npm - @aws-sdk/client-kms - Versions diffs - 3.894.0 → 3.896.0 - Mend

@aws-sdk/client-kms 3.894.0 → 3.896.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist-types/commands/DecryptCommand.d.ts CHANGED Viewed

@@ -82,12 +82,12 @@ declare const DecryptCommand_base: {
  *       particular trusted accounts. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best practices for IAM
  *         policies</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
- *             <code>Decrypt</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
- *       isolated compute environment in Amazon EC2. To call <code>Decrypt</code> for a Nitro enclave, use
+ *             <code>Decrypt</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a> and NitroTPM, which provide
+ *       attested environments in Amazon EC2. To call <code>Decrypt</code> for a Nitro enclave or NitroTPM, use
  *       the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
- *       attestation document for the enclave. Instead of the plaintext data, the response includes the
- *       plaintext data encrypted with the public key from the attestation document
- *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *       attestation document for the attested environment. Instead of the plaintext data, the response
+ *       includes the plaintext data encrypted with the public key from the attestation document
+ *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/DeriveSharedSecretCommand.d.ts CHANGED Viewed

@@ -30,8 +30,8 @@ declare const DeriveSharedSecretCommand_base: {
  * <p>Derives a shared secret using a key agreement algorithm.</p>
  *          <note>
  *             <p>You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China Regions
- *         only) KMS key pair with a <code>KeyUsage</code> value of <code>KEY_AGREEMENT</code> to call
- *         DeriveSharedSecret.</p>
+ *         only) KMS key pair with a <code>KeyUsage</code>
+ *         value of <code>KEY_AGREEMENT</code> to call DeriveSharedSecret.</p>
  *          </note>
  *          <p>DeriveSharedSecret uses the <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60">Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive</a> (ECDH) to establish a
  *       key agreement between two peers by deriving a shared secret from their elliptic curve

package/dist-types/commands/DescribeKeyCommand.d.ts CHANGED Viewed

@@ -28,8 +28,8 @@ declare const DescribeKeyCommand_base: {
 };
 /**
  * <p>Provides detailed information about a KMS key. You can run <code>DescribeKey</code> on a
- *       <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed
- *         key</a> or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed key</a>.</p>
+ *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer
+ *         managed key</a> or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed key</a>.</p>
  *          <p>This detailed information includes the key ARN, creation date (and deletion date, if
  *       applicable), the key state, and the origin and expiration date (if any) of the key material.
  *       It includes fields, like <code>KeySpec</code>, that help you distinguish different types of

package/dist-types/commands/GenerateDataKeyCommand.d.ts CHANGED Viewed

@@ -53,12 +53,12 @@ declare const GenerateDataKeyCommand_base: {
  *          <p>
  *             <code>GenerateDataKey</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
  *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> for an Amazon Web Services Nitro
- *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
- *       to provide the attestation document for the enclave. <code>GenerateDataKey</code> returns a
+ *       enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
+ *       to provide the attestation document for the attested environment. <code>GenerateDataKey</code> returns a
  *       copy of the data key encrypted under the specified KMS key, as usual. But instead of a
  *       plaintext copy of the data key, the response includes a copy of the data key encrypted under
  *       the public key from the attestation document (<code>CiphertextForRecipient</code>).
- *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
+ *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/GenerateDataKeyPairCommand.d.ts CHANGED Viewed

@@ -60,13 +60,13 @@ declare const GenerateDataKeyPairCommand_base: {
  *          <p>
  *             <code>GenerateDataKeyPair</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
  *       isolated compute environment in Amazon EC2. To call <code>GenerateDataKeyPair</code> for an Amazon Web Services
- *       Nitro enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code>
- *       parameter to provide the attestation document for the enclave.
+ *       Nitro enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code>
+ *       parameter to provide the attestation document for the attested environment.
  *         <code>GenerateDataKeyPair</code> returns the public data key and a copy of the private data
  *       key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the
  *       private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the
  *       private data key encrypted under the public key from the attestation document
- *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>..</p>
+ *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>You can use an optional encryption context to add additional security to the encryption
  *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
  *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.

