npm - @aws-sdk/client-kms - Versions diffs - 3.363.0 → 3.366.0 - Mend

@aws-sdk/client-kms 3.363.0 → 3.366.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/dist-types/commands/CreateKeyCommand.d.ts CHANGED Viewed

@@ -63,11 +63,14 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *             the type of key material in the KMS key. Then, use the <code>KeyUsage</code> parameter
  *             to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
  *             You can't change these properties after the KMS key is created.</p>
- *                <p>Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions only). The private key in an asymmetric
- *             KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
- *             so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
- *             KMS keys with ECC key pairs can be used only to sign and verify messages.
- *             For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *                <p>Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an
+ *             SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves
+ *             KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to
+ *             download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key
+ *             pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
+ *             KMS keys with ECC key pairs can be used only to sign and verify messages. For
+ *             information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the
+ *             <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
  *             <dt>HMAC KMS key</dt>
@@ -104,8 +107,8 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *                <p>To import your own key material into a KMS key, begin by creating a KMS key with no
  *             key material. To do this, use the <code>Origin</code> parameter of
  *               <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use <a>GetParametersForImport</a> operation to get a public key and import token. Use
- *             the wrapping public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For step-by-step instructions, see
- *               <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
+ *             the wrapping public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For
+ *             step-by-step instructions, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
  *                      <i>Key Management Service Developer Guide</i>
  *                   </i>.</p>
  *                <p>You can import key material into KMS keys of all supported KMS key types: symmetric
@@ -147,9 +150,9 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *               <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The CloudHSM
  *             cluster that is associated with the custom key store must have at least two active HSMs
  *             in different Availability Zones in the Amazon Web Services Region.</p>
- *                <p>To create a KMS key in an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use the <code>Origin</code> parameter
- *             with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> parameter
- *             that identifies an existing external key.</p>
+ *                <p>To create a KMS key in an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use the
+ *               <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an
+ *               <code>XksKeyId</code> parameter that identifies an existing external key.</p>
  *                <note>
  *                   <p>Some external key managers provide a simpler method for creating a KMS key in an
  *               external key store. For details, see your external key manager documentation.</p>
@@ -380,9 +383,9 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *       and decryption.</p>
  *
  * @throws {@link XksKeyNotFoundException} (client fault)
- *  <p>The request was rejected because the external key store proxy could not find the external key. This
- *       exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't identify a
- *       key in the external key manager associated with the external key proxy.</p>
+ *  <p>The request was rejected because the external key store proxy could not find the external
+ *       key. This exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't
+ *       identify a key in the external key manager associated with the external key proxy.</p>
  *          <p>Verify that the <code>XksKeyId</code> represents an existing key in the external key
  *       manager. Use the key identifier that the external key store proxy uses to identify the key.
  *       For details, see the documentation provided with your external key store proxy or key

package/dist-types/commands/DecryptCommand.d.ts CHANGED Viewed

@@ -83,7 +83,7 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *       the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
  *       attestation document for the enclave. Instead of the plaintext data, the response includes the
  *       plaintext data encrypted with the public key from the attestation document
- *       (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
+ *         (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
@@ -137,6 +137,7 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
  *     AttestationDocument: "BLOB_VALUE",
  *   },
+ *   DryRun: true || false,
  * };
  * const command = new DecryptCommand(input);
  * const response = await client.send(command);
@@ -162,6 +163,11 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link IncorrectKeyException} (client fault)
  *  <p>The request was rejected because the specified KMS key cannot decrypt the data. The
  *         <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code>
@@ -222,7 +228,9 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/DeleteAliasCommand.d.ts CHANGED Viewed

@@ -114,7 +114,9 @@ export interface DeleteAliasCommandOutput extends __MetadataBearer {
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/DeleteImportedKeyMaterialCommand.d.ts CHANGED Viewed

@@ -98,7 +98,9 @@ export interface DeleteImportedKeyMaterialCommandOutput extends __MetadataBearer
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/DescribeCustomKeyStoresCommand.d.ts CHANGED Viewed

