@aws-sdk/client-kms 3.72.0 → 3.73.0

package/dist-types/KMSClient.d.ts

@@ -28,6 +28,7 @@ import { GenerateDataKeyCommandInput, GenerateDataKeyCommandOutput } from "./com
 import { GenerateDataKeyPairCommandInput, GenerateDataKeyPairCommandOutput } from "./commands/GenerateDataKeyPairCommand";
 import { GenerateDataKeyPairWithoutPlaintextCommandInput, GenerateDataKeyPairWithoutPlaintextCommandOutput } from "./commands/GenerateDataKeyPairWithoutPlaintextCommand";
 import { GenerateDataKeyWithoutPlaintextCommandInput, GenerateDataKeyWithoutPlaintextCommandOutput } from "./commands/GenerateDataKeyWithoutPlaintextCommand";
+import { GenerateMacCommandInput, GenerateMacCommandOutput } from "./commands/GenerateMacCommand";
 import { GenerateRandomCommandInput, GenerateRandomCommandOutput } from "./commands/GenerateRandomCommand";
 import { GetKeyPolicyCommandInput, GetKeyPolicyCommandOutput } from "./commands/GetKeyPolicyCommand";
 import { GetKeyRotationStatusCommandInput, GetKeyRotationStatusCommandOutput } from "./commands/GetKeyRotationStatusCommand";
@@ -54,8 +55,9 @@ import { UpdateCustomKeyStoreCommandInput, UpdateCustomKeyStoreCommandOutput } f
 import { UpdateKeyDescriptionCommandInput, UpdateKeyDescriptionCommandOutput } from "./commands/UpdateKeyDescriptionCommand";
 import { UpdatePrimaryRegionCommandInput, UpdatePrimaryRegionCommandOutput } from "./commands/UpdatePrimaryRegionCommand";
 import { VerifyCommandInput, VerifyCommandOutput } from "./commands/VerifyCommand";
-export declare type ServiceInputTypes = CancelKeyDeletionCommandInput | ConnectCustomKeyStoreCommandInput | CreateAliasCommandInput | CreateCustomKeyStoreCommandInput | CreateGrantCommandInput | CreateKeyCommandInput | DecryptCommandInput | DeleteAliasCommandInput | DeleteCustomKeyStoreCommandInput | DeleteImportedKeyMaterialCommandInput | DescribeCustomKeyStoresCommandInput | DescribeKeyCommandInput | DisableKeyCommandInput | DisableKeyRotationCommandInput | DisconnectCustomKeyStoreCommandInput | EnableKeyCommandInput | EnableKeyRotationCommandInput | EncryptCommandInput | GenerateDataKeyCommandInput | GenerateDataKeyPairCommandInput | GenerateDataKeyPairWithoutPlaintextCommandInput | GenerateDataKeyWithoutPlaintextCommandInput | GenerateRandomCommandInput | GetKeyPolicyCommandInput | GetKeyRotationStatusCommandInput | GetParametersForImportCommandInput | GetPublicKeyCommandInput | ImportKeyMaterialCommandInput | ListAliasesCommandInput | ListGrantsCommandInput | ListKeyPoliciesCommandInput | ListKeysCommandInput | ListResourceTagsCommandInput | ListRetirableGrantsCommandInput | PutKeyPolicyCommandInput | ReEncryptCommandInput | ReplicateKeyCommandInput | RetireGrantCommandInput | RevokeGrantCommandInput | ScheduleKeyDeletionCommandInput | SignCommandInput | TagResourceCommandInput | UntagResourceCommandInput | UpdateAliasCommandInput | UpdateCustomKeyStoreCommandInput | UpdateKeyDescriptionCommandInput | UpdatePrimaryRegionCommandInput | VerifyCommandInput;
-export declare type ServiceOutputTypes = CancelKeyDeletionCommandOutput | ConnectCustomKeyStoreCommandOutput | CreateAliasCommandOutput | CreateCustomKeyStoreCommandOutput | CreateGrantCommandOutput | CreateKeyCommandOutput | DecryptCommandOutput | DeleteAliasCommandOutput | DeleteCustomKeyStoreCommandOutput | DeleteImportedKeyMaterialCommandOutput | DescribeCustomKeyStoresCommandOutput | DescribeKeyCommandOutput | DisableKeyCommandOutput | DisableKeyRotationCommandOutput | DisconnectCustomKeyStoreCommandOutput | EnableKeyCommandOutput | EnableKeyRotationCommandOutput | EncryptCommandOutput | GenerateDataKeyCommandOutput | GenerateDataKeyPairCommandOutput | GenerateDataKeyPairWithoutPlaintextCommandOutput | GenerateDataKeyWithoutPlaintextCommandOutput | GenerateRandomCommandOutput | GetKeyPolicyCommandOutput | GetKeyRotationStatusCommandOutput | GetParametersForImportCommandOutput | GetPublicKeyCommandOutput | ImportKeyMaterialCommandOutput | ListAliasesCommandOutput | ListGrantsCommandOutput | ListKeyPoliciesCommandOutput | ListKeysCommandOutput | ListResourceTagsCommandOutput | ListRetirableGrantsCommandOutput | PutKeyPolicyCommandOutput | ReEncryptCommandOutput | ReplicateKeyCommandOutput | RetireGrantCommandOutput | RevokeGrantCommandOutput | ScheduleKeyDeletionCommandOutput | SignCommandOutput | TagResourceCommandOutput | UntagResourceCommandOutput | UpdateAliasCommandOutput | UpdateCustomKeyStoreCommandOutput | UpdateKeyDescriptionCommandOutput | UpdatePrimaryRegionCommandOutput | VerifyCommandOutput;
