npm - @aws-sdk/client-kms - Versions diffs - 3.87.0 → 3.94.0 - Mend

@aws-sdk/client-kms 3.87.0 → 3.94.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -3,6 +3,30 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+# [3.94.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.93.0...v3.94.0) (2022-05-18)
+**Note:** Version bump only for package @aws-sdk/client-kms
+# [3.93.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.92.0...v3.93.0) (2022-05-17)
+**Note:** Version bump only for package @aws-sdk/client-kms
+# [3.92.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.91.0...v3.92.0) (2022-05-16)
+**Note:** Version bump only for package @aws-sdk/client-kms
 # [3.87.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.86.0...v3.87.0) (2022-05-09)
 **Note:** Version bump only for package @aws-sdk/client-kms

package/README.md CHANGED Viewed

@@ -30,7 +30,8 @@ Services</a>.</p>
 <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
 Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
 available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
-<p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
+<p>All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS).
+KMS recommends you always use the latest supported TLS version. Clients
 must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
 Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
 such as Java 7 and later support these modes.</p>

package/dist-types/KMS.d.ts CHANGED Viewed

@@ -71,7 +71,8 @@ import { KMSClient } from "./KMSClient";
  *          <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
  *       Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
  *       available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
- *          <p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
+ *          <p>All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS).
+ *       KMS recommends you always use the latest supported TLS version. Clients
  *       must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
  *       Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
  *       such as Java 7 and later support these modes.</p>
@@ -420,13 +421,12 @@ export declare class KMS extends KMSClient {
     createGrant(args: CreateGrantCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: CreateGrantCommandOutput) => void): void;
     /**
      * <p>Creates a unique customer managed <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon Web Services account and
-     *       Region. </p>
+     *       Region.</p>
      *          <p>In addition to the required parameters, you can use the optional parameters to specify a key policy, description, tags, and other useful elements for any key type.</p>
      *          <note>
      *             <p>KMS is replacing the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.</p>
      *          </note>
      *
-     *
      *          <p>To create different types of KMS keys, use the following guidance:</p>
      *
      *          <dl>
@@ -446,8 +446,8 @@ export declare class KMS extends KMSClient {
      *             to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
      *             You can't change these properties after the KMS key is created.</p>
      *                <p>Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric
-     *             KMS key never leaves AWS KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
-     *             so it can be used outside of AWS KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
+     *             KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
+     *             so it can be used outside of KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
      *             KMS keys with ECC key pairs can be used only to sign and verify messages.
      *             For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *                <p> </p>
@@ -586,7 +586,7 @@ export declare class KMS extends KMSClient {
      *       asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the
      *       encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the
-     *       public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by
+     *       public key in an KMS asymmetric KMS key. However, it cannot decrypt ciphertext produced by
      *       other libraries, such as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services
      *         Encryption SDK</a> or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side encryption</a>.
      *       These libraries return a ciphertext format that is incompatible with KMS.</p>
@@ -958,8 +958,18 @@ export declare class KMS extends KMSClient {
     disableKey(args: DisableKeyCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: DisableKeyCommandOutput) => void): void;
     /**
      * <p>Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic
-     *         rotation of the key material</a> for the specified symmetric encryption KMS key.</p>
-     *          <p> You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+     *         rotation of the key material</a> of the specified symmetric encryption KMS key.</p>
+     *          <p>Automatic key rotation is supported only on symmetric encryption KMS keys.
+     *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the
+     *       key material in <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>. Key material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+     *       configurable. KMS always rotates the key material for every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+     *         keys</a> varies.</p>
+     *          <note>
+     *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every
+     *         three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>
@@ -1065,8 +1075,26 @@ export declare class KMS extends KMSClient {
     enableKey(args: EnableKeyCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: EnableKeyCommandOutput) => void): void;
     /**
      * <p>Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation
-     *         of the key material</a> for the specified symmetric encryption KMS key.</p>
-     *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     *         of the key material</a> of the specified symmetric encryption KMS key. </p>
+     *          <p>When you enable automatic rotation of a<a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS key</a>, KMS
+     *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+     *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+     *       CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer
+     *       managed KMS key, use the <a>DisableKeyRotation</a> operation.</p>
+     *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+     *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+     *          <p>You cannot enable or disable automatic rotation <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a>. KMS
+     *       always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+     *         keys</a> varies.</p>
+     *          <note>
+     *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three
+     *         years (approximately 1,095 days) to every year (approximately 365 days).</p>
+     *             <p>New Amazon Web Services managed keys are automatically rotated one year after they
+     *         are created, and approximately every year thereafter. </p>
+     *             <p>Existing Amazon Web Services managed keys are automatically rotated one year after
+     *         their most recent rotation, and every year thereafter.</p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>
@@ -1210,15 +1238,14 @@ export declare class KMS extends KMSClient {
      * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
      *       plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
      *       key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS
-     *       key. You can use the plaintext key to encrypt your data outside of KMS and store the
-     *       encrypted data key with the encrypted data.</p>
+     *       key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
+     *       data key with the encrypted data.</p>
      *
      *          <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
      *       encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
-     *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify
-     *       the length of the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code>
-     *       parameters (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code>
-     *       parameter. </p>
+     *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
+     *       the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
+     *       (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
      *
      *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
      *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
@@ -1321,7 +1348,8 @@ export declare class KMS extends KMSClient {
      *
      *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
      *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
-     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+     *       operation. </p>
      *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
      *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
      *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
@@ -1401,7 +1429,8 @@ export declare class KMS extends KMSClient {
      *       with the data. When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
      *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
      *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
