@aws-sdk/client-kms 3.936.0 → 3.938.0

package/dist-cjs/index.js

@@ -3321,6 +3321,7 @@ const IncludeKeyMaterial = {
 const KeyMaterialState = {
     CURRENT: "CURRENT",
     NON_CURRENT: "NON_CURRENT",
+    PENDING_MULTI_REGION_IMPORT_AND_ROTATION: "PENDING_MULTI_REGION_IMPORT_AND_ROTATION",
     PENDING_ROTATION: "PENDING_ROTATION",
 };
 const RotationType = {

package/dist-es/models/enums.js

@@ -197,6 +197,7 @@ export const IncludeKeyMaterial = {
 export const KeyMaterialState = {
     CURRENT: "CURRENT",
     NON_CURRENT: "NON_CURRENT",
+    PENDING_MULTI_REGION_IMPORT_AND_ROTATION: "PENDING_MULTI_REGION_IMPORT_AND_ROTATION",
     PENDING_ROTATION: "PENDING_ROTATION",
 };
 export const RotationType = {

package/dist-types/commands/DeleteImportedKeyMaterialCommand.d.ts

@@ -34,6 +34,20 @@ declare const DeleteImportedKeyMaterialCommand_base: {
  *          <p>When the specified KMS key is in the <code>PendingDeletion</code> state, this operation
  *       does not change the KMS key's state. Otherwise, it changes the KMS key's state to
  *         <code>PendingImport</code>.</p>
+ *          <p class="title">
+ *             <b>Considerations for multi-Region symmetric encryption keys</b>
+ *          </p>
+ *          <ul>
+ *             <li>
+ *                <p>When you delete the key material of a primary Region key that is in
+ *             <code>PENDING_ROTATION</code> or <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code>state,
+ *             you'll also be deleting the key materials for the replica Region keys.</p>
+ *             </li>
+ *             <li>
+ *                <p>If you delete any key material of a replica Region key, the primary Region key and
+ *           other replica Region keys remain unchanged.</p>
+ *             </li>
+ *          </ul>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

package/dist-types/commands/ImportKeyMaterialCommand.d.ts

@@ -34,9 +34,28 @@ declare const ImportKeyMaterialCommand_base: {
  *       generate and import your own key material. For more information about importing key material,
  *       see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
  *         material</a>.</p>
- *          <p>For asymmetric, HMAC and multi-Region keys, you cannot change the key material after the
- *       initial import. You can import multiple key materials into single-Region, symmetric encryption
- *       keys and rotate the key material on demand using <code>RotateKeyOnDemand</code>.</p>
+ *          <p>For asymmetric and HMAC keys, you cannot change the key material after the initial import.
+ *       You can import multiple key materials into symmetric encryption keys and rotate the key
+ *       material on demand using <code>RotateKeyOnDemand</code>.</p>
+ *          <p>You can import new key materials into multi-Region symmetric encryption keys. To do so, you must
+ *       import the new key material into the primary Region key. Then you can import the same key
+ *       materials into the replica Region keys. You cannot directly import new key material into
+ *       the replica Region keys.</p>
+ *          <p>To import new key material for a multi-Region symmetric key, you’ll need to complete the
+ *       following:</p>
+ *          <ol>
+ *             <li>
+ *                <p>Call <code>ImportKeyMaterial</code> on the primary Region key with the
+ *             <code>ImportType</code>set to <code>NEW_KEY_MATERIAL</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>Call <code>ImportKeyMaterial</code> on the replica Region key with the
+ *             <code>ImportType</code> set to <code>EXISTING_KEY_MATERIAL</code> using the same key
+ *             material imported to the primary Region key. You must do this for every replica
+ *             Region key before you can perform the <a>RotateKeyOnDemand</a> operation
+ *             on the primary Region key.</p>
+ *             </li>
+ *          </ol>
  *          <p>After you import key material, you can <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#reimport-key-material">reimport
  *         the same key material</a> into that KMS key or, if the key supports on-demand rotation,
  *       import new key material. You can use the <code>ImportType</code> parameter to indicate whether
@@ -68,15 +87,15 @@ declare const ImportKeyMaterialCommand_base: {
  *           your key material.</p>
  *             </li>
  *          </ul>
- *          <p> Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key
+ *          <p>Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key
  *       material and import token. When calling this operation, you must specify the following
  *       values:</p>
  *          <ul>
  *             <li>
  *                <p>The key ID or key ARN of the KMS key to associate with the imported key material. Its
  *             <code>Origin</code> must be <code>EXTERNAL</code> and its <code>KeyState</code> must be
- *             <code>PendingImport</code>. You cannot perform this operation on a KMS key in a
- *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>, or on a KMS key in a different Amazon Web Services account. To get the
+ *             <code>PendingImport</code> or <code>Enabled</code>. You cannot perform this operation on
+ *             a KMS key in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>, or on a KMS key in a different Amazon Web Services account. To get the
  *             <code>Origin</code> and <code>KeyState</code> of a KMS key, call <a>DescribeKey</a>.</p>
  *             </li>
  *             <li>
@@ -96,12 +115,11 @@ declare const ImportKeyMaterialCommand_base: {
  *           time you reimport, you can eliminate or reset the expiration time.</p>
  *             </li>
  *          </ul>
- *          <p>When this operation is successful, the key state of the KMS key changes from
- *         <code>PendingImport</code> to <code>Enabled</code>, and you can use the KMS key in
- *       cryptographic operations. For single-Region, symmetric encryption keys, you will need to
- *       import all of the key materials associated with the KMS key to change its state to
- *         <code>Enabled</code>. Use the <code>ListKeyRotations</code> operation to list the ID and
- *       import state of each key material associated with a KMS key.</p>
+ *          <p>When this operation is successful, the state of the KMS key changes to <code>Enabled</code>,
+ *       and you can use the KMS key in cryptographic operations. For symmetric encryption keys, you will
+ *       need to import all of the key materials associated with the KMS key to change its state to
+ *       <code>Enabled</code>. Use the <code>ListKeyRotations</code> operation to list the ID and import
+ *       state of each key material associated with a KMS key.</p>
  *          <p>If this operation fails, use the exception to help determine the problem. If the error is
  *       related to the key material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import token for the KMS key
  *       and repeat the import procedure. For help, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-conceptual.html">Create a KMS key with imported key

