openapi-directory

Version:

Building & bundling https://github.com/APIs-guru/openapi-directory for easy use from JS

github.com/httptoolkit/openapi-directory-js

1 lines • 487 kB

JSON

{"openapi":"3.0.0","info":{"version":"2014-11-01","x-release":"v4","title":"AWS Key Management Service","description":"<fullname>Key Management Service</fullname> Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations that you can call programmatically. For general information about KMS, see the <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/\"> Key Management Service Developer Guide </a>. <note> KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term. Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including how to download and install them, see <a href=\"http://aws.amazon.com/tools/\">Tools for Amazon Web Services</a>. </note> We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS. If you need to use FIPS 140-2 validated cryptographic modules when communicating with Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the available FIPS endpoints, see <a href=\"https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region\">Service endpoints</a> in the Key Management Service topic of the Amazon Web Services General Reference. All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS). KMS recommends you always use the latest supported TLS version. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes. Signing Requests Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use your Amazon Web Services account root access key ID and secret access key for everyday work. You can use the access key ID and secret access key for an IAM user or you can use the Security Token Service (STS) to generate temporary security credentials and use those to sign requests. All KMS requests must be signed with <a href=\"https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html\">Signature Version 4</a>. Logging API Requests KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the <a href=\"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/\">CloudTrail User Guide</a>. Additional Resources For more information about credentials and request signing, see the following: <ul> <li> <a href=\"https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html\">Amazon Web Services Security Credentials</a> - This topic provides general information about the types of credentials used to access Amazon Web Services. </li> <li> <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html\">Temporary Security Credentials</a> - This section of the IAM User Guide describes how to create and use temporary security credentials. </li> <li> <a href=\"https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html\">Signature Version 4 Signing Process</a> - This set of topics walks you through the process of signing a request using an access key ID and a secret access key. </li> </ul> Commonly Used API Operations Of the API operations discussed in this guide, the following will prove the most useful for most applications. You will likely perform operations other than these, such as creating keys and assigning policies, by using the console. <ul> <li> <a>Encrypt</a> </li> <li> <a>Decrypt</a> </li> <li> <a>GenerateDataKey</a> </li> <li> <a>GenerateDataKeyWithoutPlaintext</a> </li> </ul>","x-logo":{"url":"https://twitter.com/awscloud/profile_image?size=original","backgroundColor":"#FFFFFF"},"termsOfService":"https://aws.amazon.com/service-terms/","contact":{"name":"Mike Ralphson","email":"mike.ralphson@gmail.com","url":"https://github.com/mermade/aws2openapi","x-twitter":"PermittedSoc"},"license":{"name":"Apache 2.0 License","url":"http://www.apache.org/licenses/"},"x-providerName":"amazonaws.com","x-serviceName":"kms","x-origin":[{"contentType":"application/json","url":"https://raw.githubusercontent.com/aws/aws-sdk-js/master/apis/kms-2014-11-01.normal.json","converter":{"url":"https://github.com/mermade/aws2openapi","version":"1.0.0"},"x-apisguru-driver":"external"}],"x-apiClientRegistration":{"url":"https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct"},"x-apisguru-categories":["cloud"],"x-preferred":true},"externalDocs":{"description":"Amazon Web Services documentation","url":"https://docs.aws.amazon.com/kms/"},"servers":[{"url":"http://kms.{region}.amazonaws.com","variables":{"region":{"description":"The AWS region","enum":["us-east-1","us-east-2","us-west-1","us-west-2","us-gov-west-1","us-gov-east-1","ca-central-1","eu-north-1","eu-west-1","eu-west-2","eu-west-3","eu-central-1","eu-south-1","af-south-1","ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-southeast-1","ap-southeast-2","ap-east-1","ap-south-1","sa-east-1","me-south-1"],"default":"us-east-1"}},"description":"The KMS multi-region endpoint"},{"url":"https://kms.{region}.amazonaws.com","variables":{"region":{"description":"The AWS region","enum":["us-east-1","us-east-2","us-west-1","us-west-2","us-gov-west-1","us-gov-east-1","ca-central-1","eu-north-1","eu-west-1","eu-west-2","eu-west-3","eu-central-1","eu-south-1","af-south-1","ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-southeast-1","ap-southeast-2","ap-east-1","ap-south-1","sa-east-1","me-south-1"],"default":"us-east-1"}},"description":"The KMS multi-region endpoint"},{"url":"http://kms.{region}.amazonaws.com.cn","variables":{"region":{"description":"The AWS region","enum":["cn-north-1","cn-northwest-1"],"default":"cn-north-1"}},"description":"The KMS endpoint for China (Beijing) and China (Ningxia)"},{"url":"https://kms.