package/dist-types/commands/GenerateRandomCommand.d.ts CHANGED Viewed

@@ -36,10 +36,10 @@ declare const GenerateRandomCommand_base: {
  *          <p>
  *             <code>GenerateRandom</code> also supports <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro Enclaves</a>, which provide an
  *       isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code> for a Nitro
- *       enclave, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
- *       to provide the attestation document for the enclave. Instead of plaintext bytes, the response
+ *       enclave or NitroTPM, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter
+ *       to provide the attestation document for the attested environment. Instead of plaintext bytes, the response
  *       includes the plaintext bytes encrypted under the public key from the attestation document
- *         (<code>CiphertextForRecipient</code>).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *         (<code>CiphertextForRecipient</code>). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>For more information about entropy and random number generation, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#entropy-and-random-numbers">Entropy and random number generation</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>
  *             <b>Cross-account use</b>: Not applicable.

package/dist-types/commands/TagResourceCommand.d.ts CHANGED Viewed

@@ -34,9 +34,8 @@ declare const TagResourceCommand_base: {
  *          <p>Each tag consists of a tag key and a tag value, both of which are case-sensitive strings.
  *       The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag
  *       value. To edit a tag, specify an existing tag key and a new tag value.</p>
- *          <p>You can use this operation to tag a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a>, but you cannot
- *       tag an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services
- *         managed key</a>, an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key">Amazon Web Services owned key</a>, a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>,
+ *          <p>You can use this operation to tag a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a>, but you
+ *       cannot tag an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed key</a>, an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key">Amazon Web Services owned key</a>, a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>,
  *       or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">alias</a>.</p>
  *          <p>You can also add tags to a KMS key while creating it (<a>CreateKey</a>) or
  *       replicating it (<a>ReplicateKey</a>).</p>

package/dist-types/commands/UntagResourceCommand.d.ts CHANGED Viewed

@@ -27,8 +27,8 @@ declare const UntagResourceCommand_base: {
     getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
 };
 /**
- * <p>Deletes tags from a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a>. To delete a tag,
- *       specify the tag key and the KMS key.</p>
+ * <p>Deletes tags from a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a>. To delete a
+ *       tag, specify the tag key and the KMS key.</p>
  *          <note>
  *             <p>Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          </note>

