@aws-sdk/client-kms 3.67.0 → 3.74.0

package/dist-types/commands/GenerateDataKeyPairWithoutPlaintextCommand.d.ts

@@ -7,18 +7,17 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandInput extends Generat
 export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends GenerateDataKeyPairWithoutPlaintextResponse, __MetadataBearer {
 }
 /**
- * <p>Generates a unique asymmetric data key pair. The
- *         <code>GenerateDataKeyPairWithoutPlaintext</code> operation returns a plaintext public key
- *       and a copy of the private key that is encrypted under the symmetric KMS key you specify.
- *       Unlike <a>GenerateDataKeyPair</a>, this operation does not return a plaintext
- *       private key. </p>
+ * <p>Returns a unique asymmetric data key pair for use outside of KMS. This operation returns
+ *       a plaintext public key and a copy of the private key that is encrypted under the symmetric
+ *       encryption KMS key you specify. Unlike <a>GenerateDataKeyPair</a>, this operation
+ *       does not return a plaintext private key. The bytes in the keys are random; they are not related to the caller
+ *       or to the KMS key that is used to encrypt the private key. </p>
  *          <p>You can use the public key that <code>GenerateDataKeyPairWithoutPlaintext</code> returns
  *       to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key
  *       with the data. When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
- *          <p>To generate a data key pair, you must specify a symmetric KMS key to encrypt the private
- *       key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key
- *       store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
- *       operation. </p>
+ *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
+ *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
+ *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
  *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
  *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
@@ -29,13 +28,13 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  *       the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in
  *         <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>.</p>
  *
- *          <p>You can use the optional encryption context to add additional security to the encryption
+ *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
  *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify

package/dist-types/commands/GenerateDataKeyWithoutPlaintextCommand.d.ts

@@ -7,40 +7,37 @@ export interface GenerateDataKeyWithoutPlaintextCommandInput extends GenerateDat
 export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDataKeyWithoutPlaintextResponse, __MetadataBearer {
 }
 /**
- * <p>Generates a unique symmetric data key. This operation returns a data key that is encrypted
- *       under a KMS key that you specify. To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a>
- *       operations.</p>
+ * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
+ *       data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in
+ *       the key are random; they are not related to the caller or to the KMS key.</p>
  *          <p>
- *             <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that returns only the encrypted copy of the
- *       data key. This operation is useful for systems that need to encrypt data at some point, but
- *       not immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
- *       operation on the encrypted copy of the key. </p>
- *          <p>It's also useful in distributed systems with different levels of trust. For example, you
- *       might store encrypted data in containers. One component of your system creates new containers
- *       and stores an encrypted data key with each container. Then, a different component puts the
- *       data into the containers. That component first decrypts the data key, uses the plaintext data
- *       key to encrypt data, puts the encrypted data into the container, and then destroys the
- *       plaintext data key. In this system, the component that creates the containers never sees the
- *       plaintext data key.</p>
- *          <p>
- *             <code>GenerateDataKeyWithoutPlaintext</code> returns a unique data key for each request.
- *       The bytes in the keys are not related to the caller or KMS key that is used to encrypt the
- *       private key.</p>
- *
- *          <p>To generate a data key, you must specify the symmetric KMS key that is used to encrypt the
- *       data key. You cannot use an asymmetric KMS key to generate a data key. To get the type of your
- *       KMS key, use the <a>DescribeKey</a> operation.</p>
+ *             <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that it does not return a plaintext copy of the
+ *       data key. </p>
+ *          <p>This operation is useful for systems that need to encrypt data at some point, but not
+ *       immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
+ *       operation on the encrypted copy of the key. It's also useful in distributed systems with
+ *       different levels of trust. For example, you might store encrypted data in containers. One
+ *       component of your system creates new containers and stores an encrypted data key with each
+ *       container. Then, a different component puts the data into the containers. That component first
+ *       decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data
+ *       into the container, and then destroys the plaintext data key. In this system, the component
+ *       that creates the containers never sees the plaintext data key.</p>
+ *          <p>To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or
+ *         <a>GenerateDataKeyPairWithoutPlaintext</a> operations.</p>
  *
+ *          <p>To generate a data key, you must specify the symmetric encryption KMS key that is used to
+ *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the
+ *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
  *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
  *         <code>CiphertextBlob</code> field.</p>
  *
- *          <p>You can use the optional encryption context to add additional security to the encryption
+ *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
  *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify

package/dist-types/commands/GenerateMacCommand.d.ts

@@ -0,0 +1,55 @@
+import { Command as $Command } from "@aws-sdk/smithy-client";
+import { Handler, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, MiddlewareStack } from "@aws-sdk/types";
+import { KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../KMSClient";
+import { GenerateMacRequest, GenerateMacResponse } from "../models/models_0";
+export interface GenerateMacCommandInput extends GenerateMacRequest {
+}
+export interface GenerateMacCommandOutput extends GenerateMacResponse, __MetadataBearer {
+}
+/**
+ * <p>Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS
+ *       key and a MAC algorithm that the key supports. The MAC algorithm computes the HMAC for the
+ *       message and the key as described in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.</p>
+ *          <p>You can use the HMAC that this operation generates with the <a>VerifyMac</a>
+ *       operation to demonstrate that the original message has not changed. Also, because a secret key
+ *       is used to create the hash, you can verify that the party that generated the hash has the
+ *       required secret key. This operation is part of KMS support for HMAC KMS keys.
+ *       For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>
+ *                <i>Key Management Service Developer Guide</i>
+ *             </i>.</p>
+ *          <p>The KMS key that you use for this operation must be in a compatible key state. For
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>
+ *             <b>Cross-account
+ *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
+ *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. </p>
+ *          <p>
+ *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateMac</a> (key policy)</p>
+ *          <p>
+ *             <b>Related operations</b>: <a>VerifyMac</a>
+ *          </p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { KMSClient, GenerateMacCommand } from "@aws-sdk/client-kms"; // ES Modules import
+ * // const { KMSClient, GenerateMacCommand } = require("@aws-sdk/client-kms"); // CommonJS import
+ * const client = new KMSClient(config);
+ * const command = new GenerateMacCommand(input);
+ * const response = await client.send(command);
+ * ```
+ *
+ * @see {@link GenerateMacCommandInput} for command's `input` shape.
+ * @see {@link GenerateMacCommandOutput} for command's `response` shape.
+ * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
+ *
+ */
+export declare class GenerateMacCommand extends $Command<GenerateMacCommandInput, GenerateMacCommandOutput, KMSClientResolvedConfig> {
+    readonly input: GenerateMacCommandInput;
+    constructor(input: GenerateMacCommandInput);
+    /**
+     * @internal
+     */
+    resolveMiddleware(clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>, configuration: KMSClientResolvedConfig, options?: __HttpHandlerOptions): Handler<GenerateMacCommandInput, GenerateMacCommandOutput>;
+    private serialize;
+    private deserialize;
+}

package/dist-types/commands/GetKeyRotationStatusCommand.d.ts

@@ -9,10 +9,10 @@ export interface GetKeyRotationStatusCommandOutput extends GetKeyRotationStatusR
 /**
  * <p>Gets a Boolean value that indicates whether <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key material</a> is
  *       enabled for the specified KMS key.</p>
- *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key">multi-Region keys</a>, set the property on the primary key. The key rotation status for these KMS keys is always
+ *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. The key rotation status for these KMS keys is always
  *       <code>false</code>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <ul>
  *             <li>
  *                <p>Disabled: The key rotation status does not change when you disable a KMS key. However,