@@ -46,8 +46,8 @@ export interface DescribeCustomKeyStoresCommandOutput extends DescribeCustomKeyS
  *       any. For an external key store, verify that the external key store proxy and its associated
  *       external key manager are reachable and enabled.</p>
  *          <p> For help repairing your CloudHSM key store, see the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key stores</a>. For help
- *       repairing your external key store, see the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external key stores</a>. Both
- *       topics are in the <i>Key Management Service Developer Guide</i>.</p>
+ *       repairing your external key store, see the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external key stores</a>.
+ *       Both topics are in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.</p>
  *          <p>

package/dist-types/commands/DisableKeyCommand.d.ts CHANGED Viewed

@@ -85,7 +85,9 @@ export interface DisableKeyCommandOutput extends __MetadataBearer {
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/DisableKeyRotationCommand.d.ts CHANGED Viewed

@@ -106,7 +106,9 @@ export interface DisableKeyRotationCommandOutput extends __MetadataBearer {
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/EnableKeyCommand.d.ts CHANGED Viewed

@@ -81,7 +81,9 @@ export interface EnableKeyCommandOutput extends __MetadataBearer {
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/EnableKeyRotationCommand.d.ts CHANGED Viewed

@@ -114,7 +114,9 @@ export interface EnableKeyRotationCommandOutput extends __MetadataBearer {
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/EncryptCommand.d.ts CHANGED Viewed

@@ -108,8 +108,7 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
- *             <b>Cross-account use</b>: Yes.
- *       To perform this operation with a KMS key in a different Amazon Web Services account, specify
+ *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
  *          <p>
  *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a> (key policy)</p>
@@ -149,6 +148,7 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  *     "STRING_VALUE",
  *   ],
  *   EncryptionAlgorithm: "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
+ *   DryRun: true || false,
  * };
  * const command = new EncryptCommand(input);
  * const response = await client.send(command);
@@ -173,6 +173,11 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link InvalidGrantTokenException} (client fault)
  *  <p>The request was rejected because the specified grant token is not valid.</p>
  *
@@ -219,7 +224,9 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GenerateDataKeyCommand.d.ts CHANGED Viewed

@@ -25,18 +25,19 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  * @public
  * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
  *       plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
- *       key that you specify. The bytes in the plaintext key are random; they are not related
- *       to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS
- *       and store the encrypted data key with the encrypted data.</p>
+ *       key that you specify. The bytes in the plaintext key are random; they are not related to the
+ *       caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS and
+ *       store the encrypted data key with the encrypted data.</p>
  *          <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
  *       encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
  *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
  *          <p>You must also specify the length of the data key. Use either the <code>KeySpec</code> or
- *       <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
+ *         <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
  *       the <code>KeySpec</code> parameter.</p>
- *          <p>To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code> value of
- *       <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The symmetric
- *       encryption key used in China Regions to encrypt your data key is an SM4 encryption key.</p>
+ *          <p>To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code>
+ *       value of <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The
+ *       symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption
+ *       key.</p>
  *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
  *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
  *       random byte string, use <a>GenerateRandom</a>.</p>
@@ -145,6 +146,7 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
  *     AttestationDocument: "BLOB_VALUE",
  *   },
+ *   DryRun: true || false,
  * };
  * const command = new GenerateDataKeyCommand(input);
  * const response = await client.send(command);
@@ -170,6 +172,11 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link InvalidGrantTokenException} (client fault)
  *  <p>The request was rejected because the specified grant token is not valid.</p>
  *
@@ -216,7 +223,9 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts CHANGED Viewed

