@aws-sdk/client-kms 3.85.0 → 3.93.0

package/CHANGELOG.md

@@ -3,6 +3,30 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [3.93.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.92.0...v3.93.0) (2022-05-17)
+
+**Note:** Version bump only for package @aws-sdk/client-kms
+
+
+
+
+
+# [3.92.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.91.0...v3.92.0) (2022-05-16)
+
+**Note:** Version bump only for package @aws-sdk/client-kms
+
+
+
+
+
+# [3.87.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.86.0...v3.87.0) (2022-05-09)
+
+**Note:** Version bump only for package @aws-sdk/client-kms
+
+
+
+
+
 # [3.85.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.84.0...v3.85.0) (2022-05-05)
 
 

package/README.md

@@ -30,7 +30,8 @@ Services</a>.</p>
 <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
 Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
 available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
-<p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
+<p>All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS).
+KMS recommends you always use the latest supported TLS version. Clients
 must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
 Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
 such as Java 7 and later support these modes.</p>

package/dist-types/KMS.d.ts

@@ -71,7 +71,8 @@ import { KMSClient } from "./KMSClient";
  *          <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
  *       Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
  *       available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
- *          <p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
+ *          <p>All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS).
+ *       KMS recommends you always use the latest supported TLS version. Clients
  *       must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
  *       Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
  *       such as Java 7 and later support these modes.</p>
@@ -420,13 +421,12 @@ export declare class KMS extends KMSClient {
     createGrant(args: CreateGrantCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: CreateGrantCommandOutput) => void): void;
     /**
      * <p>Creates a unique customer managed <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon Web Services account and
-     *       Region. </p>
+     *       Region.</p>
      *          <p>In addition to the required parameters, you can use the optional parameters to specify a key policy, description, tags, and other useful elements for any key type.</p>
      *          <note>
      *             <p>KMS is replacing the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.</p>
      *          </note>
      *
-     *
      *          <p>To create different types of KMS keys, use the following guidance:</p>
      *
      *          <dl>
@@ -446,8 +446,8 @@ export declare class KMS extends KMSClient {
      *             to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
      *             You can't change these properties after the KMS key is created.</p>
      *                <p>Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric
-     *             KMS key never leaves AWS KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
-     *             so it can be used outside of AWS KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
+     *             KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
+     *             so it can be used outside of KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
      *             KMS keys with ECC key pairs can be used only to sign and verify messages.
      *             For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *                <p> </p>
@@ -586,7 +586,7 @@ export declare class KMS extends KMSClient {
      *       asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the
      *       encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the
-     *       public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by
+     *       public key in an KMS asymmetric KMS key. However, it cannot decrypt ciphertext produced by
      *       other libraries, such as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services
      *         Encryption SDK</a> or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side encryption</a>.
      *       These libraries return a ciphertext format that is incompatible with KMS.</p>
@@ -958,8 +958,18 @@ export declare class KMS extends KMSClient {
     disableKey(args: DisableKeyCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: DisableKeyCommandOutput) => void): void;
     /**
      * <p>Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic
-     *         rotation of the key material</a> for the specified symmetric encryption KMS key.</p>
-     *          <p> You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+     *         rotation of the key material</a> of the specified symmetric encryption KMS key.</p>
+     *          <p>Automatic key rotation is supported only on symmetric encryption KMS keys.
+     *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the
+     *       key material in <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>. Key material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+     *       configurable. KMS always rotates the key material for every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+     *         keys</a> varies.</p>
+     *          <note>
+     *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every
+     *         three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>
@@ -1065,8 +1075,26 @@ export declare class KMS extends KMSClient {
     enableKey(args: EnableKeyCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: EnableKeyCommandOutput) => void): void;
     /**
      * <p>Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation
-     *         of the key material</a> for the specified symmetric encryption KMS key.</p>
-     *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     *         of the key material</a> of the specified symmetric encryption KMS key. </p>
+     *          <p>When you enable automatic rotation of a<a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS key</a>, KMS
+     *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+     *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+     *       CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer
+     *       managed KMS key, use the <a>DisableKeyRotation</a> operation.</p>
+     *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+     *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+     *          <p>You cannot enable or disable automatic rotation <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a>. KMS
+     *       always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+     *         keys</a> varies.</p>
+     *          <note>
+     *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three
+     *         years (approximately 1,095 days) to every year (approximately 365 days).</p>
+     *             <p>New Amazon Web Services managed keys are automatically rotated one year after they
+     *         are created, and approximately every year thereafter. </p>
+     *             <p>Existing Amazon Web Services managed keys are automatically rotated one year after
+     *         their most recent rotation, and every year thereafter.</p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>
@@ -1210,15 +1238,14 @@ export declare class KMS extends KMSClient {
      * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
      *       plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
      *       key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS
-     *       key. You can use the plaintext key to encrypt your data outside of KMS and store the
-     *       encrypted data key with the encrypted data.</p>
+     *       key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
+     *       data key with the encrypted data.</p>
      *
      *          <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
      *       encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
-     *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify
-     *       the length of the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code>
-     *       parameters (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code>
-     *       parameter. </p>
+     *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
+     *       the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
+     *       (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
      *
      *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
      *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
@@ -1321,7 +1348,8 @@ export declare class KMS extends KMSClient {
      *
      *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
      *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
-     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+     *       operation. </p>
      *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
      *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
      *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
@@ -1401,7 +1429,8 @@ export declare class KMS extends KMSClient {
      *       with the data. When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
      *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
      *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