package/dist-types/commands/ListKeyRotationsCommand.d.ts

@@ -99,7 +99,7 @@ declare const ListKeyRotationsCommand_base: {
  * //       KeyMaterialId: "STRING_VALUE",
  * //       KeyMaterialDescription: "STRING_VALUE",
  * //       ImportState: "IMPORTED" || "PENDING_IMPORT",
- * //       KeyMaterialState: "NON_CURRENT" || "CURRENT" || "PENDING_ROTATION",
+ * //       KeyMaterialState: "NON_CURRENT" || "CURRENT" || "PENDING_ROTATION" || "PENDING_MULTI_REGION_IMPORT_AND_ROTATION",
  * //       ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
  * //       ValidTo: new Date("TIMESTAMP"),
  * //       RotationDate: new Date("TIMESTAMP"),

package/dist-types/commands/RotateKeyOnDemandCommand.d.ts

@@ -46,15 +46,14 @@ declare const RotateKeyOnDemandCommand_base: {
  *       on-demand rotations were performed. You can monitor rotation of the key material for your KMS
  *       keys in CloudTrail and Amazon CloudWatch.</p>
  *          <p>On-demand key rotation is supported only on symmetric encryption KMS keys. You cannot
- *       perform on-demand rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, multi-Region KMS
- *       keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key
- *         material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>. When you initiate on-demand key
- *       rotation on a symmetric encryption KMS key with imported key material, you must have already
- *       imported <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html">new key material</a> and that
+ *       perform on-demand rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, or KMS keys in a
+ *       <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>. When you initiate on-demand key rotation on a symmetric encryption KMS key
+ *       with imported key material, you must have already imported <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html">new key material</a> and that
  *       key material's state should be <code>PENDING_ROTATION</code>. Use the
  *         <code>ListKeyRotations</code> operation to check the state of all key materials associated
- *       with a KMS key. To perform on-demand rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate">multi-Region keys</a>, invoke
- *       the on-demand rotation on the primary key.</p>
+ *       with a KMS key. To perform on-demand rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate">multi-Region keys</a>, import
+ *         new key material in the primary Region key, import the same key material in each replica
+ *         Region key, and invoke the on-demand rotation on the primary Region key.</p>
  *          <p>You cannot initiate on-demand rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed KMS keys</a>. KMS
  *       always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key">Amazon Web Services owned KMS
  *         keys</a> is managed by the Amazon Web Services service that owns the key.</p>

package/dist-types/models/enums.d.ts

@@ -401,6 +401,7 @@ export type IncludeKeyMaterial = (typeof IncludeKeyMaterial)[keyof typeof Includ
 export declare const KeyMaterialState: {
     readonly CURRENT: "CURRENT";
     readonly NON_CURRENT: "NON_CURRENT";
+    readonly PENDING_MULTI_REGION_IMPORT_AND_ROTATION: "PENDING_MULTI_REGION_IMPORT_AND_ROTATION";
     readonly PENDING_ROTATION: "PENDING_ROTATION";
 };
 /**