+import { VerifyMacCommandInput, VerifyMacCommandOutput } from "./commands/VerifyMacCommand";
+export declare type ServiceInputTypes = CancelKeyDeletionCommandInput | ConnectCustomKeyStoreCommandInput | CreateAliasCommandInput | CreateCustomKeyStoreCommandInput | CreateGrantCommandInput | CreateKeyCommandInput | DecryptCommandInput | DeleteAliasCommandInput | DeleteCustomKeyStoreCommandInput | DeleteImportedKeyMaterialCommandInput | DescribeCustomKeyStoresCommandInput | DescribeKeyCommandInput | DisableKeyCommandInput | DisableKeyRotationCommandInput | DisconnectCustomKeyStoreCommandInput | EnableKeyCommandInput | EnableKeyRotationCommandInput | EncryptCommandInput | GenerateDataKeyCommandInput | GenerateDataKeyPairCommandInput | GenerateDataKeyPairWithoutPlaintextCommandInput | GenerateDataKeyWithoutPlaintextCommandInput | GenerateMacCommandInput | GenerateRandomCommandInput | GetKeyPolicyCommandInput | GetKeyRotationStatusCommandInput | GetParametersForImportCommandInput | GetPublicKeyCommandInput | ImportKeyMaterialCommandInput | ListAliasesCommandInput | ListGrantsCommandInput | ListKeyPoliciesCommandInput | ListKeysCommandInput | ListResourceTagsCommandInput | ListRetirableGrantsCommandInput | PutKeyPolicyCommandInput | ReEncryptCommandInput | ReplicateKeyCommandInput | RetireGrantCommandInput | RevokeGrantCommandInput | ScheduleKeyDeletionCommandInput | SignCommandInput | TagResourceCommandInput | UntagResourceCommandInput | UpdateAliasCommandInput | UpdateCustomKeyStoreCommandInput | UpdateKeyDescriptionCommandInput | UpdatePrimaryRegionCommandInput | VerifyCommandInput | VerifyMacCommandInput;
+export declare type ServiceOutputTypes = CancelKeyDeletionCommandOutput | ConnectCustomKeyStoreCommandOutput | CreateAliasCommandOutput | CreateCustomKeyStoreCommandOutput | CreateGrantCommandOutput | CreateKeyCommandOutput | DecryptCommandOutput | DeleteAliasCommandOutput | DeleteCustomKeyStoreCommandOutput | DeleteImportedKeyMaterialCommandOutput | DescribeCustomKeyStoresCommandOutput | DescribeKeyCommandOutput | DisableKeyCommandOutput | DisableKeyRotationCommandOutput | DisconnectCustomKeyStoreCommandOutput | EnableKeyCommandOutput | EnableKeyRotationCommandOutput | EncryptCommandOutput | GenerateDataKeyCommandOutput | GenerateDataKeyPairCommandOutput | GenerateDataKeyPairWithoutPlaintextCommandOutput | GenerateDataKeyWithoutPlaintextCommandOutput | GenerateMacCommandOutput | GenerateRandomCommandOutput | GetKeyPolicyCommandOutput | GetKeyRotationStatusCommandOutput | GetParametersForImportCommandOutput | GetPublicKeyCommandOutput | ImportKeyMaterialCommandOutput | ListAliasesCommandOutput | ListGrantsCommandOutput | ListKeyPoliciesCommandOutput | ListKeysCommandOutput | ListResourceTagsCommandOutput | ListRetirableGrantsCommandOutput | PutKeyPolicyCommandOutput | ReEncryptCommandOutput | ReplicateKeyCommandOutput | RetireGrantCommandOutput | RevokeGrantCommandOutput | ScheduleKeyDeletionCommandOutput | SignCommandOutput | TagResourceCommandOutput | UntagResourceCommandOutput | UpdateAliasCommandOutput | UpdateCustomKeyStoreCommandOutput | UpdateKeyDescriptionCommandOutput | UpdatePrimaryRegionCommandOutput | VerifyCommandOutput | VerifyMacCommandOutput;
 export interface ClientDefaults extends Partial<__SmithyResolvedConfiguration<__HttpHandlerOptions>> {
     /**
      * The HTTP handler to use. Fetch in browser and Https in Nodejs.
@@ -190,7 +192,10 @@ export interface KMSClientResolvedConfig extends KMSClientResolvedConfigType {
  *         download and install them, see <a href="http://aws.amazon.com/tools/">Tools for Amazon Web
  *           Services</a>.</p>
  *          </note>
- *          <p>We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS.</p>
+ *          <p>We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS. </p>
+ *          <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
+ *       Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
+ *       available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
  *          <p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
  *       must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
  *       Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems

package/dist-types/commands/CancelKeyDeletionCommand.d.ts

@@ -12,7 +12,7 @@ export interface CancelKeyDeletionCommandOutput extends CancelKeyDeletionRespons
  *          <p>For more information about scheduling and canceling deletion of a KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>

package/dist-types/commands/CreateAliasCommand.d.ts

@@ -9,7 +9,7 @@ export interface CreateAliasCommandOutput extends __MetadataBearer {
 /**
  * <p>Creates a friendly name for a KMS key. </p>
  *          <note>
- *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">Using ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>You can use an alias to identify a KMS key in the KMS console, in the <a>DescribeKey</a> operation and in <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a>, such as <a>Encrypt</a> and
  *         <a>GenerateDataKey</a>. You can also change the KMS key that's associated with
@@ -24,7 +24,7 @@ export interface CreateAliasCommandOutput extends __MetadataBearer {
  *          <p>This operation does not return a response. To get the alias that you created, use the
  *         <a>ListAliases</a> operation.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services account.</p>
  *

package/dist-types/commands/CreateGrantCommand.d.ts

@@ -13,7 +13,7 @@ export interface CreateGrantCommandOutput extends CreateGrantResponse, __Metadat
  *       grants are considered along with key policies and IAM policies. Grants are often used for
  *       temporary permissions because you can create one, use its permissions, and delete it without
  *       changing your key policies or IAM policies. </p>
- *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Using grants</a> in the
+ *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. For examples of working with grants in several
@@ -38,7 +38,7 @@ export interface CreateGrantCommandOutput extends CreateGrantResponse, __Metadat
  *             </li>
  *          </ul>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Yes.
  *       To perform this operation on a KMS key in a different Amazon Web Services account, specify the key