package/dist-types/commands/GetParametersForImportCommand.d.ts

@@ -7,21 +7,21 @@ export interface GetParametersForImportCommandInput extends GetParametersForImpo
 export interface GetParametersForImportCommandOutput extends GetParametersForImportResponse, __MetadataBearer {
 }
 /**
- * <p>Returns the items you need to import key material into a symmetric, customer managed KMS
- *       key. For more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
- *       in the <i>Key Management Service Developer Guide</i>.</p>
+ * <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
+ *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>This operation returns a public key and an import token. Use the public key to encrypt the
  *       symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
- *          <p>You must specify the key ID of the symmetric KMS key into which you will import key
- *       material. This KMS key's <code>Origin</code> must be <code>EXTERNAL</code>. You must also
+ *          <p>You must specify the key ID of the symmetric encryption KMS key into which you will import
+ *       key material. This KMS key's <code>Origin</code> must be <code>EXTERNAL</code>. You must also
  *       specify the wrapping algorithm and type of wrapping key (public key) that you will use to
- *       encrypt the key material. You cannot perform this operation on an asymmetric KMS key or on any KMS key in a different Amazon Web Services account.</p>
+ *       encrypt the key material. You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account.</p>
  *          <p>To import key material, you must use the public key and import token from the same
  *       response. These items are valid for 24 hours. The expiration date and time appear in the
  *         <code>GetParametersForImport</code> response. You cannot use an expired token in an <a>ImportKeyMaterial</a> request. If your key and token expire, send another
  *         <code>GetParametersForImport</code> request.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
  *

package/dist-types/commands/GetPublicKeyCommand.d.ts

@@ -11,7 +11,7 @@ export interface GetPublicKeyCommandOutput extends GetPublicKeyResponse, __Metad
  *       KMS key, which never leaves KMS unencrypted, callers with <code>kms:GetPublicKey</code>
  *       permission can download the public key of an asymmetric KMS key. You can share the public key
  *       to allow others to encrypt messages and verify signatures outside of KMS.
- *       For information about symmetric and asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using Symmetric and Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>You do not need to download the public key. Instead, you can use the public key within
  *       KMS by calling the <a>Encrypt</a>, <a>ReEncrypt</a>, or <a>Verify</a> operations with the identifier of an asymmetric KMS key. When you use the
  *       public key within KMS, you benefit from the authentication, authorization, and logging that
@@ -43,7 +43,7 @@ export interface GetPublicKeyCommandOutput extends GetPublicKeyResponse, __Metad
  *       can also avoid errors, such as using the wrong signing algorithm in a verification
  *       operation.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>:
  *       Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify

package/dist-types/commands/ImportKeyMaterialCommand.d.ts

@@ -7,13 +7,13 @@ export interface ImportKeyMaterialCommandInput extends ImportKeyMaterialRequest
 export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialResponse, __MetadataBearer {
 }
 /**
- * <p>Imports key material into an existing symmetric KMS KMS key that was created without key
- *       material. After you successfully import key material into a KMS key, you can <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
- *         the same key material</a> into that KMS key, but you cannot import different key
- *       material. </p>
- *          <p>You cannot perform this operation on an asymmetric KMS key or on any KMS key in a different Amazon Web Services account. For more information about creating KMS keys with no key material
- *       and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
+ * <p>Imports key material into an existing symmetric encryption KMS key that was created
+ *       without key material. After you successfully import key material into a KMS key, you can
+ *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the same key material</a> into that KMS key, but you cannot import different
+ *       key material. </p>
+ *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about
+ *       creating KMS keys with no key material and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
+ *       in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Before using this operation, call <a>GetParametersForImport</a>. Its response
  *       includes a public key and an import token. Use the public key to encrypt the key material.
  *       Then, submit the import token from the same <code>GetParametersForImport</code>
@@ -50,7 +50,7 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
  *       and repeat the import procedure. For help, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview">How To Import Key
  *         Material</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
  *

package/dist-types/commands/ListGrantsCommand.d.ts

@@ -10,7 +10,7 @@ export interface ListGrantsCommandOutput extends ListGrantsResponse, __MetadataB
  * <p>Gets a list of all grants for the specified KMS key. </p>
  *          <p>You must specify the KMS key in all requests. You can filter the grant list by grant ID or
  *       grantee principal.</p>
- *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Using grants</a> in the
+ *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. For examples of working with grants in several