-     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+     *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+     *       operation. </p>
      *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
      *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
      *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
@@ -1470,19 +1499,21 @@ export declare class KMS extends KMSClient {
      *       data key. </p>
      *          <p>This operation is useful for systems that need to encrypt data at some point, but not
      *       immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
-     *       operation on the encrypted copy of the key. It's also useful in distributed systems with
-     *       different levels of trust. For example, you might store encrypted data in containers. One
-     *       component of your system creates new containers and stores an encrypted data key with each
-     *       container. Then, a different component puts the data into the containers. That component first
-     *       decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data
-     *       into the container, and then destroys the plaintext data key. In this system, the component
-     *       that creates the containers never sees the plaintext data key.</p>
+     *       operation on the encrypted copy of the key.</p>
+     *          <p>It's also useful in distributed systems with different levels of trust. For example, you
+     *       might store encrypted data in containers. One component of your system creates new containers
+     *       and stores an encrypted data key with each container. Then, a different component puts the
+     *       data into the containers. That component first decrypts the data key, uses the plaintext data
+     *       key to encrypt data, puts the encrypted data into the container, and then destroys the
+     *       plaintext data key. In this system, the component that creates the containers never sees the
+     *       plaintext data key.</p>
      *          <p>To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or
      *         <a>GenerateDataKeyPairWithoutPlaintext</a> operations.</p>
      *
      *          <p>To generate a data key, you must specify the symmetric encryption KMS key that is used to
      *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the
      *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
+     *
      *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
      *         <code>CiphertextBlob</code> field.</p>
      *
@@ -1546,6 +1577,13 @@ export declare class KMS extends KMSClient {
      *       For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>
      *                <i>Key Management Service Developer Guide</i>
      *             </i>.</p>
+     *          <note>
+     *             <p>Best practices recommend that you limit the time during which any signing mechanism,
+     *         including an HMAC, is effective. This deters an attack where the actor uses a signed
+     *         message to establish validity repeatedly or long after the message is superseded. HMAC
+     *         tags do not include a timestamp, but you can include a timestamp in the token or message
+     *         to help you detect when its time to refresh the HMAC. </p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>
@@ -1593,19 +1631,35 @@ export declare class KMS extends KMSClient {
     /**
      * <p>Gets a Boolean value that indicates whether <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key material</a> is
      *       enabled for the specified KMS key.</p>
-     *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. The key rotation status for these KMS keys is always
-     *       <code>false</code>.</p>
+     *          <p>When you enable automatic rotation for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>, KMS
+     *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+     *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+     *       CloudTrail and Amazon CloudWatch.</p>
+     *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+     *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key..</p>
+     *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key material in customer managed KMS keys. Key
+     *       material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+     *       configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The
+     *       key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>.</p>
+     *          <note>
+     *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+     *          </note>
      *          <p>The KMS key that you use for this operation must be in a compatible key state. For
      * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <ul>
      *             <li>
      *                <p>Disabled: The key rotation status does not change when you disable a KMS key. However,
-     *           while the KMS key is disabled, KMS does not rotate the key material.</p>
+     *           while the KMS key is disabled, KMS does not rotate the key material. When you re-enable
+     *           the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been
+     *           rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been
+     *           less than a year since the key material in the re-enabled KMS key was rotated, the KMS key
+     *           resumes its prior rotation schedule.</p>
      *             </li>
      *             <li>
      *                <p>Pending deletion: While a KMS key is pending deletion, its key rotation status is
      *             <code>false</code> and KMS does not rotate the key material. If you cancel the
-     *           deletion, the original key rotation status is restored.</p>
+     *           deletion, the original key rotation status returns to <code>true</code>.</p>
      *             </li>
      *          </ul>
      *          <p>
@@ -1635,8 +1689,8 @@ export declare class KMS extends KMSClient {
     getKeyRotationStatus(args: GetKeyRotationStatusCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetKeyRotationStatusCommandOutput) => void): void;
     /**
      * <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
-     *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
-     *       <i>Key Management Service Developer Guide</i>.</p>
+     *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>
+     *       in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>This operation returns a public key and an import token. Use the public key to encrypt the
      *       symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
      *          <p>You must specify the key ID of the symmetric encryption KMS key into which you will import
@@ -1728,11 +1782,12 @@ export declare class KMS extends KMSClient {
     /**
      * <p>Imports key material into an existing symmetric encryption KMS key that was created
      *       without key material. After you successfully import key material into a KMS key, you can
-     *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the same key material</a> into that KMS key, but you cannot import different
-     *       key material. </p>
-     *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about
-     *       creating KMS keys with no key material and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
-     *       in the <i>Key Management Service Developer Guide</i>.</p>
+     *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
+     *         the same key material</a> into that KMS key, but you cannot import different key
+     *       material. </p>
+     *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about creating KMS keys with no key material
+     *       and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
+     *       <i>Key Management Service Developer Guide</i>.</p>
      *          <p>Before using this operation, call <a>GetParametersForImport</a>. Its response
      *       includes a public key and an import token. Use the public key to encrypt the key material.
      *       Then, submit the import token from the same <code>GetParametersForImport</code>
@@ -2418,8 +2473,8 @@ export declare class KMS extends KMSClient {
     /**
      * <p>Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital
      *         signature</a> for a message or message digest by using the private key in an asymmetric
-     *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use
-     *       the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use the
+     *       public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>Digital signatures are generated and verified by using asymmetric key pair, such as an RSA
      *       or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized
      *       user) uses their private key to sign a message. Anyone with the public key can verify that the
@@ -2448,6 +2503,11 @@ export declare class KMS extends KMSClient {
      *             <p>When signing a message, be sure to record the KMS key and the signing algorithm. This
      *         information is required to verify the signature.</p>
      *          </important>
+     *          <note>
+     *             <p>Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed
+     *         message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message
+     *         to help you detect when its time to refresh the signature. </p>
+     *          </note>
      *          <p>To verify the signature that this operation generates, use the <a>Verify</a>
      *       operation. Or use the <a>GetPublicKey</a> operation to download the public key and
      *       then use the public key to verify the signature outside of KMS. </p>