package/dist-types/commands/CreateKeyCommand.d.ts

@@ -8,53 +8,53 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
 }
 /**
  * <p>Creates a unique customer managed <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon Web Services account and
- *       Region.</p>
+ *       Region. </p>
+ *          <p>In addition to the required parameters, you can use the optional parameters to specify a key policy, description, tags, and other useful elements for any key type.</p>
  *          <note>
  *             <p>KMS is replacing the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.</p>
  *          </note>
  *
- *          <p>You can use the <code>CreateKey</code> operation to create symmetric or asymmetric KMS
- *       keys.</p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <b>Symmetric KMS keys</b> contain a 256-bit symmetric key
- *           that never leaves KMS unencrypted. To use the KMS key, you must call KMS. You can use
- *           a symmetric KMS key to encrypt and decrypt small amounts of data, but they are typically
- *           used to generate <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys">data keys</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs">data keys pairs</a>. For details,
- *           see <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>.</p>
- *             </li>
- *             <li>
- *                <p>
- *                   <b>Asymmetric KMS keys</b> can contain an RSA key pair or an
- *           Elliptic Curve (ECC) key pair. The private key in an asymmetric KMS key never leaves KMS
- *           unencrypted. However, you can use the <a>GetPublicKey</a> operation to download
- *           the public key so it can be used outside of KMS. KMS keys with RSA key pairs can be used
- *           to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with ECC
- *           key pairs can be used only to sign and verify messages.</p>
- *             </li>
- *          </ul>
- *          <p>For information about symmetric and asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using Symmetric and Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *
  *
  *          <p>To create different types of KMS keys, use the following guidance:</p>
  *
  *          <dl>
+ *             <dt>Symmetric encryption KMS key</dt>
+ *             <dd>
+ *                <p>To create a symmetric encryption KMS key, you aren't required to specify any parameters. The default value for
+ *             <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, and the default value for
+ *             <code>KeyUsage</code>, <code>ENCRYPT_DECRYPT</code>, create a symmetric encryption KMS key.</p>
+ *                <p>If you need a key for basic encryption and decryption or you
+ *             are creating a KMS key to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but they are typically used to generate data keys and data keys pairs. For details, see <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>.</p>
+ *                <p> </p>
+ *             </dd>
  *             <dt>Asymmetric KMS keys</dt>
  *             <dd>
  *                <p>To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify
  *             the type of key material in the KMS key. Then, use the <code>KeyUsage</code> parameter
  *             to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
  *             You can't change these properties after the KMS key is created.</p>
+ *                <p>Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric
+ *             KMS key never leaves AWS KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
+ *             so it can be used outside of AWS KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
+ *             KMS keys with ECC key pairs can be used only to sign and verify messages.
+ *             For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
- *             <dt>Symmetric KMS keys</dt>
+ *             <dt>HMAC KMS key</dt>
  *             <dd>
- *                <p>When creating a symmetric KMS key, you don't need to specify the
- *               <code>KeySpec</code> or <code>KeyUsage</code> parameters. The default value for
- *               <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, and the default value for
- *               <code>KeyUsage</code>, <code>ENCRYPT_DECRYPT</code>, are the only valid values for
- *             symmetric KMS keys. </p>
+ *                <p>To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a
+ *           key spec value for HMAC KMS keys. Then set the <code>KeyUsage</code> parameter to
+ *           <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though
+ *           <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys.
+ *           You can't change these properties after the KMS key is created.</p>
+ *                <p>HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use
+ *             HMAC keys to generate (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes.</p>