package/dist-types/models/models_0.d.ts

@@ -1181,11 +1181,10 @@ export interface KeyMetadata {
     XksKeyConfiguration?: XksKeyConfigurationType | undefined;
     /**
      * <p>Identifies the current key material. This value is present for symmetric encryption keys
-     *       with <code>AWS_KMS</code> origin and single-Region, symmetric encryption keys with
-     *         <code>EXTERNAL</code> origin. These KMS keys support automatic or on-demand key rotation and
-     *       can have multiple key materials associated with them. KMS uses the current key material for
-     *       both encryption and decryption, and the non-current key material for decryption operations
-     *       only.</p>
+     *       with <code>AWS_KMS</code> or <code>EXTERNAL</code> origin. These KMS keys support automatic
+     *       or on-demand key rotation and can have multiple key materials associated with them. KMS uses
+     *       the current key material for both encryption and decryption, and the non-current key material
+     *       for decryption operations only.</p>
      * @public
      */
     CurrentKeyMaterialId?: string | undefined;
@@ -3229,6 +3228,10 @@ export interface ImportKeyMaterialRequest {
      *       parameter defaults to <code>NEW_KEY_MATERIAL</code>. After the first key material is imported,
      *       if this parameter is omitted then the parameter defaults to
      *       <code>EXISTING_KEY_MATERIAL</code>.</p>
+     *          <p>For multi-Region keys, you must first import new key material into
+     * the primary Region key. You should use the <code>NEW_KEY_MATERIAL</code> import type when importing key
+     * material into the primary Region key. Then, you can import the same key material into the replica Region
+     * key. The import type for the replica Region key should be <code>EXISTING_KEY_MATERIAL</code>.</p>
      * @public
      */
     ImportType?: ImportType | undefined;
@@ -3580,14 +3583,20 @@ export interface RotationsListEntry {
      */
     ImportState?: ImportState | undefined;
     /**
-     * <p>There are three possible values for this field: <code>CURRENT</code>,
-     *         <code>NON_CURRENT</code> and <code>PENDING_ROTATION</code>. KMS uses <code>CURRENT</code>
+     * <p>There are four possible values for this field: <code>CURRENT</code>,
+     *         <code>NON_CURRENT</code>, <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code> and
+     *         <code>PENDING_ROTATION</code>. KMS uses <code>CURRENT</code>
      *       key material for both encryption and decryption and <code>NON_CURRENT</code> key material only
      *       for decryption. <code>PENDING_ROTATION</code> identifies key material that has been imported
-     *       for on-demand key rotation but the rotation hasn't completed. Key material in
-     *         <code>PENDING_ROTATION</code> is not permanently associated with the KMS key. You can delete
-     *       this key material and import different key material in its place. The
-     *         <code>PENDING_ROTATION</code> value is only used in symmetric encryption keys with imported
+     *       for on-demand key rotation but the rotation hasn't completed. The key material state
+     *       <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code> is unique to multi-region,
+     *       symmetric encryption keys with imported key material. It indicates key material that has
+     *       been imported into the primary Region key but not all of the replica Region keys. When this key material
+     *       is imported in to all of the replica Region keys, the key material state will change to
+     *       <code>PENDING_ROTATION</code>. Key material in <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code>
+     *       or <code>PENDING_ROTATION</code> state is not permanently associated with the KMS key. You can delete
+     *       this key material and import different key material in its place. The <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code>
+     *       and <code>PENDING_ROTATION</code> values are only used in symmetric encryption keys with imported
      *       key material. The other values, <code>CURRENT</code> and <code>NON_CURRENT</code>, are used
      *       for all KMS keys that support automatic or on-demand key rotation.</p>
      * @public

package/dist-types/ts3.4/models/enums.d.ts

@@ -239,6 +239,7 @@ export type IncludeKeyMaterial =
 export declare const KeyMaterialState: {
   readonly CURRENT: "CURRENT";
   readonly NON_CURRENT: "NON_CURRENT";
+  readonly PENDING_MULTI_REGION_IMPORT_AND_ROTATION: "PENDING_MULTI_REGION_IMPORT_AND_ROTATION";
   readonly PENDING_ROTATION: "PENDING_ROTATION";
 };
 export type KeyMaterialState =

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.936.0",
+  "version": "3.938.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline client-kms",