package/dist-types/KMSClient.d.ts CHANGED Viewed

@@ -196,7 +196,8 @@ export interface KMSClientResolvedConfig extends KMSClientResolvedConfigType {
  *          <p>If you need to use FIPS 140-2 validated cryptographic modules when communicating with
  *       Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the
  *       available FIPS endpoints, see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key Management Service topic of the <i>Amazon Web Services General Reference</i>.</p>
- *          <p>Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients
+ *          <p>All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS).
+ *       KMS recommends you always use the latest supported TLS version. Clients
  *       must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral
  *       Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
  *       such as Java 7 and later support these modes.</p>

package/dist-types/commands/CreateKeyCommand.d.ts CHANGED Viewed

@@ -8,13 +8,12 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
 }
 /**
  * <p>Creates a unique customer managed <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon Web Services account and
- *       Region. </p>
+ *       Region.</p>
  *          <p>In addition to the required parameters, you can use the optional parameters to specify a key policy, description, tags, and other useful elements for any key type.</p>
  *          <note>
  *             <p>KMS is replacing the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.</p>
  *          </note>
  *
- *
  *          <p>To create different types of KMS keys, use the following guidance:</p>
  *
  *          <dl>
@@ -34,8 +33,8 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
  *             to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.
  *             You can't change these properties after the KMS key is created.</p>
  *                <p>Asymmetric KMS keys contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric
- *             KMS key never leaves AWS KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
- *             so it can be used outside of AWS KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
+ *             KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key
+ *             so it can be used outside of KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).
  *             KMS keys with ECC key pairs can be used only to sign and verify messages.
  *             For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>

package/dist-types/commands/DecryptCommand.d.ts CHANGED Viewed

@@ -40,7 +40,7 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
  *       asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the
  *       encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the
- *       public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by
+ *       public key in an KMS asymmetric KMS key. However, it cannot decrypt ciphertext produced by
  *       other libraries, such as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services
  *         Encryption SDK</a> or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side encryption</a>.
  *       These libraries return a ciphertext format that is incompatible with KMS.</p>

package/dist-types/commands/DisableKeyRotationCommand.d.ts CHANGED Viewed

@@ -8,8 +8,18 @@ export interface DisableKeyRotationCommandOutput extends __MetadataBearer {
 }
 /**
  * <p>Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic
- *         rotation of the key material</a> for the specified symmetric encryption KMS key.</p>
- *          <p> You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+ *         rotation of the key material</a> of the specified symmetric encryption KMS key.</p>
+ *          <p>Automatic key rotation is supported only on symmetric encryption KMS keys.
+ *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+ * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+ *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the
+ *       key material in <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>. Key material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+ *       configurable. KMS always rotates the key material for every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+ *         keys</a> varies.</p>
+ *          <note>
+ *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every
+ *         three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/EnableKeyRotationCommand.d.ts CHANGED Viewed