package/dist-types/commands/ListRetirableGrantsCommand.d.ts

@@ -12,7 +12,7 @@ export interface ListRetirableGrantsCommandOutput extends ListGrantsResponse, __
  *          <p>You can specify any principal in your Amazon Web Services account. The grants that are returned include
  *       grants for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
  *       operation to determine which grants you may retire. To retire a grant, use the <a>RetireGrant</a> operation.</p>
- *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Using grants</a> in the
+ *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. For examples of working with grants in several

package/dist-types/commands/ReEncryptCommand.d.ts

@@ -12,8 +12,8 @@ export interface ReEncryptCommandOutput extends ReEncryptResponse, __MetadataBea
  *         rotate</a> a KMS key or change the KMS key that protects a ciphertext. You can also use
  *       it to reencrypt ciphertext under the same KMS key, such as to change the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">encryption
  *         context</a> of a ciphertext.</p>
- *          <p>The <code>ReEncrypt</code> operation can decrypt ciphertext that was encrypted by using an
- *       KMS KMS key in an KMS operation, such as <a>Encrypt</a> or <a>GenerateDataKey</a>. It can also decrypt ciphertext that was encrypted by using the
+ *          <p>The <code>ReEncrypt</code> operation can decrypt ciphertext that was encrypted by using a
+ *       KMS key in an KMS operation, such as <a>Encrypt</a> or <a>GenerateDataKey</a>. It can also decrypt ciphertext that was encrypted by using the
  *       public key of an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric KMS key</a>
  *       outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as
  *       the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a> or
@@ -30,7 +30,7 @@ export interface ReEncryptCommandOutput extends ReEncryptResponse, __MetadataBea
  *           is required to decrypt the data.</p>
  *             </li>
  *             <li>
- *                <p>If your ciphertext was encrypted under a symmetric KMS key, the
+ *                <p>If your ciphertext was encrypted under a symmetric encryption KMS key, the
  *             <code>SourceKeyId</code> parameter is optional. KMS can get this information from
  *           metadata that it adds to the symmetric ciphertext blob. This feature adds durability to
  *           your implementation by ensuring that authorized users can decrypt ciphertext decades after
@@ -43,19 +43,18 @@ export interface ReEncryptCommandOutput extends ReEncryptResponse, __MetadataBea
  *             </li>
  *             <li>
  *                <p>To reencrypt the data, you must use the <code>DestinationKeyId</code> parameter
- *           specify the KMS key that re-encrypts the data after it is decrypted. You can select a
- *           symmetric or asymmetric KMS key. If the destination KMS key is an asymmetric KMS key, you
- *           must also provide the encryption algorithm. The algorithm that you choose must be
- *           compatible with the KMS key.</p>
+ *           specify the KMS key that re-encrypts the data after it is decrypted. If the destination
+ *           KMS key is an asymmetric KMS key, you must also provide the encryption algorithm. The
+ *           algorithm that you choose must be compatible with the KMS key.</p>
  *
  *                <important>
  *                   <p>When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.</p>
- *                   <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
+ *                   <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
  *                </important>
  *             </li>
  *          </ul>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Yes.
  *       The source KMS key and destination KMS key can be in different Amazon Web Services accounts. Either or both