-     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+     *       operation. </p>
      *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
      *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
      *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
@@ -1470,19 +1499,21 @@ export declare class KMS extends KMSClient {
      *       data key. </p>
      *          <p>This operation is useful for systems that need to encrypt data at some point, but not
      *       immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
-     *       operation on the encrypted copy of the key. It's also useful in distributed systems with
-     *       different levels of trust. For example, you might store encrypted data in containers. One
-     *       component of your system creates new containers and stores an encrypted data key with each
-     *       container. Then, a different component puts the data into the containers. That component first
-     *       decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data
-     *       into the container, and then destroys the plaintext data key. In this system, the component
-     *       that creates the containers never sees the plaintext data key.</p>
+     *       operation on the encrypted copy of the key.</p>
+     *          <p>It's also useful in distributed systems with different levels of trust. For example, you
+     *       might store encrypted data in containers. One component of your system creates new containers
+     *       and stores an encrypted data key with each container. Then, a different component puts the
+     *       data into the containers. That component first decrypts the data key, uses the plaintext data
+     *       key to encrypt data, puts the encrypted data into the container, and then destroys the
+     *       plaintext data key. In this system, the component that creates the containers never sees the
+     *       plaintext data key.</p>
      *          <p>To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or
      *         <a>GenerateDataKeyPairWithoutPlaintext</a> operations.</p>
      *
      *          <p>To generate a data key, you must specify the symmetric encryption KMS key that is used to
      *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the
      *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
+     *
      *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
      *         <code>CiphertextBlob</code> field.</p>
      *
@@ -1546,6 +1577,13 @@ export declare class KMS extends KMSClient {
      *       For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>
      *                <i>Key Management Service Developer Guide</i>
      *             </i>.</p>
+     *          <note>
+     *             <p>Best practices recommend that you limit the time during which any signing mechanism,
+     *         including an HMAC, is effective. This deters an attack where the actor uses a signed
+     *         message to establish validity repeatedly or long after the message is superseded. HMAC
+     *         tags do not include a timestamp, but you can include a timestamp in the token or message
+     *         to help you detect when its time to refresh the HMAC. </p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>
@@ -1593,19 +1631,35 @@ export declare class KMS extends KMSClient {
     /**
      * <p>Gets a Boolean value that indicates whether <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key material</a> is
      *       enabled for the specified KMS key.</p>
-     *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. The key rotation status for these KMS keys is always
-     *       <code>false</code>.</p>
+     *          <p>When you enable automatic rotation for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>, KMS
+     *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+     *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+     *       CloudTrail and Amazon CloudWatch.</p>
+     *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+     *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key..</p>
+     *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key material in customer managed KMS keys. Key
+     *       material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+     *       configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The
+     *       key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>.</p>
+     *          <note>
+     *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <ul>
      *             <li>
      *                <p>Disabled: The key rotation status does not change when you disable a KMS key. However,
-     *           while the KMS key is disabled, KMS does not rotate the key material.</p>
+     *           while the KMS key is disabled, KMS does not rotate the key material. When you re-enable
+     *           the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been
+     *           rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been
+     *           less than a year since the key material in the re-enabled KMS key was rotated, the KMS key
+     *           resumes its prior rotation schedule.</p>
      *             </li>
      *             <li>
      *                <p>Pending deletion: While a KMS key is pending deletion, its key rotation status is
      *             <code>false</code> and KMS does not rotate the key material. If you cancel the
-     *           deletion, the original key rotation status is restored.</p>
+     *           deletion, the original key rotation status returns to <code>true</code>.</p>
      *             </li>
      *          </ul>
      *          <p>
@@ -1635,8 +1689,8 @@ export declare class KMS extends KMSClient {
     getKeyRotationStatus(args: GetKeyRotationStatusCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetKeyRotationStatusCommandOutput) => void): void;
     /**
      * <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
-     *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
-     *       <i>Key Management Service Developer Guide</i>.</p>
+     *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>
+     *       in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>This operation returns a public key and an import token. Use the public key to encrypt the
      *       symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
      *          <p>You must specify the key ID of the symmetric encryption KMS key into which you will import
@@ -1728,11 +1782,12 @@ export declare class KMS extends KMSClient {
     /**
      * <p>Imports key material into an existing symmetric encryption KMS key that was created
      *       without key material. After you successfully import key material into a KMS key, you can
-     *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the same key material</a> into that KMS key, but you cannot import different
-     *       key material. </p>
-     *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about
-     *       creating KMS keys with no key material and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
-     *       in the <i>Key Management Service Developer Guide</i>.</p>
+     *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
+     *         the same key material</a> into that KMS key, but you cannot import different key
+     *       material. </p>
+     *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about creating KMS keys with no key material
+     *       and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
+     *       <i>Key Management Service Developer Guide</i>.</p>
      *          <p>Before using this operation, call <a>GetParametersForImport</a>. Its response
      *       includes a public key and an import token. Use the public key to encrypt the key material.
      *       Then, submit the import token from the same <code>GetParametersForImport</code>
@@ -2418,8 +2473,8 @@ export declare class KMS extends KMSClient {
     /**
      * <p>Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital
      *         signature</a> for a message or message digest by using the private key in an asymmetric
-     *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use
-     *       the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use the
+     *       public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>Digital signatures are generated and verified by using asymmetric key pair, such as an RSA
      *       or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized
      *       user) uses their private key to sign a message. Anyone with the public key can verify that the
@@ -2448,6 +2503,11 @@ export declare class KMS extends KMSClient {
      *             <p>When signing a message, be sure to record the KMS key and the signing algorithm. This
      *         information is required to verify the signature.</p>
      *          </important>
+     *          <note>
+     *             <p>Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed
+     *         message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message
+     *         to help you detect when its time to refresh the signature. </p>
+     *          </note>
      *          <p>To verify the signature that this operation generates, use the <a>Verify</a>
      *       operation. Or use the <a>GetPublicKey</a> operation to download the public key and
      *       then use the public key to verify the signature outside of KMS. </p>