@@ -8,8 +8,26 @@ export interface EnableKeyRotationCommandOutput extends __MetadataBearer {
 }
 /**
  * <p>Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation
- *         of the key material</a> for the specified symmetric encryption KMS key.</p>
- *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+ *         of the key material</a> of the specified symmetric encryption KMS key. </p>
+ *          <p>When you enable automatic rotation of a<a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS key</a>, KMS
+ *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+ *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+ *       CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer
+ *       managed KMS key, use the <a>DisableKeyRotation</a> operation.</p>
+ *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+ *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+ * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. </p>
+ *          <p>You cannot enable or disable automatic rotation <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a>. KMS
+ *       always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services owned KMS
+ *         keys</a> varies.</p>
+ *          <note>
+ *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three
+ *         years (approximately 1,095 days) to every year (approximately 365 days).</p>
+ *             <p>New Amazon Web Services managed keys are automatically rotated one year after they
+ *         are created, and approximately every year thereafter. </p>
+ *             <p>Existing Amazon Web Services managed keys are automatically rotated one year after
+ *         their most recent rotation, and every year thereafter.</p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/GenerateDataKeyCommand.d.ts CHANGED Viewed

@@ -10,15 +10,14 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
  * <p>Returns a unique symmetric data key for use outside of KMS. This operation returns a
  *       plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS
  *       key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS
- *       key. You can use the plaintext key to encrypt your data outside of KMS and store the
- *       encrypted data key with the encrypted data.</p>
+ *       key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
+ *       data key with the encrypted data.</p>
  *
  *          <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
  *       encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
- *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify
- *       the length of the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code>
- *       parameters (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code>
- *       parameter. </p>
+ *       type of your KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
+ *       the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
+ *       (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
  *
  *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
  *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts CHANGED Viewed

@@ -20,7 +20,8 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
  *
  *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
  *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
- *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+ *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+ *       operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
  *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
  *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on

package/dist-types/commands/GenerateDataKeyPairWithoutPlaintextCommand.d.ts CHANGED Viewed

@@ -17,7 +17,8 @@ export interface GenerateDataKeyPairWithoutPlaintextCommandOutput extends Genera
  *       with the data. When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
  *          <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
  *       the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
- *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
+ *       custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
+ *       operation. </p>
  *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
  *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
  *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on

package/dist-types/commands/GenerateDataKeyWithoutPlaintextCommand.d.ts CHANGED Viewed

@@ -15,19 +15,21 @@ export interface GenerateDataKeyWithoutPlaintextCommandOutput extends GenerateDa
  *       data key. </p>
  *          <p>This operation is useful for systems that need to encrypt data at some point, but not
  *       immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
- *       operation on the encrypted copy of the key. It's also useful in distributed systems with
- *       different levels of trust. For example, you might store encrypted data in containers. One
- *       component of your system creates new containers and stores an encrypted data key with each
- *       container. Then, a different component puts the data into the containers. That component first
- *       decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data
- *       into the container, and then destroys the plaintext data key. In this system, the component
- *       that creates the containers never sees the plaintext data key.</p>
+ *       operation on the encrypted copy of the key.</p>
+ *          <p>It's also useful in distributed systems with different levels of trust. For example, you
+ *       might store encrypted data in containers. One component of your system creates new containers
+ *       and stores an encrypted data key with each container. Then, a different component puts the
+ *       data into the containers. That component first decrypts the data key, uses the plaintext data
+ *       key to encrypt data, puts the encrypted data into the container, and then destroys the
+ *       plaintext data key. In this system, the component that creates the containers never sees the
+ *       plaintext data key.</p>
  *          <p>To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or
  *         <a>GenerateDataKeyPairWithoutPlaintext</a> operations.</p>
  *
  *          <p>To generate a data key, you must specify the symmetric encryption KMS key that is used to
  *       encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the
  *       type of your KMS key, use the <a>DescribeKey</a> operation.</p>
+ *
  *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
  *         <code>CiphertextBlob</code> field.</p>
  *

package/dist-types/commands/GenerateMacCommand.d.ts CHANGED Viewed

@@ -17,6 +17,13 @@ export interface GenerateMacCommandOutput extends GenerateMacResponse, __Metadat
  *       For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>.</p>
+ *          <note>
+ *             <p>Best practices recommend that you limit the time during which any signing mechanism,
+ *         including an HMAC, is effective. This deters an attack where the actor uses a signed
+ *         message to establish validity repeatedly or long after the message is superseded. HMAC
+ *         tags do not include a timestamp, but you can include a timestamp in the token or message
+ *         to help you detect when its time to refresh the HMAC. </p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/GetKeyRotationStatusCommand.d.ts CHANGED Viewed