{region}.amazonaws.com.cn","variables":{"region":{"description":"The AWS region","enum":["cn-north-1","cn-northwest-1"],"default":"cn-north-1"}},"description":"The KMS endpoint for China (Beijing) and China (Ningxia)"}],"x-hasEquivalentPaths":true,"paths":{"/#X-Amz-Target=TrentService.CancelKeyDeletion":{"post":{"operationId":"CancelKeyDeletion","description":"Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is <code>Disabled</code>. To enable the KMS key, use <a>EnableKey</a>. For more information about scheduling and canceling deletion of a KMS key, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html\">Deleting KMS keys</a> in the Key Management Service Developer Guide. The KMS key that you use for this operation must be in a compatible key state. For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html\">Key states of KMS keys</a> in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account. Required permissions: <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:CancelKeyDeletion</a> (key policy) Related operations: <a>ScheduleKeyDeletion</a> ","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CancelKeyDeletionResponse"}}}},"480":{"description":"NotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/NotFoundException"}}}},"481":{"description":"InvalidArnException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidArnException"}}}},"482":{"description":"DependencyTimeoutException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DependencyTimeoutException"}}}},"483":{"description":"KMSInternalException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInternalException"}}}},"484":{"description":"KMSInvalidStateException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInvalidStateException"}}}}},"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CancelKeyDeletionRequest"}}}},"parameters":[{"name":"X-Amz-Target","in":"header","required":true,"schema":{"type":"string","enum":["TrentService.CancelKeyDeletion"]}}]},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/#X-Amz-Target=TrentService.ConnectCustomKeyStore":{"post":{"operationId":"ConnectCustomKeyStore","description":"Connects or reconnects a <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html\">custom key store</a> to its backing key store. For an CloudHSM key store, <code>ConnectCustomKeyStore</code> connects the key store to its associated CloudHSM cluster. For an external key store, <code>ConnectCustomKeyStore</code> connects the key store to the external key store proxy that communicates with your external key manager. The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it contains. You can disconnect and reconnect a custom key store at any time. The connection process for a custom key store can take an extended amount of time to complete. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the <a>DescribeCustomKeyStores</a> operation. This operation is part of the <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html\">custom key stores</a> feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage. The <code>ConnectCustomKeyStore</code> operation might fail for various reasons. To find the reason, use the <a>DescribeCustomKeyStores</a> operation and see the <code>ConnectionErrorCode</code> in the response. For help interpreting the <code>ConnectionErrorCode</code>, see <a>CustomKeyStoresListEntry</a>. To fix the failure, use the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store, correct the error, use the <a>UpdateCustomKeyStore</a> operation if necessary, and then use <code>ConnectCustomKeyStore</code> again. CloudHSM key store During the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that is associated with the custom key store, creates the connection infrastructure, connects to the cluster, logs into the CloudHSM client as the <code>kmsuser</code> CU, and rotates its password. To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active HSM. To get the number of active HSMs in a cluster, use the <a href=\"https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html\">DescribeClusters</a> operation. To add HSMs to the cluster, use the <a href=\"https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html\">CreateHsm</a> operation. Also, the <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser\"> <code>kmsuser</code> crypto user</a> (CU) must not be logged into the cluster. This prevents KMS from using this account to log in. If you are having trouble connecting or disconnecting a CloudHSM key store, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html\">Troubleshooting an CloudHSM key store</a> in the Key Management Service Developer Guide. External key store When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to communicate with your external key manager by sending a request via the external key store proxy. When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the networking elements that it needs to communicate with your external key manager via the external key store proxy. This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic between KMS and the VPC endpoint service. To connect an external key store, KMS must be able to connect to the external key store proxy, the external key store proxy must be able to communicate with your external key manager, and the external key manager must be available for cryptographic operations. If you are having trouble connecting or disconnecting an external key store, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html\">Troubleshooting an external key store</a> in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:ConnectCustomKeyStore</a> (IAM policy) Related operations <ul> <li> <a>CreateCustomKeyStore</a> </li> <li> <a>DeleteCustomKeyStore</a> </li> <li> <a>DescribeCustomKeyStores</a> </li> <li> <a>DisconnectCustomKeyStore</a> </li> <li> <a>UpdateCustomKeyStore</a> </li> </ul>","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ConnectCustomKeyStoreResponse"}}}},"480":{"description":"CloudHsmClusterNotActiveException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterNotActiveException"}}}},"481":{"description":"CustomKeyStoreInvalidStateException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CustomKeyStoreInvalidStateException"}}}},"482":{"description":"CustomKeyStoreNotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CustomKeyStoreNotFoundException"}}}},"483":{"description":"KMSInternalException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInternalException"}}}},"484":{"description":"CloudHsmClusterInvalidConfigurationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterInvalidConfigurationException"}}}}},"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ConnectCustomKeyStoreRequest"}}}},"parameters":[{"name":"X-Amz-Target","in":"header","required":true,"schema":{"type":"string","enum":["TrentService.ConnectCustomKeyStore"]}}]},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/#X-Amz-Target=TrentService.CreateAlias":{"post":{"operationId":"CreateAlias","description":"Creates a friendly name for a KMS key. <note> Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/abac.html\">ABAC for KMS</a> in the Key Management Service Developer Guide. </note> You can use an alias to identify a KMS key in the KMS console, in the <a>DescribeKey</a> operation and in <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations\">cryptographic operations</a>, such as <a>Encrypt</a> and <a>GenerateDataKey</a>. You can also change the KMS key that's associated with the alias (<a>UpdateAlias</a>) or delete the alias (<a>DeleteAlias</a>) at any time. These operations don't affect the underlying KMS key. You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required. You can't create an alias without a KMS key. The alias must be unique in the account and Region, but you can have aliases with the same name in different Regions. For detailed information about aliases, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html\">Using aliases</a> in the Key Management Service Developer Guide. This operation does not return a response. To get the alias that you created, use the <a>ListAliases</a> operation. The KMS key that you use for this operation must be in a compatible key state. For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html\">Key states of KMS keys</a> in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account. Required permissions <ul> <li> <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:CreateAlias</a> on the alias (IAM policy). </li> <li> <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:CreateAlias</a> on the KMS key (key policy). </li> </ul> For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access\">Controlling access to aliases</a> in the Key Management Service Developer Guide. Related operations: <ul> <li> <a>DeleteAlias</a> </li> <li> <a>ListAliases</a> </li> <li> <a>UpdateAlias</a> </li> </ul>","responses":{"200":{"description":"Success"},"480":{"description":"DependencyTimeoutException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DependencyTimeoutException"}}}},"481":{"description":"AlreadyExistsException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlreadyExistsException"}}}},"482":{"description":"NotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/NotFoundException"}}}},"483":{"description":"InvalidAliasNameException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidAliasNameException"}}}},"484":{"description":"KMSInternalException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInternalException"}}}},"485":{"description":"LimitExceededException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LimitExceededException"}}}},"486":{"description":"KMSInvalidStateException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInvalidStateException"}}}}},"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateAliasRequest"}}}},"parameters":[{"name":"X-Amz-Target","in":"header","required":true,"schema":{"type":"string","enum":["TrentService.CreateAlias"]}}]},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/#X-Amz-Target=TrentService.CreateCustomKeyStore":{"post":{"operationId":"CreateCustomKeyStore","description":"Creates a <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html\">custom key store</a> backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS supports <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html\">CloudHSM key stores</a> backed by an <a href=\"https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html\">CloudHSM cluster</a> and <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html\">external key stores</a> backed by an external key store proxy and external key manager outside of Amazon Web Services. This operation is part of the <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html\">custom key stores</a> feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage. Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that KMS provides to verify the configuration your external key store proxy. For details about the required elements and verification tests, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore\">Assemble the prerequisites (for CloudHSM key stores)</a> or <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements\">Assemble the prerequisites (for external key stores)</a> in the Key Management Service Developer Guide. To create a custom key store, use the following parameters. <ul> <li> To create an CloudHSM key store, specify the <code>CustomKeyStoreName</code>, <code>CloudHsmClusterId</code>, <code>KeyStorePassword</code>, and <code>TrustAnchorCertificate</code>. The <code>CustomKeyStoreType</code> parameter is optional for CloudHSM key stores. If you include it, set it to the default value, <code>AWS_CLOUDHSM</code>. For help with failures, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html\">Troubleshooting an CloudHSM key store</a> in the Key Management Service Developer Guide. </li> <li> To create an external key store, specify the <code>CustomKeyStoreName</code> and a <code>CustomKeyStoreType</code> of <code>EXTERNAL_KEY_STORE</code>. Also, specify values for <code>XksProxyConnectivity</code>, <code>XksProxyAuthenticationCredential</code>, <code>XksProxyUriEndpoint</code>, and <code>XksProxyUriPath</code>. If your <code>XksProxyConnectivity</code> value is <code>VPC_ENDPOINT_SERVICE</code>, specify the <code>XksProxyVpcEndpointServiceName</code> parameter. For help with failures, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html\">Troubleshooting an external key store</a> in the Key Management Service Developer Guide. </li> </ul> <note> For external key stores: Some external key managers provide a simpler method for creating an external key store. For details, see your external key manager documentation. When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with the desired values. You cannot use a proxy configuration with the <code>CreateCustomKeyStore</code> operation. However, you can use the values in the file to help you determine the correct values for the <code>CreateCustomKeyStore</code> parameters. </note> When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the <a>ConnectCustomKeyStore</a> operation to connect a new CloudHSM key store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your external key manager. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it. For help with failures, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html\">Troubleshooting a custom key store</a> in the Key Management Service Developer Guide. Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account. Required permissions: <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:CreateCustomKeyStore</a> (IAM policy). Related operations: <ul> <li> <a>ConnectCustomKeyStore</a> </li> <li> <a>DeleteCustomKeyStore</a> </li> <li> <a>DescribeCustomKeyStores</a> </li> <li> <a>DisconnectCustomKeyStore</a> </li> <li> <a>UpdateCustomKeyStore</a> </li> </ul>","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateCustomKeyStoreResponse"}}}},"480":{"description":"CloudHsmClusterInUseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterInUseException"}}}},"481":{"description":"CustomKeyStoreNameInUseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CustomKeyStoreNameInUseException"}}}},"482":{"description":"CloudHsmClusterNotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterNotFoundException"}}}},"483":{"description":"KMSInternalException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInternalException"}}}},"484":{"description":"CloudHsmClusterNotActiveException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterNotActiveException"}}}},"485":{"description":"IncorrectTrustAnchorException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/IncorrectTrustAnchorException"}}}},"486":{"description":"CloudHsmClusterInvalidConfigurationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterInvalidConfigurationException"}}}},"487":{"description":"LimitExceededException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LimitExceededException"}}}},"488":{"description":"XksProxyUriInUseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyUriInUseException"}}}},"489":{"description":"XksProxyUriEndpointInUseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyUriEndpointInUseException"}}}},"490":{"description":"XksProxyUriUnreachableException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyUriUnreachableException"}}}},"491":{"description":"XksProxyIncorrectAuthenticationCredentialException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyIncorrectAuthenticationCredentialException"}}}},"492":{"description":"XksProxyVpcEndpointServiceInUseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyVpcEndpointServiceInUseException"}}}},"493":{"description":"XksProxyVpcEndpointServiceNotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyVpcEndpointServiceNotFoundException"}}}},"494":{"description":"XksProxyVpcEndpointServiceInvalidConfigurationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyVpcEndpointServiceInvalidConfigurationException"}}}},"495":{"description":"XksProxyInvalidResponseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyInvalidResponseException"}}}},"496":{"description":"XksProxyInvalidConfigurationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksProxyInvalidConfigurationException"}}}}},"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateCustomKeyStoreRequest"}}}},"parameters":[{"name":"X-Amz-Target","in":"header","required":true,"schema":{"type":"string","enum":["TrentService.CreateCustomKeyStore"]}}]},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/#X-Amz-Target=TrentService.CreateGrant":{"post":{"operationId":"CreateGrant","description":"Adds a grant to a KMS key. A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic operations. It also can allow them to view a KMS key (<a>DescribeKey</a>) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often used for temporary permissions because you can create one, use its permissions, and delete it without changing your