package/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -432,8 +432,8 @@ export interface CreateAliasRequest {
      */
     AliasName: string | undefined;
     /**
-     * <p>Associates the alias with the specified <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a>. The KMS key must
-     *       be in the same Amazon Web Services Region. </p>
+     * <p>Associates the alias with the specified <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a>. The KMS key
+     *       must be in the same Amazon Web Services Region. </p>
      *          <p>A valid key ID is required. If you supply a null or empty string value, this operation
      *       returns an error.</p>
      *          <p>For help finding the key ID and ARN, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html">Find the key ID and key ARN</a> in
@@ -1273,8 +1273,11 @@ export interface CreateKeyRequest {
     /**
      * <p>Determines the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations">cryptographic operations</a> for which you can use the KMS key. The default value is
      *         <code>ENCRYPT_DECRYPT</code>. This parameter is optional when you are creating a symmetric
-     *       encryption KMS key; otherwise, it is required. You can't change the <code>KeyUsage</code>
-     *       value after the KMS key is created.</p>
+     *       encryption KMS key; otherwise, it is required. You can't change the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage">
+     *                <code>KeyUsage</code>
+     *             </a> value after the KMS key is created. Each KMS key can have
+     *       only one key usage. This follows key usage best practices according to <a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57 Recommendations for
+     *         Key Management</a>, section 5.2, Key usage.</p>
      *          <p>Select only one valid value.</p>
      *          <ul>
      *             <li>
@@ -2423,20 +2426,20 @@ export type KeyEncryptionMechanism = (typeof KeyEncryptionMechanism)[keyof typeo
 /**
  * <p>Contains information about the party that receives the response from the API
  *       operation.</p>
- *          <p>This data type is designed to support Amazon Web Services Nitro Enclaves, which lets you create an isolated
- *       compute environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <p>This data type is designed to support Amazon Web Services Nitro Enclaves and Amazon Web Services NitroTPM, which lets you create an attested
+ *       environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  * @public
  */
 export interface RecipientInfo {
     /**
      * <p>The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro
-     *       Enclave to encrypt plaintext values for the response. The only valid value is
+     *       Enclave or NitroTPM to encrypt plaintext values for the response. The only valid value is
      *         <code>RSAES_OAEP_SHA_256</code>.</p>
      * @public
      */
     KeyEncryptionAlgorithm?: KeyEncryptionMechanism | undefined;
     /**
-     * <p>The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's
+     * <p>The attestation document for an Amazon Web Services Nitro Enclave or a NitroTPM. This document includes the enclave's
      *       public key.</p>
      * @public
      */
@@ -2514,16 +2517,17 @@ export interface DecryptRequest {
     EncryptionAlgorithm?: EncryptionAlgorithmSpec | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc">attestation
-     *         document</a> from an Amazon Web Services Nitro enclave and the encryption algorithm to use with the
-     *       enclave's public key. The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
-     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *         document</a> from an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the
+     *       public key in the attestation document. The only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
+     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for Amazon Web Services Nitro Enclaves. It supports
+     *       any Amazon Web Services SDK for Amazon Web Services NitroTPM.
+     *     </p>
      *          <p>When you use this parameter, instead of returning the plaintext data, KMS encrypts the
      *       plaintext data with the public key in the attestation document, and returns the resulting
      *       ciphertext in the <code>CiphertextForRecipient</code> field in the response. This ciphertext
-     *       can be decrypted only with the private key in the enclave. The <code>Plaintext</code> field in
+     *       can be decrypted only with the private key in the attested environment. The <code>Plaintext</code> field in
      *       the response is null or empty.</p>
-     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     Recipient?: RecipientInfo | undefined;
@@ -2556,10 +2560,11 @@ export interface DecryptResponse {
      */
     EncryptionAlgorithm?: EncryptionAlgorithmSpec | undefined;
     /**
-     * <p>The plaintext data encrypted with the public key in the attestation document. </p>
+     * <p>The plaintext data encrypted with the public key from the attestation document. This
+     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
-     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
-     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     CiphertextForRecipient?: Uint8Array | undefined;
@@ -2793,21 +2798,21 @@ export interface DeriveSharedSecretRequest {
     DryRun?: boolean | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
      *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To call
-     *       DeriveSharedSecret for an Amazon Web Services Nitro Enclaves, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> to generate the
-     *       attestation document and then use the Recipient parameter from any Amazon Web Services SDK to provide the
-     *       attestation document for the enclave.</p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+     *       DeriveSharedSecret generate an attestation document use either <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> for an Amazon Web Services Nitro Enclaves or
+     *       <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html">Amazon Web Services NitroTPM tools</a> for Amazon Web Services NitroTPM. Then use the Recipient parameter from any Amazon Web Services SDK to provide the
+     *       attestation document for the attested environment.</p>
      *          <p>When you use this parameter, instead of returning a plaintext copy of the shared secret,
      *       KMS encrypts the plaintext shared secret under the public key in the attestation document,
      *       and returns the resulting ciphertext in the <code>CiphertextForRecipient</code> field in the
-     *       response. This ciphertext can be decrypted only with the private key in the enclave. The
+     *       response. This ciphertext can be decrypted only with the private key in the attested environment. The
      *         <code>CiphertextBlob</code> field in the response contains the encrypted shared secret
      *       derived from the KMS key specified by the <code>KeyId</code> parameter and public key
      *       specified by the <code>PublicKey</code> parameter. The <code>SharedSecret</code> field in the
      *       response is null or empty.</p>
-     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     Recipient?: RecipientInfo | undefined;
@@ -2830,11 +2835,11 @@ export interface DeriveSharedSecretResponse {
      */
     SharedSecret?: Uint8Array | undefined;
     /**
-     * <p>The plaintext shared secret encrypted with the public key in the attestation
-     *       document.</p>
+     * <p>The plaintext shared secret encrypted with the public key from the attestation document. This
+     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
-     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
-     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     CiphertextForRecipient?: Uint8Array | undefined;
@@ -2938,8 +2943,8 @@ export interface DescribeKeyRequest {
     /**
      * <p>Describes the specified KMS key. </p>
      *          <p>If you specify a predefined Amazon Web Services alias (an Amazon Web Services alias with no key ID), KMS associates
-     *       the alias with an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed key</a> and returns its
-     *         <code>KeyId</code> and <code>Arn</code> in the response.</p>
+     *       the alias with an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed key</a> and returns its <code>KeyId</code> and <code>Arn</code> in the