@@ -9,19 +9,35 @@ export interface GetKeyRotationStatusCommandOutput extends GetKeyRotationStatusR
 /**
  * <p>Gets a Boolean value that indicates whether <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key material</a> is
  *       enabled for the specified KMS key.</p>
- *          <p>You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key. The key rotation status for these KMS keys is always
- *       <code>false</code>.</p>
+ *          <p>When you enable automatic rotation for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS keys</a>, KMS
+ *       rotates the key material of the KMS key one year (approximately 365 days) from the enable date
+ *       and every year thereafter. You can monitor rotation of the key material for your KMS keys in
+ *       CloudTrail and Amazon CloudWatch.</p>
+ *          <p>Automatic key rotation is supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption KMS keys</a>.
+ *       You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+ * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key..</p>
+ *          <p>You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key material in customer managed KMS keys. Key
+ *       material rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services managed KMS keys</a> is not
+ *       configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The
+ *       key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>.</p>
+ *          <note>
+ *             <p>In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see <a>EnableKeyRotation</a>.</p>
+ *          </note>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <ul>
  *             <li>
  *                <p>Disabled: The key rotation status does not change when you disable a KMS key. However,
- *           while the KMS key is disabled, KMS does not rotate the key material.</p>
+ *           while the KMS key is disabled, KMS does not rotate the key material. When you re-enable
+ *           the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been
+ *           rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been
+ *           less than a year since the key material in the re-enabled KMS key was rotated, the KMS key
+ *           resumes its prior rotation schedule.</p>
  *             </li>
  *             <li>
  *                <p>Pending deletion: While a KMS key is pending deletion, its key rotation status is
  *             <code>false</code> and KMS does not rotate the key material. If you cancel the
- *           deletion, the original key rotation status is restored.</p>
+ *           deletion, the original key rotation status returns to <code>true</code>.</p>
  *             </li>
  *          </ul>
  *          <p>

package/dist-types/commands/GetParametersForImportCommand.d.ts CHANGED Viewed

@@ -8,8 +8,8 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
 }
 /**
  * <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
- *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
+ *       more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>
+ *       in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>This operation returns a public key and an import token. Use the public key to encrypt the
  *       symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
  *          <p>You must specify the key ID of the symmetric encryption KMS key into which you will import

package/dist-types/commands/ImportKeyMaterialCommand.d.ts CHANGED Viewed

@@ -9,11 +9,12 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
 /**
  * <p>Imports key material into an existing symmetric encryption KMS key that was created
  *       without key material. After you successfully import key material into a KMS key, you can
- *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the same key material</a> into that KMS key, but you cannot import different
- *       key material. </p>
- *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about
- *       creating KMS keys with no key material and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
- *       in the <i>Key Management Service Developer Guide</i>.</p>
+ *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
+ *         the same key material</a> into that KMS key, but you cannot import different key
+ *       material. </p>
+ *          <p>You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account. For more information about creating KMS keys with no key material
+ *       and then importing key material, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Before using this operation, call <a>GetParametersForImport</a>. Its response
  *       includes a public key and an import token. Use the public key to encrypt the key material.
  *       Then, submit the import token from the same <code>GetParametersForImport</code>

package/dist-types/commands/SignCommand.d.ts CHANGED Viewed

@@ -9,8 +9,8 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
 /**
  * <p>Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital
  *         signature</a> for a message or message digest by using the private key in an asymmetric
- *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use
- *       the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       signing KMS key. To verify the signature, use the <a>Verify</a> operation, or use the
+ *       public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>Digital signatures are generated and verified by using asymmetric key pair, such as an RSA
  *       or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized
  *       user) uses their private key to sign a message. Anyone with the public key can verify that the
@@ -39,6 +39,11 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
  *             <p>When signing a message, be sure to record the KMS key and the signing algorithm. This
  *         information is required to verify the signature.</p>
  *          </important>
+ *          <note>
+ *             <p>Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed
+ *         message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message
+ *         to help you detect when its time to refresh the signature. </p>
+ *          </note>
  *          <p>To verify the signature that this operation generates, use the <a>Verify</a>
  *       operation. Or use the <a>GetPublicKey</a> operation to download the public key and
  *       then use the public key to verify the signature outside of KMS. </p>