key policies or IAM policies. For detailed information about grants, including grant terminology, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/grants.html\">Grants in KMS</a> in the Key Management Service Developer Guide . For examples of working with grants in several programming languages, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html\">Programming grants</a>. The <code>CreateGrant</code> operation returns a <code>GrantToken</code> and a <code>GrantId</code>. <ul> <li> When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. Once the grant has achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the grant. However, to use the permissions in the grant immediately, use the <code>GrantToken</code> that <code>CreateGrant</code> returns. For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token\">Using a grant token</a> in the Key Management Service Developer Guide . </li> <li> The <code>CreateGrant</code> operation also returns a <code>GrantId</code>. You can use the <code>GrantId</code> and a key identifier to identify the grant in the <a>RetireGrant</a> and <a>RevokeGrant</a> operations. To find the grant ID, use the <a>ListGrants</a> or <a>ListRetirableGrants</a> operations. </li> </ul> The KMS key that you use for this operation must be in a compatible key state. For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html\">Key states of KMS keys</a> in the Key Management Service Developer Guide. Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the <code>KeyId</code> parameter. Required permissions: <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:CreateGrant</a> (key policy) Related operations: <ul> <li> <a>ListGrants</a> </li> <li> <a>ListRetirableGrants</a> </li> <li> <a>RetireGrant</a> </li> <li> <a>RevokeGrant</a> </li> </ul>","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateGrantResponse"}}}},"480":{"description":"NotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/NotFoundException"}}}},"481":{"description":"DisabledException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DisabledException"}}}},"482":{"description":"DependencyTimeoutException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DependencyTimeoutException"}}}},"483":{"description":"InvalidArnException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidArnException"}}}},"484":{"description":"KMSInternalException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInternalException"}}}},"485":{"description":"InvalidGrantTokenException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidGrantTokenException"}}}},"486":{"description":"LimitExceededException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LimitExceededException"}}}},"487":{"description":"KMSInvalidStateException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInvalidStateException"}}}},"488":{"description":"DryRunOperationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DryRunOperationException"}}}}},"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateGrantRequest"}}}},"parameters":[{"name":"X-Amz-Target","in":"header","required":true,"schema":{"type":"string","enum":["TrentService.CreateGrant"]}}]},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/#X-Amz-Target=TrentService.CreateKey":{"post":{"operationId":"CreateKey","description":"Creates a unique customer managed <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys\">KMS key</a> in your Amazon Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your service resources. A KMS key is a logical representation of a cryptographic key. In addition to the key material used in cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date, description, and key state. For details, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html\">Managing keys</a> in the Key Management Service Developer Guide Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its key policy, description, tags, and other properties. <note> KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term. </note> To create different types of KMS keys, use the following guidance: <dl> <dt>Symmetric encryption KMS key</dt> <dd> By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. This is the basic and most widely used type of KMS key, and provides the best performance. To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a symmetric encryption KMS key with KMS key material. If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but they are typically used to generate data keys and data keys pairs. For details, see <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. </dd> <dt>Asymmetric KMS keys</dt> <dd> To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in the KMS key. Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html\">Asymmetric KMS keys</a> in the Key Management Service Developer Guide. </dd> <dt>HMAC KMS key</dt> <dd> To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys. Then set the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. You can't change these properties after the KMS key is created. HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. </dd> <dt>Multi-Region primary keys</dt> <dt>Imported key material</dt> <dd> To create a multi-Region primary key in the local Amazon Web Services Region, use the <code>MultiRegion</code> parameter with a value of <code>True</code>. To create a multi-Region replica key, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its primary key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with imported key material. However, you can't create multi-Region keys in a custom key store. This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html\">Multi-Region