@@ -36,9 +36,10 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
  *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
- *       key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use
- *       ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both.
- *       However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.</p>
+ *       key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that
+ *       you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or
+ *       signing, but not both. However, KMS cannot enforce any restrictions on the use of data key
+ *       pairs outside of KMS.</p>
  *          <p>If you are using the data key pair to encrypt data, or for any operation where you don't
  *       immediately need a private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation.
  *         <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an
@@ -54,13 +55,14 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *       key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>.</p>
  *          <p>
  *             <code>GenerateDataKeyPair</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
- *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKeyPair</code> for an Amazon Web Services Nitro
- *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
- *       to provide the attestation document for the enclave. <code>GenerateDataKeyPair</code> returns the public data key and a
- *       copy of the private data key encrypted under the specified KMS key, as usual. But instead of a
- *       plaintext copy of the private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the private data key encrypted under
- *       the public key from the attestation document (<code>CiphertextForRecipient</code>).
- *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
+ *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKeyPair</code> for an Amazon Web Services
+ *       Nitro enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code>
+ *       parameter to provide the attestation document for the enclave.
+ *         <code>GenerateDataKeyPair</code> returns the public data key and a copy of the private data
+ *       key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the
+ *       private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the
+ *       private data key encrypted under the public key from the attestation document
+ *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
  *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
@@ -122,6 +124,7 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *     KeyEncryptionAlgorithm: "RSAES_OAEP_SHA_256",
  *     AttestationDocument: "BLOB_VALUE",
  *   },
+ *   DryRun: true || false,
  * };
  * const command = new GenerateDataKeyPairCommand(input);
  * const response = await client.send(command);
@@ -149,6 +152,11 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link InvalidGrantTokenException} (client fault)
  *  <p>The request was rejected because the specified grant token is not valid.</p>
  *
@@ -195,7 +203,9 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GenerateDataKeyPairWithoutPlaintextCommand.d.ts CHANGED Viewed

@@ -35,9 +35,10 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
  *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
- *       key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you
- *       use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not
- *       both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.</p>
+ *       key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that
+ *       you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or
+ *       signing, but not both. However, KMS cannot enforce any restrictions on the use of data key
+ *       pairs outside of KMS.</p>
  *          <p>
  *             <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each
  *       request. The bytes in the key are not related to the caller or KMS key that is used to encrypt
@@ -101,6 +102,7 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
+ *   DryRun: true || false,
  * };
  * const command = new GenerateDataKeyPairWithoutPlaintextCommand(input);
  * const response = await client.send(command);
@@ -126,6 +128,11 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link InvalidGrantTokenException} (client fault)
  *  <p>The request was rejected because the specified grant token is not valid.</p>
  *
@@ -172,7 +179,9 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GenerateDataKeyWithoutPlaintextCommand.d.ts CHANGED Viewed

@@ -42,10 +42,11 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  *          <p>To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or
  *         <a>GenerateDataKeyPairWithoutPlaintext</a> operations.</p>
  *          <p>To generate a data key, you must specify the symmetric encryption KMS key that is used to
- *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the
- *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
+ *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to
+ *       generate a data key. To get the type of your KMS key, use the <a>DescribeKey</a>
+ *       operation.</p>
  *          <p>You must also specify the length of the data key. Use either the <code>KeySpec</code> or
- *       <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
+ *         <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
  *       the <code>KeySpec</code> parameter.</p>
  *          <p>To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of
  *         <code>AES_128</code> or <code>NumberOfBytes</code> value of <code>16</code>. The symmetric
@@ -111,6 +112,7 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
+ *   DryRun: true || false,
  * };
  * const command = new GenerateDataKeyWithoutPlaintextCommand(input);
  * const response = await client.send(command);
@@ -134,6 +136,11 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link InvalidGrantTokenException} (client fault)
  *  <p>The request was rejected because the specified grant token is not valid.</p>
  *
@@ -180,7 +187,9 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GenerateMacCommand.d.ts CHANGED Viewed

@@ -23,8 +23,9 @@ export interface GenerateMacCommandOutput extends GenerateMacResponse, __Metadat
 }
 /**
  * @public
- * <p>Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports.
- *       HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.</p>
+ * <p>Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS
+ *       key and a MAC algorithm that the key supports. HMAC KMS keys and the HMAC algorithms that
+ *       KMS uses conform to industry standards defined in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.</p>
  *          <p>You can use value that GenerateMac returns in the <a>VerifyMac</a> operation to
  *       demonstrate that the original message has not changed. Also, because a secret key is used to
  *       create the hash, you can verify that the party that generated the hash has the required secret
@@ -64,6 +65,7 @@ export interface GenerateMacCommandOutput extends GenerateMacResponse, __Metadat
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
+ *   DryRun: true || false,
  * };
  * const command = new GenerateMacCommand(input);
  * const response = await client.send(command);
@@ -84,6 +86,11 @@ export interface GenerateMacCommandOutput extends GenerateMacResponse, __Metadat
  * @throws {@link DisabledException} (client fault)
  *  <p>The request was rejected because the specified KMS key is not enabled.</p>
  *
+ * @throws {@link DryRunOperationException} (client fault)
+ *  <p>
+ *       The request was rejected because the DryRun parameter was specified.
+ *     </p>
+ *
  * @throws {@link InvalidGrantTokenException} (client fault)
  *  <p>The request was rejected because the specified grant token is not valid.</p>
  *
@@ -130,7 +137,9 @@ export interface GenerateMacCommandOutput extends GenerateMacResponse, __Metadat
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GenerateRandomCommand.d.ts CHANGED Viewed