package/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -584,10 +584,10 @@ export interface CreateGrantRequest {
     /**
      * <p>A list of operations that the grant permits. </p>
      *          <p>This list must include only operations that are permitted in a grant. Also, the operation
-     *       must be supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the <a>Sign</a> operation, or a grant for an asymmetric KMS key
-     *       that allows the <a>GenerateDataKey</a> operation. If you try, KMS returns a
-     *         <code>ValidationError</code> exception. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">Grant operations</a> in the
-     *       <i>Key Management Service Developer Guide</i>.</p>
+     *       must be supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the <a>Sign</a> operation, or a grant for an
+     *       asymmetric KMS key that allows the <a>GenerateDataKey</a> operation. If you try,
+     *       KMS returns a <code>ValidationError</code> exception. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">Grant
+     *         operations</a> in the <i>Key Management Service Developer Guide</i>.</p>
      */
     Operations: (GrantOperation | string)[] | undefined;
     /**
@@ -745,11 +745,13 @@ export declare namespace Tag {
 }
 export interface CreateKeyRequest {
     /**
-     * <p>The key policy to attach to the KMS key.</p>
+     * <p>The key policy to attach to the KMS key. If you do not specify a key policy, KMS attaches a default key policy to the KMS key.
+     *       For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default">Default key policy</a> in the
+     *       <i>Key Management Service Developer Guide</i>.</p>
      *          <p>If you provide a key policy, it must meet the following criteria:</p>
      *          <ul>
      *             <li>
-     *                <p>If you don't set <code>BypassPolicyLockoutSafetyCheck</code> to true, the key policy
+     *                <p>If you don't set <code>BypassPolicyLockoutSafetyCheck</code> to <code>True</code>, the key policy
      *           must allow the principal that is making the <code>CreateKey</code> request to make a
      *           subsequent <a>PutKeyPolicy</a> request on the KMS key. This reduces the risk
      *           that the KMS key becomes unmanageable. For more information, refer to the scenario in the
@@ -766,10 +768,23 @@ export interface CreateKeyRequest {
      *             Identity and Access Management User Guide</i>.</p>
      *             </li>
      *          </ul>
-     *          <p>If you do not provide a key policy, KMS attaches a default key policy to the KMS key.
-     *       For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default">Default Key Policy</a> in the
-     *       <i>Key Management Service Developer Guide</i>. </p>
-     *          <p>The key policy size quota is 32 kilobytes (32768 bytes).</p>
+     *
+     *          <p>A key policy document must conform to the following rules.</p>
+     *          <ul>
+     *             <li>
+     *                <p>Up to 32 kilobytes (32768 bytes)</p>
+     *             </li>
+     *             <li>
+     *                <p>Must be UTF-8 encoded</p>
+     *             </li>
+     *             <li>
+     *                <p>The only Unicode characters that are permitted in a key policy document are the horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.</p>
+     *             </li>
+     *             <li>
+     *                <p>The <code>Sid</code> element in a key policy statement can include spaces. (Spaces are
+     *             prohibited in the <code>Sid</code> element of an IAM policy document.)</p>
+     *             </li>
+     *          </ul>
      *          <p>For help writing and formatting a JSON policy document, see the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON Policy Reference</a> in the <i>
      *                <i>Identity and Access Management User Guide</i>
      *             </i>.</p>
@@ -784,7 +799,7 @@ export interface CreateKeyRequest {
     Description?: string;
     /**
      * <p>Determines the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic operations</a> for which you can use the KMS key. The default value is
-     *       <code>ENCRYPT_DECRYPT</code>. This parameter is optional when you are creating a symmetric
+     *         <code>ENCRYPT_DECRYPT</code>. This parameter is optional when you are creating a symmetric
      *       encryption KMS key; otherwise, it is required. You
      *       can't change the <code>KeyUsage</code> value after the KMS key is created.</p>
      *          <p>Select only one valid value.</p>
@@ -819,15 +834,14 @@ export interface CreateKeyRequest {
     /**
      * <p>Specifies the type of KMS key to create. The default value,
      *       <code>SYMMETRIC_DEFAULT</code>, creates a KMS key with a 256-bit symmetric key for encryption
-     *       and decryption. For help choosing a key spec for your KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose">Choosing a KMS key type</a> in
-     *       the <i>
+     *       and decryption. For help choosing a key spec for your KMS key, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose">Choosing a KMS key type</a> in the <i>
      *                <i>Key Management Service Developer Guide</i>
      *             </i>.</p>
      *          <p>The <code>KeySpec</code> determines whether the KMS key contains a symmetric key or an
-     *       asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't
-     *       change the <code>KeySpec</code> after the KMS key is created. To further restrict the