keys in KMS</a> in the Key Management Service Developer Guide. </dd> <dd> To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For step-by-step instructions, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html\">Importing Key Material</a> in the Key Management Service Developer Guide . You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with imported key material. However, you can't import key material into a KMS key in a custom key store. To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a value of <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> operation. For instructions, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html \">Importing key material into multi-Region keys</a>. For more information about multi-Region keys, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html\">Multi-Region keys in KMS</a> in the Key Management Service Developer Guide. </dd> <dt>Custom key store</dt> <dd> A <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html\">custom key store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is performed in the backing key store using its cryptographic keys. KMS supports <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html\">CloudHSM key stores</a> backed by an CloudHSM cluster and <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html\">external key stores</a> backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you create a KMS key in an external key store, you specify an existing encryption key in the external key manager. <note> Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, see your external key manager documentation. </note> Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. Use the default <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key store. To create a KMS key in an <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html\">CloudHSM key store</a>, use the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The CloudHSM cluster that is associated with the custom key store must have at least two active HSMs in different Availability Zones in the Amazon Web Services Region. To create a KMS key in an <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html\">external key store</a>, use the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> parameter that identifies an existing external key. <note> Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, see your external key manager documentation. </note> </dd> </dl> Cross-account use: No. You cannot use this operation to create a KMS key in a different Amazon Web Services account. Required permissions: <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:CreateKey</a> (IAM policy). To use the <code>Tags</code> parameter, <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html\">kms:TagResource</a> (IAM policy). For examples and information about related permissions, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key\">Allow a user to create KMS keys</a> in the Key Management Service Developer Guide. Related operations: <ul> <li> <a>DescribeKey</a> </li> <li> <a>ListKeys</a> </li> <li> <a>ScheduleKeyDeletion</a> </li> </ul>","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateKeyResponse"}}}},"480":{"description":"MalformedPolicyDocumentException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/MalformedPolicyDocumentException"}}}},"481":{"description":"DependencyTimeoutException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DependencyTimeoutException"}}}},"482":{"description":"InvalidArnException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidArnException"}}}},"483":{"description":"UnsupportedOperationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnsupportedOperationException"}}}},"484":{"description":"KMSInternalException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KMSInternalException"}}}},"485":{"description":"LimitExceededException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LimitExceededException"}}}},"486":{"description":"TagException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TagException"}}}},"487":{"description":"CustomKeyStoreNotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CustomKeyStoreNotFoundException"}}}},"488":{"description":"CustomKeyStoreInvalidStateException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CustomKeyStoreInvalidStateException"}}}},"489":{"description":"CloudHsmClusterInvalidConfigurationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudHsmClusterInvalidConfigurationException"}}}},"490":{"description":"XksKeyInvalidConfigurationException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksKeyInvalidConfigurationException"}}}},"491":{"description":"XksKeyAlreadyInUseException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksKeyAlreadyInUseException"}}}},"492":{"description":"XksKeyNotFoundException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/XksKeyNotFoundException"}}}}},"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateKeyRequest"}}}},"parameters":[{"name":"X-Amz-Target","in":"header","required":true,"schema":{"type":"string","enum":["TrentService.CreateKey"]}}]},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/#X-Amz-Target=TrentService.Decrypt":{"post":{"operationId":"Decrypt","description":"Decrypts ciphertext that was encrypted by a KMS key using any of the following operations: <ul> <li> <a>Encrypt</a> </li> <li> <a>GenerateDataKey</a> </li> <li> <a>GenerateDataKeyPair</a> </li> <li> <a>GenerateDataKeyWithoutPlaintext</a> </li> <li> <a>GenerateDataKeyPairWithoutPlaintext</a> </li> </ul> You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext. For infor