+     *       response.</p>
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
      *          <p>For example:</p>
      *          <ul>
@@ -3285,10 +3290,11 @@ export interface GenerateDataKeyRequest {
     GrantTokens?: string[] | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
      *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
-     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for Amazon Web Services Nitro Enclaves. It supports
+     *       any Amazon Web Services SDK for Amazon Web Services NitroTPM.
+     *     </p>
      *          <p>When you use this parameter, instead of returning the plaintext data key, KMS encrypts
      *       the plaintext data key under the public key in the attestation document, and returns the
      *       resulting ciphertext in the <code>CiphertextForRecipient</code> field in the response. This
@@ -3296,7 +3302,7 @@ export interface GenerateDataKeyRequest {
      *         <code>CiphertextBlob</code> field in the response contains a copy of the data key encrypted
      *       under the KMS key specified by the <code>KeyId</code> parameter. The <code>Plaintext</code>
      *       field in the response is null or empty.</p>
-     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     Recipient?: RecipientInfo | undefined;
@@ -3330,11 +3336,11 @@ export interface GenerateDataKeyResponse {
      */
     KeyId?: string | undefined;
     /**
-     * <p>The plaintext data key encrypted with the public key from the Nitro enclave. This
-     *       ciphertext can be decrypted only by using a private key in the Nitro enclave. </p>
+     * <p>The plaintext data key encrypted with the public key from the attestation document. This
+     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
-     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
-     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     CiphertextForRecipient?: Uint8Array | undefined;
@@ -3406,20 +3412,20 @@ export interface GenerateDataKeyPairRequest {
     GrantTokens?: string[] | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
      *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To call
-     *       DeriveSharedSecret for an Amazon Web Services Nitro Enclaves, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> to generate the
-     *       attestation document and then use the Recipient parameter from any Amazon Web Services SDK to provide the
-     *       attestation document for the enclave.</p>
+     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM. To call
+     *       GenerateDataKeyPair generate an attestation document use either <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> for an Amazon Web Services Nitro Enclaves or
+     *       <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestation-get-doc.html">Amazon Web Services NitroTPM tools</a> for Amazon Web Services NitroTPM. Then use the Recipient parameter from any Amazon Web Services SDK to provide the
+     *       attestation document for the attested environment.</p>
      *          <p>When you use this parameter, instead of returning a plaintext copy of the private data
      *       key, KMS encrypts the plaintext private data key under the public key in the attestation
      *       document, and returns the resulting ciphertext in the <code>CiphertextForRecipient</code>
      *       field in the response. This ciphertext can be decrypted only with the private key in the
-     *       enclave. The <code>CiphertextBlob</code> field in the response contains a copy of the private
+     *       attested environment. The <code>CiphertextBlob</code> field in the response contains a copy of the private
      *       data key encrypted under the KMS key specified by the <code>KeyId</code> parameter. The
      *         <code>PrivateKeyPlaintext</code> field in the response is null or empty.</p>
-     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     Recipient?: RecipientInfo | undefined;
@@ -3462,11 +3468,11 @@ export interface GenerateDataKeyPairResponse {
      */
     KeyPairSpec?: DataKeyPairSpec | undefined;
     /**
-     * <p>The plaintext private data key encrypted with the public key from the Nitro enclave. This
-     *       ciphertext can be decrypted only by using a private key in the Nitro enclave. </p>
+     * <p>The plaintext private data key encrypted with the public key from the attestation document. This
+     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
-     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
-     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     CiphertextForRecipient?: Uint8Array | undefined;
@@ -3749,16 +3755,17 @@ export interface GenerateRandomRequest {
     CustomKeyStoreId?: string | undefined;
     /**
      * <p>A signed <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc">attestation document</a> from
-     *       an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The
+     *       an Amazon Web Services Nitro enclave or NitroTPM, and the encryption algorithm to use with the public key in the attestation document. The
      *       only valid encryption algorithm is <code>RSAES_OAEP_SHA_256</code>. </p>
-     *          <p>This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this
-     *       parameter, use the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK.</p>
+     *          <p>This parameter supports the <a href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services Nitro Enclaves SDK</a> or any Amazon Web Services SDK for Amazon Web Services Nitro Enclaves. It supports
+     *       any Amazon Web Services SDK for Amazon Web Services NitroTPM.
+     *     </p>
      *          <p>When you use this parameter, instead of returning plaintext bytes, KMS encrypts the
      *       plaintext bytes under the public key in the attestation document, and returns the resulting
      *       ciphertext in the <code>CiphertextForRecipient</code> field in the response. This ciphertext
-     *       can be decrypted only with the private key in the enclave. The <code>Plaintext</code> field in
+     *       can be decrypted only with the private key in the attested environment. The <code>Plaintext</code> field in
      *       the response is null or empty.</p>
-     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *          <p>For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     Recipient?: RecipientInfo | undefined;
@@ -3775,11 +3782,11 @@ export interface GenerateRandomResponse {
      */
     Plaintext?: Uint8Array | undefined;
     /**
-     * <p>The plaintext random bytes encrypted with the public key from the Nitro enclave. This
-     *       ciphertext can be decrypted only by using a private key in the Nitro enclave. </p>
+     * <p>The plaintext random bytes encrypted with the public key from the attestation document. This
+     *       ciphertext can be decrypted only by using a private key from the attested environment. </p>
      *          <p>This field is included in the response only when the <code>Recipient</code> parameter in
-     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave.
-     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     *       the request includes a valid attestation document from an Amazon Web Services Nitro enclave or NitroTPM.
+     *       For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html">Cryptographic attestation support in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
      * @public
      */
     CiphertextForRecipient?: Uint8Array | undefined;
@@ -5787,8 +5794,9 @@ export interface UpdateAliasRequest {
      */
     AliasName: string | undefined;
     /**
-     * <p>Identifies the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a> to associate with the alias. You don't have permission to
-     *       associate an alias with an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed key</a>.</p>
+     * <p>Identifies the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key">customer managed key</a> to associate
+     *       with the alias. You don't have permission to associate an alias with an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed
+     *         key</a>.</p>
      *          <p>The KMS key must be in the same Amazon Web Services account and Region as the alias. Also, the new
      *       target KMS key must be the same type as the current target KMS key (both symmetric or both
      *       asymmetric or both HMAC) and they must have the same key usage. </p>