+ *                <p>HMAC KMS keys are not supported in all Amazon Web Services Regions. If you try to create an HMAC
+ *             KMS key in an Amazon Web Services Region in which HMAC keys are not supported, the
+ *               <code>CreateKey</code> operation returns an
+ *             <code>UnsupportedOperationException</code>. For a list of Regions in which HMAC KMS keys
+ *             are supported, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in
+ *               KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
  *             <dt>Multi-Region primary keys</dt>
@@ -66,38 +66,42 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *             and key material as a primary key, but in a different Amazon Web Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its
  *             primary key to a replica key, use the <a>UpdatePrimaryRegion</a>
  *             operation.</p>
+ *                <p>You can create multi-Region KMS keys for all supported KMS key types: symmetric
+ *             encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric
+ *             signing KMS keys. You can also create multi-Region keys with imported key material.
+ *             However, you can't create multi-Region keys in a custom key store.</p>
  *                <p>This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple
  *       interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key
  *       material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt
- *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Using multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *                <p>You can create symmetric and asymmetric multi-Region keys and multi-Region keys with
- *             imported key material. You cannot create multi-Region keys in a custom key store.</p>
+ *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
  *             <dd>
- *                <p>To import your own key material, begin by creating a symmetric KMS key with no key
+ *                <p>To import your own key material, begin by creating a symmetric encryption KMS key with no key
  *             material. To do this, use the <code>Origin</code> parameter of <code>CreateKey</code>
  *             with a value of <code>EXTERNAL</code>. Next, use <a>GetParametersForImport</a> operation to get a public key and import token, and use the public key to encrypt
  *             your key material. Then, use <a>ImportKeyMaterial</a> with your import token
  *             to import the key material. For step-by-step instructions, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
  *                      <i>Key Management Service Developer Guide</i>
- *                   </i>. You
- *             cannot import the key material into an asymmetric KMS key.</p>
+ *                   </i>.</p>
+ *                <p>This feature supports only symmetric encryption KMS keys, including multi-Region symmetric encryption KMS keys. You cannot import key
+ *             material into any other type of KMS key.</p>
  *                <p>To create a multi-Region primary key with imported key material, use the
  *               <code>Origin</code> parameter of <code>CreateKey</code> with a value of
  *               <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a value of
- *               <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> operation. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Using multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *               <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> operation. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
  *             <dt>Custom key store</dt>
  *             <dd>
- *                <p>To create a symmetric KMS key in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>, use the
+ *                <p>To create a symmetric encryption KMS key in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>, use the
  *               <code>CustomKeyStoreId</code> parameter to specify the custom key store. You must also
  *             use the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The
  *             CloudHSM cluster that is associated with the custom key store must have at least two active
  *             HSMs in different Availability Zones in the Amazon Web Services Region. </p>
- *                <p>You cannot create an asymmetric KMS key in a custom key store. For information about
- *             custom key stores in KMS see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Using Custom Key Stores</a> in
+ *                <p>Custom key stores support only symmetric encryption KMS keys. You cannot create an
+ *             HMAC KMS key or an asymmetric KMS key in a custom key store. For information about
+ *             custom key stores in KMS see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">Custom key stores in KMS</a> in
  *             the <i>
  *                      <i>Key Management Service Developer Guide</i>
  *                   </i>.</p>