package/dist-types/KMSClient.d.ts

@@ -196,7 +196,8 @@ export interface KMSClientResolvedConfig extends KMSClientResolvedConfigType {
  *          <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
  *       Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
  *       available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
- *          <p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
+ *          <p>All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS).
+ *       KMS recommends you always use the latest supported TLS version. Clients
  *       must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
  *       Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
  *       such as Java 7 and later support these modes.</p>

package/dist-types/commands/CreateKeyCommand.d.ts

@@ -8,13 +8,12 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
 }
 /**
  * <p>Creates a unique customer managed <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon Web Services account and
- *       Region. </p>
+ *       Region.</p>
  *          <p>In addition to the required parameters, you can use the optional parameters to specify a key policy, description, tags, and other useful elements for any key type.</p>
  *          <note>
  *             <p>KMS is replacing the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.</p>
  *          </note>
  *
- *
  *          <p>To create different types of KMS keys, use the following guidance:</p>
  *
  *          <dl>
@@ -34,8 +33,8 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *             to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
  *             You can't change these properties after the KMS key is created.</p>
  *                <p>Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric
- *             KMS key never leaves AWS KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
- *             so it can be used outside of AWS KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
+ *             KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
+ *             so it can be used outside of KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
  *             KMS keys with ECC key pairs can be used only to sign and verify messages.
  *             For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>

package/dist-types/commands/DecryptCommand.d.ts

@@ -40,7 +40,7 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *       asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the
  *       encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the
- *       public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by
+ *       public key in an KMS asymmetric KMS key. However, it cannot decrypt ciphertext produced by
  *       other libraries, such as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services
  *         Encryption SDK</a> or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side encryption</a>.
  *       These libraries return a ciphertext format that is incompatible with KMS.</p>

package/dist-types/commands/DisableKeyRotationCommand.d.ts

@@ -8,8 +8,18 @@ export interface DisableKeyRotationCommandOutput extends __MetadataBearer {
 }
 /**
  * <p>Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic
- *         rotation of the key material</a> for the specified symmetric encryption KMS key.</p>
- *          <p> You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+ *         rotation of the key material</a> of the specified symmetric encryption KMS key.</p>
+ *          <p>Automatic key rotation is supported only on symmetric encryption KMS keys.
+ *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+ * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+ *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the
+ *       key material in <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>. Key material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+ *       configurable. KMS always rotates the key material for every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+ *         keys</a> varies.</p>
+ *          <note>
+ *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every
+ *         three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/EnableKeyRotationCommand.d.ts