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.894.0",
+  "version": "3.896.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline client-kms",
@@ -20,38 +20,38 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "5.2.0",
     "@aws-crypto/sha256-js": "5.2.0",
-    "@aws-sdk/core": "3.894.0",
-    "@aws-sdk/credential-provider-node": "3.894.0",
+    "@aws-sdk/core": "3.896.0",
+    "@aws-sdk/credential-provider-node": "3.896.0",
     "@aws-sdk/middleware-host-header": "3.893.0",
     "@aws-sdk/middleware-logger": "3.893.0",
     "@aws-sdk/middleware-recursion-detection": "3.893.0",
-    "@aws-sdk/middleware-user-agent": "3.894.0",
+    "@aws-sdk/middleware-user-agent": "3.896.0",
     "@aws-sdk/region-config-resolver": "3.893.0",
     "@aws-sdk/types": "3.893.0",
-    "@aws-sdk/util-endpoints": "3.893.0",
+    "@aws-sdk/util-endpoints": "3.895.0",
     "@aws-sdk/util-user-agent-browser": "3.893.0",
-    "@aws-sdk/util-user-agent-node": "3.894.0",
+    "@aws-sdk/util-user-agent-node": "3.896.0",
     "@smithy/config-resolver": "^4.2.2",
-    "@smithy/core": "^3.11.1",
+    "@smithy/core": "^3.12.0",
     "@smithy/fetch-http-handler": "^5.2.1",
     "@smithy/hash-node": "^4.1.1",
     "@smithy/invalid-dependency": "^4.1.1",
     "@smithy/middleware-content-length": "^4.1.1",
-    "@smithy/middleware-endpoint": "^4.2.3",
-    "@smithy/middleware-retry": "^4.2.4",
+    "@smithy/middleware-endpoint": "^4.2.4",
+    "@smithy/middleware-retry": "^4.3.0",
     "@smithy/middleware-serde": "^4.1.1",
     "@smithy/middleware-stack": "^4.1.1",
     "@smithy/node-config-provider": "^4.2.2",
     "@smithy/node-http-handler": "^4.2.1",
     "@smithy/protocol-http": "^5.2.1",
-    "@smithy/smithy-client": "^4.6.3",
+    "@smithy/smithy-client": "^4.6.4",
     "@smithy/types": "^4.5.0",
     "@smithy/url-parser": "^4.1.1",
     "@smithy/util-base64": "^4.1.0",
     "@smithy/util-body-length-browser": "^4.1.0",
     "@smithy/util-body-length-node": "^4.1.0",
-    "@smithy/util-defaults-mode-browser": "^4.1.3",
-    "@smithy/util-defaults-mode-node": "^4.1.3",
+    "@smithy/util-defaults-mode-browser": "^4.1.4",
+    "@smithy/util-defaults-mode-node": "^4.1.4",
     "@smithy/util-endpoints": "^3.1.2",
     "@smithy/util-middleware": "^4.1.1",
     "@smithy/util-retry": "^4.1.2",