package/dist-types/commands/DecryptCommand.d.ts

@@ -36,15 +36,15 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *                </p>
  *             </li>
  *          </ul>
- *          <p>You can use this operation to decrypt ciphertext that was encrypted under a symmetric or
- *       asymmetric KMS key. When the KMS key is asymmetric, you must specify the KMS key and the
- *       encryption algorithm that was used to encrypt the ciphertext. For information about symmetric and asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Using Symmetric and Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>The Decrypt operation also decrypts ciphertext that was encrypted outside of KMS by the
- *       public key in an KMS asymmetric KMS key. However, it cannot decrypt ciphertext produced by
+ *          <p>You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an
+ *       asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the
+ *       encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the
+ *       public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by
  *       other libraries, such as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services
  *         Encryption SDK</a> or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side encryption</a>.
  *       These libraries return a ciphertext format that is incompatible with KMS.</p>
- *          <p>If the ciphertext was encrypted under a symmetric KMS key, the <code>KeyId</code>
+ *          <p>If the ciphertext was encrypted under a symmetric encryption KMS key, the <code>KeyId</code>
  *       parameter is optional. KMS can get this information from metadata that it adds to the
  *       symmetric ciphertext blob. This feature adds durability to your implementation by ensuring
  *       that authorized users can decrypt ciphertext decades after it was encrypted, even if they've
@@ -63,7 +63,7 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *         policies</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify

package/dist-types/commands/DeleteAliasCommand.d.ts

@@ -9,7 +9,7 @@ export interface DeleteAliasCommandOutput extends __MetadataBearer {
 /**
  * <p>Deletes the specified alias. </p>
  *          <note>
- *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">Using ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *             <p>Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>
  *          <p>Because an alias is not a property of a KMS key, you can delete and change the aliases of
  *       a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the

package/dist-types/commands/DeleteImportedKeyMaterialCommand.d.ts

@@ -16,7 +16,7 @@ export interface DeleteImportedKeyMaterialCommandOutput extends __MetadataBearer
  *          <p>After you delete key material, you can use <a>ImportKeyMaterial</a> to reimport
  *       the same key material into the KMS key.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
  *

package/dist-types/commands/DescribeKeyCommand.d.ts

@@ -12,10 +12,7 @@ export interface DescribeKeyCommandOutput extends DescribeKeyResponse, __Metadat
  *         key</a> or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed key</a>.</p>
  *          <p>This detailed information includes the key ARN, creation date (and deletion date, if
  *       applicable), the key state, and the origin and expiration date (if any) of the key material.
- *       It includes fields, like <code>KeySpec</code>, that help you distinguish symmetric from
- *       asymmetric KMS keys. It also provides information that is particularly important to asymmetric
- *       keys, such as the key usage (encryption or signing) and the encryption algorithms or signing
- *       algorithms that the KMS key supports. For KMS keys in custom key stores, it includes
+ *       It includes fields, like <code>KeySpec</code>, that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or generating and verifying MACs) and the algorithms that the KMS key supports. For KMS keys in custom key stores, it includes
  *       information about the custom key store, such as the key store ID and the CloudHSM cluster ID. For
  *       multi-Region keys, it displays the primary key and all related replica keys. </p>
  *          <p>
@@ -37,10 +34,11 @@ export interface DescribeKeyCommandOutput extends DescribeKeyResponse, __Metadat
  *                <p>Key policies and grants on the KMS key. To get this information, use <a>GetKeyPolicy</a> and <a>ListGrants</a>.</p>
  *             </li>
  *          </ul>
- *          <p>If you call the <code>DescribeKey</code> operation on a <i>predefined Amazon Web Services
- *         alias</i>, that is, an Amazon Web Services alias with no key ID, KMS creates an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed
- *         key</a>. Then, it associates the alias with the new KMS key, and returns the
- *         <code>KeyId</code> and <code>Arn</code> of the new KMS key in the response.</p>
+ *          <p>In general, <code>DescribeKey</code> is a non-mutating operation. It returns data about
+ *       KMS keys, but doesn't change them. However, Amazon Web Services services use <code>DescribeKey</code> to
+ *       create <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services
+ *         managed keys</a> from a <i>predefined Amazon Web Services alias</i> with no key
+ *       ID.</p>
  *          <p>
  *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
  *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>