@@ -8,8 +8,26 @@ export interface EnableKeyRotationCommandOutput extends __MetadataBearer {
 }
 /**
  * <p>Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation
- *         of the key material</a> for the specified symmetric encryption KMS key.</p>
- *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+ *         of the key material</a> of the specified symmetric encryption KMS key. </p>
+ *          <p>When you enable automatic rotation of a<a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS key</a>, KMS
+ *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+ *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+ *       CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer
+ *       managed KMS key, use the <a>DisableKeyRotation</a> operation.</p>
+ *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+ *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+ * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+ *          <p>You cannot enable or disable automatic rotation <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a>. KMS
+ *       always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+ *         keys</a> varies.</p>
+ *          <note>
+ *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three
+ *         years (approximately 1,095 days) to every year (approximately 365 days).</p>
+ *             <p>New Amazon Web Services managed keys are automatically rotated one year after they
+ *         are created, and approximately every year thereafter. </p>
+ *             <p>Existing Amazon Web Services managed keys are automatically rotated one year after
+ *         their most recent rotation, and every year thereafter.</p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/GenerateDataKeyCommand.d.ts

@@ -10,15 +10,14 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
  *       plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
  *       key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS
- *       key. You can use the plaintext key to encrypt your data outside of KMS and store the
- *       encrypted data key with the encrypted data.</p>
+ *       key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
+ *       data key with the encrypted data.</p>
  *
  *          <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
  *       encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
- *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify
- *       the length of the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code>
- *       parameters (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code>
- *       parameter. </p>
+ *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
+ *       the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
+ *       (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
  *
  *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
  *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts

@@ -20,7 +20,8 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *
  *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
  *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
- *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+ *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+ *       operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
  *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
  *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on

package/dist-types/commands/GenerateDataKeyPairWithoutPlaintextCommand.d.ts

@@ -17,7 +17,8 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  *       with the data. When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
  *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
  *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
- *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+ *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+ *       operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
  *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
  *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on

package/dist-types/commands/GenerateDataKeyWithoutPlaintextCommand.d.ts

@@ -15,19 +15,21 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  *       data key. </p>
  *          <p>This operation is useful for systems that need to encrypt data at some point, but not
  *       immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
- *       operation on the encrypted copy of the key. It's also useful in distributed systems with
- *       different levels of trust. For example, you might store encrypted data in containers. One
- *       component of your system creates new containers and stores an encrypted data key with each
- *       container. Then, a different component puts the data into the containers. That component first
- *       decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data
- *       into the container, and then destroys the plaintext data key. In this system, the component
- *       that creates the containers never sees the plaintext data key.</p>
+ *       operation on the encrypted copy of the key.</p>
+ *          <p>It's also useful in distributed systems with different levels of trust. For example, you
+ *       might store encrypted data in containers. One component of your system creates new containers
+ *       and stores an encrypted data key with each container. Then, a different component puts the
+ *       data into the containers. That component first decrypts the data key, uses the plaintext data
+ *       key to encrypt data, puts the encrypted data into the container, and then destroys the
+ *       plaintext data key. In this system, the component that creates the containers never sees the
+ *       plaintext data key.</p>
  *          <p>To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or
  *         <a>GenerateDataKeyPairWithoutPlaintext</a> operations.</p>
  *
  *          <p>To generate a data key, you must specify the symmetric encryption KMS key that is used to
  *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the
  *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
+ *
  *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
  *         <code>CiphertextBlob</code> field.</p>
  *

package/dist-types/commands/GenerateMacCommand.d.ts

@@ -17,6 +17,13 @@ export interface GenerateMacCommandOutput extends GenerateMacResponse, __Metadat
  *       For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>.</p>
+ *          <note>
+ *             <p>Best practices recommend that you limit the time during which any signing mechanism,
+ *         including an HMAC, is effective. This deters an attack where the actor uses a signed
+ *         message to establish validity repeatedly or long after the message is superseded. HMAC
+ *         tags do not include a timestamp, but you can include a timestamp in the token or message
+ *         to help you detect when its time to refresh the HMAC. </p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/GetKeyRotationStatusCommand.d.ts