package/dist-types/commands/ReplicateKeyCommand.d.ts

@@ -15,7 +15,7 @@ export interface ReplicateKeyCommandOutput extends ReplicateKeyResponse, __Metad
  *          <p>This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple
  *       interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key
  *       material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt
- *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Using multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>A <i>replica key</i> is a fully-functional KMS key that can be used
  *       independently of its primary and peer replica keys. A primary key and its replica keys share
  *       properties that make them interoperable. They have the same <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a> and key material. They also
@@ -25,8 +25,7 @@ export interface ReplicateKeyCommandOutput extends ReplicateKeyResponse, __Metad
  *         material origin</a>, and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation status</a>. KMS automatically synchronizes these shared
  *       properties among related multi-Region keys. All other properties of a replica key can differ,
  *       including its <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key
- *         policy</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">tags</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">aliases</a>, and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">key
- *         state</a>. KMS pricing and quotas for KMS keys apply to each primary key and replica
+ *         policy</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">tags</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">aliases</a>, and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a>. KMS pricing and quotas for KMS keys apply to each primary key and replica
  *       key.</p>
  *          <p>When this operation completes, the new replica key has a transient key state of
  *         <code>Creating</code>. This key state changes to <code>Enabled</code> (or
@@ -35,8 +34,13 @@ export interface ReplicateKeyCommandOutput extends ReplicateKeyResponse, __Metad
  *       cannot yet use it in cryptographic operations. If you are creating and using the replica key
  *       programmatically, retry on <code>KMSInvalidStateException</code> or call
  *         <code>DescribeKey</code> to check its <code>KeyState</code> value before using it. For
- *       details about the <code>Creating</code> key state, see <a href="kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the
+ *       details about the <code>Creating</code> key state, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>You cannot create more than one replica of a primary key in any Region. If the Region
+ *       already includes a replica of the key you're trying to replicate, <code>ReplicateKey</code>
+ *       returns an <code>AlreadyExistsException</code> error. If the key state of the existing replica
+ *       is <code>PendingDeletion</code>, you can cancel the scheduled key deletion (<a>CancelKeyDeletion</a>) or wait for the key to be deleted. The new replica key you create
+ *       will have the same <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties">shared properties</a> as the original replica key.</p>
  *          <p>The CloudTrail log of a <code>ReplicateKey</code> operation records a
  *         <code>ReplicateKey</code> operation in the primary key's Region and a <a>CreateKey</a> operation in the replica key's Region.</p>
  *          <p>If you replicate a multi-Region primary key with imported key material, the replica key is

package/dist-types/commands/RetireGrantCommand.d.ts

@@ -13,11 +13,10 @@ export interface RetireGrantCommandOutput extends __MetadataBearer {
  *       returns both values.</p>
  *          <p>This operation can be called by the <i>retiring principal</i> for a grant,
  *       by the <i>grantee principal</i> if the grant allows the <code>RetireGrant</code>
- *       operation, and by the Amazon Web Services account (root user) in which the grant is created. It can also be
- *       called by principals to whom permission for retiring a grant is delegated. For details, see
- *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and
- *         revoking grants</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Using grants</a> in the
+ *       operation, and by the Amazon Web Services account in which the grant is created. It can also be called by
+ *       principals to whom permission for retiring a grant is delegated. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and revoking
+ *         grants</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. For examples of working with grants in several

package/dist-types/commands/RevokeGrantCommand.d.ts

@@ -16,7 +16,7 @@ export interface RevokeGrantCommandOutput extends __MetadataBearer {
  *       the <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. </p>
- *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Using grants</a> in the
+ *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. For examples of working with grants in several

package/dist-types/commands/ScheduleKeyDeletionCommand.d.ts

@@ -38,7 +38,7 @@ export interface ScheduleKeyDeletionCommandOutput extends ScheduleKeyDeletionRes
  *          <p>For more information about scheduling a KMS key for deletion, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>

package/dist-types/commands/SignCommand.d.ts

@@ -9,8 +9,8 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
 /**
  * <p>Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital
  *         signature</a> for a message or message digest by using the private key in an asymmetric
- *       KMS key. To verify the signature, use the <a>Verify</a> operation, or use the
- *       public key in the same asymmetric KMS key outside of KMS. For information about symmetric and asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using Symmetric and Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use
+ *       the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Digital signatures are generated and verified by using asymmetric key pair, such as an RSA
  *       or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized
  *       user) uses their private key to sign a message. Anyone with the public key can verify that the
@@ -43,7 +43,7 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
  *       operation. Or use the <a>GetPublicKey</a> operation to download the public key and
  *       then use the public key to verify the signature outside of KMS. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *         <p>
  *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>

package/dist-types/commands/TagResourceCommand.d.ts

@@ -9,7 +9,7 @@ export interface TagResourceCommandOutput extends __MetadataBearer {
 /**
  * <p>Adds or edits tags on a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.</p>
  *          <note>
- *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">Using ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>Each tag consists of a tag key and a tag value, both of which are case-sensitive strings.
  *       The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag
@@ -24,7 +24,7 @@ export interface TagResourceCommandOutput extends __MetadataBearer {
  *       tags, including the format and syntax, see <a href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> in the <i>Amazon
  *         Web Services General Reference</i>. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. </p>
  *