@@ -35,7 +35,7 @@ export interface GenerateRandomCommandOutput extends GenerateRandomResponse, __M
  *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
  *       to provide the attestation document for the enclave. Instead of plaintext bytes, the response
  *       includes the plaintext bytes encrypted under the public key from the attestation document
- *       (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *         (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>For more information about entropy and random number generation, see
  *       <a href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic Details</a>.</p>
  *          <p>

package/dist-types/commands/GetKeyPolicyCommand.d.ts CHANGED Viewed

@@ -81,7 +81,9 @@ export interface GetKeyPolicyCommandOutput extends GetKeyPolicyResponse, __Metad
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GetKeyRotationStatusCommand.d.ts CHANGED Viewed

@@ -125,7 +125,9 @@ export interface GetKeyRotationStatusCommandOutput extends GetKeyRotationStatusR
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GetParametersForImportCommand.d.ts CHANGED Viewed

@@ -37,8 +37,8 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
  *       asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material
  *       into a <a href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of
  *       any supported type. However, you can't import key material into a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. You can also use
- *       <code>GetParametersForImport</code> to get a public key and import token to <a href="kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the original key material</a> into a KMS key whose key material expired or was
- *       deleted.</p>
+ *         <code>GetParametersForImport</code> to get a public key and import token to <a href="kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the original key
+ *         material</a> into a KMS key whose key material expired or was deleted.</p>
  *          <p>
  *             <code>GetParametersForImport</code> returns the items that you need to import your key
  *       material.</p>
@@ -49,7 +49,8 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
  *           transit to KMS. </p>
  *             </li>
  *             <li>
- *                <p>A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.</p>
+ *                <p>A import token that ensures that KMS can decrypt your key material and associate it
+ *           with the correct KMS key.</p>
  *             </li>
  *          </ul>
  *          <p>The public key and its import token are permanently linked and must be used together. Each
@@ -150,7 +151,9 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *

package/dist-types/commands/GetPublicKeyCommand.d.ts CHANGED Viewed

@@ -57,15 +57,14 @@ export interface GetPublicKeyCommandOutput extends GetPublicKeyResponse, __Metad
  *       public key from being used with an encryption algorithm that is not supported by KMS. You
  *       can also avoid errors, such as using the wrong signing algorithm in a verification
  *       operation.</p>
- *          <p>To verify a signature outside of KMS with an SM2 public key (China Regions only), you must
- *       specify the distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the
- *       distinguishing ID. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification">Offline verification
- *         with SM2 key pairs</a>.</p>
+ *          <p>To verify a signature outside of KMS with an SM2 public key (China Regions only), you
+ *       must specify the distinguishing ID. By default, KMS uses <code>1234567812345678</code> as
+ *       the distinguishing ID. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification">Offline
+ *         verification with SM2 key pairs</a>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
- *             <b>Cross-account use</b>:
- *       Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
+ *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
  *          <p>
  *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GetPublicKey</a> (key policy)</p>
@@ -165,7 +164,9 @@ export interface GetPublicKeyCommandOutput extends GetPublicKeyResponse, __Metad
  *                   </i>.</p>
  *             </li>
  *             <li>
- *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception
+ *           represents a general failure with many possible causes. To identify the cause, see the
+ *           error message that accompanies the exception.</p>
  *             </li>
  *          </ul>
  *