Commit
docs(client-kms): AWS KMS is deprecating the RSAES_PKCS1_V1_5 wrapping algorithm option in the GetParametersForImport API that is used in the AWS KMS Import Key Material feature. AWS KMS will end support for this wrapping algorithm by October 1, 2023.
awstools committed Feb 28, 2023
1 parent 82de475 commit 08b46ce
Showing 45 changed files with 1,033 additions and 1,787 deletions.
12 changes: 6 additions & 6 deletions clients/client-kms/README.md
Expand Up @@ -39,12 +39,12 @@ and later support these modes.</p>
<p>
<b>Signing Requests</b>
</p>
<p>Requests must be signed by using an access key ID and a secret access key. We strongly
recommend that you <i>do not</i> use your Amazon Web Services account (root) access key ID and
secret access key for everyday work with KMS. Instead, use the access key ID and secret
access key for an IAM user. You can also use the Amazon Web Services Security Token Service to generate
temporary security credentials that you can use to sign requests.</p>
<p>All KMS operations require <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>.</p>
<p>Requests must be signed using an access key ID and a secret access key. We strongly
recommend that you do not use your Amazon Web Services account root access key ID and secret access key for
everyday work. You can use the access key ID and secret access key for an IAM user or you
can use the Security Token Service (STS) to generate temporary security credentials and use those to sign
requests. </p>
<p>All KMS requests must be signed with <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>.</p>
<p>
<b>Logging API Requests</b>
</p>
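Review bot: the rewritten paragraph drops the emphasis on the root-credential warning (`<i>do not</i>` becomes plain `do not`) and the scope qualifier "for everyday work with KMS", and the new line `requests. </p>` carries a stray space before the closing tag. Keep the italics on `do not` and trim the whitespace, since this README text is also emitted verbatim into the KMSClient.ts JSDoc in this same commit.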
95 changes: 17 additions & 78 deletions clients/client-kms/src/KMS.ts
12 changes: 6 additions & 6 deletions clients/client-kms/src/KMSClient.ts
Expand Up @@ -438,12 +438,12 @@ export interface KMSClientResolvedConfig extends KMSClientResolvedConfigType {}
* <p>
* <b>Signing Requests</b>
* </p>
* <p>Requests must be signed by using an access key ID and a secret access key. We strongly
* recommend that you <i>do not</i> use your Amazon Web Services account (root) access key ID and
* secret access key for everyday work with KMS. Instead, use the access key ID and secret
* access key for an IAM user. You can also use the Amazon Web Services Security Token Service to generate
* temporary security credentials that you can use to sign requests.</p>
* <p>All KMS operations require <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>.</p>
* <p>Requests must be signed using an access key ID and a secret access key. We strongly
* recommend that you do not use your Amazon Web Services account root access key ID and secret access key for
* everyday work. You can use the access key ID and secret access key for an IAM user or you
* can use the Security Token Service (STS) to generate temporary security credentials and use those to sign
* requests. </p>
* <p>All KMS requests must be signed with <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>.</p>
* <p>
* <b>Logging API Requests</b>
* </p>
Expand Up @@ -90,7 +90,6 @@ export interface ConnectCustomKeyStoreCommandOutput extends ConnectCustomKeyStor
* key store</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ConnectCustomKeyStore</a> (IAM policy)</p>
* <p>
1 change: 0 additions & 1 deletion clients/client-kms/src/commands/CreateAliasCommand.ts
Expand Up @@ -50,7 +50,6 @@ export interface CreateAliasCommandOutput extends __MetadataBearer {}
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>
* </p>
4 changes: 0 additions & 4 deletions clients/client-kms/src/commands/CreateKeyCommand.ts
Expand Up @@ -46,10 +46,7 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
* <note>
* <p>KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.</p>
* </note>
*
*
* <p>To create different types of KMS keys, use the following guidance:</p>
*
* <dl>
* <dt>Symmetric encryption KMS key</dt>
* <dd>
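Review bot: the unchanged context line `KMS has replaced the term customer master key (CMK) with KMS key and KMS key` repeats `KMS key` twice, which reads as a typo in the service model text. Since this hunk only trims blank comment lines, it is the right moment to correct that sentence at the source so the regenerated JSDoc stops carrying the duplication.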
Expand Down Expand Up @@ -177,7 +174,6 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
* <p>
* <b>Cross-account use</b>: No. You cannot use this operation to
* create a KMS key in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> (IAM policy). To use the
* <code>Tags</code> parameter, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:TagResource</a> (IAM policy). For examples and information about related
10 changes: 5 additions & 5 deletions clients/client-kms/src/commands/DecryptCommand.ts
Expand Up @@ -79,8 +79,8 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
* the <code>Decrypt</code> operation fails. This practice ensures that you use the KMS key that
* you intend.</p>
* <p>Whenever possible, use key policies to give users permission to call the
* <code>Decrypt</code> operation on a particular KMS key, instead of using IAM policies.
* Otherwise, you might create an IAM user policy that gives the user <code>Decrypt</code>
* <code>Decrypt</code> operation on a particular KMS key, instead of using &IAM; policies.
* Otherwise, you might create an &IAM; policy that gives the user <code>Decrypt</code>
* permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys
* in other accounts if the key policy for the cross-account KMS key permits it. If you must use
* an IAM policy for <code>Decrypt</code> permissions, limit the user to particular KMS keys or
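Review bot: the two new lines introduce an unresolved entity reference, `&IAM;`, into the JSDoc (`instead of using &IAM; policies.` and `an &IAM; policy that gives the user`), while the unchanged context two lines later still spells out `an IAM policy`. Readers of the generated docs will see the literal `&IAM;`; expand it to `IAM` in the model text before regenerating, and check the other commands for the same leaked entity.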
Expand All @@ -90,9 +90,9 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
* <p>The KMS key that you use for this operation must be in a compatible key state. For
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
* the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. </p>
*
* <b>Cross-account use</b>: Yes. If you use the <code>KeyId</code>
* parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias
* ARN of the KMS key.</p>
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Decrypt</a> (key policy)</p>
* <p>
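Review bot: the reworded cross-account sentence now differs from the identical sentence left unchanged in DescribeKeyCommand.ts, EncryptCommand.ts and GenerateDataKeyCommand.ts in this same commit ("To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the `KeyId` parameter."). Both forms say the same thing, but the Decrypt docs should keep the shared wording so the cross-account guidance reads consistently across operations.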
Expand Up @@ -62,7 +62,6 @@ export interface DeleteCustomKeyStoreCommandOutput extends DeleteCustomKeyStoreR
* properties.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteCustomKeyStore</a> (IAM policy)</p>
* <p>
Expand Up @@ -45,7 +45,6 @@ export interface DeleteImportedKeyMaterialCommandOutput extends __MetadataBearer
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteImportedKeyMaterial</a> (key policy)</p>
* <p>
1 change: 0 additions & 1 deletion clients/client-kms/src/commands/DescribeKeyCommand.ts
Expand Up @@ -76,7 +76,6 @@ export interface DescribeKeyCommandOutput extends DescribeKeyResponse, __Metadat
* <p>
* <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
* the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DescribeKey</a> (key policy)</p>
* <p>
1 change: 0 additions & 1 deletion clients/client-kms/src/commands/DisableKeyCommand.ts
Expand Up @@ -40,7 +40,6 @@ export interface DisableKeyCommandOutput extends __MetadataBearer {}
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DisableKey</a> (key policy)</p>
* <p>
Expand Up @@ -46,7 +46,6 @@ export interface DisableKeyRotationCommandOutput extends __MetadataBearer {}
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DisableKeyRotation</a> (key policy)</p>
* <p>
Expand Up @@ -55,7 +55,6 @@ export interface DisconnectCustomKeyStoreCommandOutput extends DisconnectCustomK
* properties.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DisconnectCustomKeyStore</a> (IAM policy)</p>
* <p>
1 change: 0 additions & 1 deletion clients/client-kms/src/commands/EnableKeyCommand.ts
Expand Up @@ -33,7 +33,6 @@ export interface EnableKeyCommandOutput extends __MetadataBearer {}
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:EnableKey</a> (key policy)</p>
* <p>
Expand Up @@ -54,7 +54,6 @@ export interface EnableKeyRotationCommandOutput extends __MetadataBearer {}
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:EnableKeyRotation</a> (key policy)</p>
* <p>
3 changes: 0 additions & 3 deletions clients/client-kms/src/commands/EncryptCommand.ts
Expand Up @@ -52,8 +52,6 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
* <p>When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.</p>
* <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
* </important>
*
*
* <p>The maximum size of the data that you can encrypt varies with the type of KMS key and the
* encryption algorithm that you choose.</p>
* <ul>
Expand Down Expand Up @@ -122,7 +120,6 @@ export interface EncryptCommandOutput extends EncryptResponse, __MetadataBearer
* <b>Cross-account use</b>: Yes.
* To perform this operation with a KMS key in a different Amazon Web Services account, specify
* the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a> (key policy)</p>
* <p>
10 changes: 2 additions & 8 deletions clients/client-kms/src/commands/GenerateDataKeyCommand.ts
Expand Up @@ -40,23 +40,18 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
* key that you specify. The bytes in the plaintext key are random; they are not related
* to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS
* and store the encrypted data key with the encrypted data.</p>
*
* <p>To generate a data key, specify the symmetric encryption KMS key that will be used to
* encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the
* type of your KMS key, use the <a>DescribeKey</a> operation.</p>
*
* <p>You must also specify the length of the data key. Use either the <code>KeySpec</code> or
* <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use
* the <code>KeySpec</code> parameter.</p>
*
* <p>To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of
* <code>AES_128</code> or <code>NumberOfBytes</code> value of <code>128</code>. The symmetric
* <p>To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code> value of
* <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The symmetric
* encryption key used in China Regions to encrypt your data key is an SM4 encryption key.</p>
*
* <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
* the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
* random byte string, use <a>GenerateRandom</a>.</p>
*
* <p>You can use an optional encryption context to add additional security to the encryption
* operation. If you specify an <code>EncryptionContext</code>, you must specify the same
* encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
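Review bot: the corrected `NumberOfBytes` value of `16` (was `128`) now matches the unit of that parameter, which is bytes: 16 bytes is the 128-bit SM4 key size that the `AES_128` `KeySpec` also produces, whereas `128` would have requested a 128-byte (1024-bit) data key, far larger than SM4 uses. Adding "128-bit" to the sentence makes the equivalence of the two parameter forms explicit; any example that shows the `NumberOfBytes` form should carry the same byte-count value.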
Expand Down Expand Up @@ -102,7 +97,6 @@ export interface GenerateDataKeyCommandOutput extends GenerateDataKeyResponse, _
* <p>
* <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
* the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateDataKey</a> (key policy)</p>
* <p>
6 changes: 0 additions & 6 deletions clients/client-kms/src/commands/GenerateDataKeyPairCommand.ts
Expand Up @@ -41,34 +41,29 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
* perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes
* in the keys are random; they not related to the caller or to the KMS key that is used to
* encrypt the private key. </p>
*
* <p>You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data
* or verify a signature outside of KMS. Then, store the encrypted private key with the data.
* When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
*
* <p>To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt
* the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a
* custom key store. To get the type and origin of your KMS key, use the <a>DescribeKey</a> operation. </p>
* <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
* key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use
* ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both.
* However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.</p>
*
* <p>If you are using the data key pair to encrypt data, or for any operation where you don't
* immediately need a private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation.
* <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an
* encrypted private key, but omits the plaintext private key that you need only to decrypt
* ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use
* the <a>Decrypt</a> operation to decrypt the encrypted private key in the data key
* pair.</p>
*
* <p>
* <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The
* bytes in the keys are random; they are not related to the caller or the KMS key that is used
* to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as
* specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>. The private
* key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>.</p>
*
* <p>You can use an optional encryption context to add additional security to the encryption
* operation. If you specify an <code>EncryptionContext</code>, you must specify the same
* encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
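Review bot: the unchanged context line `they not related to the caller or to the KMS key` is missing "are" (`they are not related ...`), and the same sentence appears correctly later in this hunk (`they are not related to the caller or the KMS key`). Since this hunk only removes blank comment lines, fix the model text so both occurrences match.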
Expand All @@ -79,7 +74,6 @@ export interface GenerateDataKeyPairCommandOutput extends GenerateDataKeyPairRes
* <p>
* <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
* the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
*
* <p>
* <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateDataKeyPair</a> (key policy)</p>
* <p>