-     *       algorithms that can be used with the KMS key, use a condition key in its key policy or IAM
-     *       policy. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm">kms:EncryptionAlgorithm</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm">kms:MacAlgorithm</a> or <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm">kms:Signing Algorithm</a> in the <i>
+     *       asymmetric key pair. It also determines the cryptographic algorithms that the KMS key supports. You can't
+     *       change the <code>KeySpec</code> after the KMS key is created.
+     *       To further restrict the algorithms that can be used with the KMS key, use a condition key in
+     *       its key policy or IAM policy. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm">kms:EncryptionAlgorithm</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm">kms:MacAlgorithm</a> or <a href="https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm">kms:Signing Algorithm</a> in the <i>
      *                <i>Key Management Service Developer Guide</i>
      *             </i>.</p>
      *          <important>
@@ -993,8 +1007,8 @@ export interface CreateKeyRequest {
      *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      *          <p>This value creates a <i>primary key</i>, not a replica. To create a
      *         <i>replica key</i>, use the <a>ReplicateKey</a> operation. </p>
-     *          <p>You can create a symmetric or asymmetric multi-Region key, and you can create a
-     *       multi-Region key with imported key material. However, you cannot create a multi-Region key in
+     *          <p>You can create a multi-Region version of a symmetric encryption KMS key, an HMAC KMS key, an asymmetric KMS key, or a
+     *       KMS key with imported key material. However, you cannot create a multi-Region key in
      *       a custom key store.</p>
      */
     MultiRegion?: boolean;
@@ -1490,10 +1504,8 @@ export interface DecryptRequest {
     GrantTokens?: string[];
     /**
      * <p>Specifies the KMS key that KMS uses to decrypt the ciphertext.</p>
-     *
      *          <p>Enter a key ID of the KMS
      *       key that was used to encrypt the ciphertext. If you identify a different KMS key, the <code>Decrypt</code> operation throws an <code>IncorrectKeyException</code>.</p>
-     *
      *          <p>This parameter is required only when the ciphertext was encrypted under an asymmetric KMS
      *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to
      *       the symmetric ciphertext blob. However, it is always recommended as a best practice. This
@@ -1560,8 +1572,8 @@ export declare namespace DecryptResponse {
 }
 /**
  * <p>The request was rejected because the specified KMS key cannot decrypt the data. The
- *       <code>KeyId</code> in a <code>Decrypt</code> request and the <code>SourceKeyId</code>
- *       in a <code>ReEncrypt</code> request must identify the same KMS key that was used to
+ *       <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code>
+ *       in a <a>ReEncrypt</a> request must identify the same KMS key that was used to
  *       encrypt the ciphertext.</p>
  */
 export declare class IncorrectKeyException extends __BaseException {
@@ -1604,8 +1616,8 @@ export declare class InvalidCiphertextException extends __BaseException {
  *         <code>KeyUsage</code> must be <code>ENCRYPT_DECRYPT</code>. For signing and verifying
  *       messages, the <code>KeyUsage</code> must be <code>SIGN_VERIFY</code>. For generating and
  *       verifying message authentication codes (MACs), the <code>KeyUsage</code> must be
- *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a KMS key, use the
- *         <a>DescribeKey</a> operation.</p>
+ *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of
+ *       a KMS key, use the <a>DescribeKey</a> operation.</p>
  *          <p>To find the encryption or signing algorithms supported for a particular KMS key, use the
  *         <a>DescribeKey</a> operation.</p>
  */
@@ -1916,7 +1928,9 @@ export declare namespace EnableKeyRequest {
 }
 export interface EnableKeyRotationRequest {
     /**
-     * <p>Identifies a symmetric encryption KMS key. You cannot enable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     * <p>Identifies a symmetric encryption KMS key. You cannot enable or disable automatic rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. The key rotation status of these KMS keys is always <code>false</code>.
+     * To enable or disable automatic rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate">multi-Region keys</a>, set the property on the primary key.</p>
+     *
      *          <p>Specify the key ID or key ARN of the KMS key.</p>
      *          <p>For example:</p>
      *          <ul>
@@ -2229,7 +2243,8 @@ export interface GenerateDataKeyPairWithoutPlaintextRequest {
     /**
      * <p>Specifies the symmetric encryption KMS key that encrypts the private key in the data key
      *       pair. You cannot specify an asymmetric KMS key or a KMS key in a custom key store. To get the
-     *       type and origin of your KMS key, use the <a>DescribeKey</a> operation.</p>
+     *       type and origin of your KMS key, use the <a>DescribeKey</a> operation.
+     *     </p>
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
      *          <p>For example:</p>
      *          <ul>
@@ -2760,8 +2775,7 @@ export declare namespace GrantListEntry {
 export interface ImportKeyMaterialRequest {
     /**
      * <p>The identifier of the symmetric encryption KMS key that receives the imported key
-     *       material. This must be the same KMS key specified in the <code>KeyID</code> parameter of the