package/dist-types/commands/DisableKeyCommand.d.ts

@@ -9,12 +9,11 @@ export interface DisableKeyCommandOutput extends __MetadataBearer {
 /**
  * <p>Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS
  *       key for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a>. </p>
- *          <p>For more information about how key state affects the use of a KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS
- *         key</a> in the <i>
+ *          <p>For more information about how key state affects the use of a KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *         <p>
  *             <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
  *

package/dist-types/commands/DisableKeyRotationCommand.d.ts

@@ -8,10 +8,10 @@ export interface DisableKeyRotationCommandOutput extends __MetadataBearer {
 }
 /**
  * <p>Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic
- *         rotation of the key material</a> for the specified symmetric KMS key.</p>
- *          <p> You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key">multi-Region keys</a>, set the property on the primary key. </p>
+ *         rotation of the key material</a> for the specified symmetric encryption KMS key.</p>
+ *          <p> You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>

package/dist-types/commands/EnableKeyCommand.d.ts

@@ -10,7 +10,7 @@ export interface EnableKeyCommandOutput extends __MetadataBearer {
  * <p>Sets the key state of a KMS key to enabled. This allows you to use the KMS key for
  *       <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a>. </p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *       use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>

package/dist-types/commands/EnableKeyRotationCommand.d.ts

@@ -8,10 +8,10 @@ export interface EnableKeyRotationCommandOutput extends __MetadataBearer {
 }
 /**
  * <p>Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation
- *         of the key material</a> for the specified symmetric KMS key.</p>
- *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key">multi-Region keys</a>, set the property on the primary key.</p>
+ *         of the key material</a> for the specified symmetric encryption KMS key.</p>
+ *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>

package/dist-types/commands/EncryptCommand.d.ts

@@ -7,31 +7,13 @@ export interface EncryptCommandInput extends EncryptRequest {
 export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer {
 }
 /**
- * <p>Encrypts plaintext into ciphertext by using a KMS key. The <code>Encrypt</code> operation
- *       has two primary use cases:</p>
- *          <ul>
- *             <li>
- *                <p>You can encrypt small amounts of arbitrary data, such as a personal identifier or
- *           database password, or other sensitive information. </p>
- *             </li>
- *             <li>
- *                <p>You can use the <code>Encrypt</code> operation to move encrypted data from one Amazon Web Services
- *           Region to another. For example, in Region A, generate a data key and use the plaintext key
- *           to encrypt your data. Then, in Region A, use the <code>Encrypt</code> operation to encrypt
- *           the plaintext data key under a KMS key in Region B. Now, you can move the encrypted data
- *           and the encrypted data key to Region B. When necessary, you can decrypt the encrypted data
- *           key and the encrypted data entirely within in Region B.</p>
- *             </li>
- *          </ul>
- *
- *          <p>You don't need to use the <code>Encrypt</code> operation to encrypt a data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a
+ * <p>Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or
+ *       asymmetric KMS key with a <code>KeyUsage</code> of <code>ENCRYPT_DECRYPT</code>.</p>
+ *          <p>You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or
+ *           database password, or other sensitive information. You don't need to use the <code>Encrypt</code> operation to encrypt a data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a
  *       plaintext data key and an encrypted copy of that data key.</p>
  *
- *          <p>When you encrypt data, you must specify a symmetric or asymmetric KMS key to use in the
- *       encryption operation. The KMS key must have a <code>KeyUsage</code> value of
- *         <code>ENCRYPT_DECRYPT.</code> To find the <code>KeyUsage</code> of a KMS key, use the <a>DescribeKey</a> operation. </p>
- *
- *          <p>If you use a symmetric KMS key, you can use an encryption context to add additional
+ *          <p>If you use a symmetric encryption KMS key, you can use an encryption context to add additional
  *       security to your encryption operation. If you specify an <code>EncryptionContext</code> when
  *       encrypting data, you must specify the same encryption context (a case-sensitive exact match)
  *       when decrypting the data. Otherwise, the request to decrypt fails with an
@@ -41,7 +23,7 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  *       algorithm must be compatible with the KMS key type.</p>
  *          <important>
  *             <p>When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.</p>
- *             <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
+ *             <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
  *          </important>
  *
  *
@@ -49,7 +31,7 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  *       encryption algorithm that you choose.</p>
  *          <ul>
  *             <li>
- *                <p>Symmetric KMS keys</p>
+ *                <p>Symmetric encryption KMS keys</p>
  *                <ul>
  *                   <li>
  *                      <p>
@@ -104,7 +86,7 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
  *             </li>
  *          </ul>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Yes.
  *       To perform this operation with a KMS key in a different Amazon Web Services account, specify

