@ export interface GenerateDataKeyWithoutPlaintextRequest {
     KeyId: string | undefined;
     /**
      * <p>Specifies the encryption context that will be used when encrypting the data key.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>An <i>encryption context</i> is a collection of non-secret key-value pairs that represent additional authenticated data.
      * When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is supported
      * only on operations with symmetric encryption KMS keys. On operations with symmetric encryption KMS keys, an encryption context is optional, but it is strongly recommended.</p>
@@ -3061,9 +3202,23 @@ export interface GenerateRandomRequest {
      *       specified CloudHSM key store. To find the ID of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
      *          <p>External key store IDs are not valid for this parameter. If you specify the ID of an
      *       external key store, <code>GenerateRandom</code> throws an
-     *         <code>UnsupportedOperationException</code>.</p>
+     *       <code>UnsupportedOperationException</code>.</p>
      */
     CustomKeyStoreId?: string;
+    /**
+     * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
+     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.
+     *       The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
+     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>When you use this parameter, instead of returning plaintext bytes, KMS encrypts the
+     *       plaintext bytes under the public key in the attestation document, and returns the resulting
+     *       ciphertext in the <code>CiphertextForRecipient</code> field in the response. This ciphertext
+     *       can be decrypted only with the private key in the enclave. The <code>Plaintext</code> field in
+     *       the response is null or empty.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    Recipient?: RecipientInfo;
 }
 /**
  * @public
@@ -3071,8 +3226,18 @@ export interface GenerateRandomRequest {
 export interface GenerateRandomResponse {
     /**
      * <p>The random byte string. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.</p>
+     *          <p>If the response includes the <code>CiphertextForRecipient</code> field, the
+     *       <code>Plaintext</code> field is null or empty.</p>
      */
     Plaintext?: Uint8Array;
+    /**
+     * <p>The plaintext random bytes encrypted with the public key from the Nitro enclave. This ciphertext can
+     *       be decrypted only by using a private key in the Nitro enclave. </p>
+     *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     */
+    CiphertextForRecipient?: Uint8Array;
 }
 /**
  * @public
@@ -3986,6 +4151,9 @@ export interface ReEncryptRequest {
     DestinationKeyId: string | undefined;
     /**
      * <p>Specifies that encryption context to use when the reencrypting the data.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>A destination encryption context is valid only when the destination KMS key is a symmetric
      *       encryption KMS key. The standard ciphertext format for asymmetric KMS keys does not include
      *       fields for metadata.</p>
@@ -4146,6 +4314,9 @@ export interface ReplicateKeyRequest {
     /**
      * <p>A description of the KMS key. The default value is an empty string (no
      *       description).</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>The description is not a shared property of multi-Region keys. You can specify the same
      *       description or a different description for each key in a set of related multi-Region keys.
      *       KMS does not synchronize this property.</p>
@@ -4155,6 +4326,9 @@ export interface ReplicateKeyRequest {
      * <p>Assigns one or more tags to the replica key. Use this parameter to tag the KMS key when it
      *       is created. To tag an existing KMS key, use the <a>TagResource</a>
      *       operation.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <note>
      *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          </note>
@@ -4453,9 +4627,11 @@ export interface TagResourceRequest {
      */
     KeyId: string | undefined;
     /**
-     * <p>One or more tags. </p>
-     *          <p>Each tag consists of a tag key and a tag value. The tag value can be an empty (null)
+     * <p>One or more tags. Each tag consists of a tag key and a tag value. The tag value can be an empty (null)
      *       string. </p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>You cannot have more than one tag on a KMS key with the same tag key. If you specify an
      *       existing tag key with a different tag value, KMS replaces the current tag value with the
      *       specified one.</p>
@@ -4496,6 +4672,9 @@ export interface UpdateAliasRequest {
      * <p>Identifies the alias that is changing its KMS key. This value must begin with
      *         <code>alias/</code> followed by the alias name, such as <code>alias/ExampleAlias</code>. You
      *       cannot use <code>UpdateAlias</code> to change the alias name.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      */
     AliasName: string | undefined;
     /**
@@ -4533,6 +4712,9 @@ export interface UpdateCustomKeyStoreRequest {
     /**
      * <p>Changes the friendly name of the custom key store to the value that you specify. The
      *       custom key store name must be unique in the Amazon Web Services account.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      *          <p>To change this value, an CloudHSM key store must be disconnected. An external key store can
      *       be connected or disconnected.</p>
      */
@@ -4651,6 +4833,9 @@ export interface UpdateKeyDescriptionRequest {
     KeyId: string | undefined;
     /**
      * <p>New description for the KMS key.</p>
+     *          <important>
+     *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
+     *          </important>
      */
     Description: string | undefined;
 }

package/dist-types/ts3.4/models/models_0.d.ts CHANGED Viewed

@@ -614,17 +614,28 @@ export declare const DataKeySpec: {
   readonly AES_256: "AES_256";
 };
 export type DataKeySpec = (typeof DataKeySpec)[keyof typeof DataKeySpec];
+export declare const KeyEncryptionMechanism: {
+  readonly RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256";
+};
+export type KeyEncryptionMechanism =
+  (typeof KeyEncryptionMechanism)[keyof typeof KeyEncryptionMechanism];
+export interface RecipientInfo {
+  KeyEncryptionAlgorithm?: KeyEncryptionMechanism | string;
+  AttestationDocument?: Uint8Array;
+}
 export interface DecryptRequest {
   CiphertextBlob: Uint8Array | undefined;
   EncryptionContext?: Record<string, string>;
   GrantTokens?: string[];
   KeyId?: string;
   EncryptionAlgorithm?: EncryptionAlgorithmSpec | string;
+  Recipient?: RecipientInfo;
 }
 export interface DecryptResponse {
   KeyId?: string;
   Plaintext?: Uint8Array;
   EncryptionAlgorithm?: EncryptionAlgorithmSpec | string;
+  CiphertextForRecipient?: Uint8Array;
 }
 export declare class IncorrectKeyException extends __BaseException {
   readonly name: "IncorrectKeyException";
@@ -730,17 +741,20 @@ export interface GenerateDataKeyRequest {
   NumberOfBytes?: number;
   KeySpec?: DataKeySpec | string;
   GrantTokens?: string[];
+  Recipient?: RecipientInfo;
 }
 export interface GenerateDataKeyResponse {
   CiphertextBlob?: Uint8Array;
   Plaintext?: Uint8Array;
   KeyId?: string;
+  CiphertextForRecipient?: Uint8Array;
 }
 export interface GenerateDataKeyPairRequest {
   EncryptionContext?: Record<string, string>;
   KeyId: string | undefined;
   KeyPairSpec: DataKeyPairSpec | string | undefined;
   GrantTokens?: string[];
+  Recipient?: RecipientInfo;
 }
 export interface GenerateDataKeyPairResponse {
   PrivateKeyCiphertextBlob?: Uint8Array;
@@ -748,6 +762,7 @@ export interface GenerateDataKeyPairResponse {
   PublicKey?: Uint8Array;
   KeyId?: string;
   KeyPairSpec?: DataKeyPairSpec | string;
+  CiphertextForRecipient?: Uint8Array;
 }
 export interface GenerateDataKeyPairWithoutPlaintextRequest {
   EncryptionContext?: Record<string, string>;
@@ -786,9 +801,11 @@ export interface GenerateMacResponse {
 export interface GenerateRandomRequest {
   NumberOfBytes?: number;
   CustomKeyStoreId?: string;
+  Recipient?: RecipientInfo;
 }
 export interface GenerateRandomResponse {
   Plaintext?: Uint8Array;
+  CiphertextForRecipient?: Uint8Array;
 }
 export interface GetKeyPolicyRequest {
   KeyId: string | undefined;

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.321.1",
+  "version": "3.324.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "tsc -p tsconfig.cjs.json",