-     *       corresponding <a>GetParametersForImport</a> request. The <code>Origin</code> of the
+     *       material. This must be the same KMS key specified in the <code>KeyID</code> parameter of the corresponding <a>GetParametersForImport</a> request. The <code>Origin</code> of the
      *       KMS key must be <code>EXTERNAL</code>. You cannot perform this operation on an asymmetric KMS
      *       key, an HMAC KMS key, a KMS key in a custom key store, or on a KMS key in a different
      *       Amazon Web Services account</p>
@@ -3297,8 +3311,23 @@ export interface PutKeyPolicyRequest {
      *             Identity and Access Management User Guide</i>.</p>
      *             </li>
      *          </ul>
-     *          <p>The key policy cannot exceed 32 kilobytes (32768 bytes). For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html">Resource Quotas</a> in the
-     *       <i>Key Management Service Developer Guide</i>.</p>
+     *
+     *          <p>A key policy document must conform to the following rules.</p>
+     *          <ul>
+     *             <li>
+     *                <p>Up to 32 kilobytes (32768 bytes)</p>
+     *             </li>
+     *             <li>
+     *                <p>Must be UTF-8 encoded</p>
+     *             </li>
+     *             <li>
+     *                <p>The only Unicode characters that are permitted in a key policy document are the horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.</p>
+     *             </li>
+     *             <li>
+     *                <p>The <code>Sid</code> element in a key policy statement can include spaces. (Spaces are
+     *             prohibited in the <code>Sid</code> element of an IAM policy document.)</p>
+     *             </li>
+     *          </ul>
      */
     Policy: string | undefined;
     /**
@@ -3342,9 +3371,9 @@ export interface ReEncryptRequest {
      *       re-encrypted.</p>
      *          <p>Enter a key ID of the KMS key that was used to encrypt the ciphertext. If you identify a different KMS key, the <code>ReEncrypt</code> operation throws an <code>IncorrectKeyException</code>.</p>
      *          <p>This parameter is required only when the ciphertext was encrypted under an asymmetric KMS
-     *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that
-     *       it adds to the symmetric ciphertext blob. However, it is always recommended as a best
-     *       practice. This practice ensures that you use the KMS key that you intend.</p>
+     *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that it adds to
+     *       the symmetric ciphertext blob. However, it is always recommended as a best practice. This
+     *       practice ensures that you use the KMS key that you intend.</p>
      *
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
      *          <p>For example:</p>
@@ -3538,8 +3567,23 @@ export interface ReplicateKeyRequest {
      *                      <i>Identity and Access Management User Guide</i>
      *                   </i>.</p>
      *             </li>
+     *          </ul>
+     *
+     *
+     *          <p>A key policy document must conform to the following rules.</p>
+     *          <ul>
+     *             <li>
+     *                <p>Up to 32 kilobytes (32768 bytes)</p>
+     *             </li>
      *             <li>
-     *                <p>The key policy size quota is 32 kilobytes (32768 bytes).</p>
+     *                <p>Must be UTF-8 encoded</p>
+     *             </li>
+     *             <li>
+     *                <p>The only Unicode characters that are permitted in a key policy document are the horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.</p>
+     *             </li>
+     *             <li>
+     *                <p>The <code>Sid</code> element in a key policy statement can include spaces. (Spaces are
+     *             prohibited in the <code>Sid</code> element of an IAM policy document.)</p>
      *             </li>
      *          </ul>
      */
@@ -3702,7 +3746,7 @@ export interface ScheduleKeyDeletionRequest {
     /**
      * <p>The waiting period, specified in number of days. After the waiting period ends, KMS
      *       deletes the KMS key.</p>
-     *          <p>If the KMS key is a multi-Region primary key with replicas, the waiting period begins when
+     *          <p>If the KMS key is a multi-Region primary key with replica keys, the waiting period begins when
      *       the last of its replica keys is deleted. Otherwise, the waiting period begins
      *       immediately.</p>
      *          <p>This value is optional. If you include a value, it must be between 7 and 30, inclusive. If

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.87.0",
+  "version": "3.94.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "tsc -p tsconfig.cjs.json",
@@ -18,9 +18,9 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "2.0.0",
     "@aws-crypto/sha256-js": "2.0.0",
-    "@aws-sdk/client-sts": "3.87.0",
+    "@aws-sdk/client-sts": "3.94.0",
     "@aws-sdk/config-resolver": "3.80.0",
-    "@aws-sdk/credential-provider-node": "3.87.0",
+    "@aws-sdk/credential-provider-node": "3.94.0",
     "@aws-sdk/fetch-http-handler": "3.78.0",
     "@aws-sdk/hash-node": "3.78.0",
     "@aws-sdk/invalid-dependency": "3.78.0",
@@ -33,7 +33,7 @@
     "@aws-sdk/middleware-stack": "3.78.0",
     "@aws-sdk/middleware-user-agent": "3.78.0",
     "@aws-sdk/node-config-provider": "3.80.0",
-    "@aws-sdk/node-http-handler": "3.82.0",
+    "@aws-sdk/node-http-handler": "3.94.0",
     "@aws-sdk/protocol-http": "3.78.0",
     "@aws-sdk/smithy-client": "3.85.0",
     "@aws-sdk/types": "3.78.0",