package/dist-types/commands/UntagResourceCommand.d.ts

@@ -10,7 +10,7 @@ export interface UntagResourceCommandOutput extends __MetadataBearer {
  * <p>Deletes tags from a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>. To delete a tag,
  *       specify the tag key and the KMS key.</p>
  *          <note>
- *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">Using ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>When it succeeds, the <code>UntagResource</code> operation doesn't return any output.
  *       Also, if the specified tag key isn't found on the KMS key, it doesn't throw an exception or
@@ -20,7 +20,7 @@ export interface UntagResourceCommandOutput extends __MetadataBearer {
  *       tags, including the format and syntax, see <a href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> in the <i>Amazon
  *         Web Services General Reference</i>. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
  *

package/dist-types/commands/UpdateAliasCommand.d.ts

@@ -11,7 +11,7 @@ export interface UpdateAliasCommandOutput extends __MetadataBearer {
  *       only one KMS key at a time, although a KMS key can have multiple aliases. The alias and the
  *       KMS key must be in the same Amazon Web Services account and Region.</p>
  *          <note>
- *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">Using ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>The current and new KMS key must be the same type (both symmetric or both asymmetric), and
  *       they must have the same key usage (<code>ENCRYPT_DECRYPT</code> or <code>SIGN_VERIFY</code>).
@@ -25,7 +25,7 @@ export interface UpdateAliasCommandOutput extends __MetadataBearer {
  *       response from the <a>DescribeKey</a> operation. To get the aliases of all KMS keys
  *       in the account, use the <a>ListAliases</a> operation. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *         <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. </p>
  *          <p>

package/dist-types/commands/UpdateKeyDescriptionCommand.d.ts

@@ -9,7 +9,7 @@ export interface UpdateKeyDescriptionCommandOutput extends __MetadataBearer {
 /**
  * <p>Updates the description of a KMS key. To see the description of a KMS key, use <a>DescribeKey</a>. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. </p>

package/dist-types/commands/UpdatePrimaryRegionCommand.d.ts

@@ -17,7 +17,7 @@ export interface UpdatePrimaryRegionCommandOutput extends __MetadataBearer {
  *          <p>This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple
  *       interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key
  *       material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt
- *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Using multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The <i>primary key</i> of a multi-Region key is the source for properties
  *       that are always shared by primary and replica keys, including the key material, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material
  *       origin</a>, and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic
@@ -37,8 +37,7 @@ export interface UpdatePrimaryRegionCommandOutput extends __MetadataBearer {
  *       update is complete. While the key state is <code>Updating</code>, you can use the keys in
  *       cryptographic operations, but you cannot replicate the new primary key or perform certain
  *       management operations, such as enabling or disabling these keys. For details about the
- *         <code>Updating</code> key state, see <a href="kms/latest/developerguide/key-state.html">Key state:
- *         Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *         <code>Updating</code> key state, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>This operation does not return any output. To verify that primary key is changed, use the
  *         <a>DescribeKey</a> operation.</p>
  *          <p>

package/dist-types/commands/VerifyCommand.d.ts

@@ -16,7 +16,7 @@ export interface VerifyCommandOutput extends VerifyResponse, __MetadataBearer {
  *       fails with an <code>KMSInvalidSignatureException</code> exception.</p>
  *          <p>A digital signature is generated by using the private key in an asymmetric KMS key. The
  *       signature is verified by using the public key in the same asymmetric KMS key.
- *       For information about symmetric and asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using Symmetric and Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>To verify a digital signature, you can use the <code>Verify</code> operation. Specify the
  *       same asymmetric KMS key, message, and signing algorithm that were used to produce the
  *       signature.</p>
@@ -28,7 +28,7 @@ export interface VerifyCommandOutput extends VerifyResponse, __MetadataBearer {
  *       in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use
  *       the KMS key to verify signatures.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. </p>