@@ -9,19 +9,35 @@ export interface GetKeyRotationStatusCommandOutput extends GetKeyRotationStatusR
 /**
  * <p>Gets a Boolean value that indicates whether <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key material</a> is
  *       enabled for the specified KMS key.</p>
- *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. The key rotation status for these KMS keys is always
- *       <code>false</code>.</p>
+ *          <p>When you enable automatic rotation for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>, KMS
+ *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+ *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+ *       CloudTrail and Amazon CloudWatch.</p>
+ *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+ *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+ * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key..</p>
+ *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key material in customer managed KMS keys. Key
+ *       material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+ *       configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The
+ *       key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>.</p>
+ *          <note>
+ *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <ul>
  *             <li>
  *                <p>Disabled: The key rotation status does not change when you disable a KMS key. However,
- *           while the KMS key is disabled, KMS does not rotate the key material.</p>
+ *           while the KMS key is disabled, KMS does not rotate the key material. When you re-enable
+ *           the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been
+ *           rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been
+ *           less than a year since the key material in the re-enabled KMS key was rotated, the KMS key
+ *           resumes its prior rotation schedule.</p>
  *             </li>
  *             <li>
  *                <p>Pending deletion: While a KMS key is pending deletion, its key rotation status is
  *             <code>false</code> and KMS does not rotate the key material. If you cancel the
- *           deletion, the original key rotation status is restored.</p>
+ *           deletion, the original key rotation status returns to <code>true</code>.</p>
  *             </li>
  *          </ul>
  *          <p>

package/dist-types/commands/GetParametersForImportCommand.d.ts

@@ -8,8 +8,8 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
 }
 /**
  * <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
- *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
+ *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>
+ *       in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>This operation returns a public key and an import token. Use the public key to encrypt the
  *       symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
  *          <p>You must specify the key ID of the symmetric encryption KMS key into which you will import

package/dist-types/commands/ImportKeyMaterialCommand.d.ts

@@ -9,11 +9,12 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
 /**
  * <p>Imports key material into an existing symmetric encryption KMS key that was created
  *       without key material. After you successfully import key material into a KMS key, you can
- *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the same key material</a> into that KMS key, but you cannot import different
- *       key material. </p>
- *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about
- *       creating KMS keys with no key material and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
- *       in the <i>Key Management Service Developer Guide</i>.</p>
+ *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
+ *         the same key material</a> into that KMS key, but you cannot import different key
+ *       material. </p>
+ *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about creating KMS keys with no key material
+ *       and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Before using this operation, call <a>GetParametersForImport</a>. Its response
  *       includes a public key and an import token. Use the public key to encrypt the key material.
  *       Then, submit the import token from the same <code>GetParametersForImport</code>

package/dist-types/commands/SignCommand.d.ts

@@ -9,8 +9,8 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
 /**
  * <p>Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital
  *         signature</a> for a message or message digest by using the private key in an asymmetric
- *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use
- *       the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use the
+ *       public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Digital signatures are generated and verified by using asymmetric key pair, such as an RSA
  *       or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized
  *       user) uses their private key to sign a message. Anyone with the public key can verify that the
@@ -39,6 +39,11 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
  *             <p>When signing a message, be sure to record the KMS key and the signing algorithm. This
  *         information is required to verify the signature.</p>
  *          </important>
+ *          <note>
+ *             <p>Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed
+ *         message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message
+ *         to help you detect when its time to refresh the signature. </p>
+ *          </note>
  *          <p>To verify the signature that this operation generates, use the <a>Verify</a>
  *       operation. Or use the <a>GetPublicKey</a> operation to download the public key and
  *       then use the public key to verify the signature outside of KMS. </p>

package/dist-types/models/models_0.d.ts

@@ -584,10 +584,10 @@ export interface CreateGrantRequest {
     /**
      * <p>A list of operations that the grant permits. </p>
      *          <p>This list must include only operations that are permitted in a grant. Also, the operation
-     *       must be supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the <a>Sign</a> operation, or a grant for an asymmetric KMS key
-     *       that allows the <a>GenerateDataKey</a> operation. If you try, KMS returns a
-     *         <code>ValidationError</code> exception. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">Grant operations</a> in the
-     *       <i>Key Management Service Developer Guide</i>.</p>
+     *       must be supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the <a>Sign</a> operation, or a grant for an
+     *       asymmetric KMS key that allows the <a>GenerateDataKey</a> operation. If you try,
+     *       KMS returns a <code>ValidationError</code> exception. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">Grant
+     *         operations</a> in the <i>Key Management Service Developer Guide</i>.</p>
      */
     Operations: (GrantOperation | string)[] | undefined;
     /**
@@ -745,11 +745,13 @@ export declare namespace Tag {
 }
 export interface CreateKeyRequest {
     /**
-     * <p>The key policy to attach to the KMS key.</p>
+     * <p>The key policy to attach to the KMS key. If you do not specify a key policy, KMS attaches a default key policy to the KMS key.
+     *       For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default">Default key policy</a> in the
+     *       <i>Key Management Service Developer Guide</i>.</p>
      *          <p>If you provide a key policy, it must meet the following criteria:</p>
      *          <ul>
      *             <li>
-     *                <p>If you don't set <code>BypassPolicyLockoutSafetyCheck</code> to true, the key policy
+     *                <p>If you don't set <code>BypassPolicyLockoutSafetyCheck</code> to <code>True</code>, the key policy
      *           must allow the principal that is making the <code>CreateKey</code> request to make a
      *           subsequent <a>PutKeyPolicy</a> request on the KMS key. This reduces the risk
      *           that the KMS key becomes unmanageable. For more information, refer to the scenario in the
@@ -766,10 +768,23 @@ export interface CreateKeyRequest {
      *             Identity and Access Management User Guide</i>.</p>
      *             </li>
      *          </ul>
-     *          <p>If you do not provide a key policy, KMS attaches a default key policy to the KMS key.
-     *       For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default">Default Key Policy</a> in the
-     *       <i>Key Management Service Developer Guide</i>. </p>
-     *          <p>The key policy size quota is 32 kilobytes (32768 bytes).</p>
+     *
+     *          <p>A key policy document must conform to the following rules.</p>
+     *          <ul>
+     *             <li>
+     *                <p>Up to 32 kilobytes (32768 bytes)</p>
+     *             </li>
+     *             <li>
+     *                <p>Must be UTF-8 encoded</p>
+     *             </li>
+     *             <li>
+     *                <p>The only Unicode characters that are permitted in a key policy document are the horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.</p>
+     *             </li>
+     *             <li>
+     *                <p>The <code>Sid</code> element in a key policy statement can include spaces. (Spaces are
+     *             prohibited in the <code>Sid</code> element of an IAM policy document.)</p>
+     *             </li>
+     *          </ul>
      *          <p>For help writing and formatting a JSON policy document, see the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON Policy Reference</a> in the <i>
      *                <i>Identity and Access Management User Guide</i>
      *             </i>.</p>
@@ -784,7 +799,7 @@ export interface CreateKeyRequest {
     Description?: string;
     /**
      * <p>Determines the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a> for which you can use the KMS key. The default value is
-     *       <code>ENCRYPT_DECRYPT</code>. This parameter is optional when you are creating a symmetric
+     *         <code>ENCRYPT_DECRYPT</code>. This parameter is optional when you are creating a symmetric
      *       encryption KMS key; otherwise, it is required. You
      *       can't change the <code>KeyUsage</code> value after the KMS key is created.</p>
      *          <p>Select only one valid value.</p>
@@ -819,15 +834,14 @@ export interface CreateKeyRequest {
     /**
      * <p>Specifies the type of KMS key to create. The default value,
      *       <code>SYMMETRIC_DEFAULT</code>, creates a KMS key with a 256-bit symmetric key for encryption
-     *       and decryption. For help choosing a key spec for your KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose">Choosing a KMS key type</a> in
-     *       the <i>
+     *       and decryption. For help choosing a key spec for your KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose">Choosing a KMS key type</a> in the <i>
      *                <i>Key Management Service Developer Guide</i>
      *             </i>.</p>
      *          <p>The <code>KeySpec</code> determines whether the KMS key contains a symmetric key or an
-     *       asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't
-     *       change the <code>KeySpec</code> after the KMS key is created. To further restrict the
-     *       algorithms that can be used with the KMS key, use a condition key in its key policy or IAM
-     *       policy. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm">kms:EncryptionAlgorithm</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm">kms:MacAlgorithm</a> or <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm">kms:Signing Algorithm</a> in the <i>
+     *       asymmetric key pair. It also determines the cryptographic algorithms that the KMS key supports. You can't
+     *       change the <code>KeySpec</code> after the KMS key is created.
+     *       To further restrict the algorithms that can be used with the KMS key, use a condition key in
+     *       its key policy or IAM policy. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm">kms:EncryptionAlgorithm</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm">kms:MacAlgorithm</a> or <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm">kms:Signing Algorithm</a> in the <i>
      *                <i>Key Management Service Developer Guide</i>
      *             </i>.</p>
      *          <important>
@@ -993,8 +1007,8 @@ export interface CreateKeyRequest {
      *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>This value creates a <i>primary key</i>, not a replica. To create a
      *         <i>replica key</i>, use the <a>ReplicateKey</a> operation. </p>
-     *          <p>You can create a symmetric or asymmetric multi-Region key, and you can create a
-     *       multi-Region key with imported key material. However, you cannot create a multi-Region key in
+     *          <p>You can create a multi-Region version of a symmetric encryption KMS key, an HMAC KMS key, an asymmetric KMS key, or a
+     *       KMS key with imported key material. However, you cannot create a multi-Region key in
      *       a custom key store.</p>
      */
     MultiRegion?: boolean;
@@ -1490,10 +1504,8 @@ export interface DecryptRequest {
     GrantTokens?: string[];
     /**
      * <p>Specifies the KMS key that KMS uses to decrypt the ciphertext.</p>
-     *
      *          <p>Enter a key ID of the KMS
      *       key that was used to encrypt the ciphertext. If you identify a different KMS key, the <code>Decrypt</code> operation throws an <code>IncorrectKeyException</code>.</p>
-     *
      *          <p>This parameter is required only when the ciphertext was encrypted under an asymmetric KMS
      *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to
      *       the symmetric ciphertext blob. However, it is always recommended as a best practice. This
@@ -1560,8 +1572,8 @@ export declare namespace DecryptResponse {
 }
 /**
  * <p>The request was rejected because the specified KMS key cannot decrypt the data. The
- *       <code>KeyId</code> in a <code>Decrypt</code> request and the <code>SourceKeyId</code>
- *       in a <code>ReEncrypt</code> request must identify the same KMS key that was used to
+ *       <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code>
+ *       in a <a>ReEncrypt</a> request must identify the same KMS key that was used to
  *       encrypt the ciphertext.</p>
  */
 export declare class IncorrectKeyException extends __BaseException {
@@ -1604,8 +1616,8 @@ export declare class InvalidCiphertextException extends __BaseException {
  *         <code>KeyUsage</code> must be <code>ENCRYPT_DECRYPT</code>. For signing and verifying
  *       messages, the <code>KeyUsage</code> must be <code>SIGN_VERIFY</code>. For generating and
  *       verifying message authentication codes (MACs), the <code>KeyUsage</code> must be
- *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a KMS key, use the
- *         <a>DescribeKey</a> operation.</p>
+ *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of
+ *       a KMS key, use the <a>DescribeKey</a> operation.</p>
  *          <p>To find the encryption or signing algorithms supported for a particular KMS key, use the
  *         <a>DescribeKey</a> operation.</p>
  */
@@ -1916,7 +1928,9 @@ export declare namespace EnableKeyRequest {
 }
 export interface EnableKeyRotationRequest {
     /**
-     * <p>Identifies a symmetric encryption KMS key. You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     * <p>Identifies a symmetric encryption KMS key. You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     *
      *          <p>Specify the key ID or key ARN of the KMS key.</p>
      *          <p>For example:</p>
      *          <ul>
@@ -2229,7 +2243,8 @@ export interface GenerateDataKeyPairWithoutPlaintextRequest {
     /**
      * <p>Specifies the symmetric encryption KMS key that encrypts the private key in the data key
      *       pair. You cannot specify an asymmetric KMS key or a KMS key in a custom key store. To get the
-     *       type and origin of your KMS key, use the <a>DescribeKey</a> operation.</p>
+     *       type and origin of your KMS key, use the <a>DescribeKey</a> operation.
+     *     </p>
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
      *          <p>For example:</p>
      *          <ul>
@@ -2760,8 +2775,7 @@ export declare namespace GrantListEntry {
 export interface ImportKeyMaterialRequest {
     /**
      * <p>The identifier of the symmetric encryption KMS key that receives the imported key
-     *       material. This must be the same KMS key specified in the <code>KeyID</code> parameter of the
-     *       corresponding <a>GetParametersForImport</a> request. The <code>Origin</code> of the
+     *       material. This must be the same KMS key specified in the <code>KeyID</code> parameter of the corresponding <a>GetParametersForImport</a> request. The <code>Origin</code> of the
      *       KMS key must be <code>EXTERNAL</code>. You cannot perform this operation on an asymmetric KMS
      *       key, an HMAC KMS key, a KMS key in a custom key store, or on a KMS key in a different
      *       Amazon Web Services account</p>
@@ -3297,8 +3311,23 @@ export interface PutKeyPolicyRequest {
      *             Identity and Access Management User Guide</i>.</p>
      *             </li>
      *          </ul>
-     *          <p>The key policy cannot exceed 32 kilobytes (32768 bytes). For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html">Resource Quotas</a> in the
-     *       <i>Key Management Service Developer Guide</i>.</p>
+     *
+     *          <p>A key policy document must conform to the following rules.</p>
+     *          <ul>
+     *             <li>
+     *                <p>Up to 32 kilobytes (32768 bytes)</p>
+     *             </li>
+     *             <li>
+     *                <p>Must be UTF-8 encoded</p>
+     *             </li>
+     *             <li>
+     *                <p>The only Unicode characters that are permitted in a key policy document are the horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.</p>
+     *             </li>
+     *             <li>
+     *                <p>The <code>Sid</code> element in a key policy statement can include spaces. (Spaces are
+     *             prohibited in the <code>Sid</code> element of an IAM policy document.)</p>
+     *             </li>
+     *          </ul>
      */
     Policy: string | undefined;
     /**
@@ -3342,9 +3371,9 @@ export interface ReEncryptRequest {
      *       re-encrypted.</p>
      *          <p>Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify a different KMS key, the <code>ReEncrypt</code> operation throws an <code>IncorrectKeyException</code>.</p>
      *          <p>This parameter is required only when the ciphertext was encrypted under an asymmetric KMS
-     *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that
-     *       it adds to the symmetric ciphertext blob. However, it is always recommended as a best
-     *       practice. This practice ensures that you use the KMS key that you intend.</p>
+     *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to
+     *       the symmetric ciphertext blob. However, it is always recommended as a best practice. This
+     *       practice ensures that you use the KMS key that you intend.</p>
      *
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
      *          <p>For example:</p>
@@ -3538,8 +3567,23 @@ export interface ReplicateKeyRequest {
      *                      <i>Identity and Access Management User Guide</i>
      *                   </i>.</p>
      *             </li>
+     *          </ul>
+     *
+     *
+     *          <p>A key policy document must conform to the following rules.</p>
+     *          <ul>
+     *             <li>
+     *                <p>Up to 32 kilobytes (32768 bytes)</p>
+     *             </li>
      *             <li>
-     *                <p>The key policy size quota is 32 kilobytes (32768 bytes).</p>
+     *                <p>Must be UTF-8 encoded</p>
+     *             </li>
+     *             <li>
+     *                <p>The only Unicode characters that are permitted in a key policy document are the horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.</p>
+     *             </li>
+     *             <li>
+     *                <p>The <code>Sid</code> element in a key policy statement can include spaces. (Spaces are
+     *             prohibited in the <code>Sid</code> element of an IAM policy document.)</p>
      *             </li>
      *          </ul>
      */
@@ -3702,7 +3746,7 @@ export interface ScheduleKeyDeletionRequest {
     /**
      * <p>The waiting period, specified in number of days. After the waiting period ends, KMS
      *       deletes the KMS key.</p>
-     *          <p>If the KMS key is a multi-Region primary key with replicas, the waiting period begins when
+     *          <p>If the KMS key is a multi-Region primary key with replica keys, the waiting period begins when
      *       the last of its replica keys is deleted. Otherwise, the waiting period begins
      *       immediately.</p>
      *          <p>This value is optional. If you include a value, it must be between 7 and 30, inclusive. If

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.85.0",
+  "version": "3.93.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "tsc -p tsconfig.cjs.json",
@@ -18,9 +18,9 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "2.0.0",
     "@aws-crypto/sha256-js": "2.0.0",
-    "@aws-sdk/client-sts": "3.85.0",
+    "@aws-sdk/client-sts": "3.92.0",
     "@aws-sdk/config-resolver": "3.80.0",
-    "@aws-sdk/credential-provider-node": "3.85.0",
+    "@aws-sdk/credential-provider-node": "3.87.0",
     "@aws-sdk/fetch-http-handler": "3.78.0",
     "@aws-sdk/hash-node": "3.78.0",
     "@aws-sdk/invalid-dependency": "3.78.0",