package/dist-types/commands/GenerateDataKeyCommand.d.ts

@@ -7,33 +7,31 @@ export interface GenerateDataKeyCommandInput extends GenerateDataKeyRequest {
 export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, __MetadataBearer {
 }
 /**
- * <p>Generates a unique symmetric data key for client-side encryption. This operation returns a
- *       plaintext copy of the data key and a copy that is encrypted under a KMS key that you specify.
- *       You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
- *       data key with the encrypted data.</p>
+ * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
+ *       plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
+ *       key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS
+ *       key. You can use the plaintext key to encrypt your data outside of KMS and store the
+ *       encrypted data key with the encrypted data.</p>
  *
- *          <p>
- *             <code>GenerateDataKey</code> returns a unique data key for each request. The bytes in the
- *       plaintext key are not related to the caller or the KMS key.</p>
- *
- *          <p>To generate a data key, specify the symmetric KMS key that will be used to encrypt the
- *       data key. You cannot use an asymmetric KMS key to generate data keys. To get the type of your
- *       KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
- *       the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
- *       (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
+ *          <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
+ *       encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
+ *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify
+ *       the length of the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code>
+ *       parameters (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code>
+ *       parameter. </p>
  *
  *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
  *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
  *       random byte string, use <a>GenerateRandom</a>.</p>
  *
- *          <p>You can use the optional encryption context to add additional security to the encryption
+ *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
  *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>How to use your data
  *         key</b>

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts

@@ -7,19 +7,20 @@ export interface GenerateDataKeyPairCommandInput extends GenerateDataKeyPairRequ
 export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairResponse, __MetadataBearer {
 }
 /**
- * <p>Generates a unique asymmetric data key pair. The <code>GenerateDataKeyPair</code>
- *       operation returns a plaintext public key, a plaintext private key, and a copy of the private
- *       key that is encrypted under the symmetric KMS key you specify. You can use the data key pair
- *       to perform asymmetric cryptography and implement digital signatures outside of KMS.</p>
+ * <p>Returns a unique asymmetric data key pair for use outside of KMS. This operation returns
+ *       a plaintext public key, a plaintext private key, and a copy of the private key that is
+ *       encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to
+ *       perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes
+ *       in the keys are random; they not related to the caller or to the KMS key that is used to encrypt the
+ *       private key. </p>
  *
  *          <p>You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data
  *       or verify a signature outside of KMS. Then, store the encrypted private key with the data.
  *       When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
  *
- *          <p>To generate a data key pair, you must specify a symmetric KMS key to encrypt the private
- *       key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key
- *       store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
- *       operation. </p>
+ *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
+ *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
+ *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
  *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
  *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
@@ -35,18 +36,18 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *
  *          <p>
  *             <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The
- *       bytes in the keys are not related to the caller or the KMS key that is used to encrypt the
+ *       bytes in the keys are random; they are not related to the caller or the KMS key that is used to encrypt the
  *       private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in
  *         <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>. The private key is a
  *       DER-encoded PKCS8 PrivateKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>.</p>
  *
- *          <p>You can use the optional encryption context to add additional security to the encryption
+ *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
  *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
  *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account
  *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify