Returns a list of one or more conformance packs.
", "DescribeDeliveryChannelStatus": "Returns the current status of the specified delivery channel. If a delivery channel is not specified, this action returns the current status of all delivery channels associated with the account.
Currently, you can specify only one delivery channel per region in your account.
Returns details about the specified delivery channel. If a delivery channel is not specified, this action returns the details of all delivery channels associated with the account.
Currently, you can specify only one delivery channel per region in your account.
Provides organization config rule deployment status for an organization.
Only a master account and a delegated administrator account can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
The status is not considered successful until organization config rule is successfully deployed in all the member accounts with an exception of excluded accounts.
When you specify the limit and the next token, you receive a paginated response. Limit and next token are not applicable if you specify organization config rule names. It is only applicable, when you request all the organization config rules.
Returns a list of organization config rules.
Only a master account and a delegated administrator account can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
When you specify the limit and the next token, you receive a paginated response. Limit and next token are not applicable if you specify organization config rule names. It is only applicable, when you request all the organization config rules.
Provides organization conformance pack deployment status for an organization.
Only a master account and a delegated administrator account can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
The status is not considered successful until organization conformance pack is successfully deployed in all the member accounts with an exception of excluded accounts.
When you specify the limit and the next token, you receive a paginated response. Limit and next token are not applicable if you specify organization conformance pack names. They are only applicable, when you request all the organization conformance packs.
Returns a list of organization conformance packs.
Only a master account and a delegated administrator account can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
When you specify the limit and the next token, you receive a paginated response.
Limit and next token are not applicable if you specify organization conformance packs names. They are only applicable, when you request all the organization conformance packs.
Provides organization config rule deployment status for an organization.
The status is not considered successful until organization config rule is successfully deployed in all the member accounts with an exception of excluded accounts.
When you specify the limit and the next token, you receive a paginated response. Limit and next token are not applicable if you specify organization config rule names. It is only applicable, when you request all the organization config rules.
Returns a list of organization config rules.
When you specify the limit and the next token, you receive a paginated response. Limit and next token are not applicable if you specify organization config rule names. It is only applicable, when you request all the organization config rules.
Provides organization conformance pack deployment status for an organization.
The status is not considered successful until organization conformance pack is successfully deployed in all the member accounts with an exception of excluded accounts.
When you specify the limit and the next token, you receive a paginated response. Limit and next token are not applicable if you specify organization conformance pack names. They are only applicable, when you request all the organization conformance packs.
Returns a list of organization conformance packs.
When you specify the limit and the next token, you receive a paginated response.
Limit and next token are not applicable if you specify organization conformance packs names. They are only applicable, when you request all the organization conformance packs.
Returns a list of all pending aggregation requests.
", "DescribeRemediationConfigurations": "Returns the details of one or more remediation configurations.
", "DescribeRemediationExceptions": "Returns the details of one or more remediation exceptions. A detailed view of a remediation exception for a set of resources that includes an explanation of an exception and the time when the exception will be deleted. When you specify the limit and the next token, you receive a paginated response.
AWS Config generates a remediation exception when a problem occurs executing a remediation action to a specific resource. Remediation exceptions blocks auto-remediation until the exception is cleared.
When you specify the limit and the next token, you receive a paginated response.
Limit and next token are not applicable if you request resources in batch. It is only applicable, when you request all resources.
Returns compliance details of a conformance pack for all AWS resources that are monitered by conformance pack.
", "GetConformancePackComplianceSummary": "Returns compliance details for the conformance pack based on the cumulative compliance results of all the rules in that conformance pack.
", "GetDiscoveredResourceCounts": "Returns the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account.
Example
AWS Config is recording three resource types in the US East (Ohio) Region for your account: 25 EC2 instances, 20 IAM users, and 15 S3 buckets.
You make a call to the GetDiscoveredResourceCounts action and specify that you want all resource types.
AWS Config returns the following:
The resource types (EC2 instances, IAM users, and S3 buckets).
The number of each resource type (25, 20, and 15).
The total number of all resources (60).
The response is paginated. By default, AWS Config lists 100 ResourceCount objects on each page. You can customize this number with the limit parameter. The response includes a nextToken string. To get the next page of results, run the request again and specify the string for the nextToken parameter.
If you make a call to the GetDiscoveredResourceCounts action, you might not immediately receive resource counts in the following situations:
You are a new AWS Config customer.
You just enabled resource recording.
It might take a few minutes for AWS Config to record and count your resources. Wait a few minutes and then retry the GetDiscoveredResourceCounts action.
Returns detailed status for each member account within an organization for a given organization config rule.
Only a master account and a delegated administrator account can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
Returns detailed status for each member account within an organization for a given organization conformance pack.
Only a master account and a delegated administrator account can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
Returns detailed status for each member account within an organization for a given organization config rule.
", + "GetOrganizationConformancePackDetailedStatus": "Returns detailed status for each member account within an organization for a given organization conformance pack.
", "GetResourceConfigHistory": "Returns a list of configuration items for the specified resource. The list contains details about each state of the resource during the specified time interval. If you specified a retention period to retain your ConfigurationItems between a minimum of 30 days and a maximum of 7 years (2557 days), AWS Config returns the ConfigurationItems for the specified retention period.
The response is paginated. By default, AWS Config returns a limit of 10 configuration items per page. You can customize this number with the limit parameter. The response includes a nextToken string. To get the next page of results, run the request again and specify the string for the nextToken parameter.
Each call to the API is limited to span a duration of seven days. It is likely that the number of records returned is smaller than the specified limit. In such cases, you can make another call, using the nextToken.
Accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions. A resource identifier includes the resource type, ID, (if available) the custom resource name, source account, and source region. You can narrow the results to include only resources that have specific resource IDs, or a resource name, or source account ID, or source region.
For example, if the input consists of accountID 12345678910 and the region is us-east-1 for resource type AWS::EC2::Instance then the API returns all the EC2 instance identifiers of accountID 12345678910 and region us-east-1.
Accepts a resource type and returns a list of resource identifiers for the resources of that type. A resource identifier includes the resource type, ID, and (if available) the custom resource name. The results consist of resources that AWS Config has discovered, including those that AWS Config is not currently recording. You can narrow the results to include only resources that have specific resource IDs or a resource name.
You can specify either resource IDs or a resource name, but not both, in the same request.
The response is paginated. By default, AWS Config lists 100 resource identifiers on each page. You can customize this number with the limit parameter. The response includes a nextToken string. To get the next page of results, run the request again and specify the string for the nextToken parameter.
Creates or updates a conformance pack. A conformance pack is a collection of AWS Config rules that can be easily deployed in an account and a region and across AWS Organization.
This API creates a service linked role AWSServiceRoleForConfigConforms in your account. The service linked role is created only when the role does not exist in your account.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. If you provide both AWS Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic.
Before you can create a delivery channel, you must create a configuration recorder.
You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.
You can have only one delivery channel per region in your account.
Used by an AWS Lambda function to deliver evaluation results to AWS Config. This action is required in every AWS Lambda function that is invoked by an AWS Config rule.
", + "PutExternalEvaluation": null, "PutOrganizationConfigRule": "Adds or updates organization config rule for your entire organization evaluating whether your AWS resources comply with your desired configurations.
Only a master account and a delegated administrator can create or update an organization config rule. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
This API enables organization service access through the EnableAWSServiceAccess action and creates a service linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. The service linked role is created only when the role does not exist in the caller account. AWS Config verifies the existence of role with GetRole action.
To use this API with delegated administrator, register a delegated administrator by calling AWS Organization register-delegated-administrator for config-multiaccountsetup.amazonaws.com.
You can use this action to create both custom AWS Config rules and AWS managed Config rules. If you are adding a new custom AWS Config rule, you must first create AWS Lambda function in the master account or a delegated administrator that the rule invokes to evaluate your resources. When you use the PutOrganizationConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. If you are adding an AWS managed Config rule, specify the rule's identifier for the RuleIdentifier key.
The maximum number of organization config rules that AWS Config supports is 150 and 3 delegated administrator per organization.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata.
Deploys conformance packs across member accounts in an AWS Organization.
Only a master account and a delegated administrator can call this API. When calling this API with a delegated administrator, you must ensure AWS Organizations ListDelegatedAdministrator permissions are added.
This API enables organization service access for config-multiaccountsetup.amazonaws.com through the EnableAWSServiceAccess action and creates a service linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. The service linked role is created only when the role does not exist in the caller account. To use this API with delegated administrator, register a delegated administrator by calling AWS Organization register-delegate-admin for config-multiaccountsetup.amazonaws.com.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. If you provide both AWS Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
AWS Config sets the state of a conformance pack to CREATE_IN_PROGRESS and UPDATE_IN_PROGRESS until the conformance pack is created or updated. You cannot update a conformance pack while it is in this state.
You can create 6 conformance packs with 25 AWS Config rules in each pack and 3 delegated administrator per organization.
Adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action. The API creates the RemediationConfiguration object for the AWS Config rule. The AWS Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.
If you make backward incompatible changes to the SSM document, you must call this again to ensure the remediations can run.
A remediation exception is when a specific resource is no longer considered for auto-remediation. This API adds a new exception or updates an exisiting exception for a specific resource with a specific AWS Config rule.
AWS Config generates a remediation exception when a problem occurs executing a remediation action to a specific resource. Remediation exceptions blocks auto-remediation until the exception is cleared.
Adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action. The API creates the RemediationConfiguration object for the AWS Config rule. The AWS Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.
If you make backward incompatible changes to the SSM document, you must call this again to ensure the remediations can run.
This API does not support adding remediation configurations for service-linked AWS Config Rules such as Organization Config rules, the rules deployed by conformance packs, and rules deployed by AWS Security Hub.
A remediation exception is when a specific resource is no longer considered for auto-remediation. This API adds a new exception or updates an existing exception for a specific resource with a specific AWS Config rule.
AWS Config generates a remediation exception when a problem occurs executing a remediation action to a specific resource. Remediation exceptions blocks auto-remediation until the exception is cleared.
Records the configuration state for the resource provided in the request. The configuration state of a resource is represented in AWS Config as Configuration Items. Once this API records the configuration item, you can retrieve the list of configuration items for the custom resource type using existing AWS Config APIs.
The custom resource type must be registered with AWS CloudFormation. This API accepts the configuration item registered with AWS CloudFormation.
When you call this API, AWS Config only stores configuration state of the resource provided in the request. This API does not change or remediate the configuration of the resource.
Write-only schema properites are not recorded as part of the published configuration item.
Creates and updates the retention configuration with details about retention period (number of days) that AWS Config stores your historical information. The API creates the RetentionConfiguration object and names the object as default. When you have a RetentionConfiguration object named default, calling the API modifies the default object.
Currently, AWS Config supports only one retention configuration per region in your account.
Accepts a structured query language (SQL) SELECT command and an aggregator to query configuration state of AWS resources across multiple accounts and regions, performs the corresponding search, and returns resource configurations matching the properties.
For more information about query components, see the Query Components section in the AWS Config Developer Guide.
", @@ -87,7 +88,7 @@ "base": null, "refs": { "BaseConfigurationItem$arn": "The Amazon Resource Name (ARN) of the resource.
", - "ConfigurationItem$arn": "accoun
" + "ConfigurationItem$arn": "Amazon Resource Name (ARN) associated with the resource.
" } }, "AccountAggregationSource": { @@ -254,13 +255,13 @@ "AutoRemediationAttemptSeconds": { "base": null, "refs": { - "RemediationConfiguration$RetryAttemptSeconds": "Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.
For example, if you specify RetryAttemptsSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.
" + "RemediationConfiguration$RetryAttemptSeconds": "Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.
For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.
" } }, "AutoRemediationAttempts": { "base": null, "refs": { - "RemediationConfiguration$MaximumAutomaticAttempts": "The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.
For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptsSeconds as 50 seconds, AWS Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.
" + "RemediationConfiguration$MaximumAutomaticAttempts": "The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.
For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, AWS Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.
" } }, "AvailabilityZone": { @@ -311,6 +312,7 @@ "DescribeComplianceByResourceRequest$ResourceId": "The ID of the AWS resource for which you want compliance information. You can specify only one resource ID. If you specify a resource ID, you must also specify a type for ResourceType.
The ID of the AWS resource that was evaluated.
", "EvaluationResultQualifier$ResourceId": "The ID of the evaluated AWS resource.
", + "ExternalEvaluation$ComplianceResourceId": null, "GetComplianceDetailsByResourceRequest$ResourceId": "The ID of the AWS resource for which you want compliance information.
", "Scope$ComplianceResourceId": "The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.
The rule compliance status.
For the ConfigRuleComplianceFilters data type, AWS Config supports only COMPLIANT and NON_COMPLIANT. AWS Config does not support the NOT_APPLICABLE and the INSUFFICIENT_DATA values.
Indicates whether the AWS resource complies with the AWS Config rule that it was evaluated against.
For the Evaluation data type, AWS Config supports only the COMPLIANT, NON_COMPLIANT, and NOT_APPLICABLE values. AWS Config does not support the INSUFFICIENT_DATA value for this data type.
Similarly, AWS Config does not accept INSUFFICIENT_DATA as the value for ComplianceType from a PutEvaluations request. For example, an AWS Lambda function for a custom AWS Config rule cannot pass an INSUFFICIENT_DATA value to AWS Config.
Indicates whether the AWS resource complies with the AWS Config rule that evaluated it.
For the EvaluationResult data type, AWS Config supports only the COMPLIANT, NON_COMPLIANT, and NOT_APPLICABLE values. AWS Config does not support the INSUFFICIENT_DATA value for the EvaluationResult data type.
The resource compliance status.
For the GetAggregateComplianceDetailsByConfigRuleRequest data type, AWS Config supports only the COMPLIANT and NON_COMPLIANT. AWS Config does not support the NOT_APPLICABLE and INSUFFICIENT_DATA values.
A list of AWS Config rule names.
", "EvaluationResultQualifier$ConfigRuleName": "The name of the AWS Config rule that was used in the evaluation.
", "GetAggregateComplianceDetailsByConfigRuleRequest$ConfigRuleName": "The name of the AWS Config rule for which you want compliance information.
", + "PutExternalEvaluationRequest$ConfigRuleName": null, "PutRemediationExceptionsRequest$ConfigRuleName": "The name of the AWS Config rule for which you want to create remediation exception.
", "ReevaluateConfigRuleNames$member": null, "RemediationConfiguration$ConfigRuleName": "The name of the AWS Config rule.
", @@ -1030,19 +1034,19 @@ "DeliveryS3Bucket": { "base": null, "refs": { - "ConformancePackDetail$DeliveryS3Bucket": "Conformance pack template that is used to create a pack. The delivery bucket name should start with awsconfigconforms. For example: \"Resource\": \"arn:aws:s3:::your_bucket_name/*\".
", - "OrganizationConformancePack$DeliveryS3Bucket": "Location of an Amazon S3 bucket where AWS Config can deliver evaluation results and conformance pack template that is used to create a pack.
", - "PutConformancePackRequest$DeliveryS3Bucket": "AWS Config stores intermediate files while processing conformance pack template.
", - "PutOrganizationConformancePackRequest$DeliveryS3Bucket": "Location of an Amazon S3 bucket where AWS Config can deliver evaluation results. AWS Config stores intermediate files while processing conformance pack template.
The delivery bucket name should start with awsconfigconforms. For example: \"Resource\": \"arn:aws:s3:::your_bucket_name/*\". For more information, see Permissions for cross account bucket access.
" + "ConformancePackDetail$DeliveryS3Bucket": "Amazon S3 bucket where AWS Config stores conformance pack templates.
This field is optional.
Amazon S3 bucket where AWS Config stores conformance pack templates.
This field is optional.
Amazon S3 bucket where AWS Config stores conformance pack templates.
This field is optional.
Amazon S3 bucket where AWS Config stores conformance pack templates.
This field is optional.
The prefix for the Amazon S3 bucket.
", - "OrganizationConformancePack$DeliveryS3KeyPrefix": "Any folder structure you want to add to an Amazon S3 bucket.
", - "PutConformancePackRequest$DeliveryS3KeyPrefix": "The prefix for the Amazon S3 bucket.
", - "PutOrganizationConformancePackRequest$DeliveryS3KeyPrefix": "The prefix for the Amazon S3 bucket.
" + "ConformancePackDetail$DeliveryS3KeyPrefix": "The prefix for the Amazon S3 bucket.
This field is optional.
Any folder structure you want to add to an Amazon S3 bucket.
This field is optional.
The prefix for the Amazon S3 bucket.
This field is optional.
The prefix for the Amazon S3 bucket.
This field is optional.
The SQL query SELECT command.
List of each of the failed delete remediation exceptions with specific reasons.
", "refs": { @@ -1711,7 +1721,7 @@ "GetComplianceDetailsByConfigRuleRequest$Limit": "The maximum number of evaluation results returned on each page. The default is 10. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
", "GetDiscoveredResourceCountsRequest$limit": "The maximum number of ResourceCount objects returned on each page. The default is 100. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
", "GetResourceConfigHistoryRequest$limit": "The maximum number of configuration items returned on each page. The default is 10. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
", - "ListAggregateDiscoveredResourcesRequest$Limit": "The maximum number of resource identifiers returned on each page. The default is 100. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
", + "ListAggregateDiscoveredResourcesRequest$Limit": "The maximum number of resource identifiers returned on each page. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
", "ListDiscoveredResourcesRequest$limit": "The maximum number of resource identifiers returned on each page. The default is 100. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
", "ListTagsForResourceRequest$Limit": "The maximum number of tags returned on each page. The limit maximum is 50. You cannot specify a number greater than 50. If you specify 0, AWS Config uses the default.
", "SelectAggregateResourceConfigRequest$Limit": "The maximum number of query results returned on each page.
", @@ -1964,7 +1974,8 @@ "OrderingTimestamp": { "base": null, "refs": { - "Evaluation$OrderingTimestamp": "The time of the event in AWS Config that triggered the evaluation. For event-based evaluations, the time indicates when AWS Config created the configuration item that triggered the evaluation. For periodic evaluations, the time indicates when AWS Config triggered the evaluation at the frequency that you specified (for example, every 24 hours).
" + "Evaluation$OrderingTimestamp": "The time of the event in AWS Config that triggered the evaluation. For event-based evaluations, the time indicates when AWS Config created the configuration item that triggered the evaluation. For periodic evaluations, the time indicates when AWS Config triggered the evaluation at the frequency that you specified (for example, every 24 hours).
", + "ExternalEvaluation$OrderingTimestamp": null } }, "OrganizationAccessDeniedException": { @@ -2246,6 +2257,16 @@ "refs": { } }, + "PutExternalEvaluationRequest": { + "base": null, + "refs": { + } + }, + "PutExternalEvaluationResponse": { + "base": null, + "refs": { + } + }, "PutOrganizationConfigRuleRequest": { "base": null, "refs": { @@ -2934,6 +2955,8 @@ "Evaluation$Annotation": "Supplementary information about how the evaluation determined the compliance.
", "EvaluationResult$Annotation": "Supplementary information about how the evaluation determined the compliance.
", "EvaluationResultQualifier$ResourceType": "The type of AWS resource that was evaluated.
", + "ExternalEvaluation$ComplianceResourceType": null, + "ExternalEvaluation$Annotation": null, "GetAggregateConfigRuleComplianceSummaryResponse$GroupByKey": "Groups the result based on ACCOUNT_ID or AWS_REGION.
", "GetAggregateDiscoveredResourceCountsResponse$GroupByKey": "The key passed into the request object. If GroupByKey is not provided, the result will be empty.
The type of the AWS resource for which you want compliance information.
", diff --git a/models/apis/dlm/2018-01-12/api-2.json b/models/apis/dlm/2018-01-12/api-2.json index ec346a5746..8ddbf405f5 100644 --- a/models/apis/dlm/2018-01-12/api-2.json +++ b/models/apis/dlm/2018-01-12/api-2.json @@ -129,6 +129,29 @@ } }, "shapes":{ + "Action":{ + "type":"structure", + "required":[ + "Name", + "CrossRegionCopy" + ], + "members":{ + "Name":{"shape":"ActionName"}, + "CrossRegionCopy":{"shape":"CrossRegionCopyActionList"} + } + }, + "ActionList":{ + "type":"list", + "member":{"shape":"Action"}, + "max":1, + "min":1 + }, + "ActionName":{ + "type":"string", + "max":120, + "min":0, + "pattern":"[0-9A-Za-z _-]+" + }, "AvailabilityZone":{ "type":"string", "max":16, @@ -141,6 +164,12 @@ "max":10, "min":1 }, + "AwsAccountId":{ + "type":"string", + "max":12, + "min":12, + "pattern":"^[0-9]{12}$" + }, "CmkArn":{ "type":"string", "max":2048, @@ -191,6 +220,24 @@ "min":17, "pattern":"cron\\([^\\n]{11,100}\\)" }, + "CrossRegionCopyAction":{ + "type":"structure", + "required":[ + "Target", + "EncryptionConfiguration" + ], + "members":{ + "Target":{"shape":"Target"}, + "EncryptionConfiguration":{"shape":"EncryptionConfiguration"}, + "RetainRule":{"shape":"CrossRegionCopyRetainRule"} + } + }, + "CrossRegionCopyActionList":{ + "type":"list", + "member":{"shape":"CrossRegionCopyAction"}, + "max":3, + "min":0 + }, "CrossRegionCopyRetainRule":{ "type":"structure", "members":{ @@ -234,9 +281,52 @@ "members":{ } }, + "DescriptionRegex":{ + "type":"string", + "max":1000, + "min":0, + "pattern":"[\\p{all}]*" + }, "Encrypted":{"type":"boolean"}, + "EncryptionConfiguration":{ + "type":"structure", + "required":["Encrypted"], + "members":{ + "Encrypted":{"shape":"Encrypted"}, + "CmkArn":{"shape":"CmkArn"} + } + }, "ErrorCode":{"type":"string"}, "ErrorMessage":{"type":"string"}, + "EventParameters":{ + "type":"structure", + "required":[ + "EventType", + "SnapshotOwner", + "DescriptionRegex" + ], + "members":{ + "EventType":{"shape":"EventTypeValues"}, + "SnapshotOwner":{"shape":"SnapshotOwnerList"}, + "DescriptionRegex":{"shape":"DescriptionRegex"} + } + }, + "EventSource":{ + "type":"structure", + "required":["Type"], + "members":{ + "Type":{"shape":"EventSourceValues"}, + "Parameters":{"shape":"EventParameters"} + } + }, + "EventSourceValues":{ + "type":"string", + "enum":["MANAGED_CWE"] + }, + "EventTypeValues":{ + "type":"string", + "enum":["shareSnapshot"] + }, "ExcludeBootVolume":{"type":"boolean"}, "ExecutionRoleArn":{ "type":"string", @@ -431,7 +521,9 @@ "ResourceTypes":{"shape":"ResourceTypeValuesList"}, "TargetTags":{"shape":"TargetTagList"}, "Schedules":{"shape":"ScheduleList"}, - "Parameters":{"shape":"Parameters"} + "Parameters":{"shape":"Parameters"}, + "EventSource":{"shape":"EventSource"}, + "Actions":{"shape":"ActionList"} } }, "PolicyId":{ @@ -448,7 +540,8 @@ "type":"string", "enum":[ "EBS_SNAPSHOT_MANAGEMENT", - "IMAGE_MANAGEMENT" + "IMAGE_MANAGEMENT", + "EVENT_BASED_POLICY" ] }, "ResourceNotFoundException":{ @@ -502,7 +595,8 @@ "CreateRule":{"shape":"CreateRule"}, "RetainRule":{"shape":"RetainRule"}, "FastRestoreRule":{"shape":"FastRestoreRule"}, - "CrossRegionCopyRules":{"shape":"CrossRegionCopyRules"} + "CrossRegionCopyRules":{"shape":"CrossRegionCopyRules"}, + "ShareRules":{"shape":"ShareRules"} } }, "ScheduleList":{ @@ -515,7 +609,7 @@ "type":"string", "max":120, "min":0, - "pattern":"[\\p{all}]*" + "pattern":"[0-9A-Za-z _-]+" }, "SettablePolicyStateValues":{ "type":"string", @@ -524,6 +618,32 @@ "DISABLED" ] }, + "ShareRule":{ + "type":"structure", + "required":["TargetAccounts"], + "members":{ + "TargetAccounts":{"shape":"ShareTargetAccountList"}, + "UnshareInterval":{"shape":"Interval"}, + "UnshareIntervalUnit":{"shape":"RetentionIntervalUnitValues"} + } + }, + "ShareRules":{ + "type":"list", + "member":{"shape":"ShareRule"}, + "max":1, + "min":0 + }, + "ShareTargetAccountList":{ + "type":"list", + "member":{"shape":"AwsAccountId"}, + "min":1 + }, + "SnapshotOwnerList":{ + "type":"list", + "member":{"shape":"AwsAccountId"}, + "max":50, + "min":0 + }, "StatusMessage":{ "type":"string", "max":500, @@ -609,6 +729,12 @@ "max":45, "min":0 }, + "Target":{ + "type":"string", + "max":16, + "min":0, + "pattern":"^[\\\\w:\\\\-\\\\/\\\\*]+$" + }, "TargetRegion":{ "type":"string", "max":16, diff --git a/models/apis/dlm/2018-01-12/docs-2.json b/models/apis/dlm/2018-01-12/docs-2.json index 06d385b709..38a9d86e89 100644 --- a/models/apis/dlm/2018-01-12/docs-2.json +++ b/models/apis/dlm/2018-01-12/docs-2.json @@ -12,6 +12,24 @@ "UpdateLifecyclePolicy": "Updates the specified lifecycle policy.
" }, "shapes": { + "Action": { + "base": "Specifies an action for an event-based policy.
", + "refs": { + "ActionList$member": null + } + }, + "ActionList": { + "base": null, + "refs": { + "PolicyDetails$Actions": "The actions to be performed when the event-based policy is triggered. You can specify only one action per policy.
This parameter is required for event-based policies only. If you are creating a snapshot or AMI policy, omit this parameter.
" + } + }, + "ActionName": { + "base": null, + "refs": { + "Action$Name": "A descriptive name for the action.
" + } + }, "AvailabilityZone": { "base": null, "refs": { @@ -24,10 +42,18 @@ "FastRestoreRule$AvailabilityZones": "The Availability Zones in which to enable fast snapshot restore.
" } }, + "AwsAccountId": { + "base": null, + "refs": { + "ShareTargetAccountList$member": null, + "SnapshotOwnerList$member": null + } + }, "CmkArn": { "base": null, "refs": { - "CrossRegionCopyRule$CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS customer master key (CMK) to use for EBS encryption. If this parameter is not specified, your AWS managed CMK for EBS is used.
" + "CrossRegionCopyRule$CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS customer master key (CMK) to use for EBS encryption. If this parameter is not specified, your AWS managed CMK for EBS is used.
", + "EncryptionConfiguration$CmkArn": "The Amazon Resource Name (ARN) of the AWS KMS customer master key (CMK) to use for EBS encryption. If this parameter is not specified, your AWS managed CMK for EBS is used.
" } }, "CopyTags": { @@ -71,9 +97,22 @@ "CreateRule$CronExpression": "The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year. For more information, see Cron expressions in the Amazon CloudWatch User Guide.
" } }, + "CrossRegionCopyAction": { + "base": "Specifies a rule for copying shared snapshots across Regions.
", + "refs": { + "CrossRegionCopyActionList$member": null + } + }, + "CrossRegionCopyActionList": { + "base": null, + "refs": { + "Action$CrossRegionCopy": "The rule for copying shared snapshots across Regions.
" + } + }, "CrossRegionCopyRetainRule": { "base": "Specifies the retention rule for cross-Region snapshot copies.
", "refs": { + "CrossRegionCopyAction$RetainRule": null, "CrossRegionCopyRule$RetainRule": "The retention rule.
" } }, @@ -99,10 +138,23 @@ "refs": { } }, + "DescriptionRegex": { + "base": null, + "refs": { + "EventParameters$DescriptionRegex": "The snapshot description that can trigger the policy. The description pattern is specified using a regular expression. The policy runs only if a snapshot with a description that matches the specified pattern is shared with your account.
For example, specifying ^.*Created for policy: policy-1234567890abcdef0.*$ configures the policy to run only if snapshots created by policy policy-1234567890abcdef0 are shared with your account.
To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or if encryption by default is not enabled.
" + "CrossRegionCopyRule$Encrypted": "To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or if encryption by default is not enabled.
", + "EncryptionConfiguration$Encrypted": "To encrypt a copy of an unencrypted snapshot when encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or when encryption by default is not enabled.
" + } + }, + "EncryptionConfiguration": { + "base": "Specifies the encryption settings for shared snapshots that are copied across Regions.
", + "refs": { + "CrossRegionCopyAction$EncryptionConfiguration": "The encryption settings for the copied snapshot.
" } }, "ErrorCode": { @@ -123,6 +175,30 @@ "ResourceNotFoundException$Message": null } }, + "EventParameters": { + "base": "Specifies an event that triggers an event-based policy.
", + "refs": { + "EventSource$Parameters": "Information about the event.
" + } + }, + "EventSource": { + "base": "Specifies an event that triggers an event-based policy.
", + "refs": { + "PolicyDetails$EventSource": "The event that triggers the event-based policy.
This parameter is required for event-based policies only. If you are creating a snapshot or AMI policy, omit this parameter.
" + } + }, + "EventSourceValues": { + "base": null, + "refs": { + "EventSource$Type": "The source of the event. Currently only managed AWS CloudWatch Events rules are supported.
" + } + }, + "EventTypeValues": { + "base": null, + "refs": { + "EventParameters$EventType": "The type of event. Currently, only snapshot sharing events are supported.
" + } + }, "ExcludeBootVolume": { "base": null, "refs": { @@ -182,7 +258,8 @@ "CreateRule$Interval": "The interval between snapshots. The supported values are 1, 2, 3, 4, 6, 8, 12, and 24.
", "CrossRegionCopyRetainRule$Interval": "The amount of time to retain each snapshot. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
", "FastRestoreRule$Interval": "The amount of time to enable fast snapshot restore. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
", - "RetainRule$Interval": "The amount of time to retain each snapshot. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
" + "RetainRule$Interval": "The amount of time to retain each snapshot. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
", + "ShareRule$UnshareInterval": "The period after which snapshots that are shared with other AWS accounts are automatically unshared.
" } }, "IntervalUnitValues": { @@ -232,7 +309,7 @@ "NoReboot": { "base": null, "refs": { - "Parameters$NoReboot": "Applies to AMI lifecycle policies only. Indicates whether targeted instances are rebooted when the lifecycle policy runs. true indicates that targeted instances are not rebooted when the policy runs. false indicates that target instances are rebooted when the policy runs. The default is true (instance are not rebooted).
Applies to AMI lifecycle policies only. Indicates whether targeted instances are rebooted when the lifecycle policy runs. true indicates that targeted instances are not rebooted when the policy runs. false indicates that target instances are rebooted when the policy runs. The default is true (instances are not rebooted).
Specifies optional parameters to add to a policy. The set of valid parameters depends on the combination of policy type and resource type.
", "refs": { - "PolicyDetails$Parameters": "A set of optional parameters for the policy.
" + "PolicyDetails$Parameters": "A set of optional parameters for snapshot and AMI lifecycle policies.
This parameter is required for snapshot and AMI policies only. If you are creating an event-based policy, omit this parameter.
" } }, "PolicyArn": { @@ -303,7 +380,7 @@ "base": null, "refs": { "LifecyclePolicySummary$PolicyType": "The type of policy. EBS_SNAPSHOT_MANAGEMENT indicates that the policy manages the lifecycle of Amazon EBS snapshots. IMAGE_MANAGEMENT indicates that the policy manages the lifecycle of EBS-backed AMIs.
The valid target resource types and actions a policy can manage. Specify EBS_SNAPSHOT_MANAGEMENT to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify IMAGE_MANAGEMENT to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. The default is EBS_SNAPSHOT_MANAGEMENT.
The valid target resource types and actions a policy can manage. Specify EBS_SNAPSHOT_MANAGEMENT to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify IMAGE_MANAGEMENT to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify EVENT_BASED_POLICY to create an event-based policy that performs specific actions when a defined event occurs in your AWS account.
The default is EBS_SNAPSHOT_MANAGEMENT.
The resource type.
", - "PolicyDetails$ResourceTypes": "The resource type. Use VOLUME to create snapshots of individual volumes or use INSTANCE to create multi-volume snapshots from the volumes for an instance.
" + "PolicyDetails$ResourceTypes": "The target resource type for snapshot and AMI lifecycle policies. Use VOLUME to create snapshots of individual volumes or use INSTANCE to create multi-volume snapshots from the volumes for an instance.
This parameter is required for snapshot and AMI policies only. If you are creating an event-based policy, omit this parameter.
" } }, "RetainRule": { @@ -335,11 +412,12 @@ "refs": { "CrossRegionCopyRetainRule$IntervalUnit": "The unit of time for time-based retention.
", "FastRestoreRule$IntervalUnit": "The unit of time for enabling fast snapshot restore.
", - "RetainRule$IntervalUnit": "The unit of time for time-based retention.
" + "RetainRule$IntervalUnit": "The unit of time for time-based retention.
", + "ShareRule$UnshareIntervalUnit": "The unit of time for the automatic unsharing interval.
" } }, "Schedule": { - "base": "Specifies a backup schedule.
", + "base": "Specifies a backup schedule for a snapshot or AMI lifecycle policy.
", "refs": { "ScheduleList$member": null } @@ -347,7 +425,7 @@ "ScheduleList": { "base": null, "refs": { - "PolicyDetails$Schedules": "The schedules of policy-defined actions. A policy can have up to four schedules - one mandatory schedule and up to three optional schedules.
" + "PolicyDetails$Schedules": "The schedules of policy-defined actions for snapshot and AMI lifecycle policies. A policy can have up to four schedules—one mandatory schedule and up to three optional schedules.
This parameter is required for snapshot and AMI policies only. If you are creating an event-based policy, omit this parameter.
" } }, "ScheduleName": { @@ -363,6 +441,30 @@ "UpdateLifecyclePolicyRequest$State": "The desired activation state of the lifecycle policy after creation.
" } }, + "ShareRule": { + "base": "Specifies a rule for sharing snapshots across AWS accounts.
", + "refs": { + "ShareRules$member": null + } + }, + "ShareRules": { + "base": null, + "refs": { + "Schedule$ShareRules": "The rule for sharing snapshots with other AWS accounts.
" + } + }, + "ShareTargetAccountList": { + "base": null, + "refs": { + "ShareRule$TargetAccounts": "The IDs of the AWS accounts with which to share the snapshots.
" + } + }, + "SnapshotOwnerList": { + "base": null, + "refs": { + "EventParameters$SnapshotOwner": "The IDs of the AWS accounts that can trigger policy by sharing snapshots with your account. The policy only runs if one of the specified AWS accounts shares a snapshot with your account.
" + } + }, "StatusMessage": { "base": null, "refs": { @@ -444,6 +546,12 @@ "Schedule$TagsToAdd": "The tags to apply to policy-created resources. These user-defined tags are in addition to the AWS-added lifecycle tags.
" } }, + "Target": { + "base": null, + "refs": { + "CrossRegionCopyAction$Target": "The target Region.
" + } + }, "TargetRegion": { "base": null, "refs": { @@ -453,7 +561,7 @@ "TargetTagList": { "base": null, "refs": { - "PolicyDetails$TargetTags": "The single tag that identifies targeted resources for this policy.
" + "PolicyDetails$TargetTags": "The single tag that identifies targeted resources for this policy.
This parameter is required for snapshot and AMI policies only. If you are creating an event-based policy, omit this parameter.
" } }, "TargetTagsFilterList": { diff --git a/models/apis/ec2/2016-11-15/api-2.json b/models/apis/ec2/2016-11-15/api-2.json index f5b4fa4f3c..d8c9da7e51 100755 --- a/models/apis/ec2/2016-11-15/api-2.json +++ b/models/apis/ec2/2016-11-15/api-2.json @@ -19893,6 +19893,14 @@ "c6gd.8xlarge", "c6gd.12xlarge", "c6gd.16xlarge", + "c6gn.medium", + "c6gn.large", + "c6gn.xlarge", + "c6gn.2xlarge", + "c6gn.4xlarge", + "c6gn.8xlarge", + "c6gn.12xlarge", + "c6gn.16xlarge", "cc1.4xlarge", "cc2.8xlarge", "g2.2xlarge", diff --git a/models/apis/imagebuilder/2019-12-02/api-2.json b/models/apis/imagebuilder/2019-12-02/api-2.json index 147b3e594a..b2c2df7916 100644 --- a/models/apis/imagebuilder/2019-12-02/api-2.json +++ b/models/apis/imagebuilder/2019-12-02/api-2.json @@ -54,6 +54,28 @@ {"shape":"ServiceQuotaExceededException"} ] }, + "CreateContainerRecipe":{ + "name":"CreateContainerRecipe", + "http":{ + "method":"PUT", + "requestUri":"/CreateContainerRecipe" + }, + "input":{"shape":"CreateContainerRecipeRequest"}, + "output":{"shape":"CreateContainerRecipeResponse"}, + "errors":[ + {"shape":"ServiceException"}, + {"shape":"ClientException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidRequestException"}, + {"shape":"IdempotentParameterMismatchException"}, + {"shape":"ForbiddenException"}, + {"shape":"CallRateLimitExceededException"}, + {"shape":"InvalidVersionNumberException"}, + {"shape":"ResourceInUseException"}, + {"shape":"ResourceAlreadyExistsException"}, + {"shape":"ServiceQuotaExceededException"} + ] + }, "CreateDistributionConfiguration":{ "name":"CreateDistributionConfiguration", "http":{ @@ -178,6 +200,24 @@ {"shape":"ResourceDependencyException"} ] }, + "DeleteContainerRecipe":{ + "name":"DeleteContainerRecipe", + "http":{ + "method":"DELETE", + "requestUri":"/DeleteContainerRecipe" + }, + "input":{"shape":"DeleteContainerRecipeRequest"}, + "output":{"shape":"DeleteContainerRecipeResponse"}, + "errors":[ + {"shape":"ServiceException"}, + {"shape":"ClientException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ForbiddenException"}, + {"shape":"CallRateLimitExceededException"}, + {"shape":"ResourceDependencyException"} + ] + }, "DeleteDistributionConfiguration":{ "name":"DeleteDistributionConfiguration", "http":{ @@ -302,6 +342,40 @@ {"shape":"CallRateLimitExceededException"} ] }, + "GetContainerRecipe":{ + "name":"GetContainerRecipe", + "http":{ + "method":"GET", + "requestUri":"/GetContainerRecipe" + }, + "input":{"shape":"GetContainerRecipeRequest"}, + "output":{"shape":"GetContainerRecipeResponse"}, + "errors":[ + {"shape":"ServiceException"}, + {"shape":"ClientException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ForbiddenException"}, + {"shape":"CallRateLimitExceededException"} + ] + }, + "GetContainerRecipePolicy":{ + "name":"GetContainerRecipePolicy", + "http":{ + "method":"GET", + "requestUri":"/GetContainerRecipePolicy" + }, + "input":{"shape":"GetContainerRecipePolicyRequest"}, + "output":{"shape":"GetContainerRecipePolicyResponse"}, + "errors":[ + {"shape":"ServiceException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ForbiddenException"}, + {"shape":"CallRateLimitExceededException"} + ] + }, "GetDistributionConfiguration":{ "name":"GetDistributionConfiguration", "http":{ @@ -478,6 +552,24 @@ {"shape":"CallRateLimitExceededException"} ] }, + "ListContainerRecipes":{ + "name":"ListContainerRecipes", + "http":{ + "method":"POST", + "requestUri":"/ListContainerRecipes" + }, + "input":{"shape":"ListContainerRecipesRequest"}, + "output":{"shape":"ListContainerRecipesResponse"}, + "errors":[ + {"shape":"ServiceException"}, + {"shape":"ClientException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InvalidPaginationTokenException"}, + {"shape":"ForbiddenException"}, + {"shape":"CallRateLimitExceededException"} + ] + }, "ListDistributionConfigurations":{ "name":"ListDistributionConfigurations", "http":{ @@ -638,6 +730,25 @@ {"shape":"CallRateLimitExceededException"} ] }, + "PutContainerRecipePolicy":{ + "name":"PutContainerRecipePolicy", + "http":{ + "method":"PUT", + "requestUri":"/PutContainerRecipePolicy" + }, + "input":{"shape":"PutContainerRecipePolicyRequest"}, + "output":{"shape":"PutContainerRecipePolicyResponse"}, + "errors":[ + {"shape":"ServiceException"}, + {"shape":"ClientException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ForbiddenException"}, + {"shape":"CallRateLimitExceededException"} + ] + }, "PutImagePolicy":{ "name":"PutImagePolicy", "http":{ @@ -827,6 +938,7 @@ "pattern":"^[-_A-Za-z0-9{][-_A-Za-z0-9\\s:{}\\.]+[-_A-Za-z0-9}]$" }, "Arn":{"type":"string"}, + "Boolean":{"type":"boolean"}, "CallRateLimitExceededException":{ "type":"structure", "members":{ @@ -963,6 +1075,76 @@ "type":"list", "member":{"shape":"ComponentVersion"} }, + "Container":{ + "type":"structure", + "members":{ + "region":{"shape":"NonEmptyString"}, + "imageUris":{"shape":"StringList"} + } + }, + "ContainerDistributionConfiguration":{ + "type":"structure", + "required":["targetRepository"], + "members":{ + "description":{"shape":"NonEmptyString"}, + "containerTags":{"shape":"StringList"}, + "targetRepository":{"shape":"TargetContainerRepository"} + } + }, + "ContainerList":{ + "type":"list", + "member":{"shape":"Container"} + }, + "ContainerRecipe":{ + "type":"structure", + "members":{ + "arn":{"shape":"ImageBuilderArn"}, + "containerType":{"shape":"ContainerType"}, + "name":{"shape":"ResourceName"}, + "description":{"shape":"NonEmptyString"}, + "platform":{"shape":"Platform"}, + "owner":{"shape":"NonEmptyString"}, + "version":{"shape":"VersionNumber"}, + "components":{"shape":"ComponentConfigurationList"}, + "dockerfileTemplateData":{"shape":"DockerFileTemplate"}, + "kmsKeyId":{"shape":"NonEmptyString"}, + "encrypted":{"shape":"NullableBoolean"}, + "parentImage":{"shape":"NonEmptyString"}, + "dateCreated":{"shape":"DateTime"}, + "tags":{"shape":"TagMap"}, + "workingDirectory":{"shape":"NonEmptyString"}, + "targetRepository":{"shape":"TargetContainerRepository"} + } + }, + "ContainerRecipeArn":{ + "type":"string", + "pattern":"^arn:aws[^:]*:imagebuilder:[^:]+:(?:\\d{12}|aws):container-recipe/[a-z0-9-_]+/\\d+\\.\\d+\\.\\d+$" + }, + "ContainerRecipeSummary":{ + "type":"structure", + "members":{ + "arn":{"shape":"ImageBuilderArn"}, + "containerType":{"shape":"ContainerType"}, + "name":{"shape":"ResourceName"}, + "platform":{"shape":"Platform"}, + "owner":{"shape":"NonEmptyString"}, + "parentImage":{"shape":"NonEmptyString"}, + "dateCreated":{"shape":"DateTime"}, + "tags":{"shape":"TagMap"} + } + }, + "ContainerRecipeSummaryList":{ + "type":"list", + "member":{"shape":"ContainerRecipeSummary"} + }, + "ContainerRepositoryService":{ + "type":"string", + "enum":["ECR"] + }, + "ContainerType":{ + "type":"string", + "enum":["DOCKER"] + }, "CreateComponentRequest":{ "type":"structure", "required":[ @@ -996,6 +1178,47 @@ "componentBuildVersionArn":{"shape":"ComponentBuildVersionArn"} } }, + "CreateContainerRecipeRequest":{ + "type":"structure", + "required":[ + "containerType", + "name", + "semanticVersion", + "components", + "dockerfileTemplateData", + "parentImage", + "targetRepository", + "clientToken" + ], + "members":{ + "containerType":{"shape":"ContainerType"}, + "name":{"shape":"ResourceName"}, + "description":{"shape":"NonEmptyString"}, + "semanticVersion":{"shape":"VersionNumber"}, + "components":{"shape":"ComponentConfigurationList"}, + "dockerfileTemplateData":{"shape":"InlineDockerFileTemplate"}, + "dockerfileTemplateUri":{"shape":"Uri"}, + "platformOverride":{"shape":"Platform"}, + "imageOsVersionOverride":{"shape":"NonEmptyString"}, + "parentImage":{"shape":"NonEmptyString"}, + "tags":{"shape":"TagMap"}, + "workingDirectory":{"shape":"NonEmptyString"}, + "targetRepository":{"shape":"TargetContainerRepository"}, + "kmsKeyId":{"shape":"NonEmptyString"}, + "clientToken":{ + "shape":"ClientToken", + "idempotencyToken":true + } + } + }, + "CreateContainerRecipeResponse":{ + "type":"structure", + "members":{ + "requestId":{"shape":"NonEmptyString"}, + "clientToken":{"shape":"ClientToken"}, + "containerRecipeArn":{"shape":"ContainerRecipeArn"} + } + }, "CreateDistributionConfigurationRequest":{ "type":"structure", "required":[ @@ -1026,7 +1249,6 @@ "type":"structure", "required":[ "name", - "imageRecipeArn", "infrastructureConfigurationArn", "clientToken" ], @@ -1034,6 +1256,7 @@ "name":{"shape":"ResourceName"}, "description":{"shape":"NonEmptyString"}, "imageRecipeArn":{"shape":"ImageRecipeArn"}, + "containerRecipeArn":{"shape":"ContainerRecipeArn"}, "infrastructureConfigurationArn":{"shape":"InfrastructureConfigurationArn"}, "distributionConfigurationArn":{"shape":"DistributionConfigurationArn"}, "imageTestsConfiguration":{"shape":"ImageTestsConfiguration"}, @@ -1090,12 +1313,12 @@ "CreateImageRequest":{ "type":"structure", "required":[ - "imageRecipeArn", "infrastructureConfigurationArn", "clientToken" ], "members":{ "imageRecipeArn":{"shape":"ImageRecipeArn"}, + "containerRecipeArn":{"shape":"ContainerRecipeArn"}, "distributionConfigurationArn":{"shape":"DistributionConfigurationArn"}, "infrastructureConfigurationArn":{"shape":"InfrastructureConfigurationArn"}, "imageTestsConfiguration":{"shape":"ImageTestsConfiguration"}, @@ -1168,6 +1391,24 @@ "componentBuildVersionArn":{"shape":"ComponentBuildVersionArn"} } }, + "DeleteContainerRecipeRequest":{ + "type":"structure", + "required":["containerRecipeArn"], + "members":{ + "containerRecipeArn":{ + "shape":"ContainerRecipeArn", + "location":"querystring", + "locationName":"containerRecipeArn" + } + } + }, + "DeleteContainerRecipeResponse":{ + "type":"structure", + "members":{ + "requestId":{"shape":"NonEmptyString"}, + "containerRecipeArn":{"shape":"ContainerRecipeArn"} + } + }, "DeleteDistributionConfigurationRequest":{ "type":"structure", "required":["distributionConfigurationArn"], @@ -1264,6 +1505,7 @@ "members":{ "region":{"shape":"NonEmptyString"}, "amiDistributionConfiguration":{"shape":"AmiDistributionConfiguration"}, + "containerDistributionConfiguration":{"shape":"ContainerDistributionConfiguration"}, "licenseConfigurationArns":{"shape":"LicenseConfigurationArnList"} } }, @@ -1293,7 +1535,8 @@ "description":{"shape":"NonEmptyString"}, "dateCreated":{"shape":"DateTime"}, "dateUpdated":{"shape":"DateTime"}, - "tags":{"shape":"TagMap"} + "tags":{"shape":"TagMap"}, + "regions":{"shape":"RegionList"} } }, "DistributionConfigurationSummaryList":{ @@ -1309,6 +1552,7 @@ "max":720, "min":30 }, + "DockerFileTemplate":{"type":"string"}, "EbsInstanceBlockDeviceSpecification":{ "type":"structure", "members":{ @@ -1419,6 +1663,42 @@ "component":{"shape":"Component"} } }, + "GetContainerRecipePolicyRequest":{ + "type":"structure", + "required":["containerRecipeArn"], + "members":{ + "containerRecipeArn":{ + "shape":"ContainerRecipeArn", + "location":"querystring", + "locationName":"containerRecipeArn" + } + } + }, + "GetContainerRecipePolicyResponse":{ + "type":"structure", + "members":{ + "requestId":{"shape":"NonEmptyString"}, + "policy":{"shape":"ResourcePolicyDocument"} + } + }, + "GetContainerRecipeRequest":{ + "type":"structure", + "required":["containerRecipeArn"], + "members":{ + "containerRecipeArn":{ + "shape":"ContainerRecipeArn", + "location":"querystring", + "locationName":"containerRecipeArn" + } + } + }, + "GetContainerRecipeResponse":{ + "type":"structure", + "members":{ + "requestId":{"shape":"NonEmptyString"}, + "containerRecipe":{"shape":"ContainerRecipe"} + } + }, "GetDistributionConfigurationRequest":{ "type":"structure", "required":["distributionConfigurationArn"], @@ -1557,6 +1837,7 @@ "type":"structure", "members":{ "arn":{"shape":"ImageBuilderArn"}, + "type":{"shape":"ImageType"}, "name":{"shape":"ResourceName"}, "version":{"shape":"VersionNumber"}, "platform":{"shape":"Platform"}, @@ -1564,6 +1845,7 @@ "osVersion":{"shape":"OsVersion"}, "state":{"shape":"ImageState"}, "imageRecipe":{"shape":"ImageRecipe"}, + "containerRecipe":{"shape":"ContainerRecipe"}, "sourcePipelineName":{"shape":"ResourceName"}, "sourcePipelineArn":{"shape":"Arn"}, "infrastructureConfiguration":{"shape":"InfrastructureConfiguration"}, @@ -1580,7 +1862,7 @@ }, "ImageBuilderArn":{ "type":"string", - "pattern":"^arn:aws[^:]*:imagebuilder:[^:]+:(?:\\d{12}|aws):(?:image-recipe|infrastructure-configuration|distribution-configuration|component|image|image-pipeline)/[a-z0-9-_]+(?:/(?:(?:x|\\d+)\\.(?:x|\\d+)\\.(?:x|\\d+))(?:/\\d+)?)?$" + "pattern":"^arn:aws[^:]*:imagebuilder:[^:]+:(?:\\d{12}|aws):(?:image-recipe|container-recipe|infrastructure-configuration|distribution-configuration|component|image|image-pipeline)/[a-z0-9-_]+(?:/(?:(?:x|\\d+)\\.(?:x|\\d+)\\.(?:x|\\d+))(?:/\\d+)?)?$" }, "ImagePipeline":{ "type":"structure", @@ -1591,6 +1873,7 @@ "platform":{"shape":"Platform"}, "enhancedImageMetadataEnabled":{"shape":"NullableBoolean"}, "imageRecipeArn":{"shape":"Arn"}, + "containerRecipeArn":{"shape":"Arn"}, "infrastructureConfigurationArn":{"shape":"Arn"}, "distributionConfigurationArn":{"shape":"Arn"}, "imageTestsConfiguration":{"shape":"ImageTestsConfiguration"}, @@ -1615,6 +1898,7 @@ "type":"structure", "members":{ "arn":{"shape":"ImageBuilderArn"}, + "type":{"shape":"ImageType"}, "name":{"shape":"ResourceName"}, "description":{"shape":"NonEmptyString"}, "platform":{"shape":"Platform"}, @@ -1676,6 +1960,7 @@ "members":{ "arn":{"shape":"ImageBuilderArn"}, "name":{"shape":"ResourceName"}, + "type":{"shape":"ImageType"}, "version":{"shape":"VersionNumber"}, "platform":{"shape":"Platform"}, "osVersion":{"shape":"OsVersion"}, @@ -1702,11 +1987,19 @@ "max":1440, "min":60 }, + "ImageType":{ + "type":"string", + "enum":[ + "AMI", + "DOCKER" + ] + }, "ImageVersion":{ "type":"structure", "members":{ "arn":{"shape":"ImageBuilderArn"}, "name":{"shape":"ResourceName"}, + "type":{"shape":"ImageType"}, "version":{"shape":"VersionNumber"}, "platform":{"shape":"Platform"}, "osVersion":{"shape":"OsVersion"}, @@ -1805,7 +2098,14 @@ "InlineComponentData":{ "type":"string", "max":16000, - "min":1 + "min":1, + "pattern":"[^\\x00]+" + }, + "InlineDockerFileTemplate":{ + "type":"string", + "max":16000, + "min":1, + "pattern":"[^\\x00]+" }, "InstanceBlockDeviceMapping":{ "type":"structure", @@ -1915,6 +2215,7 @@ "members":{ "owner":{"shape":"Ownership"}, "filters":{"shape":"FilterList"}, + "byName":{"shape":"Boolean"}, "maxResults":{ "shape":"RestrictedInteger", "box":true @@ -1930,6 +2231,26 @@ "nextToken":{"shape":"PaginationToken"} } }, + "ListContainerRecipesRequest":{ + "type":"structure", + "members":{ + "owner":{"shape":"Ownership"}, + "filters":{"shape":"FilterList"}, + "maxResults":{ + "shape":"RestrictedInteger", + "box":true + }, + "nextToken":{"shape":"NonEmptyString"} + } + }, + "ListContainerRecipesResponse":{ + "type":"structure", + "members":{ + "requestId":{"shape":"NonEmptyString"}, + "containerRecipeSummaryList":{"shape":"ContainerRecipeSummaryList"}, + "nextToken":{"shape":"NonEmptyString"} + } + }, "ListDistributionConfigurationsRequest":{ "type":"structure", "members":{ @@ -2035,11 +2356,13 @@ "members":{ "owner":{"shape":"Ownership"}, "filters":{"shape":"FilterList"}, + "byName":{"shape":"Boolean"}, "maxResults":{ "shape":"RestrictedInteger", "box":true }, - "nextToken":{"shape":"PaginationToken"} + "nextToken":{"shape":"PaginationToken"}, + "includeDeprecated":{"shape":"NullableBoolean"} } }, "ListImagesResponse":{ @@ -2111,7 +2434,8 @@ "OutputResources":{ "type":"structure", "members":{ - "amis":{"shape":"AmiList"} + "amis":{"shape":"AmiList"}, + "containers":{"shape":"ContainerList"} } }, "Ownership":{ @@ -2166,6 +2490,24 @@ "componentArn":{"shape":"ComponentBuildVersionArn"} } }, + "PutContainerRecipePolicyRequest":{ + "type":"structure", + "required":[ + "containerRecipeArn", + "policy" + ], + "members":{ + "containerRecipeArn":{"shape":"ContainerRecipeArn"}, + "policy":{"shape":"ResourcePolicyDocument"} + } + }, + "PutContainerRecipePolicyResponse":{ + "type":"structure", + "members":{ + "requestId":{"shape":"NonEmptyString"}, + "containerRecipeArn":{"shape":"ContainerRecipeArn"} + } + }, "PutImagePolicyRequest":{ "type":"structure", "required":[ @@ -2202,6 +2544,10 @@ "imageRecipeArn":{"shape":"ImageRecipeArn"} } }, + "RegionList":{ + "type":"list", + "member":{"shape":"NonEmptyString"} + }, "ResourceAlreadyExistsException":{ "type":"structure", "members":{ @@ -2370,6 +2716,17 @@ "type":"string", "max":256 }, + "TargetContainerRepository":{ + "type":"structure", + "required":[ + "service", + "repositoryName" + ], + "members":{ + "service":{"shape":"ContainerRepositoryService"}, + "repositoryName":{"shape":"NonEmptyString"} + } + }, "UntagResourceRequest":{ "type":"structure", "required":[ @@ -2423,7 +2780,6 @@ "type":"structure", "required":[ "imagePipelineArn", - "imageRecipeArn", "infrastructureConfigurationArn", "clientToken" ], @@ -2431,6 +2787,7 @@ "imagePipelineArn":{"shape":"ImagePipelineArn"}, "description":{"shape":"NonEmptyString"}, "imageRecipeArn":{"shape":"ImageRecipeArn"}, + "containerRecipeArn":{"shape":"ContainerRecipeArn"}, "infrastructureConfigurationArn":{"shape":"InfrastructureConfigurationArn"}, "distributionConfigurationArn":{"shape":"DistributionConfigurationArn"}, "imageTestsConfiguration":{"shape":"ImageTestsConfiguration"}, diff --git a/models/apis/imagebuilder/2019-12-02/docs-2.json b/models/apis/imagebuilder/2019-12-02/docs-2.json index 91df316e22..0b9b4bbd86 100644 --- a/models/apis/imagebuilder/2019-12-02/docs-2.json +++ b/models/apis/imagebuilder/2019-12-02/docs-2.json @@ -1,15 +1,17 @@ { "version": "2.0", - "service": "EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date “golden” server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.
", + "service": "EC2 Image Builder is a fully managed AWS service that makes it easier to automate the creation, management, and deployment of customized, secure, and up-to-date \"golden\" server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.
", "operations": { "CancelImageCreation": "CancelImageCreation cancels the creation of Image. This operation can only be used on images in a non-terminal state.
", "CreateComponent": "Creates a new component that can be used to build, validate, test, and assess your image.
", + "CreateContainerRecipe": "Creates a new container recipe. Container recipes define how images are configured, tested, and assessed.
", "CreateDistributionConfiguration": "Creates a new distribution configuration. Distribution configurations define and configure the outputs of your pipeline.
", "CreateImage": "Creates a new image. This request will create a new image along with all of the configured output resources defined in the distribution configuration.
", "CreateImagePipeline": "Creates a new image pipeline. Image pipelines enable you to automate the creation and distribution of images.
", "CreateImageRecipe": "Creates a new image recipe. Image recipes define how images are configured, tested, and assessed.
", "CreateInfrastructureConfiguration": "Creates a new infrastructure configuration. An infrastructure configuration defines the environment in which your image will be built and tested.
", "DeleteComponent": "Deletes a component build version.
", + "DeleteContainerRecipe": "Deletes a container recipe.
", "DeleteDistributionConfiguration": "Deletes a distribution configuration.
", "DeleteImage": "Deletes an image.
", "DeleteImagePipeline": "Deletes an image pipeline.
", @@ -17,6 +19,8 @@ "DeleteInfrastructureConfiguration": "Deletes an infrastructure configuration.
", "GetComponent": "Gets a component object.
", "GetComponentPolicy": "Gets a component policy.
", + "GetContainerRecipe": "Retrieves a container recipe.
", + "GetContainerRecipePolicy": "Retrieves the policy for a container recipe.
", "GetDistributionConfiguration": "Gets a distribution configuration.
", "GetImage": "Gets an image.
", "GetImagePipeline": "Gets an image pipeline.
", @@ -27,7 +31,8 @@ "ImportComponent": "Imports a component and transforms its data into a component document.
", "ListComponentBuildVersions": "Returns the list of component build versions for the specified semantic version.
", "ListComponents": "Returns the list of component build versions for the specified semantic version.
", - "ListDistributionConfigurations": "Returns a list of distribution configurations.
", + "ListContainerRecipes": "Returns a list of container recipes.
", + "ListDistributionConfigurations": "Returns a list of distribution configurations.
", "ListImageBuildVersions": "Returns a list of image build versions.
", "ListImagePipelineImages": "Returns a list of images created by the specified pipeline.
", "ListImagePipelines": "Returns a list of image pipelines.
", @@ -36,6 +41,7 @@ "ListInfrastructureConfigurations": "Returns a list of infrastructure configurations.
", "ListTagsForResource": "Returns the list of tags for the specified resource.
", "PutComponentPolicy": " Applies a policy to a component. We recommend that you call the RAM API CreateResourceShare to share resources. If you call the Image Builder API PutComponentPolicy, you must also call the RAM API PromoteResourceShareCreatedFromPolicy in order for the resource to be visible to all principals with whom the resource is shared.
Applies a policy to a container image. We recommend that you call the RAM API CreateResourceShare (https://docs.aws.amazon.com/ram/latest/APIReference/API_CreateResourceShare.html) to share resources. If you call the Image Builder API PutContainerImagePolicy, you must also call the RAM API PromoteResourceShareCreatedFromPolicy (https://docs.aws.amazon.com/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html) in order for the resource to be visible to all principals with whom the resource is shared.
Applies a policy to an image. We recommend that you call the RAM API CreateResourceShare to share resources. If you call the Image Builder API PutImagePolicy, you must also call the RAM API PromoteResourceShareCreatedFromPolicy in order for the resource to be visible to all principals with whom the resource is shared.
Applies a policy to an image recipe. We recommend that you call the RAM API CreateResourceShare to share resources. If you call the Image Builder API PutImageRecipePolicy, you must also call the RAM API PromoteResourceShareCreatedFromPolicy in order for the resource to be visible to all principals with whom the resource is shared.
Manually triggers a pipeline to create an image.
", @@ -88,10 +94,18 @@ "refs": { "Image$sourcePipelineArn": "The Amazon Resource Name (ARN) of the image pipeline that created this image.
", "ImagePipeline$imageRecipeArn": "The Amazon Resource Name (ARN) of the image recipe associated with this image pipeline.
", + "ImagePipeline$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe that is used for this pipeline.
", "ImagePipeline$infrastructureConfigurationArn": "The Amazon Resource Name (ARN) of the infrastructure configuration associated with this image pipeline.
", "ImagePipeline$distributionConfigurationArn": "The Amazon Resource Name (ARN) of the distribution configuration associated with this image pipeline.
" } }, + "Boolean": { + "base": null, + "refs": { + "ListComponentsRequest$byName": "Returns the list of component build versions for the specified semantic version.
", + "ListImagesRequest$byName": "Requests a list of images with a specific recipe name.
" + } + }, "CallRateLimitExceededException": { "base": "You have exceeded the permitted request rate for the specific operation.
", "refs": { @@ -119,6 +133,8 @@ "CancelImageCreationResponse$clientToken": "The idempotency token used to make this request idempotent.
", "CreateComponentRequest$clientToken": "The idempotency token of the component.
", "CreateComponentResponse$clientToken": "The idempotency token used to make this request idempotent.
", + "CreateContainerRecipeRequest$clientToken": "The client token used to make this request idempotent.
", + "CreateContainerRecipeResponse$clientToken": "The client token used to make this request idempotent.
", "CreateDistributionConfigurationRequest$clientToken": "The idempotency token of the distribution configuration.
", "CreateDistributionConfigurationResponse$clientToken": "The idempotency token used to make this request idempotent.
", "CreateImagePipelineRequest$clientToken": "The idempotency token used to make this request idempotent.
", @@ -168,6 +184,8 @@ "ComponentConfigurationList": { "base": null, "refs": { + "ContainerRecipe$components": "Components for build and test that are included in the container recipe.
", + "CreateContainerRecipeRequest$components": "Components for build and test that are included in the container recipe.
", "CreateImageRecipeRequest$components": "The components of the image recipe.
", "ImageRecipe$components": "The components of the image recipe.
" } @@ -230,6 +248,72 @@ "ListComponentsResponse$componentVersionList": "The list of component semantic versions.
" } }, + "Container": { + "base": "A container encapsulates the runtime environment for an application.
", + "refs": { + "ContainerList$member": null + } + }, + "ContainerDistributionConfiguration": { + "base": "Container distribution settings for encryption, licensing, and sharing in a specific Region.
", + "refs": { + "Distribution$containerDistributionConfiguration": "Container distribution settings for encryption, licensing, and sharing in a specific Region.
" + } + }, + "ContainerList": { + "base": null, + "refs": { + "OutputResources$containers": "Container images that the pipeline has generated and stored in the output repository.
" + } + }, + "ContainerRecipe": { + "base": "A container recipe.
", + "refs": { + "GetContainerRecipeResponse$containerRecipe": "The container recipe object that is returned.
", + "Image$containerRecipe": "The container recipe used to create the container image type.
" + } + }, + "ContainerRecipeArn": { + "base": null, + "refs": { + "CreateContainerRecipeResponse$containerRecipeArn": "Returns the Amazon Resource Name (ARN) of the container recipe that the request created.
", + "CreateImagePipelineRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe that is used to configure images created by this container pipeline.
", + "CreateImageRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe that defines how images are configured and tested.
", + "DeleteContainerRecipeRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe to delete.
", + "DeleteContainerRecipeResponse$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe that was deleted.
", + "GetContainerRecipePolicyRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe for the policy being requested.
", + "GetContainerRecipeRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe to retrieve.
", + "PutContainerRecipePolicyRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe that this policy should be applied to.
", + "PutContainerRecipePolicyResponse$containerRecipeArn": "The Amazon Resource Name (ARN) of the container recipe that this policy was applied to.
", + "UpdateImagePipelineRequest$containerRecipeArn": "The Amazon Resource Name (ARN) of the container pipeline to update.
" + } + }, + "ContainerRecipeSummary": { + "base": "A summary of a container recipe
", + "refs": { + "ContainerRecipeSummaryList$member": null + } + }, + "ContainerRecipeSummaryList": { + "base": null, + "refs": { + "ListContainerRecipesResponse$containerRecipeSummaryList": "The list of container recipes returned for the request.
" + } + }, + "ContainerRepositoryService": { + "base": null, + "refs": { + "TargetContainerRepository$service": "Specifies the service in which this image was registered.
" + } + }, + "ContainerType": { + "base": null, + "refs": { + "ContainerRecipe$containerType": "Specifies the type of container, such as Docker.
", + "ContainerRecipeSummary$containerType": "Specifies the type of container, such as \"Docker\".
", + "CreateContainerRecipeRequest$containerType": "The type of container to create.
" + } + }, "CreateComponentRequest": { "base": null, "refs": { @@ -240,6 +324,16 @@ "refs": { } }, + "CreateContainerRecipeRequest": { + "base": null, + "refs": { + } + }, + "CreateContainerRecipeResponse": { + "base": null, + "refs": { + } + }, "CreateDistributionConfigurationRequest": { "base": null, "refs": { @@ -296,6 +390,8 @@ "Component$dateCreated": "The date that the component was created.
", "ComponentSummary$dateCreated": "The date that the component was created.
", "ComponentVersion$dateCreated": "The date that the component was created.
", + "ContainerRecipe$dateCreated": "The date when this container recipe was created.
", + "ContainerRecipeSummary$dateCreated": "The date when this container recipe was created.
", "DistributionConfiguration$dateCreated": "The date on which this distribution configuration was created.
", "DistributionConfiguration$dateUpdated": "The date on which this distribution configuration was last updated.
", "DistributionConfigurationSummary$dateCreated": "The date on which the distribution configuration was created.
", @@ -325,6 +421,16 @@ "refs": { } }, + "DeleteContainerRecipeRequest": { + "base": null, + "refs": { + } + }, + "DeleteContainerRecipeResponse": { + "base": null, + "refs": { + } + }, "DeleteDistributionConfigurationRequest": { "base": null, "refs": { @@ -428,6 +534,12 @@ "DistributionConfiguration$timeoutMinutes": "The maximum duration in minutes for this distribution configuration.
" } }, + "DockerFileTemplate": { + "base": null, + "refs": { + "ContainerRecipe$dockerfileTemplateData": "Dockerfiles are text documents that are used to build Docker containers, and ensure that they contain all of the elements required by the application running inside. The template data consists of contextual variables where Image Builder places build information or scripts, based on your container image recipe.
" + } + }, "EbsInstanceBlockDeviceSpecification": { "base": "Amazon EBS-specific block device mapping specifications.
", "refs": { @@ -490,6 +602,7 @@ "base": null, "refs": { "ListComponentsRequest$filters": "The filters.
", + "ListContainerRecipesRequest$filters": "Request filters that are used to narrow the list of container images that are returned.
", "ListDistributionConfigurationsRequest$filters": "The filters.
name - The name of this distribution configuration.
The filters.
", "ListImagePipelineImagesRequest$filters": "The filters.
", @@ -542,6 +655,26 @@ "refs": { } }, + "GetContainerRecipePolicyRequest": { + "base": null, + "refs": { + } + }, + "GetContainerRecipePolicyResponse": { + "base": null, + "refs": { + } + }, + "GetContainerRecipeRequest": { + "base": null, + "refs": { + } + }, + "GetContainerRecipeResponse": { + "base": null, + "refs": { + } + }, "GetDistributionConfigurationRequest": { "base": null, "refs": { @@ -643,6 +776,8 @@ "Component$arn": "The Amazon Resource Name (ARN) of the component.
", "ComponentSummary$arn": "The Amazon Resource Name (ARN) of the component.
", "ComponentVersion$arn": "The Amazon Resource Name (ARN) of the component.
", + "ContainerRecipe$arn": "The Amazon Resource Name (ARN) of the container recipe.
", + "ContainerRecipeSummary$arn": "The Amazon Resource Name (ARN) of the container recipe.
", "DistributionConfiguration$arn": "The Amazon Resource Name (ARN) of the distribution configuration.
", "DistributionConfigurationSummary$arn": "The Amazon Resource Name (ARN) of the distribution configuration.
", "Image$arn": "The Amazon Resource Name (ARN) of the image.
", @@ -761,6 +896,15 @@ "ImageTestsConfiguration$timeoutMinutes": "The maximum time in minutes that tests are permitted to run.
" } }, + "ImageType": { + "base": null, + "refs": { + "Image$type": "Specifies whether this is an AMI or container image.
", + "ImageRecipe$type": "Specifies which type of image is created by the recipe - an AMI or a container image.
", + "ImageSummary$type": "Specifies whether this is an AMI or container image.
", + "ImageVersion$type": "Specifies whether this is an AMI or container image.
" + } + }, "ImageVersion": { "base": "An image semantic version.
", "refs": { @@ -834,6 +978,12 @@ "CreateComponentRequest$data": "The data of the component. Used to specify the data inline. Either data or uri can be used to specify the data within the component.
The Dockerfile template used to build your image as an inline data blob.
" + } + }, "InstanceBlockDeviceMapping": { "base": "Defines block device mappings for the instance used to configure your image.
", "refs": { @@ -929,6 +1079,16 @@ "refs": { } }, + "ListContainerRecipesRequest": { + "base": null, + "refs": { + } + }, + "ListContainerRecipesResponse": { + "base": null, + "refs": { + } + }, "ListDistributionConfigurationsRequest": { "base": null, "refs": { @@ -1037,10 +1197,25 @@ "ComponentSummary$changeDescription": "The change description of the component.
", "ComponentVersion$description": "The description of the component.
", "ComponentVersion$owner": "The owner of the component.
", + "Container$region": "Containers and container images are Region-specific. This is the Region context for the container.
", + "ContainerDistributionConfiguration$description": "The description of the container distribution configuration.
", + "ContainerRecipe$description": "The description of the container recipe.
", + "ContainerRecipe$owner": "The owner of the container recipe.
", + "ContainerRecipe$kmsKeyId": "Identifies which KMS key is used to encrypt the container image for distribution to the target Region.
", + "ContainerRecipe$parentImage": "The source image for the container recipe.
", + "ContainerRecipe$workingDirectory": "The working directory for use during build and test workflows.
", + "ContainerRecipeSummary$owner": "The owner of the container recipe.
", + "ContainerRecipeSummary$parentImage": "The source image for the container recipe.
", "CreateComponentRequest$description": "The description of the component. Describes the contents of the component.
", "CreateComponentRequest$changeDescription": "The change description of the component. Describes what change has been made in this version, or what makes this version different from other versions of this component.
", "CreateComponentRequest$kmsKeyId": "The ID of the KMS key that should be used to encrypt this component.
", "CreateComponentResponse$requestId": "The request ID that uniquely identifies this request.
", + "CreateContainerRecipeRequest$description": "The description of the container recipe.
", + "CreateContainerRecipeRequest$imageOsVersionOverride": "Specifies the operating system version for the source image.
", + "CreateContainerRecipeRequest$parentImage": "The source image for the container recipe.
", + "CreateContainerRecipeRequest$workingDirectory": "The working directory for use during build and test workflows.
", + "CreateContainerRecipeRequest$kmsKeyId": "Identifies which KMS key is used to encrypt the container image.
", + "CreateContainerRecipeResponse$requestId": "The request ID that uniquely identifies this request.
", "CreateDistributionConfigurationRequest$description": "The description of the distribution configuration.
", "CreateDistributionConfigurationResponse$requestId": "The request ID that uniquely identifies this request.
", "CreateImagePipelineRequest$description": "The description of the image pipeline.
", @@ -1056,6 +1231,7 @@ "CreateInfrastructureConfigurationRequest$keyPair": "The key pair of the infrastructure configuration. This can be used to log on to and debug the instance used to create your image.
", "CreateInfrastructureConfigurationResponse$requestId": "The request ID that uniquely identifies this request.
", "DeleteComponentResponse$requestId": "The request ID that uniquely identifies this request.
", + "DeleteContainerRecipeResponse$requestId": "The request ID that uniquely identifies this request.
", "DeleteDistributionConfigurationResponse$requestId": "The request ID that uniquely identifies this request.
", "DeleteImagePipelineResponse$requestId": "The request ID that uniquely identifies this request.
", "DeleteImageRecipeResponse$requestId": "The request ID that uniquely identifies this request.
", @@ -1068,6 +1244,8 @@ "EbsInstanceBlockDeviceSpecification$snapshotId": "The snapshot that defines the device contents.
", "GetComponentPolicyResponse$requestId": "The request ID that uniquely identifies this request.
", "GetComponentResponse$requestId": "The request ID that uniquely identifies this request.
", + "GetContainerRecipePolicyResponse$requestId": "The request ID that uniquely identifies this request.
", + "GetContainerRecipeResponse$requestId": "The request ID that uniquely identifies this request.
", "GetDistributionConfigurationResponse$requestId": "The request ID that uniquely identifies this request.
", "GetImagePipelineResponse$requestId": "The request ID that uniquely identifies this request.
", "GetImagePolicyResponse$requestId": "The request ID that uniquely identifies this request.
", @@ -1100,6 +1278,9 @@ "InstanceBlockDeviceMapping$virtualName": "Use to manage instance ephemeral devices.
", "ListComponentBuildVersionsResponse$requestId": "The request ID that uniquely identifies this request.
", "ListComponentsResponse$requestId": "The request ID that uniquely identifies this request.
", + "ListContainerRecipesRequest$nextToken": "Provides a token for pagination, which determines where to begin the next set of results when the current set reaches the maximum for one request.
", + "ListContainerRecipesResponse$requestId": "The request ID that uniquely identifies this request.
", + "ListContainerRecipesResponse$nextToken": "The next token field is used for paginated responses. When this is not empty, there are additional container recipes that the service has not included in this response. Use this token with the next request to retrieve additional list items.
", "ListDistributionConfigurationsResponse$requestId": "The request ID that uniquely identifies this request.
", "ListImageBuildVersionsResponse$requestId": "The request ID that uniquely identifies this request.
", "ListImagePipelineImagesResponse$requestId": "The request ID that uniquely identifies this request.
", @@ -1108,14 +1289,17 @@ "ListImagesResponse$requestId": "The request ID that uniquely identifies this request.
", "ListInfrastructureConfigurationsResponse$requestId": "The request ID that uniquely identifies this request.
", "PutComponentPolicyResponse$requestId": "The request ID that uniquely identifies this request.
", + "PutContainerRecipePolicyResponse$requestId": "The request ID that uniquely identifies this request.
", "PutImagePolicyResponse$requestId": "The request ID that uniquely identifies this request.
", "PutImageRecipePolicyResponse$requestId": "The request ID that uniquely identifies this request.
", + "RegionList$member": null, "S3Logs$s3BucketName": "The Amazon S3 bucket in which to store the logs.
", "S3Logs$s3KeyPrefix": "The Amazon S3 path in which to store the logs.
", "Schedule$scheduleExpression": "The cron expression determines how often EC2 Image Builder evaluates your pipelineExecutionStartCondition.
For information on how to format a cron expression in Image Builder, see Use cron expressions in EC2 Image Builder.
", "SecurityGroupIds$member": null, "StartImagePipelineExecutionResponse$requestId": "The request ID that uniquely identifies this request.
", "StringList$member": null, + "TargetContainerRepository$repositoryName": "The name of the container repository where the output container image is stored. This name is prefixed by the repository location.
", "UpdateDistributionConfigurationRequest$description": "The description of the distribution configuration.
", "UpdateDistributionConfigurationResponse$requestId": "The request ID that uniquely identifies this request.
", "UpdateImagePipelineRequest$description": "The description of the image pipeline.
", @@ -1131,6 +1315,7 @@ "base": null, "refs": { "Component$encrypted": "The encryption status of the component.
", + "ContainerRecipe$encrypted": "A flag that indicates if the target container is encrypted.
", "CreateImagePipelineRequest$enhancedImageMetadataEnabled": "Collects additional information about the image being created, including the operating system (OS) version and package list. This information is used to enhance the overall experience of using EC2 Image Builder. Enabled by default.
", "CreateImageRequest$enhancedImageMetadataEnabled": "Collects additional information about the image being created, including the operating system (OS) version and package list. This information is used to enhance the overall experience of using EC2 Image Builder. Enabled by default.
", "CreateInfrastructureConfigurationRequest$terminateInstanceOnFailure": "The terminate instance on failure setting of the infrastructure configuration. Set to false if you want Image Builder to retain the instance used to configure your AMI if the build or test phase of your workflow fails.
", @@ -1140,6 +1325,7 @@ "ImagePipeline$enhancedImageMetadataEnabled": "Collects additional information about the image being created, including the operating system (OS) version and package list. This information is used to enhance the overall experience of using EC2 Image Builder. Enabled by default.
", "ImageTestsConfiguration$imageTestsEnabled": "Defines if tests should be executed when building this image.
", "InfrastructureConfiguration$terminateInstanceOnFailure": "The terminate instance on failure configuration of the infrastructure configuration.
", + "ListImagesRequest$includeDeprecated": "Includes deprecated images in the response list.
", "UpdateImagePipelineRequest$enhancedImageMetadataEnabled": "Collects additional information about the image being created, including the operating system (OS) version and package list. This information is used to enhance the overall experience of using EC2 Image Builder. Enabled by default.
", "UpdateInfrastructureConfigurationRequest$terminateInstanceOnFailure": "The terminate instance on failure setting of the infrastructure configuration. Set to false if you want Image Builder to retain the instance used to configure your AMI if the build or test phase of your workflow fails.
" } @@ -1173,6 +1359,7 @@ "base": null, "refs": { "ListComponentsRequest$owner": "The owner defines which components you want to list. By default, this request will only show components owned by your account. You can use this field to specify if you want to view components owned by yourself, by Amazon, or those components that have been shared with you by other customers.
", + "ListContainerRecipesRequest$owner": "Returns container recipes belonging to the specified owner, that have been shared with you. You can omit this field to return container recipes belonging to your account.
", "ListImageRecipesRequest$owner": "The owner defines which image recipes you want to list. By default, this request will only show image recipes owned by your account. You can use this field to specify if you want to view image recipes owned by yourself, by Amazon, or those image recipes that have been shared with you by other customers.
", "ListImagesRequest$owner": "The owner defines which images you want to list. By default, this request will only show images owned by your account. You can use this field to specify if you want to view images owned by yourself, by Amazon, or those images that have been shared with you by other customers.
" } @@ -1220,7 +1407,10 @@ "Component$platform": "The platform of the component.
", "ComponentSummary$platform": "The platform of the component.
", "ComponentVersion$platform": "The platform of the component.
", + "ContainerRecipe$platform": "The system platform for the container, such as Windows or Linux.
", + "ContainerRecipeSummary$platform": "The system platform for the container, such as Windows or Linux.
", "CreateComponentRequest$platform": "The platform of the component.
", + "CreateContainerRecipeRequest$platformOverride": "Specifies the operating system platform when you use a custom source image.
", "Image$platform": "The platform of the image.
", "ImagePipeline$platform": "The platform of the image pipeline.
", "ImageRecipe$platform": "The platform of the image recipe.
", @@ -1240,6 +1430,16 @@ "refs": { } }, + "PutContainerRecipePolicyRequest": { + "base": null, + "refs": { + } + }, + "PutContainerRecipePolicyResponse": { + "base": null, + "refs": { + } + }, "PutImagePolicyRequest": { "base": null, "refs": { @@ -1260,6 +1460,12 @@ "refs": { } }, + "RegionList": { + "base": null, + "refs": { + "DistributionConfigurationSummary$regions": "A list of Regions where the container image is distributed to.
" + } + }, "ResourceAlreadyExistsException": { "base": "The resource that you are trying to create already exists.
", "refs": { @@ -1281,7 +1487,10 @@ "Component$name": "The name of the component.
", "ComponentSummary$name": "The name of the component.
", "ComponentVersion$name": "The name of the component.
", + "ContainerRecipe$name": "The name of the container recipe.
", + "ContainerRecipeSummary$name": "The name of the container recipe.
", "CreateComponentRequest$name": "The name of the component.
", + "CreateContainerRecipeRequest$name": "The name of the container recipe.
", "CreateDistributionConfigurationRequest$name": "The name of the distribution configuration.
", "CreateImagePipelineRequest$name": "The name of the image pipeline.
", "CreateImageRecipeRequest$name": "The name of the image recipe.
", @@ -1309,9 +1518,11 @@ "base": null, "refs": { "GetComponentPolicyResponse$policy": "The component policy.
", + "GetContainerRecipePolicyResponse$policy": "The container recipe policy object that is returned.
", "GetImagePolicyResponse$policy": "The image policy object.
", "GetImageRecipePolicyResponse$policy": "The image recipe policy object.
", "PutComponentPolicyRequest$policy": "The policy to apply.
", + "PutContainerRecipePolicyRequest$policy": "The policy to apply to the container recipe.
", "PutImagePolicyRequest$policy": "The policy to apply.
", "PutImageRecipePolicyRequest$policy": "The policy to apply.
" } @@ -1330,6 +1541,7 @@ "refs": { "ListComponentBuildVersionsRequest$maxResults": "The maximum items to return in a request.
", "ListComponentsRequest$maxResults": "The maximum items to return in a request.
", + "ListContainerRecipesRequest$maxResults": "The maximum number of results to return in the list.
", "ListDistributionConfigurationsRequest$maxResults": "The maximum items to return in a request.
", "ListImageBuildVersionsRequest$maxResults": "The maximum items to return in a request.
", "ListImagePipelineImagesRequest$maxResults": "The maximum items to return in a request.
", @@ -1396,6 +1608,8 @@ "StringList": { "base": null, "refs": { + "Container$imageUris": "A list of URIs for containers created in the context Region.
", + "ContainerDistributionConfiguration$containerTags": "Tags that are attached to the container distribution configuration.
", "LaunchPermissionConfiguration$userGroups": "The name of the group.
" } }, @@ -1419,7 +1633,10 @@ "AmiDistributionConfiguration$amiTags": "The tags to apply to AMIs distributed to this Region.
", "Component$tags": "The tags associated with the component.
", "ComponentSummary$tags": "The tags associated with the component.
", + "ContainerRecipe$tags": "Tags that are attached to the container recipe.
", + "ContainerRecipeSummary$tags": "Tags that are attached to the container recipe.
", "CreateComponentRequest$tags": "The tags of the component.
", + "CreateContainerRecipeRequest$tags": "Tags that are attached to the container recipe.
", "CreateDistributionConfigurationRequest$tags": "The tags of the distribution configuration.
", "CreateImagePipelineRequest$tags": "The tags of the image pipeline.
", "CreateImageRecipeRequest$tags": "The tags of the image recipe.
", @@ -1456,6 +1673,14 @@ "TagMap$value": null } }, + "TargetContainerRepository": { + "base": "The container repository where the output container image is stored.
", + "refs": { + "ContainerDistributionConfiguration$targetRepository": "The destination repository for the container distribution configuration.
", + "ContainerRecipe$targetRepository": "The destination repository for the container image.
", + "CreateContainerRecipeRequest$targetRepository": "The destination repository for the container image.
" + } + }, "UntagResourceRequest": { "base": null, "refs": { @@ -1500,6 +1725,7 @@ "base": null, "refs": { "CreateComponentRequest$uri": "The uri of the component. Must be an S3 URL and the requester must have permission to access the S3 bucket. If you use S3, you can specify component content up to your service quota. Either data or uri can be used to specify the data within the component.
The S3 URI for the Dockerfile that will be used to build your container image.
", "ImportComponentRequest$uri": "The uri of the component. Must be an S3 URL and the requester must have permission to access the S3 bucket. If you use S3, you can specify component content up to your service quota. Either data or uri can be used to specify the data within the component.
The version of the component.
", "ComponentSummary$version": "The version of the component.
", "ComponentVersion$version": "The semantic version of the component.
", + "ContainerRecipe$version": "The semantic version of the container recipe (<major>.<minor>.<patch>).
", "CreateComponentRequest$semanticVersion": "The semantic version of the component. This version follows the semantic version syntax. For example, major.minor.patch. This could be versioned like software (2.0.1) or like a date (2019.12.01).
", + "CreateContainerRecipeRequest$semanticVersion": "The semantic version of the container recipe (<major>.<minor>.<patch>).
", "CreateImageRecipeRequest$semanticVersion": "The semantic version of the image recipe.
", "Image$version": "The semantic version of the image.
", "ImageRecipe$version": "The version of the image recipe.
", diff --git a/models/apis/imagebuilder/2019-12-02/paginators-1.json b/models/apis/imagebuilder/2019-12-02/paginators-1.json index f1aa23df30..157e6543cc 100644 --- a/models/apis/imagebuilder/2019-12-02/paginators-1.json +++ b/models/apis/imagebuilder/2019-12-02/paginators-1.json @@ -3,47 +3,62 @@ "ListComponentBuildVersions": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "componentSummaryList" }, "ListComponents": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "componentVersionList" + }, + "ListContainerRecipes": { + "input_token": "nextToken", + "output_token": "nextToken", + "limit_key": "maxResults", + "result_key": "containerRecipeSummaryList" }, "ListDistributionConfigurations": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "distributionConfigurationSummaryList" }, "ListImageBuildVersions": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "imageSummaryList" }, "ListImagePipelineImages": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "imageSummaryList" }, "ListImagePipelines": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "imagePipelineList" }, "ListImageRecipes": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "imageRecipeSummaryList" }, "ListImages": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "imageVersionList" }, "ListInfrastructureConfigurations": { "input_token": "nextToken", "output_token": "nextToken", - "limit_key": "maxResults" + "limit_key": "maxResults", + "result_key": "infrastructureConfigurationSummaryList" } } } diff --git a/models/apis/kms/2014-11-01/api-2.json b/models/apis/kms/2014-11-01/api-2.json index f745c2ab6c..f979481ffe 100644 --- a/models/apis/kms/2014-11-01/api-2.json +++ b/models/apis/kms/2014-11-01/api-2.json @@ -818,7 +818,9 @@ "members":{ "AliasName":{"shape":"AliasNameType"}, "AliasArn":{"shape":"ArnType"}, - "TargetKeyId":{"shape":"KeyIdType"} + "TargetKeyId":{"shape":"KeyIdType"}, + "CreationDate":{"shape":"DateType"}, + "LastUpdatedDate":{"shape":"DateType"} } }, "AliasNameType":{ diff --git a/models/apis/kms/2014-11-01/docs-2.json b/models/apis/kms/2014-11-01/docs-2.json index c0f1d1b07c..3eb7c90629 100644 --- a/models/apis/kms/2014-11-01/docs-2.json +++ b/models/apis/kms/2014-11-01/docs-2.json @@ -2,52 +2,52 @@ "version": "2.0", "service": "AWS Key Management Service (AWS KMS) is an encryption and key management web service. This guide describes the AWS KMS operations that you can call programmatically. For general information about AWS KMS, see the AWS Key Management Service Developer Guide .
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to AWS KMS and other AWS services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS.
Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Signing Requests
Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you do not use your AWS account (root) access key ID and secret key for everyday work with AWS KMS. Instead, use the access key ID and secret access key for an IAM user. You can also use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests.
All AWS KMS operations require Signature Version 4.
Logging API Requests
AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related events for your AWS account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to AWS KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
Additional Resources
For more information about credentials and request signing, see the following:
AWS Security Credentials - This topic provides general information about the types of credentials used for accessing AWS.
Temporary Security Credentials - This section of the IAM User Guide describes how to create and use temporary security credentials.
Signature Version 4 Signing Process - This set of topics walks you through the process of signing a request using an access key ID and a secret access key.
Commonly Used API Operations
Of the API operations discussed in this guide, the following will prove the most useful for most applications. You will likely perform operations other than these, such as creating keys and assigning policies, by using the console.
", "operations": { - "CancelKeyDeletion": "Cancels the deletion of a customer master key (CMK). When this operation succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey. You cannot perform this operation on a CMK in a different AWS account.
For more information about scheduling and canceling deletion of a CMK, see Deleting Customer Master Keys in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "ConnectCustomKeyStore": "Connects or reconnects a custom key store to its associated AWS CloudHSM cluster.
The custom key store must be connected before you can create customer master keys (CMKs) in the key store or use the CMKs it contains. You can disconnect and reconnect a custom key store at any time.
To connect a custom key store, its associated AWS CloudHSM cluster must have at least one active HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs to the cluster, use the CreateHsm operation. Also, the kmsuser crypto user (CU) must not be logged into the cluster. This prevents AWS KMS from using this account to log in.
The connection process can take an extended amount of time to complete; up to 20 minutes. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.
During the connection process, AWS KMS finds the AWS CloudHSM cluster that is associated with the custom key store, creates the connection infrastructure, connects to the cluster, logs into the AWS CloudHSM client as the kmsuser CU, and rotates its password.
The ConnectCustomKeyStore operation might fail for various reasons. To find the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use ConnectCustomKeyStore again.
If you are having trouble connecting or disconnecting a custom key store, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.
", - "CreateAlias": "Creates a display name for a customer managed customer master key (CMK). You can use an alias to identify a CMK in cryptographic operations, such as Encrypt and GenerateDataKey. You can change the CMK associated with the alias at any time.
Aliases are easier to remember than key IDs. They can also help to simplify your applications. For example, if you use an alias in your code, you can change the CMK your code uses by associating a given alias with a different CMK.
To run the same code in multiple AWS regions, use an alias in your code, such as alias/ApplicationKey. Then, in each AWS Region, create an alias/ApplicationKey alias that is associated with a CMK in that Region. When you run your code, it uses the alias/ApplicationKey CMK for that AWS Region without any Region-specific code.
This operation does not return a response. To get the alias that you created, use the ListAliases operation.
To use aliases successfully, be aware of the following information.
Each alias points to only one CMK at a time, although a single CMK can have multiple aliases. The alias and its associated CMK must be in the same AWS account and Region.
You can associate an alias with any customer managed CMK in the same AWS account and Region. However, you do not have permission to associate an alias with an AWS managed CMK or an AWS owned CMK.
To change the CMK associated with an alias, use the UpdateAlias operation. The current CMK and the new CMK must be the same type (both symmetric or both asymmetric) and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents cryptographic errors in code that uses aliases.
The alias name must begin with alias/ followed by a name, such as alias/ExampleAlias. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.
The alias name must be unique within an AWS Region. However, you can use the same alias name in multiple Regions of the same AWS account. Each instance of the alias is associated with a CMK in its Region.
After you create an alias, you cannot change its alias name. However, you can use the DeleteAlias operation to delete the alias and then create a new alias with the desired name.
You can use an alias name or alias ARN to identify a CMK in AWS KMS cryptographic operations and in the DescribeKey operation. However, you cannot use alias names or alias ARNs in API operations that manage CMKs, such as DisableKey or GetKeyPolicy. For information about the valid CMK identifiers for each AWS KMS API operation, see the descriptions of the KeyId parameter in the API operation documentation.
Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases and alias ARNs of CMKs in each AWS account and Region, use the ListAliases operation.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "CreateCustomKeyStore": "Creates a custom key store that is associated with an AWS CloudHSM cluster that you own and manage.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
Before you create the custom key store, you must assemble the required elements, including an AWS CloudHSM cluster that fulfills the requirements for a custom key store. For details about the required elements, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide.
When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to its AWS CloudHSM cluster. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.
For help with failures, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.
", - "CreateGrant": "Adds a grant to a customer master key (CMK). The grant allows the grantee principal to use the CMK when the conditions specified in the grant are met. When setting permissions, grants are an alternative to key policies.
To create a grant that allows a cryptographic operation only when the request includes a particular encryption context, use the Constraints parameter. For details, see GrantConstraints.
You can create grants on symmetric and asymmetric CMKs. However, if the grant allows an operation that the CMK does not support, CreateGrant fails with a ValidationException.
Grants for symmetric CMKs cannot allow operations that are not supported for symmetric CMKs, including Sign, Verify, and GetPublicKey. (There are limited exceptions to this rule for legacy operations, but you should not create a grant for an operation that AWS KMS does not support.)
Grants for asymmetric CMKs cannot allow operations that are not supported for asymmetric CMKs, including operations that generate data keys or data key pairs, or operations related to automatic key rotation, imported key material, or CMKs in custom key stores.
Grants for asymmetric CMKs with a KeyUsage of ENCRYPT_DECRYPT cannot allow the Sign or Verify operations. Grants for asymmetric CMKs with a KeyUsage of SIGN_VERIFY cannot allow the Encrypt or Decrypt operations.
Grants for asymmetric CMKs cannot include an encryption context grant constraint. An encryption context is not supported on asymmetric CMKs.
For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter. For more information about grants, see Grants in the AWS Key Management Service Developer Guide .
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "CreateKey": "Creates a unique customer managed customer master key (CMK) in your AWS account and Region. You cannot use this operation to create a CMK in a different AWS account.
You can use the CreateKey operation to create symmetric or asymmetric CMKs.
Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a symmetric CMK to encrypt and decrypt small amounts of data, but they are typically used to generate data keys and data keys pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted. However, you can use the GetPublicKey operation to download the public key so it can be used outside of AWS KMS. CMKs with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). CMKs with ECC key pairs can be used only to sign and verify messages.
For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
To create different types of CMKs, use the following guidance:
To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify the type of key material in the CMK. Then, use the KeyUsage parameter to determine whether the CMK will be used to encrypt and decrypt or sign and verify. You can't change these properties after the CMK is created.
When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values for symmetric CMKs.
To import your own key material, begin by creating a symmetric CMK with no key material. To do this, use the Origin parameter of CreateKey with a value of EXTERNAL. Next, use GetParametersForImport operation to get a public key and import token, and use the public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For step-by-step instructions, see Importing Key Material in the AWS Key Management Service Developer Guide . You cannot import the key material into an asymmetric CMK.
To create a symmetric CMK in a custom key store, use the CustomKeyStoreId parameter to specify the custom key store. You must also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with the custom key store must have at least two active HSMs in different Availability Zones in the AWS Region.
You cannot create an asymmetric CMK in a custom key store. For information about custom key stores in AWS KMS see Using Custom Key Stores in the AWS Key Management Service Developer Guide .
Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) using any of the following operations:
You can use this operation to decrypt ciphertext that was encrypted under a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify the CMK and the encryption algorithm that was used to encrypt the ciphertext. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
If the ciphertext was encrypted under a symmetric CMK, you do not need to specify the CMK or the encryption algorithm. AWS KMS can get this information from metadata that it adds to the symmetric ciphertext blob. However, if you prefer, you can specify the KeyId to ensure that a particular CMK is used to decrypt the ciphertext. If you specify a different CMK than the one used to encrypt the ciphertext, the Decrypt operation fails.
Whenever possible, use key policies to give users permission to call the Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise, you might create an IAM user policy that gives the user Decrypt permission on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs in other accounts if the key policy for the cross-account CMK permits it. If you must use an IAM policy for Decrypt permissions, limit the user to particular CMKs or particular trusted accounts.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "DeleteAlias": "Deletes the specified alias. You cannot perform this operation on an alias in a different AWS account.
Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all CMKs, use the ListAliases operation.
Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias to delete the current alias and CreateAlias to create a new alias. To associate an existing alias with a different customer master key (CMK), call UpdateAlias.
", - "DeleteCustomKeyStore": "Deletes a custom key store. This operation does not delete the AWS CloudHSM cluster that is associated with the custom key store, or affect any users or keys in the cluster.
The custom key store that you delete cannot contain any AWS KMS customer master keys (CMKs). Before deleting the key store, verify that you will never need to use any of the CMKs in the key store for any cryptographic operations. Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs) from the key store. When the scheduled waiting period expires, the ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort to delete the key material from the associated cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect the key store from AWS KMS. Then, you can delete the custom key store.
Instead of deleting the custom key store, consider using DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key store is disconnected, you cannot create or use the CMKs in the key store. But, you do not need to delete CMKs and you can reconnect a disconnected custom key store at any time.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
", - "DeleteImportedKeyMaterial": "Deletes key material that you previously imported. This operation makes the specified customer master key (CMK) unusable. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide. You cannot perform this operation on a CMK in a different AWS account.
When the specified CMK is in the PendingDeletion state, this operation does not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport.
After you delete key material, you can use ImportKeyMaterial to reimport the same key material into the CMK.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "DescribeCustomKeyStores": "Gets information about custom key stores in the account and region.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
By default, this operation returns information about all custom key stores in the account and region. To get only information about a particular custom key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter (but not both).
To determine whether the custom key store is connected to its AWS CloudHSM cluster, use the ConnectionState element in the response. If an attempt to connect the custom key store failed, the ConnectionState value is FAILED and the ConnectionErrorCode element in the response indicates the cause of the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
Custom key stores have a DISCONNECTED connection state if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If your custom key store state is CONNECTED but you are having trouble using it, make sure that its associated AWS CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any.
For help repairing your custom key store, see the Troubleshooting Custom Key Stores topic in the AWS Key Management Service Developer Guide.
", - "DescribeKey": "Provides detailed information about a customer master key (CMK). You can run DescribeKey on a customer managed CMK or an AWS managed CMK.
This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. For CMKs in custom key stores, it includes information about the custom key store, such as the key store ID and the AWS CloudHSM cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric from asymmetric CMKs. It also provides information that is particularly important to asymmetric CMKs, such as the key usage (encryption or signing) and the encryption algorithms or signing algorithms that the CMK supports.
DescribeKey does not return the following information:
Aliases associated with the CMK. To get this information, use ListAliases.
Whether automatic key rotation is enabled on the CMK. To get this information, use GetKeyRotationStatus. Also, some key states prevent a CMK from being automatically rotated. For details, see How Automatic Key Rotation Works in AWS Key Management Service Developer Guide.
Tags on the CMK. To get this information, use ListResourceTags.
Key policies and grants on the CMK. To get this information, use GetKeyPolicy and ListGrants.
If you call the DescribeKey operation on a predefined AWS alias, that is, an AWS alias with no key ID, AWS KMS creates an AWS managed CMK. Then, it associates the alias with the new CMK, and returns the KeyId and Arn of the new CMK in the response.
To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
", - "DisableKey": "Sets the state of a customer master key (CMK) to disabled, thereby preventing its use for cryptographic operations. You cannot perform this operation on a CMK in a different AWS account.
For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide .
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "DisableKeyRotation": "Disables automatic rotation of the key material for the specified symmetric customer master key (CMK).
You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store. You cannot perform this operation on a CMK in a different AWS account.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "DisconnectCustomKeyStore": "Disconnects the custom key store from its associated AWS CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key store and its customer master keys (CMKs), but you cannot create or use CMKs in the custom key store. You can reconnect the custom key store at any time.
While a custom key store is disconnected, all attempts to create customer master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.
To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the ConnectCustomKeyStore operation.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
", - "EnableKey": "Sets the key state of a customer master key (CMK) to enabled. This allows you to use the CMK for cryptographic operations. You cannot perform this operation on a CMK in a different AWS account.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "EnableKeyRotation": "Enables automatic rotation of the key material for the specified symmetric customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.
You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "Encrypt": "Encrypts plaintext into ciphertext by using a customer master key (CMK). The Encrypt operation has two primary use cases:
You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information.
You can use the Encrypt operation to move encrypted data from one AWS Region to another. For example, in Region A, generate a data key and use the plaintext key to encrypt your data. Then, in Region A, use the Encrypt operation to encrypt the plaintext data key under a CMK in Region B. Now, you can move the encrypted data and the encrypted data key to Region B. When necessary, you can decrypt the encrypted data key and the encrypted data entirely within in Region B.
You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.
When you encrypt data, you must specify a symmetric or asymmetric CMK to use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use the DescribeKey operation.
If you use a symmetric CMK, you can use an encryption context to add additional security to your encryption operation. If you specify an EncryptionContext when encrypting data, you must specify the same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
If you specify an asymmetric CMK, you must also specify the encryption algorithm. The algorithm must be compatible with the CMK type.
When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data. If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that you choose.
Symmetric CMKs
SYMMETRIC_DEFAULT: 4096 bytes
RSA_2048
RSAES_OAEP_SHA_1: 214 bytes
RSAES_OAEP_SHA_256: 190 bytes
RSA_3072
RSAES_OAEP_SHA_1: 342 bytes
RSAES_OAEP_SHA_256: 318 bytes
RSA_4096
RSAES_OAEP_SHA_1: 470 bytes
RSAES_OAEP_SHA_256: 446 bytes
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
", - "GenerateDataKey": "Generates a unique symmetric data key for client-side encryption. This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.
GenerateDataKey returns a unique data key for each request. The bytes in the plaintext key are not related to the caller or the CMK.
To generate a data key, specify the symmetric CMK that will be used to encrypt the data key. You cannot use an asymmetric CMK to generate data keys. To get the type of your CMK, use the DescribeKey operation. You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.
To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random byte string, use GenerateRandom.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
How to use your data key
We recommend that you use the following pattern to encrypt data locally in your application. You can write your own code or use a client-side encryption library, such as the AWS Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you.
To encrypt data outside of AWS KMS:
Use the GenerateDataKey operation to get a data key.
Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.
Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.
To decrypt data outside of AWS KMS:
Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.
Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.
Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric CMK you specify. You can use the data key pair to perform asymmetric cryptography outside of AWS KMS.
GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are not related to the caller or the CMK that is used to encrypt the private key.
You can use the public key that GenerateDataKeyPair returns to encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric customer master key (CMK) to encrypt the private key in a data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the DescribeKey operation.
If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an encrypted private key, but omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use the Decrypt operation to decrypt the encrypted private key in the data key pair.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "GenerateDataKeyPairWithoutPlaintext": "Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext operation returns a plaintext public key and a copy of the private key that is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key.
To generate a data key pair, you must specify a symmetric customer master key (CMK) to encrypt the private key in the data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the KeySpec field in the DescribeKey response.
You can use the public key that GenerateDataKeyPairWithoutPlaintext returns to encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each request. The bytes in the key are not related to the caller or CMK that is used to encrypt the private key.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "GenerateDataKeyWithoutPlaintext": "Generates a unique symmetric data key. This operation returns a data key that is encrypted under a customer master key (CMK) that you specify. To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.
GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that returns only the encrypted copy of the data key. This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key.
It's also useful in distributed systems with different levels of trust. For example, you might store encrypted data in containers. One component of your system creates new containers and stores an encrypted data key with each container. Then, a different component puts the data into the containers. That component first decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then destroys the plaintext data key. In this system, the component that creates the containers never sees the plaintext data key.
GenerateDataKeyWithoutPlaintext returns a unique data key for each request. The bytes in the keys are not related to the caller or CMK that is used to encrypt the private key.
To generate a data key, you must specify the symmetric customer master key (CMK) that is used to encrypt the data key. You cannot use an asymmetric CMK to generate a data key. To get the type of your CMK, use the DescribeKey operation.
If the operation succeeds, you will find the encrypted copy of the data key in the CiphertextBlob field.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "GenerateRandom": "Returns a random byte string that is cryptographically secure.
By default, the random byte string is generated in AWS KMS. To generate the byte string in the AWS CloudHSM cluster that is associated with a custom key store, specify the custom key store ID.
For more information about entropy and random number generation, see the AWS Key Management Service Cryptographic Details whitepaper.
", - "GetKeyPolicy": "Gets a key policy attached to the specified customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.
", - "GetKeyRotationStatus": "Gets a Boolean value that indicates whether automatic rotation of the key material is enabled for the specified customer master key (CMK).
You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store. The key rotation status for these CMKs is always false.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Disabled: The key rotation status does not change when you disable a CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing key.
Pending deletion: While a CMK is pending deletion, its key rotation status is false and AWS KMS does not rotate the backing key. If you cancel the deletion, the original key rotation status is restored.
To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
Returns the items you need to import key material into a symmetric, customer managed customer master key (CMK). For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide.
This operation returns a public key and an import token. Use the public key to encrypt the symmetric key material. Store the import token to send with a subsequent ImportKeyMaterial request.
You must specify the key ID of the symmetric CMK into which you will import key material. This CMK's Origin must be EXTERNAL. You must also specify the wrapping algorithm and type of wrapping key (public key) that you will use to encrypt the key material. You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account.
To import key material, you must use the public key and import token from the same response. These items are valid for 24 hours. The expiration date and time appear in the GetParametersForImport response. You cannot use an expired token in an ImportKeyMaterial request. If your key and token expire, send another GetParametersForImport request.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "GetPublicKey": "Returns the public key of an asymmetric CMK. Unlike the private key of a asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey permission can download the public key of an asymmetric CMK. You can share the public key to allow others to encrypt messages and verify signatures outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric CMK. When you use the public key within AWS KMS, you benefit from the authentication, authorization, and logging that are part of every AWS KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features are not effective outside of AWS KMS. For details, see Special Considerations for Downloading Public Keys.
To help you use the public key safely outside of AWS KMS, GetPublicKey returns important information about the public key in the response, including:
CustomerMasterKeySpec: The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
KeyUsage: Whether the key is used for encryption or signing.
EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing algorithms for the key.
Although AWS KMS cannot enforce these restrictions on external operations, it is crucial that you use this information to prevent the public key from being used improperly. For example, you can prevent a public signing key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is not supported by AWS KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification operation.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "ImportKeyMaterial": "Imports key material into an existing symmetric AWS KMS customer master key (CMK) that was created without key material. After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but you cannot import different key material.
You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account. For more information about creating CMKs with no key material and then importing key material, see Importing Key Material in the AWS Key Management Service Developer Guide.
Before using this operation, call GetParametersForImport. Its response includes a public key and an import token. Use the public key to encrypt the key material. Then, submit the import token from the same GetParametersForImport response.
When calling this operation, you must specify the following values:
The key ID or key ARN of a CMK with no key material. Its Origin must be EXTERNAL.
To create a CMK with no key material, call CreateKey and set the value of its Origin parameter to EXTERNAL. To get the Origin of a CMK, call DescribeKey.)
The encrypted key material. To get the public key to encrypt the key material, call GetParametersForImport.
The import token that GetParametersForImport returned. You must use a public key and token from the same GetParametersForImport response.
Whether the key material expires and if so, when. If you set an expiration date, AWS KMS deletes the key material from the CMK on the specified date, and the CMK becomes unusable. To use the CMK again, you must reimport the same key material. The only way to change an expiration date is by reimporting the same key material and specifying a new expiration date.
When this operation is successful, the key state of the CMK changes from PendingImport to Enabled, and you can use the CMK.
If this operation fails, use the exception to help determine the problem. If the error is related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the CMK and repeat the import procedure. For help, see How To Import Key Material in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "ListAliases": "Gets a list of aliases in the caller's AWS account and region. You cannot list aliases in other accounts. For more information about aliases, see CreateAlias.
By default, the ListAliases command returns all aliases in the account and region. To get only the aliases that point to a particular customer master key (CMK), use the KeyId parameter.
The ListAliases response can include aliases that you created and associated with your customer managed CMKs, and aliases that AWS created and associated with AWS managed CMKs in your account. You can recognize AWS aliases because their names have the format aws/<service-name>, such as aws/dynamodb.
The response might also include aliases that have no TargetKeyId field. These are predefined aliases that AWS has created but has not yet associated with a CMK. Aliases that AWS creates in your account, including predefined aliases, do not count against your AWS KMS aliases quota.
Gets a list of all grants for the specified customer master key (CMK).
To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
The GranteePrincipal field in the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.
Gets the names of the key policies that are attached to a customer master key (CMK). This operation is designed to get policy names that you can use in a GetKeyPolicy operation. However, the only valid policy name is default. You cannot perform this operation on a CMK in a different AWS account.
Gets a list of all customer master keys (CMKs) in the caller's AWS account and Region.
", - "ListResourceTags": "Returns a list of all tags for the specified customer master key (CMK).
You cannot perform this operation on a CMK in a different AWS account.
", - "ListRetirableGrants": "Returns a list of all grants for which the grant's RetiringPrincipal matches the one specified.
A typical use is to list all grants that you are able to retire. To retire a grant, use RetireGrant.
", - "PutKeyPolicy": "Attaches a key policy to the specified customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.
For more information about key policies, see Key Policies in the AWS Key Management Service Developer Guide.
", - "ReEncrypt": "Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can use this operation to change the customer master key (CMK) under which data is encrypted, such as when you manually rotate a CMK or change the CMK that protects a ciphertext. You can also use it to reencrypt ciphertext under the same CMK, such as to change the encryption context of a ciphertext.
The ReEncrypt operation can decrypt ciphertext that was encrypted by using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the public key of an asymmetric CMK outside of AWS KMS. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
When you use the ReEncrypt operation, you need to provide information for the decrypt operation and the subsequent encrypt operation.
If your ciphertext was encrypted under an asymmetric CMK, you must identify the source CMK, that is, the CMK that encrypted the ciphertext. You must also supply the encryption algorithm that was used. This information is required to decrypt the data.
It is optional, but you can specify a source CMK even when the ciphertext was encrypted under a symmetric CMK. This ensures that the ciphertext is decrypted only by using a particular CMK. If the CMK that you specify cannot decrypt the ciphertext, the ReEncrypt operation fails.
To reencrypt the data, you must specify the destination CMK, that is, the CMK that re-encrypts the data after it is decrypted. You can select a symmetric or asymmetric CMK. If the destination CMK is an asymmetric CMK, you must also provide the encryption algorithm. The algorithm that you choose must be compatible with the CMK.
When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data. If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
Unlike other AWS KMS API operations, ReEncrypt callers must have two permissions:
kms:ReEncryptFrom permission on the source CMK
kms:ReEncryptTo permission on the destination CMK
To permit reencryption from or to a CMK, include the \"kms:ReEncrypt*\" permission in your key policy. This permission is automatically included in the key policy when you use the console to create a CMK. But you must include it manually when you create a CMK programmatically or when you use the PutKeyPolicy operation to set a key policy.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "RetireGrant": "Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:
The AWS account (root user) under which the grant was created
The RetiringPrincipal, if present in the grant
The GranteePrincipal, if RetireGrant is an operation specified in the grant
You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded string. A grant ID is a 64 character unique identifier of a grant. The CreateGrant operation returns both.
", - "RevokeGrant": "Revokes the specified grant for the specified customer master key (CMK). You can revoke a grant to actively deny operations that depend on it.
To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
Schedules the deletion of a customer master key (CMK). You may provide a waiting period, specified in days, before deletion occurs. If you do not provide a waiting period, the default period of 30 days is used. When this operation is successful, the key state of the CMK changes to PendingDeletion. Before the waiting period ends, you can use CancelKeyDeletion to cancel the deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK and all AWS KMS data associated with it, including all aliases that refer to it.
Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. To prevent the use of a CMK without deleting it, use DisableKey.
If you schedule deletion of a CMK from a custom key store, when the waiting period expires, ScheduleKeyDeletion deletes the CMK from AWS KMS. Then AWS KMS makes a best effort to delete the key material from the associated AWS CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
You cannot perform this operation on a CMK in a different AWS account.
For more information about scheduling a CMK for deletion, see Deleting Customer Master Keys in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "Sign": "Creates a digital signature for a message or message digest by using the private key in an asymmetric CMK. To verify the signature, use the Verify operation, or use the public key in the same asymmetric CMK outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is represented by an asymmetric customer master key (CMK). The key owner (or an authorized user) uses their private key to sign a message. Anyone with the public key can verify that the message was signed with that particular private key and that the message hasn't changed since it was signed.
To use the Sign operation, provide the following information:
Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey operation. The caller must have kms:Sign permission on the CMK.
Use the Message parameter to specify the message or message digest to sign. You can submit messages of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash digest in the Message parameter. To indicate whether the message is a full message or a digest, use the MessageType parameter.
Choose a signing algorithm that is compatible with the CMK.
When signing a message, be sure to record the CMK and the signing algorithm. This information is required to verify the signature.
To verify the signature that this operation generates, use the Verify operation. Or use the GetPublicKey operation to download the public key and then use the public key to verify the signature outside of AWS KMS.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "TagResource": "Adds or edits tags for a customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.
Each tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag values can be empty (null) strings.
You can only use a tag key once for each CMK. If you use the tag key again, AWS KMS replaces the current tag value with the specified value.
For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictions in the AWS Billing and Cost Management User Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "UntagResource": "Removes the specified tags from the specified customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.
To remove a tag, specify the tag key. To change the tag value of an existing tag key, use TagResource.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "UpdateAlias": "Associates an existing AWS KMS alias with a different customer master key (CMK). Each alias is associated with only one CMK at a time, although a CMK can have multiple aliases. The alias and the CMK must be in the same AWS account and region. You cannot perform this operation on an alias in a different AWS account.
The current and new CMK must be the same type (both symmetric or both asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code that uses aliases. If you must assign an alias to a different type of CMK, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
You cannot use UpdateAlias to change an alias name. To change an alias name, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
Because an alias is not a property of a CMK, you can create, update, and delete the aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all CMKs in the account, use the ListAliases operation.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "UpdateCustomKeyStore": "Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use ConnectCustomKeyStore. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.
Use the parameters of UpdateCustomKeyStore to edit your keystore settings.
Use the NewCustomKeyStoreName parameter to change the friendly name of the custom key store to the value that you specify.
Use the KeyStorePassword parameter tell AWS KMS the current password of the kmsuser crypto user (CU) in the associated AWS CloudHSM cluster. You can use this parameter to fix connection failures that occur when AWS KMS cannot log into the associated cluster because the kmsuser password has changed. This value does not change the password in the AWS CloudHSM cluster.
Use the CloudHsmClusterId parameter to associate the custom key store with a different, but related, AWS CloudHSM cluster. You can use this parameter to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is deleted, or when you need to create or restore a cluster from a backup.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
", - "UpdateKeyDescription": "Updates the description of a customer master key (CMK). To see the description of a CMK, use DescribeKey.
You cannot perform this operation on a CMK in a different AWS account.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
", - "Verify": "Verifies a digital signature that was generated by the Sign operation.
Verification confirms that an authorized user signed the message with the specified CMK and signing algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with an KMSInvalidSignatureException exception.
A digital signature is generated by using the private key in an asymmetric CMK. The signature is verified by using the public key in the same asymmetric CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
To verify a digital signature, you can use the Verify operation. Specify the same asymmetric CMK, message, and signing algorithm that were used to produce the signature.
You can also verify the digital signature by using the public key of the CMK outside of AWS KMS. Use the GetPublicKey operation to download the public key in the asymmetric CMK and then use the public key to verify the signature outside of AWS KMS. The advantage of using the Verify operation is that it is performed within AWS KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in AWS CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the CMK to verify signatures.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
" + "CancelKeyDeletion": "Cancels the deletion of a customer master key (CMK). When this operation succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey.
For more information about scheduling and canceling deletion of a CMK, see Deleting Customer Master Keys in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:CancelKeyDeletion (key policy)
Related operations: ScheduleKeyDeletion
", + "ConnectCustomKeyStore": "Connects or reconnects a custom key store to its associated AWS CloudHSM cluster.
The custom key store must be connected before you can create customer master keys (CMKs) in the key store or use the CMKs it contains. You can disconnect and reconnect a custom key store at any time.
To connect a custom key store, its associated AWS CloudHSM cluster must have at least one active HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs to the cluster, use the CreateHsm operation. Also, the kmsuser crypto user (CU) must not be logged into the cluster. This prevents AWS KMS from using this account to log in.
The connection process can take an extended amount of time to complete; up to 20 minutes. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.
During the connection process, AWS KMS finds the AWS CloudHSM cluster that is associated with the custom key store, creates the connection infrastructure, connects to the cluster, logs into the AWS CloudHSM client as the kmsuser CU, and rotates its password.
The ConnectCustomKeyStore operation might fail for various reasons. To find the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use ConnectCustomKeyStore again.
If you are having trouble connecting or disconnecting a custom key store, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:ConnectCustomKeyStore (IAM policy)
Related operations
Creates a friendly name for a customer master key (CMK). You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey operation and in cryptographic operations, such as Encrypt and GenerateDataKey.
You can also change the CMK that's associated with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. These operations don't affect the underlying CMK.
You can associate the alias with any customer managed CMK in the same AWS Region. Each alias is associated with only on CMK at a time, but a CMK can have multiple aliases. A valid CMK is required. You can't create an alias without a CMK.
The alias must be unique in the account and Region, but you can have aliases with the same name in different Regions. For detailed information about aliases, see Using aliases in the AWS Key Management Service Developer Guide.
This operation does not return a response. To get the alias that you created, use the ListAliases operation.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on an alias in a different AWS account.
Required permissions
kms:CreateAlias on the alias (IAM policy).
kms:CreateAlias on the CMK (key policy).
For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.
Related operations:
", + "CreateCustomKeyStore": "Creates a custom key store that is associated with an AWS CloudHSM cluster that you own and manage.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
Before you create the custom key store, you must assemble the required elements, including an AWS CloudHSM cluster that fulfills the requirements for a custom key store. For details about the required elements, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide.
When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to its AWS CloudHSM cluster. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.
For help with failures, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:CreateCustomKeyStore (IAM policy).
Related operations:
Adds a grant to a customer master key (CMK). The grant allows the grantee principal to use the CMK when the conditions specified in the grant are met. When setting permissions, grants are an alternative to key policies.
To create a grant that allows a cryptographic operation only when the request includes a particular encryption context, use the Constraints parameter. For details, see GrantConstraints.
You can create grants on symmetric and asymmetric CMKs. However, if the grant allows an operation that the CMK does not support, CreateGrant fails with a ValidationException.
Grants for symmetric CMKs cannot allow operations that are not supported for symmetric CMKs, including Sign, Verify, and GetPublicKey. (There are limited exceptions to this rule for legacy operations, but you should not create a grant for an operation that AWS KMS does not support.)
Grants for asymmetric CMKs cannot allow operations that are not supported for asymmetric CMKs, including operations that generate data keys or data key pairs, or operations related to automatic key rotation, imported key material, or CMKs in custom key stores.
Grants for asymmetric CMKs with a KeyUsage of ENCRYPT_DECRYPT cannot allow the Sign or Verify operations. Grants for asymmetric CMKs with a KeyUsage of SIGN_VERIFY cannot allow the Encrypt or Decrypt operations.
Grants for asymmetric CMKs cannot include an encryption context grant constraint. An encryption context is not supported on asymmetric CMKs.
For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide. For more information about grants, see Grants in the AWS Key Management Service Developer Guide .
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
Required permissions: kms:CreateGrant (key policy)
Related operations:
", + "CreateKey": "Creates a unique customer managed customer master key (CMK) in your AWS account and Region.
You can use the CreateKey operation to create symmetric or asymmetric CMKs.
Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a symmetric CMK to encrypt and decrypt small amounts of data, but they are typically used to generate data keys and data keys pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted. However, you can use the GetPublicKey operation to download the public key so it can be used outside of AWS KMS. CMKs with RSA key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). CMKs with ECC key pairs can be used only to sign and verify messages.
For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
To create different types of CMKs, use the following guidance:
To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify the type of key material in the CMK. Then, use the KeyUsage parameter to determine whether the CMK will be used to encrypt and decrypt or sign and verify. You can't change these properties after the CMK is created.
When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values for symmetric CMKs.
To import your own key material, begin by creating a symmetric CMK with no key material. To do this, use the Origin parameter of CreateKey with a value of EXTERNAL. Next, use GetParametersForImport operation to get a public key and import token, and use the public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For step-by-step instructions, see Importing Key Material in the AWS Key Management Service Developer Guide . You cannot import the key material into an asymmetric CMK.
To create a symmetric CMK in a custom key store, use the CustomKeyStoreId parameter to specify the custom key store. You must also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with the custom key store must have at least two active HSMs in different Availability Zones in the AWS Region.
You cannot create an asymmetric CMK in a custom key store. For information about custom key stores in AWS KMS see Using Custom Key Stores in the AWS Key Management Service Developer Guide .
Cross-account use: No. You cannot use this operation to create a CMK in a different AWS account.
Required permissions: kms:CreateKey (IAM policy). To use the Tags parameter, kms:TagResource (IAM policy). For examples and information about related permissions, see Allow a user to create CMKs in the AWS Key Management Service Developer Guide.
Related operations:
", + "Decrypt": "Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) using any of the following operations:
You can use this operation to decrypt ciphertext that was encrypted under a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify the CMK and the encryption algorithm that was used to encrypt the ciphertext. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
If the ciphertext was encrypted under a symmetric CMK, the KeyId parameter is optional. AWS KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even if they've lost track of the CMK ID. However, specifying the CMK is always recommended as a best practice. When you use the KeyId parameter to specify a CMK, AWS KMS only uses the CMK you specify. If the ciphertext was encrypted under a different CMK, the Decrypt operation fails. This practice ensures that you use the CMK that you intend.
Whenever possible, use key policies to give users permission to call the Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise, you might create an IAM user policy that gives the user Decrypt permission on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs in other accounts if the key policy for the cross-account CMK permits it. If you must use an IAM policy for Decrypt permissions, limit the user to particular CMKs or particular trusted accounts. For details, see Best practices for IAM policies in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. You can decrypt a ciphertext using a CMK in a different AWS account.
Required permissions: kms:Decrypt (key policy)
Related operations:
", + "DeleteAlias": "Deletes the specified alias.
Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all CMKs, use the ListAliases operation.
Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias to delete the current alias and CreateAlias to create a new alias. To associate an existing alias with a different customer master key (CMK), call UpdateAlias.
Cross-account use: No. You cannot perform this operation on an alias in a different AWS account.
Required permissions
kms:DeleteAlias on the alias (IAM policy).
kms:DeleteAlias on the CMK (key policy).
For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.
Related operations:
", + "DeleteCustomKeyStore": "Deletes a custom key store. This operation does not delete the AWS CloudHSM cluster that is associated with the custom key store, or affect any users or keys in the cluster.
The custom key store that you delete cannot contain any AWS KMS customer master keys (CMKs). Before deleting the key store, verify that you will never need to use any of the CMKs in the key store for any cryptographic operations. Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs) from the key store. When the scheduled waiting period expires, the ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort to delete the key material from the associated cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect the key store from AWS KMS. Then, you can delete the custom key store.
Instead of deleting the custom key store, consider using DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key store is disconnected, you cannot create or use the CMKs in the key store. But, you do not need to delete CMKs and you can reconnect a disconnected custom key store at any time.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:DeleteCustomKeyStore (IAM policy)
Related operations:
Deletes key material that you previously imported. This operation makes the specified customer master key (CMK) unusable. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide.
When the specified CMK is in the PendingDeletion state, this operation does not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport.
After you delete key material, you can use ImportKeyMaterial to reimport the same key material into the CMK.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:DeleteImportedKeyMaterial (key policy)
Related operations:
", + "DescribeCustomKeyStores": "Gets information about custom key stores in the account and region.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
By default, this operation returns information about all custom key stores in the account and region. To get only information about a particular custom key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter (but not both).
To determine whether the custom key store is connected to its AWS CloudHSM cluster, use the ConnectionState element in the response. If an attempt to connect the custom key store failed, the ConnectionState value is FAILED and the ConnectionErrorCode element in the response indicates the cause of the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
Custom key stores have a DISCONNECTED connection state if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If your custom key store state is CONNECTED but you are having trouble using it, make sure that its associated AWS CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any.
For help repairing your custom key store, see the Troubleshooting Custom Key Stores topic in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:DescribeCustomKeyStores (IAM policy)
Related operations:
Provides detailed information about a customer master key (CMK). You can run DescribeKey on a customer managed CMK or an AWS managed CMK.
This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. For CMKs in custom key stores, it includes information about the custom key store, such as the key store ID and the AWS CloudHSM cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric from asymmetric CMKs. It also provides information that is particularly important to asymmetric CMKs, such as the key usage (encryption or signing) and the encryption algorithms or signing algorithms that the CMK supports.
DescribeKey does not return the following information:
Aliases associated with the CMK. To get this information, use ListAliases.
Whether automatic key rotation is enabled on the CMK. To get this information, use GetKeyRotationStatus. Also, some key states prevent a CMK from being automatically rotated. For details, see How Automatic Key Rotation Works in AWS Key Management Service Developer Guide.
Tags on the CMK. To get this information, use ListResourceTags.
Key policies and grants on the CMK. To get this information, use GetKeyPolicy and ListGrants.
If you call the DescribeKey operation on a predefined AWS alias, that is, an AWS alias with no key ID, AWS KMS creates an AWS managed CMK. Then, it associates the alias with the new CMK, and returns the KeyId and Arn of the new CMK in the response.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:DescribeKey (key policy)
Related operations:
Sets the state of a customer master key (CMK) to disabled. This change temporarily prevents use of the CMK for cryptographic operations.
For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide .
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:DisableKey (key policy)
Related operations: EnableKey
", + "DisableKeyRotation": "Disables automatic rotation of the key material for the specified symmetric customer master key (CMK).
You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:DisableKeyRotation (key policy)
Related operations:
", + "DisconnectCustomKeyStore": "Disconnects the custom key store from its associated AWS CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key store and its customer master keys (CMKs), but you cannot create or use CMKs in the custom key store. You can reconnect the custom key store at any time.
While a custom key store is disconnected, all attempts to create customer master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.
To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the ConnectCustomKeyStore operation.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:DisconnectCustomKeyStore (IAM policy)
Related operations:
Sets the key state of a customer master key (CMK) to enabled. This allows you to use the CMK for cryptographic operations.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:EnableKey (key policy)
Related operations: DisableKey
", + "EnableKeyRotation": "Enables automatic rotation of the key material for the specified symmetric customer master key (CMK).
You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:EnableKeyRotation (key policy)
Related operations:
", + "Encrypt": "Encrypts plaintext into ciphertext by using a customer master key (CMK). The Encrypt operation has two primary use cases:
You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information.
You can use the Encrypt operation to move encrypted data from one AWS Region to another. For example, in Region A, generate a data key and use the plaintext key to encrypt your data. Then, in Region A, use the Encrypt operation to encrypt the plaintext data key under a CMK in Region B. Now, you can move the encrypted data and the encrypted data key to Region B. When necessary, you can decrypt the encrypted data key and the encrypted data entirely within in Region B.
You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.
When you encrypt data, you must specify a symmetric or asymmetric CMK to use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use the DescribeKey operation.
If you use a symmetric CMK, you can use an encryption context to add additional security to your encryption operation. If you specify an EncryptionContext when encrypting data, you must specify the same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
If you specify an asymmetric CMK, you must also specify the encryption algorithm. The algorithm must be compatible with the CMK type.
When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data. If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that you choose.
Symmetric CMKs
SYMMETRIC_DEFAULT: 4096 bytes
RSA_2048
RSAES_OAEP_SHA_1: 214 bytes
RSAES_OAEP_SHA_256: 190 bytes
RSA_3072
RSAES_OAEP_SHA_1: 342 bytes
RSAES_OAEP_SHA_256: 318 bytes
RSA_4096
RSAES_OAEP_SHA_1: 470 bytes
RSAES_OAEP_SHA_256: 446 bytes
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:Encrypt (key policy)
Related operations:
", + "GenerateDataKey": "Generates a unique symmetric data key for client-side encryption. This operation returns a plaintext copy of the data key and a copy that is encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.
GenerateDataKey returns a unique data key for each request. The bytes in the plaintext key are not related to the caller or the CMK.
To generate a data key, specify the symmetric CMK that will be used to encrypt the data key. You cannot use an asymmetric CMK to generate data keys. To get the type of your CMK, use the DescribeKey operation. You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.
To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random byte string, use GenerateRandom.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
How to use your data key
We recommend that you use the following pattern to encrypt data locally in your application. You can write your own code or use a client-side encryption library, such as the AWS Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you.
To encrypt data outside of AWS KMS:
Use the GenerateDataKey operation to get a data key.
Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.
Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.
To decrypt data outside of AWS KMS:
Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.
Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:GenerateDataKey (key policy)
Related operations:
Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric CMK you specify. You can use the data key pair to perform asymmetric cryptography outside of AWS KMS.
GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are not related to the caller or the CMK that is used to encrypt the private key.
You can use the public key that GenerateDataKeyPair returns to encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric customer master key (CMK) to encrypt the private key in a data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the DescribeKey operation.
If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an encrypted private key, but omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use the Decrypt operation to decrypt the encrypted private key in the data key pair.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:GenerateDataKeyPair (key policy)
Related operations:
", + "GenerateDataKeyPairWithoutPlaintext": "Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext operation returns a plaintext public key and a copy of the private key that is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key.
To generate a data key pair, you must specify a symmetric customer master key (CMK) to encrypt the private key in the data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the KeySpec field in the DescribeKey response.
You can use the public key that GenerateDataKeyPairWithoutPlaintext returns to encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each request. The bytes in the key are not related to the caller or CMK that is used to encrypt the private key.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key policy)
Related operations:
", + "GenerateDataKeyWithoutPlaintext": "Generates a unique symmetric data key. This operation returns a data key that is encrypted under a customer master key (CMK) that you specify. To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.
GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that returns only the encrypted copy of the data key. This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key.
It's also useful in distributed systems with different levels of trust. For example, you might store encrypted data in containers. One component of your system creates new containers and stores an encrypted data key with each container. Then, a different component puts the data into the containers. That component first decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then destroys the plaintext data key. In this system, the component that creates the containers never sees the plaintext data key.
GenerateDataKeyWithoutPlaintext returns a unique data key for each request. The bytes in the keys are not related to the caller or CMK that is used to encrypt the private key.
To generate a data key, you must specify the symmetric customer master key (CMK) that is used to encrypt the data key. You cannot use an asymmetric CMK to generate a data key. To get the type of your CMK, use the DescribeKey operation.
If the operation succeeds, you will find the encrypted copy of the data key in the CiphertextBlob field.
You can use the optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:GenerateDataKeyWithoutPlaintext (key policy)
Related operations:
", + "GenerateRandom": "Returns a random byte string that is cryptographically secure.
By default, the random byte string is generated in AWS KMS. To generate the byte string in the AWS CloudHSM cluster that is associated with a custom key store, specify the custom key store ID.
For more information about entropy and random number generation, see the AWS Key Management Service Cryptographic Details whitepaper.
Required permissions: kms:GenerateRandom (IAM policy)
", + "GetKeyPolicy": "Gets a key policy attached to the specified customer master key (CMK).
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:GetKeyPolicy (key policy)
Related operations: PutKeyPolicy
", + "GetKeyRotationStatus": "Gets a Boolean value that indicates whether automatic rotation of the key material is enabled for the specified customer master key (CMK).
You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store. The key rotation status for these CMKs is always false.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Disabled: The key rotation status does not change when you disable a CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing key.
Pending deletion: While a CMK is pending deletion, its key rotation status is false and AWS KMS does not rotate the backing key. If you cancel the deletion, the original key rotation status is restored.
Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
Required permissions: kms:GetKeyRotationStatus (key policy)
Related operations:
", + "GetParametersForImport": "Returns the items you need to import key material into a symmetric, customer managed customer master key (CMK). For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide.
This operation returns a public key and an import token. Use the public key to encrypt the symmetric key material. Store the import token to send with a subsequent ImportKeyMaterial request.
You must specify the key ID of the symmetric CMK into which you will import key material. This CMK's Origin must be EXTERNAL. You must also specify the wrapping algorithm and type of wrapping key (public key) that you will use to encrypt the key material. You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account.
To import key material, you must use the public key and import token from the same response. These items are valid for 24 hours. The expiration date and time appear in the GetParametersForImport response. You cannot use an expired token in an ImportKeyMaterial request. If your key and token expire, send another GetParametersForImport request.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:GetParametersForImport (key policy)
Related operations:
", + "GetPublicKey": "Returns the public key of an asymmetric CMK. Unlike the private key of a asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey permission can download the public key of an asymmetric CMK. You can share the public key to allow others to encrypt messages and verify signatures outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric CMK. When you use the public key within AWS KMS, you benefit from the authentication, authorization, and logging that are part of every AWS KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features are not effective outside of AWS KMS. For details, see Special Considerations for Downloading Public Keys.
To help you use the public key safely outside of AWS KMS, GetPublicKey returns important information about the public key in the response, including:
CustomerMasterKeySpec: The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
KeyUsage: Whether the key is used for encryption or signing.
EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing algorithms for the key.
Although AWS KMS cannot enforce these restrictions on external operations, it is crucial that you use this information to prevent the public key from being used improperly. For example, you can prevent a public signing key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is not supported by AWS KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification operation.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:GetPublicKey (key policy)
Related operations: CreateKey
", + "ImportKeyMaterial": "Imports key material into an existing symmetric AWS KMS customer master key (CMK) that was created without key material. After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but you cannot import different key material.
You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account. For more information about creating CMKs with no key material and then importing key material, see Importing Key Material in the AWS Key Management Service Developer Guide.
Before using this operation, call GetParametersForImport. Its response includes a public key and an import token. Use the public key to encrypt the key material. Then, submit the import token from the same GetParametersForImport response.
When calling this operation, you must specify the following values:
The key ID or key ARN of a CMK with no key material. Its Origin must be EXTERNAL.
To create a CMK with no key material, call CreateKey and set the value of its Origin parameter to EXTERNAL. To get the Origin of a CMK, call DescribeKey.)
The encrypted key material. To get the public key to encrypt the key material, call GetParametersForImport.
The import token that GetParametersForImport returned. You must use a public key and token from the same GetParametersForImport response.
Whether the key material expires and if so, when. If you set an expiration date, AWS KMS deletes the key material from the CMK on the specified date, and the CMK becomes unusable. To use the CMK again, you must reimport the same key material. The only way to change an expiration date is by reimporting the same key material and specifying a new expiration date.
When this operation is successful, the key state of the CMK changes from PendingImport to Enabled, and you can use the CMK.
If this operation fails, use the exception to help determine the problem. If the error is related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the CMK and repeat the import procedure. For help, see How To Import Key Material in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:ImportKeyMaterial (key policy)
Related operations:
", + "ListAliases": "Gets a list of aliases in the caller's AWS account and region. For more information about aliases, see CreateAlias.
By default, the ListAliases operation returns all aliases in the account and region. To get only the aliases associated with a particular customer master key (CMK), use the KeyId parameter.
The ListAliases response can include aliases that you created and associated with your customer managed CMKs, and aliases that AWS created and associated with AWS managed CMKs in your account. You can recognize AWS aliases because their names have the format aws/<service-name>, such as aws/dynamodb.
The response might also include aliases that have no TargetKeyId field. These are predefined aliases that AWS has created but has not yet associated with a CMK. Aliases that AWS creates in your account, including predefined aliases, do not count against your AWS KMS aliases quota.
Cross-account use: No. ListAliases does not return aliases in other AWS accounts.
Required permissions: kms:ListAliases (IAM policy)
For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.
Related operations:
", + "ListGrants": "Gets a list of all grants for the specified customer master key (CMK).
The GranteePrincipal field in the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.
Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
Required permissions: kms:ListGrants (key policy)
Related operations:
", + "ListKeyPolicies": "Gets the names of the key policies that are attached to a customer master key (CMK). This operation is designed to get policy names that you can use in a GetKeyPolicy operation. However, the only valid policy name is default.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:ListKeyPolicies (key policy)
Related operations:
", + "ListKeys": "Gets a list of all customer master keys (CMKs) in the caller's AWS account and Region.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:ListKeys (IAM policy)
Related operations:
", + "ListResourceTags": "Returns all tags on the specified customer master key (CMK).
For general information about tags, including the format and syntax, see Tagging AWS resources in the Amazon Web Services General Reference. For information about using tags in AWS KMS, see Tagging keys.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:ListResourceTags (key policy)
Related operations:
", + "ListRetirableGrants": "Returns all grants in which the specified principal is the RetiringPrincipal in the grant.
You can specify any principal in your AWS account. The grants that are returned include grants for CMKs in your AWS account and other AWS accounts.
You might use this operation to determine which grants you may retire. To retire a grant, use the RetireGrant operation.
Cross-account use: You must specify a principal in your AWS account. However, this operation can return grants in any AWS account. You do not need kms:ListRetirableGrants permission (or any other additional permission) in any AWS account other than your own.
Required permissions: kms:ListRetirableGrants (IAM policy) in your AWS account.
Related operations:
", + "PutKeyPolicy": "Attaches a key policy to the specified customer master key (CMK).
For more information about key policies, see Key Policies in the AWS Key Management Service Developer Guide. For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the IAM User Guide . For examples of adding a key policy in multiple programming languages, see Setting a key policy in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:PutKeyPolicy (key policy)
Related operations: GetKeyPolicy
", + "ReEncrypt": "Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can use this operation to change the customer master key (CMK) under which data is encrypted, such as when you manually rotate a CMK or change the CMK that protects a ciphertext. You can also use it to reencrypt ciphertext under the same CMK, such as to change the encryption context of a ciphertext.
The ReEncrypt operation can decrypt ciphertext that was encrypted by using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the public key of an asymmetric CMK outside of AWS KMS. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
When you use the ReEncrypt operation, you need to provide information for the decrypt operation and the subsequent encrypt operation.
If your ciphertext was encrypted under an asymmetric CMK, you must use the SourceKeyId parameter to identify the CMK that encrypted the ciphertext. You must also supply the encryption algorithm that was used. This information is required to decrypt the data.
If your ciphertext was encrypted under a symmetric CMK, the SourceKeyId parameter is optional. AWS KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even if they've lost track of the CMK ID. However, specifying the source CMK is always recommended as a best practice. When you use the SourceKeyId parameter to specify a CMK, AWS KMS uses only the CMK you specify. If the ciphertext was encrypted under a different CMK, the ReEncrypt operation fails. This practice ensures that you use the CMK that you intend.
To reencrypt the data, you must use the DestinationKeyId parameter specify the CMK that re-encrypts the data after it is decrypted. You can select a symmetric or asymmetric CMK. If the destination CMK is an asymmetric CMK, you must also provide the encryption algorithm. The algorithm that you choose must be compatible with the CMK.
When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data. If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. The source CMK and destination CMK can be in different AWS accounts. Either or both CMKs can be in a different account than the caller.
Required permissions:
kms:ReEncryptFrom permission on the source CMK (key policy)
kms:ReEncryptTo permission on the destination CMK (key policy)
To permit reencryption from or to a CMK, include the \"kms:ReEncrypt*\" permission in your key policy. This permission is automatically included in the key policy when you use the console to create a CMK. But you must include it manually when you create a CMK programmatically or when you use the PutKeyPolicy operation to set a key policy.
Related operations:
", + "RetireGrant": "Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:
The AWS account (root user) under which the grant was created
The RetiringPrincipal, if present in the grant
The GranteePrincipal, if RetireGrant is an operation specified in the grant
You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded string. A grant ID is a 64 character unique identifier of a grant. The CreateGrant operation returns both.
Cross-account use: Yes. You can retire a grant on a CMK in a different AWS account.
Required permissions:: Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see Using grants in the AWS Key Management Service Developer Guide.
Related operations:
", + "RevokeGrant": "Revokes the specified grant for the specified customer master key (CMK). You can revoke a grant to actively deny operations that depend on it.
Cross-account use: Yes. To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the KeyId parameter.
Required permissions: kms:RevokeGrant (key policy)
Related operations:
", + "ScheduleKeyDeletion": "Schedules the deletion of a customer master key (CMK). You may provide a waiting period, specified in days, before deletion occurs. If you do not provide a waiting period, the default period of 30 days is used. When this operation is successful, the key state of the CMK changes to PendingDeletion. Before the waiting period ends, you can use CancelKeyDeletion to cancel the deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK and all AWS KMS data associated with it, including all aliases that refer to it.
Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. To prevent the use of a CMK without deleting it, use DisableKey.
If you schedule deletion of a CMK from a custom key store, when the waiting period expires, ScheduleKeyDeletion deletes the CMK from AWS KMS. Then AWS KMS makes a best effort to delete the key material from the associated AWS CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
For more information about scheduling a CMK for deletion, see Deleting Customer Master Keys in the AWS Key Management Service Developer Guide.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:ScheduleKeyDeletion (key policy)
Related operations
", + "Sign": "Creates a digital signature for a message or message digest by using the private key in an asymmetric CMK. To verify the signature, use the Verify operation, or use the public key in the same asymmetric CMK outside of AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is represented by an asymmetric customer master key (CMK). The key owner (or an authorized user) uses their private key to sign a message. Anyone with the public key can verify that the message was signed with that particular private key and that the message hasn't changed since it was signed.
To use the Sign operation, provide the following information:
Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey operation. The caller must have kms:Sign permission on the CMK.
Use the Message parameter to specify the message or message digest to sign. You can submit messages of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash digest in the Message parameter. To indicate whether the message is a full message or a digest, use the MessageType parameter.
Choose a signing algorithm that is compatible with the CMK.
When signing a message, be sure to record the CMK and the signing algorithm. This information is required to verify the signature.
To verify the signature that this operation generates, use the Verify operation. Or use the GetPublicKey operation to download the public key and then use the public key to verify the signature outside of AWS KMS.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:Sign (key policy)
Related operations: Verify
", + "TagResource": "Adds or edits tags on a customer managed CMK.
Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an empty (null) string.
To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag key and a new tag value.
You can use this operation to tag a customer managed CMK, but you cannot tag an AWS managed CMK, an AWS owned CMK, or an alias.
For general information about tags, including the format and syntax, see Tagging AWS resources in the Amazon Web Services General Reference. For information about using tags in AWS KMS, see Tagging keys.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:TagResource (key policy)
Related operations
", + "UntagResource": "Deletes tags from a customer managed CMK. To delete a tag, specify the tag key and the CMK.
When it succeeds, the UntagResource operation doesn't return any output. Also, if the specified tag key isn't found on the CMK, it doesn't throw an exception or return a response. To confirm that the operation worked, use the ListResourceTags operation.
For general information about tags, including the format and syntax, see Tagging AWS resources in the Amazon Web Services General Reference. For information about using tags in AWS KMS, see Tagging keys.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:UntagResource (key policy)
Related operations
", + "UpdateAlias": "Associates an existing AWS KMS alias with a different customer master key (CMK). Each alias is associated with only one CMK at a time, although a CMK can have multiple aliases. The alias and the CMK must be in the same AWS account and region.
The current and new CMK must be the same type (both symmetric or both asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code that uses aliases. If you must assign an alias to a different type of CMK, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
You cannot use UpdateAlias to change an alias name. To change an alias name, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
Because an alias is not a property of a CMK, you can create, update, and delete the aliases of a CMK without affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all CMKs in the account, use the ListAliases operation.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions
kms:UpdateAlias on the alias (IAM policy).
kms:UpdateAlias on the current CMK (key policy).
kms:UpdateAlias on the new CMK (key policy).
For details, see Controlling access to aliases in the AWS Key Management Service Developer Guide.
Related operations:
", + "UpdateCustomKeyStore": "Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use ConnectCustomKeyStore. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.
Use the parameters of UpdateCustomKeyStore to edit your keystore settings.
Use the NewCustomKeyStoreName parameter to change the friendly name of the custom key store to the value that you specify.
Use the KeyStorePassword parameter tell AWS KMS the current password of the kmsuser crypto user (CU) in the associated AWS CloudHSM cluster. You can use this parameter to fix connection failures that occur when AWS KMS cannot log into the associated cluster because the kmsuser password has changed. This value does not change the password in the AWS CloudHSM cluster.
Use the CloudHsmClusterId parameter to associate the custom key store with a different, but related, AWS CloudHSM cluster. You can use this parameter to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is deleted, or when you need to create or restore a cluster from a backup.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the Custom Key Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:UpdateCustomKeyStore (IAM policy)
Related operations:
Updates the description of a customer master key (CMK). To see the description of a CMK, use DescribeKey.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a CMK in a different AWS account.
Required permissions: kms:UpdateKeyDescription (key policy)
Related operations
", + "Verify": "Verifies a digital signature that was generated by the Sign operation.
Verification confirms that an authorized user signed the message with the specified CMK and signing algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with an KMSInvalidSignatureException exception.
A digital signature is generated by using the private key in an asymmetric CMK. The signature is verified by using the public key in the same asymmetric CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
To verify a digital signature, you can use the Verify operation. Specify the same asymmetric CMK, message, and signing algorithm that were used to produce the signature.
You can also verify the digital signature by using the public key of the CMK outside of AWS KMS. Use the GetPublicKey operation to download the public key in the asymmetric CMK and then use the public key to verify the signature outside of AWS KMS. The advantage of using the Verify operation is that it is performed within AWS KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in AWS CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the CMK to verify signatures.
The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:Verify (key policy)
Related operations: Sign
" }, "shapes": { "AWSAccountIdType": { @@ -78,7 +78,7 @@ "base": null, "refs": { "AliasListEntry$AliasName": "String that contains the alias. This value begins with alias/.
Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias. The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.
Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias.
The AliasName value must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.
The alias to be deleted. The alias name must begin with alias/ followed by the alias name, such as alias/ExampleAlias.
Identifies the alias that is changing its CMK. This value must begin with alias/ followed by the alias name, such as alias/ExampleAlias. You cannot use UpdateAlias to change the alias name.
Date and time that the alias was most recently created in the account and Region. Formatted as Unix time.
", + "AliasListEntry$LastUpdatedDate": "Date and time that the alias was most recently associated with a CMK in the account and Region. Formatted as Unix time.
", "CustomKeyStoresListEntry$CreationDate": "The date and time when the custom key store was created.
", "GetParametersForImportResponse$ParametersValidTo": "The time at which the import token and public key are no longer valid. After this time, you cannot use them to make an ImportKeyMaterial request and you must send another GetParametersForImport request to get new ones.
The date and time when the grant was created.
", @@ -621,9 +623,9 @@ } }, "GrantConstraints": { - "base": "Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.
AWS KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric CMK. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric CMKs and management operations, such as DescribeKey or ScheduleKeyDeletion.
In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.
However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.
To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the AWS Key Management Service Developer Guide .
Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.
AWS KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric CMK. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric CMKs and management operations, such as DescribeKey or RetireGrant.
In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.
However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.
To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the AWS Key Management Service Developer Guide .
Allows a cryptographic operation only when the encryption context matches or includes the encryption context specified in this structure. For more information about encryption context, see Encryption Context in the AWS Key Management Service Developer Guide .
", + "CreateGrantRequest$Constraints": "Allows a cryptographic operation only when the encryption context matches or includes the encryption context specified in this structure. For more information about encryption context, see Encryption Context in the AWS Key Management Service Developer Guide .
Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric CMKs and management operations, such as DescribeKey or RetireGrant.
", "GrantListEntry$Constraints": "A list of key-value pairs that must be present in the encryption context of certain subsequent operations that the grant allows.
" } }, @@ -651,7 +653,7 @@ "GrantNameType": { "base": null, "refs": { - "CreateGrantRequest$Name": "A friendly name for identifying the grant. Use this value to prevent the unintended creation of duplicate grants when retrying this request.
When this value is absent, all CreateGrant requests result in a new grant with a unique GrantId even if all the supplied parameters are identical. This can result in unintended duplicates when you retry the CreateGrant request.
When this value is present, you can retry a CreateGrant request with identical parameters; if the grant already exists, the original GrantId is returned without creating a new grant. Note that the returned grant token is unique with every CreateGrant request, even when a duplicate GrantId is returned. All grant tokens obtained in this way can be used interchangeably.
A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when retrying this request.
When this value is absent, all CreateGrant requests result in a new grant with a unique GrantId even if all the supplied parameters are identical. This can result in unintended duplicates when you retry the CreateGrant request.
When this value is present, you can retry a CreateGrant request with identical parameters; if the grant already exists, the original GrantId is returned without creating a new grant. Note that the returned grant token is unique with every CreateGrant request, even when a duplicate GrantId is returned. All grant tokens for the same grant ID can be used interchangeably.
The friendly name that identifies the grant. If a name was provided in the CreateGrant request, that name is returned. Otherwise this value is null.
" } }, @@ -776,24 +778,24 @@ "KeyIdType": { "base": null, "refs": { - "AliasListEntry$TargetKeyId": "String that contains the key identifier referred to by the alias.
", + "AliasListEntry$TargetKeyId": "String that contains the key identifier of the CMK associated with the alias.
", "CancelKeyDeletionRequest$KeyId": "The unique identifier for the customer master key (CMK) for which to cancel deletion.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "CancelKeyDeletionResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK whose deletion is canceled.
", - "CreateAliasRequest$TargetKeyId": "Identifies the CMK to which the alias refers. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. You cannot specify another alias. For help finding the key ID and ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.
", + "CreateAliasRequest$TargetKeyId": "Associates the alias with the specified customer managed CMK. The CMK must be in the same AWS Region.
A valid CMK ID is required. If you supply a null or empty string value, this operation returns an error.
For help finding the key ID and ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "CreateGrantRequest$KeyId": "The unique identifier for the customer master key (CMK) that the grant applies to.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", - "DecryptRequest$KeyId": "Specifies the customer master key (CMK) that AWS KMS will use to decrypt the ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext.
If you specify a KeyId value, the Decrypt operation succeeds only if the specified CMK was used to encrypt the ciphertext.
This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that it adds to the ciphertext blob to determine which CMK was used to encrypt the ciphertext. However, you can use this parameter to ensure that a particular CMK (of any kind) is used to decrypt the ciphertext.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\".
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", + "DecryptRequest$KeyId": "Specifies the customer master key (CMK) that AWS KMS uses to decrypt the ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext.
This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the CMK that you intend.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "DecryptResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK that was used to decrypt the ciphertext.
", "DeleteImportedKeyMaterialRequest$KeyId": "Identifies the CMK from which you are deleting imported key material. The Origin of the CMK must be EXTERNAL.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "DescribeKeyRequest$KeyId": "Describes the specified customer master key (CMK).
If you specify a predefined AWS alias (an AWS alias with no key ID), KMS associates the alias with an AWS managed CMK and returns its KeyId and Arn in the response.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "DisableKeyRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", - "DisableKeyRotationRequest$KeyId": "Identifies a symmetric customer master key (CMK). You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", + "DisableKeyRotationRequest$KeyId": "Identifies a symmetric customer master key (CMK). You cannot enable or disable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "EnableKeyRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "EnableKeyRotationRequest$KeyId": "Identifies a symmetric customer master key (CMK). You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "EncryptRequest$KeyId": "A unique identifier for the customer master key (CMK).
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "EncryptResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK that was used to encrypt the plaintext.
", "GenerateDataKeyPairRequest$KeyId": "Specifies the symmetric CMK that encrypts the private key in the data key pair. You cannot specify an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the DescribeKey operation.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "GenerateDataKeyPairResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK that encrypted the private key.
", - "GenerateDataKeyPairWithoutPlaintextRequest$KeyId": "Specifies the CMK that encrypts the private key in the data key pair. You must specify a symmetric CMK. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the DescribeKey operation.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\".
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", + "GenerateDataKeyPairWithoutPlaintextRequest$KeyId": "Specifies the CMK that encrypts the private key in the data key pair. You must specify a symmetric CMK. You cannot use an asymmetric CMK or a CMK in a custom key store. To get the type and origin of your CMK, use the DescribeKey operation.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "GenerateDataKeyPairWithoutPlaintextResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK that encrypted the private key.
", "GenerateDataKeyRequest$KeyId": "Identifies the symmetric CMK that encrypts the data key.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "GenerateDataKeyResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK that encrypted the data key.
", @@ -809,12 +811,12 @@ "ImportKeyMaterialRequest$KeyId": "The identifier of the symmetric CMK that receives the imported key material. The CMK's Origin must be EXTERNAL. This must be the same CMK specified in the KeyID parameter of the corresponding GetParametersForImport request.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "KeyListEntry$KeyId": "Unique identifier of the key.
", "KeyMetadata$KeyId": "The globally unique identifier for the CMK.
", - "ListAliasesRequest$KeyId": "Lists only aliases that refer to the specified CMK. The value of this parameter can be the ID or Amazon Resource Name (ARN) of a CMK in the caller's account and region. You cannot use an alias name or alias ARN in this value.
This parameter is optional. If you omit it, ListAliases returns all aliases in the account and region.
Lists only aliases that are associated with the specified CMK. Enter a CMK in your AWS account.
This parameter is optional. If you omit it, ListAliases returns all aliases in the account and Region.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "ListGrantsRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "ListKeyPoliciesRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "ListResourceTagsRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "PutKeyPolicyRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", - "ReEncryptRequest$SourceKeyId": "A unique identifier for the CMK that is used to decrypt the ciphertext before it reencrypts it using the destination CMK.
This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that it adds to the ciphertext blob to determine which CMK was used to encrypt the ciphertext. However, you can use this parameter to ensure that a particular CMK (of any kind) is used to decrypt the ciphertext before it is reencrypted.
If you specify a KeyId value, the decrypt part of the ReEncrypt operation succeeds only if the specified CMK was used to encrypt the ciphertext.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\".
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", + "ReEncryptRequest$SourceKeyId": "Specifies the customer master key (CMK) that AWS KMS will use to decrypt the ciphertext before it is re-encrypted. Enter a key ID of the CMK that was used to encrypt the ciphertext.
This parameter is required only when the ciphertext was encrypted under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best practice. This practice ensures that you use the CMK that you intend.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "ReEncryptRequest$DestinationKeyId": "A unique identifier for the CMK that is used to reencrypt the data. Specify a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To find the KeyUsage value of a CMK, use the DescribeKey operation.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "ReEncryptResponse$SourceKeyId": "Unique identifier of the CMK used to originally encrypt the data.
", "ReEncryptResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK that was used to reencrypt the data.
", @@ -824,9 +826,9 @@ "ScheduleKeyDeletionResponse$KeyId": "The Amazon Resource Name (key ARN) of the CMK whose deletion is scheduled.
", "SignRequest$KeyId": "Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "SignResponse$KeyId": "The Amazon Resource Name (key ARN) of the asymmetric CMK that was used to sign the message.
", - "TagResourceRequest$KeyId": "A unique identifier for the CMK you are tagging.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", - "UntagResourceRequest$KeyId": "A unique identifier for the CMK from which you are removing tags.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", - "UpdateAliasRequest$TargetKeyId": "Identifies the CMK to associate with the alias. When the update operation completes, the alias will point to this CMK.
The CMK must be in the same AWS account and Region as the alias. Also, the new target CMK must be the same type as the current target CMK (both symmetric or both asymmetric) and they must have the same key usage.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
To verify that the alias is mapped to the correct CMK, use ListAliases.
", + "TagResourceRequest$KeyId": "Identifies a customer managed CMK in the account and Region.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", + "UntagResourceRequest$KeyId": "Identifies the CMK from which you are removing tags.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", + "UpdateAliasRequest$TargetKeyId": "Identifies the customer managed CMK to associate with the alias. You don't have permission to associate an alias with an AWS managed CMK.
The CMK must be in the same AWS account and Region as the alias. Also, the new target CMK must be the same type as the current target CMK (both symmetric or both asymmetric) and they must have the same key usage.
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
To verify that the alias is mapped to the correct CMK, use ListAliases.
", "UpdateKeyDescriptionRequest$KeyId": "A unique identifier for the customer master key (CMK).
Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
", "VerifyRequest$KeyId": "Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.
To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with \"alias/\". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Alias name: alias/ExampleAlias
Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
", "VerifyResponse$KeyId": "The Amazon Resource Name (key ARN) of the asymmetric CMK that was used to verify the signature.
" @@ -1041,7 +1043,7 @@ "PolicyType": { "base": null, "refs": { - "CreateKeyRequest$Policy": "The key policy to attach to the CMK.
If you provide a key policy, it must meet the following criteria:
If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide .
Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.
If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.
The key policy size quota is 32 kilobytes (32768 bytes).
", + "CreateKeyRequest$Policy": "The key policy to attach to the CMK.
If you provide a key policy, it must meet the following criteria:
If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide .
Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.
If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.
The key policy size quota is 32 kilobytes (32768 bytes).
For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the IAM User Guide .
", "GetKeyPolicyResponse$Policy": "A key policy document in JSON format.
", "PutKeyPolicyRequest$Policy": "The key policy to attach to the CMK.
The key policy must meet the following criteria:
If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the PutKeyPolicy request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.
Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.
The key policy cannot exceed 32 kilobytes (32768 bytes). For more information, see Resource Quotas in the AWS Key Management Service Developer Guide.
" } @@ -1054,7 +1056,7 @@ "GrantListEntry$GranteePrincipal": "The identity that gets the permissions in the grant.
The GranteePrincipal field in the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.
The principal that can retire the grant.
", "GrantListEntry$IssuingAccount": "The AWS account under which the grant was issued.
", - "ListRetirableGrantsRequest$RetiringPrincipal": "The retiring principal for which to list grants.
To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the Amazon Web Services General Reference.
" + "ListRetirableGrantsRequest$RetiringPrincipal": "The retiring principal for which to list grants. Enter a principal in your AWS account.
To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the Amazon Web Services General Reference.
" } }, "PublicKeyType": { @@ -1154,9 +1156,9 @@ "TagList": { "base": null, "refs": { - "CreateKeyRequest$Tags": "One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string.
When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the TagResource operation.
", + "CreateKeyRequest$Tags": "One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string.
When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the TagResource operation.
To use this parameter, you must have kms:TagResource permission in an IAM policy.
", "ListResourceTagsResponse$Tags": "A list of tags. Each tag consists of a tag key and a tag value.
", - "TagResourceRequest$Tags": "One or more tags. Each tag consists of a tag key and a tag value.
" + "TagResourceRequest$Tags": "One or more tags.
Each tag consists of a tag key and a tag value. The tag value can be an empty (null) string.
You cannot have more than one tag on a CMK with the same tag key. If you specify an existing tag key with a different tag value, AWS KMS replaces the current tag value with the specified one.
" } }, "TagResourceRequest": { diff --git a/models/apis/kms/2014-11-01/examples-1.json b/models/apis/kms/2014-11-01/examples-1.json index b0a17a5bec..101313f4b0 100644 --- a/models/apis/kms/2014-11-01/examples-1.json +++ b/models/apis/kms/2014-11-01/examples-1.json @@ -109,7 +109,8 @@ "Decrypt": [ { "input": { - "CiphertextBlob": "Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service.
", "operations": { + "ActivateKeySigningKey": "Activates a key signing key (KSK) so that it can be used for signing by DNSSEC. This operation changes the KSK status to ACTIVE.
Associates an Amazon VPC with a private hosted zone.
To perform the association, the VPC and the private hosted zone must already exist. You can't convert a public hosted zone into a private hosted zone.
If you want to associate a VPC that was created by using one AWS account with a private hosted zone that was created by using a different account, the AWS account that created the private hosted zone must first submit a CreateVPCAssociationAuthorization request. Then the account that created the VPC must submit an AssociateVPCWithHostedZone request.
Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name. For example, you can use ChangeResourceRecordSets to create a resource record set that routes traffic for test.example.com to a web server that has an IP address of 192.0.2.44.
Deleting Resource Record Sets
To delete a resource record set, you must specify all the same values that you specified when you created it.
Change Batches and Transactional Changes
The request body must include a document with a ChangeResourceRecordSetsRequest element. The request body contains a list of change items, known as a change batch. Change batches are considered transactional changes. Route 53 validates the changes in the request and then either makes all or none of the changes in the change batch request. This ensures that DNS routing isn't adversely affected by partial changes to the resource record sets in a hosted zone.
For example, suppose a change batch request contains two changes: it deletes the CNAME resource record set for www.example.com and creates an alias resource record set for www.example.com. If validation for both records succeeds, Route 53 deletes the first resource record set and creates the second resource record set in a single operation. If validation for either the DELETE or the CREATE action fails, then the request is canceled, and the original CNAME record continues to exist.
If you try to delete the same resource record set more than once in a single change batch, Route 53 returns an InvalidChangeBatch error.
Traffic Flow
To create resource record sets for complex routing configurations, use either the traffic flow visual editor in the Route 53 console or the API actions for traffic policies and traffic policy instances. Save the configuration as a traffic policy, then associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), in the same hosted zone or in multiple hosted zones. You can roll back the updates if the new configuration isn't performing as expected. For more information, see Using Traffic Flow to Route DNS Traffic in the Amazon Route 53 Developer Guide.
Create, Delete, and Upsert
Use ChangeResourceRecordsSetsRequest to perform the following actions:
CREATE: Creates a resource record set that has the specified values.
DELETE: Deletes an existing resource record set that has the specified values.
UPSERT: If a resource record set does not already exist, AWS creates it. If a resource set does exist, Route 53 updates it with the values in the request.
Syntaxes for Creating, Updating, and Deleting Resource Record Sets
The syntax for a request depends on the type of resource record set that you want to create, delete, or update, such as weighted, alias, or failover. The XML elements in your request must appear in the order listed in the syntax.
For an example for each type of resource record set, see \"Examples.\"
Don't refer to the syntax in the \"Parameter Syntax\" section, which includes all of the elements for every kind of resource record set that you can create, delete, or update by using ChangeResourceRecordSets.
Change Propagation to Route 53 DNS Servers
When you submit a ChangeResourceRecordSets request, Route 53 propagates your changes to all of the Route 53 authoritative DNS servers. While your changes are propagating, GetChange returns a status of PENDING. When propagation is complete, GetChange returns a status of INSYNC. Changes generally propagate to all Route 53 name servers within 60 seconds. For more information, see GetChange.
Limits on ChangeResourceRecordSets Requests
For information about the limits on a ChangeResourceRecordSets request, see Limits in the Amazon Route 53 Developer Guide.
Adds, edits, or deletes tags for a health check or a hosted zone.
For information about using tags for cost allocation, see Using Cost Allocation Tags in the AWS Billing and Cost Management User Guide.
", "CreateHealthCheck": "Creates a new health check.
For information about adding health checks to resource record sets, see HealthCheckId in ChangeResourceRecordSets.
ELB Load Balancers
If you're registering EC2 instances with an Elastic Load Balancing (ELB) load balancer, do not create Amazon Route 53 health checks for the EC2 instances. When you register an EC2 instance with a load balancer, you configure settings for an ELB health check, which performs a similar function to a Route 53 health check.
Private Hosted Zones
You can associate health checks with failover resource record sets in a private hosted zone. Note the following:
Route 53 health checkers are outside the VPC. To check the health of an endpoint within a VPC by IP address, you must assign a public IP address to the instance in the VPC.
You can configure a health checker to check the health of an external resource that the instance relies on, such as a database server.
You can create a CloudWatch metric, associate an alarm with the metric, and then create a health check that is based on the state of the alarm. For example, you might create a CloudWatch metric that checks the status of the Amazon EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the state of the alarm. For information about creating CloudWatch metrics and alarms by using the CloudWatch console, see the Amazon CloudWatch User Guide.
Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic on the internet for a domain, such as example.com, and its subdomains (apex.example.com, acme.example.com). You create records in a private hosted zone to define how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds (Amazon VPCs).
You can't convert a public hosted zone to a private hosted zone or vice versa. Instead, you must create a new hosted zone with the same name and create new resource record sets.
For more information about charges for hosted zones, see Amazon Route 53 Pricing.
Note the following:
You can't create a hosted zone for a top-level domain (TLD) such as .com.
For public hosted zones, Route 53 automatically creates a default SOA record and four NS records for the zone. For more information about SOA and NS records, see NS and SOA Records that Route 53 Creates for a Hosted Zone in the Amazon Route 53 Developer Guide.
If you want to use the same name servers for multiple public hosted zones, you can optionally associate a reusable delegation set with the hosted zone. See the DelegationSetId element.
If your domain is registered with a registrar other than Route 53, you must update the name servers with your registrar to make Route 53 the DNS service for the domain. For more information, see Migrating DNS Service for an Existing Domain to Amazon Route 53 in the Amazon Route 53 Developer Guide.
When you submit a CreateHostedZone request, the initial status of the hosted zone is PENDING. For public hosted zones, this means that the NS and SOA records are not yet available on all Route 53 DNS servers. When the NS and SOA records are available, the status of the zone changes to INSYNC.
Creates a new key signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone.
", "CreateQueryLoggingConfig": "Creates a configuration for DNS query logging. After you create a query logging configuration, Amazon Route 53 begins to publish log data to an Amazon CloudWatch Logs log group.
DNS query logs contain information about the queries that Route 53 receives for a specified public hosted zone, such as the following:
Route 53 edge location that responded to the DNS query
Domain or subdomain that was requested
DNS record type, such as A or AAAA
DNS response code, such as NoError or ServFail
Before you create a query logging configuration, perform the following operations.
If you create a query logging configuration using the Route 53 console, Route 53 performs these operations automatically.
Create a CloudWatch Logs log group, and make note of the ARN, which you specify when you create a query logging configuration. Note the following:
You must create the log group in the us-east-1 region.
You must use the same AWS account to create the log group and the hosted zone that you want to configure query logging for.
When you create log groups for query logging, we recommend that you use a consistent prefix, for example:
/aws/route53/hosted zone name
In the next step, you'll create a resource policy, which controls access to one or more log groups and the associated AWS resources, such as Route 53 hosted zones. There's a limit on the number of resource policies that you can create, so we recommend that you use a consistent prefix so you can use the same resource policy for all the log groups that you create for query logging.
Create a CloudWatch Logs resource policy, and give it the permissions that Route 53 needs to create log streams and to send query logs to log streams. For the value of Resource, specify the ARN for the log group that you created in the previous step. To use the same resource policy for all the CloudWatch Logs log groups that you created for query logging configurations, replace the hosted zone name with *, for example:
arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/*
You can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the AWS SDKs, or the AWS CLI.
When Route 53 finishes creating the configuration for DNS query logging, it does the following:
Creates a log stream for an edge location the first time that the edge location responds to DNS queries for the specified hosted zone. That log stream is used to log all queries that Route 53 responds to for that edge location.
Begins to send query logs to the applicable log stream.
The name of each log stream is in the following format:
hosted zone ID/edge location code
The edge location code is a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) For a list of edge locations, see \"The Route 53 Global Network\" on the Route 53 Product Details page.
Query logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response. It doesn't forward another query to Route 53 until the TTL for the corresponding resource record set expires. Depending on how many DNS queries are submitted for a resource record set, and depending on the TTL for that resource record set, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS. For more information about how DNS works, see Routing Internet Traffic to Your Website or Web Application in the Amazon Route 53 Developer Guide.
For a list of the values in each query log and the format of each value, see Logging DNS Queries in the Amazon Route 53 Developer Guide.
For information about charges for query logs, see Amazon CloudWatch Pricing.
If you want Route 53 to stop sending query logs to CloudWatch Logs, delete the query logging configuration. For more information, see DeleteQueryLoggingConfig.
Creates a delegation set (a group of four name servers) that can be reused by multiple hosted zones that were created by the same AWS account.
You can also create a reusable delegation set that uses the four name servers that are associated with an existing hosted zone. Specify the hosted zone ID in the CreateReusableDelegationSet request.
You can't associate a reusable delegation set with a private hosted zone.
For information about using a reusable delegation set to configure white label name servers, see Configuring White Label Name Servers.
The process for migrating existing hosted zones to use a reusable delegation set is comparable to the process for configuring white label name servers. You need to perform the following steps:
Create a reusable delegation set.
Recreate hosted zones, and reduce the TTL to 60 seconds or less.
Recreate resource record sets in the new hosted zones.
Change the registrar's name servers to use the name servers for the new hosted zones.
Monitor traffic for the website or application.
Change TTLs back to their original values.
If you want to migrate existing hosted zones to use a reusable delegation set, the existing hosted zones can't use any of the name servers that are assigned to the reusable delegation set. If one or more hosted zones do use one or more name servers that are assigned to the reusable delegation set, you can do one of the following:
For small numbers of hosted zones—up to a few hundred—it's relatively easy to create reusable delegation sets until you get one that has four name servers that don't overlap with any of the name servers in your hosted zones.
For larger numbers of hosted zones, the easiest solution is to use more than one reusable delegation set.
For larger numbers of hosted zones, you can also migrate hosted zones that have overlapping name servers to hosted zones that don't have overlapping name servers, then migrate the hosted zones again to use the reusable delegation set.
Creates a traffic policy, which you use to create multiple DNS resource record sets for one domain name (such as example.com) or one subdomain name (such as www.example.com).
", "CreateTrafficPolicyInstance": "Creates resource record sets in a specified hosted zone based on the settings in a specified traffic policy version. In addition, CreateTrafficPolicyInstance associates the resource record sets with a specified domain name (such as example.com) or subdomain name (such as www.example.com). Amazon Route 53 responds to DNS queries for the domain or subdomain name by using the resource record sets that CreateTrafficPolicyInstance created.
Creates a new version of an existing traffic policy. When you create a new version of a traffic policy, you specify the ID of the traffic policy that you want to update and a JSON-formatted document that describes the new version. You use traffic policies to create multiple DNS resource record sets for one domain name (such as example.com) or one subdomain name (such as www.example.com). You can create a maximum of 1000 versions of a traffic policy. If you reach the limit and need to create another version, you'll need to start a new traffic policy.
", "CreateVPCAssociationAuthorization": "Authorizes the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request to associate the VPC with a specified hosted zone that was created by a different account. To submit a CreateVPCAssociationAuthorization request, you must use the account that created the hosted zone. After you authorize the association, use the account that created the VPC to submit an AssociateVPCWithHostedZone request.
If you want to associate multiple VPCs that you created by using one account with a hosted zone that you created by using a different account, you must submit one authorization request for each VPC.
Deactivates a key signing key (KSK) so that it will not be used for signing by DNSSEC. This operation changes the KSK status to INACTIVE.
Deletes a health check.
Amazon Route 53 does not prevent you from deleting a health check even if the health check is associated with one or more resource record sets. If you delete a health check and you don't update the associated resource record sets, the future status of the health check can't be predicted and may change. This will affect the routing of DNS queries for your DNS failover configuration. For more information, see Replacing and Deleting Health Checks in the Amazon Route 53 Developer Guide.
If you're using AWS Cloud Map and you configured Cloud Map to create a Route 53 health check when you register an instance, you can't use the Route 53 DeleteHealthCheck command to delete the health check. The health check is deleted automatically when you deregister the instance; there can be a delay of several hours before the health check is deleted from Route 53.
Deletes a hosted zone.
If the hosted zone was created by another service, such as AWS Cloud Map, see Deleting Public Hosted Zones That Were Created by Another Service in the Amazon Route 53 Developer Guide for information about how to delete it. (The process is the same for public and private hosted zones that were created by another service.)
If you want to keep your domain registration but you want to stop routing internet traffic to your website or web application, we recommend that you delete resource record sets in the hosted zone instead of deleting the hosted zone.
If you delete a hosted zone, you can't undelete it. You must create a new hosted zone and update the name servers for your domain registration, which can require up to 48 hours to take effect. (If you delegated responsibility for a subdomain to a hosted zone and you delete the child hosted zone, you must update the name servers in the parent hosted zone.) In addition, if you delete a hosted zone, someone could hijack the domain and route traffic to their own resources using your domain name.
If you want to avoid the monthly charge for the hosted zone, you can transfer DNS service for the domain to a free DNS service. When you transfer DNS service, you have to update the name servers for the domain registration. If the domain is registered with Route 53, see UpdateDomainNameservers for information about how to replace Route 53 name servers with name servers for the new DNS service. If the domain is registered with another registrar, use the method provided by the registrar to update name servers for the domain registration. For more information, perform an internet search on \"free DNS service.\"
You can delete a hosted zone only if it contains only the default SOA record and NS resource record sets. If the hosted zone contains other resource record sets, you must delete them before you can delete the hosted zone. If you try to delete a hosted zone that contains other resource record sets, the request fails, and Route 53 returns a HostedZoneNotEmpty error. For information about deleting records from your hosted zone, see ChangeResourceRecordSets.
To verify that the hosted zone has been deleted, do one of the following:
Use the GetHostedZone action to request information about the hosted zone.
Use the ListHostedZones action to get a list of the hosted zones associated with the current AWS account.
Deletes a key signing key (KSK). Before you can delete a KSK, you must deactivate it. The KSK must be deactived before you can delete it regardless of whether the hosted zone is enabled for DNSSEC signing.
", "DeleteQueryLoggingConfig": "Deletes a configuration for DNS query logging. If you delete a configuration, Amazon Route 53 stops sending query logs to CloudWatch Logs. Route 53 doesn't delete any logs that are already in CloudWatch Logs.
For more information about DNS query logs, see CreateQueryLoggingConfig.
", "DeleteReusableDelegationSet": "Deletes a reusable delegation set.
You can delete a reusable delegation set only if it isn't associated with any hosted zones.
To verify that the reusable delegation set is not associated with any hosted zones, submit a GetReusableDelegationSet request and specify the ID of the reusable delegation set that you want to delete.
", "DeleteTrafficPolicy": "Deletes a traffic policy.
When you delete a traffic policy, Route 53 sets a flag on the policy to indicate that it has been deleted. However, Route 53 never fully deletes the traffic policy. Note the following:
Deleted traffic policies aren't listed if you run ListTrafficPolicies.
There's no way to get a list of deleted policies.
If you retain the ID of the policy, you can get information about the policy, including the traffic policy document, by running GetTrafficPolicy.
Deletes a traffic policy instance and all of the resource record sets that Amazon Route 53 created when you created the instance.
In the Route 53 console, traffic policy instances are known as policy records.
Removes authorization to submit an AssociateVPCWithHostedZone request to associate a specified VPC with a hosted zone that was created by a different account. You must use the account that created the hosted zone to submit a DeleteVPCAssociationAuthorization request.
Sending this request only prevents the AWS account that created the VPC from associating the VPC with the Amazon Route 53 hosted zone in the future. If the VPC is already associated with the hosted zone, DeleteVPCAssociationAuthorization won't disassociate the VPC from the hosted zone. If you want to delete an existing association, use DisassociateVPCFromHostedZone.
Disables DNSSEC signing in a specific hosted zone. This action does not deactivate any key signing keys (KSKs) that are active in the hosted zone.
", "DisassociateVPCFromHostedZone": "Disassociates an Amazon Virtual Private Cloud (Amazon VPC) from an Amazon Route 53 private hosted zone. Note the following:
You can't disassociate the last Amazon VPC from a private hosted zone.
You can't convert a private hosted zone into a public hosted zone.
You can submit a DisassociateVPCFromHostedZone request using either the account that created the hosted zone or the account that created the Amazon VPC.
Some services, such as AWS Cloud Map and Amazon Elastic File System (Amazon EFS) automatically create hosted zones and associate VPCs with the hosted zones. A service can create a hosted zone using your account or using its own account. You can disassociate a VPC from a hosted zone only if the service created the hosted zone using your account.
When you run DisassociateVPCFromHostedZone, if the hosted zone has a value for OwningAccount, you can use DisassociateVPCFromHostedZone. If the hosted zone has a value for OwningService, you can't use DisassociateVPCFromHostedZone.
Enables DNSSEC signing in a specific hosted zone.
", "GetAccountLimit": "Gets the specified limit for the current account, for example, the maximum number of health checks that you can create using the account.
For the default limit, see Limits in the Amazon Route 53 Developer Guide. To request a higher limit, open a case.
You can also view account limits in AWS Trusted Advisor. Sign in to the AWS Management Console and open the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/. Then choose Service limits in the navigation pane.
Returns the current status of a change batch request. The status is one of the following values:
PENDING indicates that the changes in this request have not propagated to all Amazon Route 53 DNS servers. This is the initial status of all change batch requests.
INSYNC indicates that the changes have propagated to all Route 53 DNS servers.
GetCheckerIpRanges still works, but we recommend that you download ip-ranges.json, which includes IP address ranges for all AWS services. For more information, see IP Address Ranges of Amazon Route 53 Servers in the Amazon Route 53 Developer Guide.
Returns information about DNSSEC for a specific hosted zone, including the key signing keys (KSKs) and zone signing keys (ZSKs) in the hosted zone.
", "GetGeoLocation": "Gets information about whether a specified geographic location is supported for Amazon Route 53 geolocation resource record sets.
Use the following syntax to determine whether a continent is supported for geolocation:
GET /2013-04-01/geolocation?continentcode=two-letter abbreviation for a continent
Use the following syntax to determine whether a country is supported for geolocation:
GET /2013-04-01/geolocation?countrycode=two-character country code
Use the following syntax to determine whether a subdivision of a country is supported for geolocation:
GET /2013-04-01/geolocation?countrycode=two-character country code&subdivisioncode=subdivision code
Gets information about a specified health check.
", "GetHealthCheckCount": "Retrieves the number of health checks that are associated with the current AWS account.
", @@ -80,6 +87,16 @@ "GetAccountLimitRequest$Type": "The limit that you want to get. Valid values include the following:
MAX_HEALTH_CHECKS_BY_OWNER: The maximum number of health checks that you can create using the current account.
MAX_HOSTED_ZONES_BY_OWNER: The maximum number of hosted zones that you can create using the current account.
MAX_REUSABLE_DELEGATION_SETS_BY_OWNER: The maximum number of reusable delegation sets that you can create using the current account.
MAX_TRAFFIC_POLICIES_BY_OWNER: The maximum number of traffic policies that you can create using the current account.
MAX_TRAFFIC_POLICY_INSTANCES_BY_OWNER: The maximum number of traffic policy instances that you can create using the current account. (Traffic policy instances are referred to as traffic flow policy records in the Amazon Route 53 console.)
A complex type that identifies the CloudWatch alarm that you want Amazon Route 53 health checkers to use to determine whether the specified health check is healthy.
", "refs": { @@ -142,11 +159,17 @@ "ChangeInfo": { "base": "A complex type that describes change information about changes made to your hosted zone.
", "refs": { + "ActivateKeySigningKeyResponse$ChangeInfo": null, "AssociateVPCWithHostedZoneResponse$ChangeInfo": "A complex type that describes the changes made to your hosted zone.
", "ChangeResourceRecordSetsResponse$ChangeInfo": "A complex type that contains information about changes made to your hosted zone.
This element contains an ID that you use when performing a GetChange action to get detailed information about the change.
", "CreateHostedZoneResponse$ChangeInfo": "A complex type that contains information about the CreateHostedZone request.
A complex type that contains the ID, the status, and the date and time of a request to delete a hosted zone.
", + "DeleteKeySigningKeyResponse$ChangeInfo": null, + "DisableHostedZoneDNSSECResponse$ChangeInfo": null, "DisassociateVPCFromHostedZoneResponse$ChangeInfo": "A complex type that describes the changes made to the specified private hosted zone.
", + "EnableHostedZoneDNSSECResponse$ChangeInfo": null, "GetChangeResponse$ChangeInfo": "A complex type that contains information about the specified change batch.
" } }, @@ -255,6 +278,16 @@ "refs": { } }, + "CreateKeySigningKeyRequest": { + "base": null, + "refs": { + } + }, + "CreateKeySigningKeyResponse": { + "base": null, + "refs": { + } + }, "CreateQueryLoggingConfigRequest": { "base": null, "refs": { @@ -347,6 +380,27 @@ "TestDNSAnswerResponse$ResponseCode": "A code that indicates whether the request is valid or not. The most common response code is NOERROR, meaning that the request is valid. If the response is not valid, Amazon Route 53 returns a response code that describes the error. For a list of possible response codes, see DNS RCODES on the IANA website.
The hosted zone doesn't have any DNSSEC resources.
", + "refs": { + } + }, + "DNSSECStatus": { + "base": "A string repesenting the status of DNSSEC signing.
", + "refs": { + "GetDNSSECResponse$Status": "A string repesenting the status of DNSSEC.
" + } + }, + "DeactivateKeySigningKeyRequest": { + "base": null, + "refs": { + } + }, + "DeactivateKeySigningKeyResponse": { + "base": null, + "refs": { + } + }, "DelegationSet": { "base": "A complex type that lists the name servers in a delegation set, as well as the CallerReference and the ID for the delegation set.
For the metric that the CloudWatch alarm is associated with, a complex type that contains information about the dimensions for the metric. For information, see Amazon CloudWatch Namespaces, Dimensions, and Metrics Reference in the Amazon CloudWatch User Guide.
" } }, + "DisableHostedZoneDNSSECRequest": { + "base": null, + "refs": { + } + }, + "DisableHostedZoneDNSSECResponse": { + "base": null, + "refs": { + } + }, "Disabled": { "base": null, "refs": { @@ -506,6 +580,16 @@ "refs": { } }, + "EnableHostedZoneDNSSECRequest": { + "base": null, + "refs": { + } + }, + "EnableHostedZoneDNSSECResponse": { + "base": null, + "refs": { + } + }, "EnableSNI": { "base": null, "refs": { @@ -516,64 +600,76 @@ "ErrorMessage": { "base": null, "refs": { - "ConcurrentModification$message": "Descriptive message for the error response.
", + "ConcurrentModification$message": "", "ConflictingDomainExists$message": null, - "ConflictingTypes$message": "Descriptive message for the error response.
", - "DelegationSetAlreadyCreated$message": "Descriptive message for the error response.
", - "DelegationSetAlreadyReusable$message": "Descriptive message for the error response.
", - "DelegationSetInUse$message": "Descriptive message for the error response.
", - "DelegationSetNotAvailable$message": "Descriptive message for the error response.
", - "DelegationSetNotReusable$message": "Descriptive message for the error response.
", + "ConflictingTypes$message": "", + "DNSSECNotFound$message": null, + "DelegationSetAlreadyCreated$message": "", + "DelegationSetAlreadyReusable$message": "", + "DelegationSetInUse$message": "", + "DelegationSetNotAvailable$message": "", + "DelegationSetNotReusable$message": "", "ErrorMessages$member": null, - "HealthCheckAlreadyExists$message": "Descriptive message for the error response.
", - "HealthCheckInUse$message": "Descriptive message for the error response.
", + "HealthCheckAlreadyExists$message": "", + "HealthCheckInUse$message": "", "HealthCheckVersionMismatch$message": null, - "HostedZoneAlreadyExists$message": "Descriptive message for the error response.
", - "HostedZoneNotEmpty$message": "Descriptive message for the error response.
", - "HostedZoneNotFound$message": "Descriptive message for the error response.
", - "HostedZoneNotPrivate$message": "Descriptive message for the error response.
", + "HostedZoneAlreadyExists$message": "", + "HostedZoneNotEmpty$message": "", + "HostedZoneNotFound$message": "", + "HostedZoneNotPrivate$message": "", + "HostedZonePartiallyDelegated$message": null, "IncompatibleVersion$message": null, "InsufficientCloudWatchLogsResourcePolicy$message": null, - "InvalidArgument$message": "Descriptive message for the error response.
", + "InvalidArgument$message": "", "InvalidChangeBatch$message": null, - "InvalidDomainName$message": "Descriptive message for the error response.
", - "InvalidInput$message": "Descriptive message for the error response.
", + "InvalidDomainName$message": "", + "InvalidInput$message": "", + "InvalidKMSArn$message": null, + "InvalidKeySigningKeyName$message": null, + "InvalidKeySigningKeyStatus$message": null, "InvalidPaginationToken$message": null, - "InvalidTrafficPolicyDocument$message": "Descriptive message for the error response.
", - "InvalidVPCId$message": "Descriptive message for the error response.
", - "LastVPCAssociation$message": "Descriptive message for the error response.
", - "LimitsExceeded$message": "Descriptive message for the error response.
", + "InvalidSigningStatus$message": null, + "InvalidTrafficPolicyDocument$message": "", + "InvalidVPCId$message": "", + "KeySigningKeyAlreadyExists$message": null, + "KeySigningKeyInParentDSRecord$message": null, + "KeySigningKeyInUse$message": null, + "KeySigningKeyWithActiveStatusNotFound$message": null, + "LastVPCAssociation$message": "", + "LimitsExceeded$message": "", "NoSuchChange$message": null, "NoSuchCloudWatchLogsLogGroup$message": null, - "NoSuchDelegationSet$message": "Descriptive message for the error response.
", - "NoSuchGeoLocation$message": "Descriptive message for the error response.
", - "NoSuchHealthCheck$message": "Descriptive message for the error response.
", - "NoSuchHostedZone$message": "Descriptive message for the error response.
", + "NoSuchDelegationSet$message": "", + "NoSuchGeoLocation$message": "", + "NoSuchHealthCheck$message": "", + "NoSuchHostedZone$message": "", + "NoSuchKeySigningKey$message": null, "NoSuchQueryLoggingConfig$message": null, - "NoSuchTrafficPolicy$message": "Descriptive message for the error response.
", - "NoSuchTrafficPolicyInstance$message": "Descriptive message for the error response.
", - "NotAuthorizedException$message": "Descriptive message for the error response.
", + "NoSuchTrafficPolicy$message": "", + "NoSuchTrafficPolicyInstance$message": "", + "NotAuthorizedException$message": "", "PriorRequestNotComplete$message": null, - "PublicZoneVPCAssociation$message": "Descriptive message for the error response.
", + "PublicZoneVPCAssociation$message": "", "QueryLoggingConfigAlreadyExists$message": null, "ThrottlingException$message": null, "TooManyHealthChecks$message": null, - "TooManyHostedZones$message": "Descriptive message for the error response.
", - "TooManyTrafficPolicies$message": "Descriptive message for the error response.
", - "TooManyTrafficPolicyInstances$message": "Descriptive message for the error response.
", - "TooManyTrafficPolicyVersionsForCurrentPolicy$message": "Descriptive message for the error response.
", - "TooManyVPCAssociationAuthorizations$message": "Descriptive message for the error response.
", - "TrafficPolicyAlreadyExists$message": "Descriptive message for the error response.
", - "TrafficPolicyInUse$message": "Descriptive message for the error response.
", - "TrafficPolicyInstanceAlreadyExists$message": "Descriptive message for the error response.
", - "VPCAssociationAuthorizationNotFound$message": "Descriptive message for the error response.
", - "VPCAssociationNotFound$message": "Descriptive message for the error response.
" + "TooManyHostedZones$message": "", + "TooManyKeySigningKeys$message": null, + "TooManyTrafficPolicies$message": "", + "TooManyTrafficPolicyInstances$message": "", + "TooManyTrafficPolicyVersionsForCurrentPolicy$message": "", + "TooManyVPCAssociationAuthorizations$message": "", + "TrafficPolicyAlreadyExists$message": "", + "TrafficPolicyInUse$message": "", + "TrafficPolicyInstanceAlreadyExists$message": "", + "VPCAssociationAuthorizationNotFound$message": "", + "VPCAssociationNotFound$message": "The specified VPC or hosted zone weren't found.
" } }, "ErrorMessages": { "base": null, "refs": { - "InvalidChangeBatch$messages": "Descriptive message for the error response.
" + "InvalidChangeBatch$messages": "" } }, "EvaluationPeriods": { @@ -693,6 +789,16 @@ "refs": { } }, + "GetDNSSECRequest": { + "base": null, + "refs": { + } + }, + "GetDNSSECResponse": { + "base": null, + "refs": { + } + }, "GetGeoLocationRequest": { "base": "A request for information about whether a specified geographic location is supported for Amazon Route 53 geolocation resource record sets.
", "refs": { @@ -1010,6 +1116,11 @@ "HostedZoneOwner$OwningService": "If an AWS service uses its own account to create a hosted zone and associate the specified VPC with that hosted zone, OwningService contains an abbreviation that identifies the service. For example, if Amazon Elastic File System (Amazon EFS) created a hosted zone and associated a VPC with the hosted zone, the value of OwningService is efs.amazonaws.com.
The hosted zone nameservers don't match the parent nameservers. The hosted zone and parent must have the same nameservers.
", + "refs": { + } + }, "HostedZoneRRSetCount": { "base": null, "refs": { @@ -1069,7 +1180,7 @@ } }, "InvalidArgument": { - "base": "Parameter name is invalid.
", + "base": "Parameter name is not valid.
", "refs": { } }, @@ -1088,13 +1199,33 @@ "refs": { } }, + "InvalidKMSArn": { + "base": "The KeyManagementServiceArn that you specified isn't valid to use with DNSSEC signing.
", + "refs": { + } + }, + "InvalidKeySigningKeyName": { + "base": "The key signing key (KSK) name that you specified isn't a valid name.
", + "refs": { + } + }, + "InvalidKeySigningKeyStatus": { + "base": "The key signing key (KSK) status isn't valid or another KSK has the status INTERNAL_FAILURE.
The value that you specified to get the second or subsequent page of results is invalid.
", "refs": { } }, + "InvalidSigningStatus": { + "base": "Your hosted zone status isn't valid for this operation. In the hosted zone, change the status to enable DNSSEC or disable DNSSEC.
The format of the traffic policy document that you specified in the Document element is invalid.
The format of the traffic policy document that you specified in the Document element is not valid.
A value that indicates whether this is a private hosted zone.
" } }, + "KeySigningKey": { + "base": "A key signing key (KSK) is a complex type that represents a public/private key pair. The private key is used to generate a digital signature for the zone signing key (ZSK). The public key is stored in the DNS and is used to authenticate the ZSK. A KSK is always associated with a hosted zone; it cannot exist by itself.
", + "refs": { + "CreateKeySigningKeyResponse$KeySigningKey": "The key signing key (KSK) that the request creates.
", + "KeySigningKeys$member": null + } + }, + "KeySigningKeyAlreadyExists": { + "base": "You've already created a key signing key (KSK) with this name or with the same customer managed key (CMK) ARN.
", + "refs": { + } + }, + "KeySigningKeyInParentDSRecord": { + "base": "The key signing key (KSK) is specified in a parent DS record.
", + "refs": { + } + }, + "KeySigningKeyInUse": { + "base": "The key signing key (KSK) that you specified can't be deactivated because it's the only KSK for a currently-enabled DNSSEC. Disable DNSSEC signing, or add or enable another KSK.
", + "refs": { + } + }, + "KeySigningKeyWithActiveStatusNotFound": { + "base": "A key signing key (KSK) with ACTIVE status wasn't found.
The key signing keys (KSKs) in your account.
" + } + }, "LastVPCAssociation": { "base": "The VPC that you're trying to disassociate from the private hosted zone is the last VPC that is associated with the hosted zone. Amazon Route 53 doesn't support disassociating the last VPC from a hosted zone.
", "refs": { @@ -1368,6 +1532,11 @@ "refs": { } }, + "NoSuchKeySigningKey": { + "base": "The specified key signing key (KSK) doesn't exist.
", + "refs": { + } + }, "NoSuchQueryLoggingConfig": { "base": "There is no DNS query logging configuration with the specified ID.
", "refs": { @@ -1387,6 +1556,7 @@ "base": null, "refs": { "CreateHostedZoneRequest$CallerReference": "A unique string that identifies the request and that allows failed CreateHostedZone requests to be retried without the risk of executing the operation twice. You must use a unique CallerReference string every time you submit a CreateHostedZone request. CallerReference can be any unique string, for example, a date/time stamp.
A unique string that identifies the request.
", "CreateReusableDelegationSetRequest$CallerReference": "A unique string that identifies the request, and that allows you to retry failed CreateReusableDelegationSet requests without the risk of executing the operation twice. You must use a unique CallerReference string every time you submit a CreateReusableDelegationSet request. CallerReference can be any unique string, for example a date/time stamp.
The value that you specified for CallerReference when you created the reusable delegation set.
The value that you specified for CallerReference when you created the hosted zone.
A unique string used to identify a hosted zone.
", "AliasTarget$HostedZoneId": "Alias resource records sets only: The value used depends on where you want to route traffic:
Specify the hosted zone ID for your API. You can get the applicable value using the AWS CLI command get-domain-names:
For regional APIs, specify the value of regionalHostedZoneId.
For edge-optimized APIs, specify the value of distributionHostedZoneId.
Specify the hosted zone ID for your interface endpoint. You can get the value of HostedZoneId using the AWS CLI command describe-vpc-endpoints.
Specify Z2FDTNDATAQYW2.
Alias resource record sets for CloudFront can't be created in a private zone.
Specify the hosted zone ID for the region that you created the environment in. The environment must have a regionalized subdomain. For a list of regions and the corresponding hosted zone IDs, see AWS Elastic Beanstalk in the \"AWS Service Endpoints\" chapter of the Amazon Web Services General Reference.
Specify the value of the hosted zone ID for the load balancer. Use the following methods to get the hosted zone ID:
Service Endpoints table in the \"Elastic Load Balancing Endpoints and Quotas\" topic in the Amazon Web Services General Reference: Use the value that corresponds with the region that you created your load balancer in. Note that there are separate columns for Application and Classic Load Balancers and for Network Load Balancers.
AWS Management Console: Go to the Amazon EC2 page, choose Load Balancers in the navigation pane, select the load balancer, and get the value of the Hosted zone field on the Description tab.
Elastic Load Balancing API: Use DescribeLoadBalancers to get the applicable value. For more information, see the applicable guide:
Classic Load Balancers: Use DescribeLoadBalancers to get the value of CanonicalHostedZoneNameId.
Application and Network Load Balancers: Use DescribeLoadBalancers to get the value of CanonicalHostedZoneId.
AWS CLI: Use describe-load-balancers to get the applicable value. For more information, see the applicable guide:
Classic Load Balancers: Use describe-load-balancers to get the value of CanonicalHostedZoneNameId.
Application and Network Load Balancers: Use describe-load-balancers to get the value of CanonicalHostedZoneId.
Specify Z2BJ6XQ5FK7U4H.
Specify the hosted zone ID for the region that you created the bucket in. For more information about valid values, see the table Amazon S3 Website Endpoints in the Amazon Web Services General Reference.
Specify the hosted zone ID of your hosted zone. (An alias resource record set can't reference a resource record set in a different hosted zone.)
The ID of the private hosted zone that you want to associate an Amazon VPC with.
Note that you can't associate a VPC with a hosted zone that doesn't have an existing VPC association.
", "ChangeInfo$Id": "The ID of the request.
", "ChangeResourceRecordSetsRequest$HostedZoneId": "The ID of the hosted zone that contains the resource record sets that you want to change.
", "CreateHostedZoneRequest$DelegationSetId": "If you want to associate a reusable delegation set with this hosted zone, the ID that Amazon Route 53 assigned to the reusable delegation set when you created it. For more information about reusable delegation sets, see CreateReusableDelegationSet.
", + "CreateKeySigningKeyRequest$HostedZoneId": "The unique string (ID) used to identify a hosted zone.
", "CreateQueryLoggingConfigRequest$HostedZoneId": "The ID of the hosted zone that you want to log queries for. You can log queries only for public hosted zones.
", "CreateReusableDelegationSetRequest$HostedZoneId": "If you want to mark the delegation set for an existing hosted zone as reusable, the ID for that hosted zone.
", "CreateTrafficPolicyInstanceRequest$HostedZoneId": "The ID of the hosted zone that you want Amazon Route 53 to create resource record sets in by using the configuration in a traffic policy.
", "CreateVPCAssociationAuthorizationRequest$HostedZoneId": "The ID of the private hosted zone that you want to authorize associating a VPC with.
", "CreateVPCAssociationAuthorizationResponse$HostedZoneId": "The ID of the hosted zone that you authorized associating a VPC with.
", + "DeactivateKeySigningKeyRequest$HostedZoneId": "A unique string used to identify a hosted zone.
", "DelegationSet$Id": "The ID that Amazon Route 53 assigns to a reusable delegation set.
", "DeleteHostedZoneRequest$Id": "The ID of the hosted zone you want to delete.
", + "DeleteKeySigningKeyRequest$HostedZoneId": "A unique string used to identify a hosted zone.
", "DeleteReusableDelegationSetRequest$Id": "The ID of the reusable delegation set that you want to delete.
", "DeleteVPCAssociationAuthorizationRequest$HostedZoneId": "When removing authorization to associate a VPC that was created by one AWS account with a hosted zone that was created with a different AWS account, the ID of the hosted zone.
", + "DisableHostedZoneDNSSECRequest$HostedZoneId": "A unique string used to identify a hosted zone.
", "DisassociateVPCFromHostedZoneRequest$HostedZoneId": "The ID of the private hosted zone that you want to disassociate a VPC from.
", + "EnableHostedZoneDNSSECRequest$HostedZoneId": "A unique string used to identify a hosted zone.
", "GetChangeRequest$Id": "The ID of the change batch request. The value that you specify here is the value that ChangeResourceRecordSets returned in the Id element when you submitted the request.
A unique string used to identify a hosted zone.
", "GetHostedZoneLimitRequest$HostedZoneId": "The ID of the hosted zone that you want to get a limit for.
", "GetHostedZoneRequest$Id": "The ID of the hosted zone that you want to get information about.
", "GetReusableDelegationSetLimitRequest$DelegationSetId": "The ID of the delegation set that you want to get the limit for.
", @@ -1708,6 +1885,7 @@ "refs": { "CreateHealthCheckResponse$Location": "The unique URL representing the new health check.
", "CreateHostedZoneResponse$Location": "The unique URL representing the new hosted zone.
", + "CreateKeySigningKeyResponse$Location": "The unique URL representing the new key signing key (KSK).
", "CreateQueryLoggingConfigResponse$Location": "The unique URL representing the new query logging configuration.
", "CreateReusableDelegationSetResponse$Location": "The unique URL representing the new reusable delegation set.
", "CreateTrafficPolicyInstanceResponse$Location": "A unique URL that represents a new traffic policy instance.
", @@ -1735,12 +1913,69 @@ "UpdateHealthCheckRequest$SearchString": "If the value of Type is HTTP_STR_MATCH or HTTPS_STR_MATCH, the string that you want Amazon Route 53 to search for in the response body from the specified resource. If the string appears in the response body, Route 53 considers the resource healthy. (You can't change the value of Type when you update a health check.)
Indicates your hosted zone signging status: SIGNING, NOT_SIGNING, or INTERNAL_FAILURE. If the status is INTERNAL_FAILURE, see StatusMessage for information about steps that you can take to correct the problem.
A status INTERNAL_FAILURE means there was an error during a request. Before you can continue to work with DNSSEC signing, including working with key signing keys (KSKs), you must correct the problem by enabling or disabling DNSSEC signing for the hosted zone.
If the health check or hosted zone was created by another service, the service that created the resource. When a resource is created by another service, you can't edit or delete it using Amazon Route 53.
" } }, + "SigningKeyInteger": { + "base": null, + "refs": { + "KeySigningKey$Flag": "An integer that specifies how the key is used. For key signing key (KSK), this value is always 257.
", + "KeySigningKey$SigningAlgorithmType": "An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
", + "KeySigningKey$DigestAlgorithmType": "An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
" + } + }, + "SigningKeyName": { + "base": null, + "refs": { + "ActivateKeySigningKeyRequest$Name": "An alphanumeric string used to identify a key signing key (KSK).
", + "CreateKeySigningKeyRequest$Name": "An alphanumeric string used to identify a key signing key (KSK). Name must be unique for each key signing key in the same hosted zone.
An alphanumeric string used to identify a key signing key (KSK).
", + "DeleteKeySigningKeyRequest$Name": "An alphanumeric string used to identify a key signing key (KSK).
", + "KeySigningKey$Name": "An alphanumeric string used to identify a key signing key (KSK). Name must be unique for each key signing key in the same hosted zone.
A string specifying the initial status of the key signing key (KSK). You can set the value to ACTIVE or INACTIVE.
A string that represents the current key signing key (KSK) status.
Status can have one of the following values:
The KSK is being used for signing.
The KSK is not being used for signing.
There is an error in the KSK that requires you to take action to resolve.
There was an error during a request. Before you can continue to work with DNSSEC signing, including actions that involve this KSK, you must correct the problem. For example, you may need to activate or deactivate the KSK.
The status message provided for the following DNSSEC signing status: INTERNAL_FAILURE. The status message includes information about what the problem might be and steps that you can take to correct the issue.
The status message provided for the following key signing key (KSK) statuses: ACTION_NEEDED or INTERNAL_FAILURE. The status message includes information about what the problem might be and steps that you can take to correct the issue.
The Amazon resource name (ARN) for a customer managed key (CMK) in AWS Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.
You must configure the CMK as follows:
Enabled
ECC_NIST_P256
Sign and verify
The key policy must give permission for the following actions:
DescribeKey
GetPublicKey
Sign
The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
\"Service\": \"api-service.dnssec.route53.aws.internal\"
For more information about working with CMK in KMS, see AWS Key Management Service concepts.
", + "KeySigningKey$KmsArn": "The Amazon resource name (ARN) used to identify the customer managed key (CMK) in AWS Key Management Service (KMS). The KmsArn must be unique for each key signing key (KSK) in a single hosted zone.
You must configure the CMK as follows:
Enabled
ECC_NIST_P256
Sign and verify
The key policy must give permission for the following actions:
DescribeKey
GetPublicKey
Sign
The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
\"Service\": \"api-service.dnssec.route53.aws.internal\"
For more information about working with the customer managed key (CMK) in KMS, see AWS Key Management Service concepts.
", + "KeySigningKey$SigningAlgorithmMnemonic": "A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
", + "KeySigningKey$DigestAlgorithmMnemonic": "A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
", + "KeySigningKey$DigestValue": "A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
", + "KeySigningKey$PublicKey": "The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
", + "KeySigningKey$DSRecord": "A string that represents a delegation signer (DS) record.
", + "KeySigningKey$DNSKEYRecord": "A string that represents a DNSKEY record.
" + } + }, + "SigningKeyTag": { + "base": null, + "refs": { + "KeySigningKey$KeyTag": "An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
" + } + }, "Statistic": { "base": null, "refs": { @@ -1855,6 +2090,8 @@ "base": null, "refs": { "ChangeInfo$SubmittedAt": "The date and time that the change request was submitted in ISO 8601 format and Coordinated Universal Time (UTC). For example, the value 2017-03-27T17:48:16.751Z represents March 27, 2017 at 17:48:16.751 UTC.
The date when the key signing key (KSK) was created.
", + "KeySigningKey$LastModifiedDate": "The last time that the key signing key (KSK) was changed.
", "StatusReport$CheckedTime": "The date and time that the health checker performed the health check in ISO 8601 format and Coordinated Universal Time (UTC). For example, the value 2017-03-27T17:48:16.751Z represents March 27, 2017 at 17:48:16.751 UTC.
You've reached the limit for the number of key signing keys (KSKs). Remove at least one KSK, and then try again.
", + "refs": { + } + }, "TooManyTrafficPolicies": { "base": "This traffic policy can't be created because the current account has reached the limit on the number of traffic policies.
For information about default limits, see Limits in the Amazon Route 53 Developer Guide.
To get the current limit for an account, see GetAccountLimit.
To request a higher limit, create a case with the AWS Support Center.
", "refs": { diff --git a/models/apis/route53resolver/2018-04-01/api-2.json b/models/apis/route53resolver/2018-04-01/api-2.json index d4b360e4da..c374924c0c 100644 --- a/models/apis/route53resolver/2018-04-01/api-2.json +++ b/models/apis/route53resolver/2018-04-01/api-2.json @@ -223,6 +223,23 @@ {"shape":"ThrottlingException"} ] }, + "GetResolverDnssecConfig":{ + "name":"GetResolverDnssecConfig", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GetResolverDnssecConfigRequest"}, + "output":{"shape":"GetResolverDnssecConfigResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InternalServiceErrorException"}, + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"} + ] + }, "GetResolverEndpoint":{ "name":"GetResolverEndpoint", "http":{ @@ -332,6 +349,23 @@ {"shape":"InternalServiceErrorException"} ] }, + "ListResolverDnssecConfigs":{ + "name":"ListResolverDnssecConfigs", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListResolverDnssecConfigsRequest"}, + "output":{"shape":"ListResolverDnssecConfigsResponse"}, + "errors":[ + {"shape":"InvalidNextTokenException"}, + {"shape":"InvalidParameterException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InternalServiceErrorException"}, + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"} + ] + }, "ListResolverEndpointIpAddresses":{ "name":"ListResolverEndpointIpAddresses", "http":{ @@ -513,6 +547,23 @@ {"shape":"ThrottlingException"} ] }, + "UpdateResolverDnssecConfig":{ + "name":"UpdateResolverDnssecConfig", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"UpdateResolverDnssecConfigRequest"}, + "output":{"shape":"UpdateResolverDnssecConfigResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InternalServiceErrorException"}, + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"} + ] + }, "UpdateResolverEndpoint":{ "name":"UpdateResolverEndpoint", "http":{ @@ -838,6 +889,19 @@ "type":"list", "member":{"shape":"Filter"} }, + "GetResolverDnssecConfigRequest":{ + "type":"structure", + "required":["ResourceId"], + "members":{ + "ResourceId":{"shape":"ResourceId"} + } + }, + "GetResolverDnssecConfigResponse":{ + "type":"structure", + "members":{ + "ResolverDNSSECConfig":{"shape":"ResolverDnssecConfig"} + } + }, "GetResolverEndpointRequest":{ "type":"structure", "required":["ResolverEndpointId"], @@ -1052,6 +1116,30 @@ }, "exception":true }, + "ListResolverDnssecConfigsRequest":{ + "type":"structure", + "members":{ + "MaxResults":{ + "shape":"MaxResults", + "box":true + }, + "NextToken":{ + "shape":"NextToken", + "box":true + }, + "Filters":{ + "shape":"Filters", + "box":true + } + } + }, + "ListResolverDnssecConfigsResponse":{ + "type":"structure", + "members":{ + "NextToken":{"shape":"NextToken"}, + "ResolverDnssecConfigs":{"shape":"ResolverDnssecConfigList"} + } + }, "ListResolverEndpointIpAddressesRequest":{ "type":"structure", "required":["ResolverEndpointId"], @@ -1269,6 +1357,28 @@ "ReturnValue":{"shape":"Boolean"} } }, + "ResolverDNSSECValidationStatus":{ + "type":"string", + "enum":[ + "ENABLING", + "ENABLED", + "DISABLING", + "DISABLED" + ] + }, + "ResolverDnssecConfig":{ + "type":"structure", + "members":{ + "Id":{"shape":"ResourceId"}, + "OwnerId":{"shape":"AccountId"}, + "ResourceId":{"shape":"ResourceId"}, + "ValidationStatus":{"shape":"ResolverDNSSECValidationStatus"} + } + }, + "ResolverDnssecConfigList":{ + "type":"list", + "member":{"shape":"ResolverDnssecConfig"} + }, "ResolverEndpoint":{ "type":"structure", "members":{ @@ -1628,6 +1738,23 @@ "members":{ } }, + "UpdateResolverDnssecConfigRequest":{ + "type":"structure", + "required":[ + "ResourceId", + "Validation" + ], + "members":{ + "ResourceId":{"shape":"ResourceId"}, + "Validation":{"shape":"Validation"} + } + }, + "UpdateResolverDnssecConfigResponse":{ + "type":"structure", + "members":{ + "ResolverDNSSECConfig":{"shape":"ResolverDnssecConfig"} + } + }, "UpdateResolverEndpointRequest":{ "type":"structure", "required":["ResolverEndpointId"], @@ -1661,6 +1788,13 @@ "members":{ "ResolverRule":{"shape":"ResolverRule"} } + }, + "Validation":{ + "type":"string", + "enum":[ + "ENABLE", + "DISABLE" + ] } } } diff --git a/models/apis/route53resolver/2018-04-01/docs-2.json b/models/apis/route53resolver/2018-04-01/docs-2.json index a9ae43bb32..d13d75cc2d 100644 --- a/models/apis/route53resolver/2018-04-01/docs-2.json +++ b/models/apis/route53resolver/2018-04-01/docs-2.json @@ -14,13 +14,15 @@ "DisassociateResolverEndpointIpAddress": "Removes IP addresses from an inbound or an outbound Resolver endpoint. If you want to remove more than one IP address, submit one DisassociateResolverEndpointIpAddress request for each IP address.
To add an IP address to an endpoint, see AssociateResolverEndpointIpAddress.
", "DisassociateResolverQueryLogConfig": "Disassociates a VPC from a query logging configuration.
Before you can delete a query logging configuration, you must first disassociate all VPCs from the configuration. If you used Resource Access Manager (RAM) to share a query logging configuration with other accounts, VPCs can be disassociated from the configuration in the following ways:
The accounts that you shared the configuration with can disassociate VPCs from the configuration.
You can stop sharing the configuration.
Removes the association between a specified Resolver rule and a specified VPC.
If you disassociate a Resolver rule from a VPC, Resolver stops forwarding DNS queries for the domain name that you specified in the Resolver rule.
Gets DNSSEC validation information for a specified resource.
", "GetResolverEndpoint": "Gets information about a specified Resolver endpoint, such as whether it's an inbound or an outbound Resolver endpoint, and the current status of the endpoint.
", "GetResolverQueryLogConfig": "Gets information about a specified Resolver query logging configuration, such as the number of VPCs that the configuration is logging queries for and the location that logs are sent to.
", "GetResolverQueryLogConfigAssociation": "Gets information about a specified association between a Resolver query logging configuration and an Amazon VPC. When you associate a VPC with a query logging configuration, Resolver logs DNS queries that originate in that VPC.
", "GetResolverQueryLogConfigPolicy": "Gets information about a query logging policy. A query logging policy specifies the Resolver query logging operations and resources that you want to allow another AWS account to be able to use.
", "GetResolverRule": "Gets information about a specified Resolver rule, such as the domain name that the rule forwards DNS queries for and the ID of the outbound Resolver endpoint that the rule is associated with.
", "GetResolverRuleAssociation": "Gets information about an association between a specified Resolver rule and a VPC. You associate a Resolver rule and a VPC using AssociateResolverRule.
", - "GetResolverRulePolicy": "Gets information about a Resolver rule policy. A Resolver rule policy specifies the Resolver operations and resources that you want to allow another AWS account to be able to use.
", + "GetResolverRulePolicy": "Gets information about the Resolver rule policy for a specified rule. A Resolver rule policy includes the rule that you want to share with another account, the account that you want to share the rule with, and the Resolver operations that you want to allow the account to use.
", + "ListResolverDnssecConfigs": "Lists the configurations for DNSSEC validation that are associated with the current AWS account.
", "ListResolverEndpointIpAddresses": "Gets the IP addresses for a specified Resolver endpoint.
", "ListResolverEndpoints": "Lists all the Resolver endpoints that were created using the current AWS account.
", "ListResolverQueryLogConfigAssociations": "Lists information about associations between Amazon VPCs and query logging configurations.
", @@ -29,9 +31,10 @@ "ListResolverRules": "Lists the Resolver rules that were created using the current AWS account.
", "ListTagsForResource": "Lists the tags that you associated with the specified resource.
", "PutResolverQueryLogConfigPolicy": "Specifies an AWS account that you want to share a query logging configuration with, the query logging configuration that you want to share, and the operations that you want the account to be able to perform on the configuration.
", - "PutResolverRulePolicy": "Specifies an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules.
", + "PutResolverRulePolicy": "Specifies an AWS rule that you want to share with another account, the account that you want to share the rule with, and the operations that you want the account to be able to perform on the rule.
", "TagResource": "Adds one or more tags to a specified resource.
", "UntagResource": "Removes one or more tags from a specified resource.
", + "UpdateResolverDnssecConfig": "Updates an existing DNSSEC validation configuration. If there is no existing DNSSEC validation configuration, one is created.
", "UpdateResolverEndpoint": "Updates the name of an inbound or an outbound Resolver endpoint.
", "UpdateResolverRule": "Updates settings for a specified Resolver rule. ResolverRuleId is required, and all other parameters are optional. If you don't specify a parameter, it retains its current value.
The owner account ID of the virtual private cloud (VPC) for a configuration for DNSSEC validation.
", "ResolverQueryLogConfig$OwnerId": "The AWS account ID for the account that created the query logging configuration.
", "ResolverRule$OwnerId": "When a rule is shared with another AWS account, the account ID of the account that the rule is shared with.
" } @@ -52,10 +56,10 @@ "base": null, "refs": { "GetResolverQueryLogConfigPolicyRequest$Arn": "The ARN of the query logging configuration that you want to get the query logging policy for.
", - "GetResolverRulePolicyRequest$Arn": "The ID of the Resolver rule policy that you want to get information about.
", + "GetResolverRulePolicyRequest$Arn": "The ID of the Resolver rule that you want to get the Resolver rule policy for.
", "ListTagsForResourceRequest$ResourceArn": "The Amazon Resource Name (ARN) for the resource that you want to list tags for.
", "PutResolverQueryLogConfigPolicyRequest$Arn": "The Amazon Resource Name (ARN) of the account that you want to share rules with.
", - "PutResolverRulePolicyRequest$Arn": "The Amazon Resource Name (ARN) of the account that you want to share rules with.
", + "PutResolverRulePolicyRequest$Arn": "The Amazon Resource Name (ARN) of the rule that you want to share with another account.
", "ResolverEndpoint$Arn": "The ARN (Amazon Resource Name) for the Resolver endpoint.
", "ResolverQueryLogConfig$Arn": "The ARN for the query logging configuration.
", "ResolverRule$Arn": "The ARN (Amazon Resource Name) for the Resolver rule specified by Id.
For Resolver list operations (ListResolverEndpoints, ListResolverRules, ListResolverRuleAssociations, ListResolverQueryLogConfigs, and ListResolverQueryLogConfigAssociations), an optional specification to return a subset of objects.
To filter objects, such as Resolver endpoints or Resolver rules, you specify Name and Values. For example, to list only inbound Resolver endpoints, specify Direction for Name and specify INBOUND for Values.
For Resolver list operations (ListResolverEndpoints, ListResolverRules, ListResolverRuleAssociations, ListResolverQueryLogConfigs, ListResolverQueryLogConfigAssociations), and ListResolverDnssecConfigs), an optional specification to return a subset of objects.
To filter objects, such as Resolver endpoints or Resolver rules, you specify Name and Values. For example, to list only inbound Resolver endpoints, specify Direction for Name and specify INBOUND for Values.
The name of the parameter that you want to use to filter objects.
The valid values for Name depend on the action that you're including the filter in, ListResolverEndpoints, ListResolverRules, ListResolverRuleAssociations, ListResolverQueryLogConfigs, or ListResolverQueryLogConfigAssociations.
In early versions of Resolver, values for Name were listed as uppercase, with underscore (_) delimiters. For example, CreatorRequestId was originally listed as CREATOR_REQUEST_ID. Uppercase values for Name are still supported.
ListResolverEndpoints
Valid values for Name include the following:
CreatorRequestId: The value that you specified when you created the Resolver endpoint.
Direction: Whether you want to return inbound or outbound Resolver endpoints. If you specify DIRECTION for Name, specify INBOUND or OUTBOUND for Values.
HostVpcId: The ID of the VPC that inbound DNS queries pass through on the way from your network to your VPCs in a region, or the VPC that outbound queries pass through on the way from your VPCs to your network. In a CreateResolverEndpoint request, SubnetId indirectly identifies the VPC. In a GetResolverEndpoint request, the VPC ID for a Resolver endpoint is returned in the HostVPCId element.
IpAddressCount: The number of IP addresses that you have associated with the Resolver endpoint.
Name: The name of the Resolver endpoint.
SecurityGroupIds: The IDs of the VPC security groups that you specified when you created the Resolver endpoint.
Status: The status of the Resolver endpoint. If you specify Status for Name, specify one of the following status codes for Values: CREATING, OPERATIONAL, UPDATING, AUTO_RECOVERING, ACTION_NEEDED, or DELETING. For more information, see Status in ResolverEndpoint.
ListResolverRules
Valid values for Name include the following:
CreatorRequestId: The value that you specified when you created the Resolver rule.
DomainName: The domain name for which Resolver is forwarding DNS queries to your network. In the value that you specify for Values, include a trailing dot (.) after the domain name. For example, if the domain name is example.com, specify the following value. Note the \".\" after com:
example.com.
Name: The name of the Resolver rule.
ResolverEndpointId: The ID of the Resolver endpoint that the Resolver rule is associated with.
You can filter on the Resolver endpoint only for rules that have a value of FORWARD for RuleType.
Status: The status of the Resolver rule. If you specify Status for Name, specify one of the following status codes for Values: COMPLETE, DELETING, UPDATING, or FAILED.
Type: The type of the Resolver rule. If you specify TYPE for Name, specify FORWARD or SYSTEM for Values.
ListResolverRuleAssociations
Valid values for Name include the following:
Name: The name of the Resolver rule association.
ResolverRuleId: The ID of the Resolver rule that is associated with one or more VPCs.
Status: The status of the Resolver rule association. If you specify Status for Name, specify one of the following status codes for Values: CREATING, COMPLETE, DELETING, or FAILED.
VPCId: The ID of the VPC that the Resolver rule is associated with.
ListResolverQueryLogConfigs
Valid values for Name include the following:
Arn: The ARN for the query logging configuration.
AssociationCount: The number of VPCs that are associated with the query logging configuration.
CreationTime: The date and time that the query logging configuration was created, in Unix time format and Coordinated Universal Time (UTC).
CreatorRequestId: A unique string that identifies the request that created the query logging configuration.
Destination: The AWS service that you want to forward query logs to. Valid values include the following:
S3
CloudWatchLogs
KinesisFirehose
DestinationArn: The ARN of the location that Resolver is sending query logs to. This value can be the ARN for an S3 bucket, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream.
Id: The ID of the query logging configuration
Name: The name of the query logging configuration
OwnerId: The AWS account ID for the account that created the query logging configuration.
ShareStatus: An indication of whether the query logging configuration is shared with other AWS accounts, or was shared with the current account by another AWS account. Valid values include: NOT_SHARED, SHARED_WITH_ME, or SHARED_BY_ME.
Status: The status of the query logging configuration. If you specify Status for Name, specify the applicable status code for Values: CREATING, CREATED, DELETING, or FAILED. For more information, see Status.
ListResolverQueryLogConfigAssociations
Valid values for Name include the following:
CreationTime: The date and time that the VPC was associated with the query logging configuration, in Unix time format and Coordinated Universal Time (UTC).
Error: If the value of Status is FAILED, specify the cause: DESTINATION_NOT_FOUND or ACCESS_DENIED.
Id: The ID of the query logging association.
ResolverQueryLogConfigId: The ID of the query logging configuration that a VPC is associated with.
ResourceId: The ID of the Amazon VPC that is associated with the query logging configuration.
Status: The status of the query logging association. If you specify Status for Name, specify the applicable status code for Values: CREATING, CREATED, DELETING, or FAILED. For more information, see Status.
The name of the parameter that you want to use to filter objects.
The valid values for Name depend on the action that you're including the filter in, ListResolverEndpoints, ListResolverRules, ListResolverRuleAssociations, ListResolverQueryLogConfigs, or ListResolverQueryLogConfigAssociations.
In early versions of Resolver, values for Name were listed as uppercase, with underscore (_) delimiters. For example, CreatorRequestId was originally listed as CREATOR_REQUEST_ID. Uppercase values for Name are still supported.
ListResolverEndpoints
Valid values for Name include the following:
CreatorRequestId: The value that you specified when you created the Resolver endpoint.
Direction: Whether you want to return inbound or outbound Resolver endpoints. If you specify DIRECTION for Name, specify INBOUND or OUTBOUND for Values.
HostVpcId: The ID of the VPC that inbound DNS queries pass through on the way from your network to your VPCs in a region, or the VPC that outbound queries pass through on the way from your VPCs to your network. In a CreateResolverEndpoint request, SubnetId indirectly identifies the VPC. In a GetResolverEndpoint request, the VPC ID for a Resolver endpoint is returned in the HostVPCId element.
IpAddressCount: The number of IP addresses that you have associated with the Resolver endpoint.
Name: The name of the Resolver endpoint.
SecurityGroupIds: The IDs of the VPC security groups that you specified when you created the Resolver endpoint.
Status: The status of the Resolver endpoint. If you specify Status for Name, specify one of the following status codes for Values: CREATING, OPERATIONAL, UPDATING, AUTO_RECOVERING, ACTION_NEEDED, or DELETING. For more information, see Status in ResolverEndpoint.
ListResolverRules
Valid values for Name include the following:
CreatorRequestId: The value that you specified when you created the Resolver rule.
DomainName: The domain name for which Resolver is forwarding DNS queries to your network. In the value that you specify for Values, include a trailing dot (.) after the domain name. For example, if the domain name is example.com, specify the following value. Note the \".\" after com:
example.com.
Name: The name of the Resolver rule.
ResolverEndpointId: The ID of the Resolver endpoint that the Resolver rule is associated with.
You can filter on the Resolver endpoint only for rules that have a value of FORWARD for RuleType.
Status: The status of the Resolver rule. If you specify Status for Name, specify one of the following status codes for Values: COMPLETE, DELETING, UPDATING, or FAILED.
Type: The type of the Resolver rule. If you specify TYPE for Name, specify FORWARD or SYSTEM for Values.
ListResolverRuleAssociations
Valid values for Name include the following:
Name: The name of the Resolver rule association.
ResolverRuleId: The ID of the Resolver rule that is associated with one or more VPCs.
Status: The status of the Resolver rule association. If you specify Status for Name, specify one of the following status codes for Values: CREATING, COMPLETE, DELETING, or FAILED.
VPCId: The ID of the VPC that the Resolver rule is associated with.
ListResolverQueryLogConfigs
Valid values for Name include the following:
Arn: The ARN for the query logging configuration.
AssociationCount: The number of VPCs that are associated with the query logging configuration.
CreationTime: The date and time that the query logging configuration was created, in Unix time format and Coordinated Universal Time (UTC).
CreatorRequestId: A unique string that identifies the request that created the query logging configuration.
Destination: The AWS service that you want to forward query logs to. Valid values include the following:
S3
CloudWatchLogs
KinesisFirehose
DestinationArn: The ARN of the location that Resolver is sending query logs to. This value can be the ARN for an S3 bucket, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream.
Id: The ID of the query logging configuration
Name: The name of the query logging configuration
OwnerId: The AWS account ID for the account that created the query logging configuration.
ShareStatus: An indication of whether the query logging configuration is shared with other AWS accounts, or was shared with the current account by another AWS account. Valid values include: NOT_SHARED, SHARED_WITH_ME, or SHARED_BY_ME.
Status: The status of the query logging configuration. If you specify Status for Name, specify the applicable status code for Values: CREATING, CREATED, DELETING, or FAILED. For more information, see Status.
ListResolverQueryLogConfigAssociations
Valid values for Name include the following:
CreationTime: The date and time that the VPC was associated with the query logging configuration, in Unix time format and Coordinated Universal Time (UTC).
Error: If the value of Status is FAILED, specify the cause: DESTINATION_NOT_FOUND or ACCESS_DENIED.
Id: The ID of the query logging association.
ResolverQueryLogConfigId: The ID of the query logging configuration that a VPC is associated with.
ResourceId: The ID of the Amazon VPC that is associated with the query logging configuration.
Status: The status of the query logging association. If you specify Status for Name, specify the applicable status code for Values: CREATING, CREATED, DELETING, or FAILED. For more information, see Status.
An optional specification to return a subset of objects.
", "ListResolverEndpointsRequest$Filters": "An optional specification to return a subset of Resolver endpoints, such as all inbound Resolver endpoints.
If you submit a second or subsequent ListResolverEndpoints request and specify the NextToken parameter, you must use the same values for Filters, if any, as in the previous request.
An optional specification to return a subset of query logging associations.
If you submit a second or subsequent ListResolverQueryLogConfigAssociations request and specify the NextToken parameter, you must use the same values for Filters, if any, as in the previous request.
An optional specification to return a subset of query logging configurations.
If you submit a second or subsequent ListResolverQueryLogConfigs request and specify the NextToken parameter, you must use the same values for Filters, if any, as in the previous request.
An optional specification to return a subset of Resolver rules, such as all Resolver rules that are associated with the same Resolver endpoint.
If you submit a second or subsequent ListResolverRules request and specify the NextToken parameter, you must use the same values for Filters, if any, as in the previous request.
Optional: An integer that specifies the maximum number of DNSSEC configuration results that you want Amazon Route 53 to return. If you don't specify a value for MaxResults, Route 53 returns up to 100 configuration per page.
The maximum number of IP addresses that you want to return in the response to a ListResolverEndpointIpAddresses request. If you don't specify a value for MaxResults, Resolver returns up to 100 IP addresses.
The value that you specified for MaxResults in the request.
The maximum number of Resolver endpoints that you want to return in the response to a ListResolverEndpoints request. If you don't specify a value for MaxResults, Resolver returns up to 100 Resolver endpoints.
(Optional) If the current AWS account has more than MaxResults DNSSEC configurations, use NextToken to get the second and subsequent pages of results.
For the first ListResolverDnssecConfigs request, omit this value.
For the second and subsequent requests, get the value of NextToken from the previous response and specify that value for NextToken in the request.
If a response includes the last of the DNSSEC configurations that are associated with the current AWS account, NextToken doesn't appear in the response.
If a response doesn't include the last of the configurations, you can get more configurations by submitting another ListResolverDnssecConfigs request. Get the value of NextToken that Amazon Route 53 returned in the previous response and include it in NextToken in the next request.
For the first ListResolverEndpointIpAddresses request, omit this value.
If the specified Resolver endpoint has more than MaxResults IP addresses, you can submit another ListResolverEndpointIpAddresses request to get the next group of IP addresses. In the next request, specify the value of NextToken from the previous response.
If the specified endpoint has more than MaxResults IP addresses, you can submit another ListResolverEndpointIpAddresses request to get the next group of IP addresses. In the next request, specify the value of NextToken from the previous response.
For the first ListResolverEndpoints request, omit this value.
If you have more than MaxResults Resolver endpoints, you can submit another ListResolverEndpoints request to get the next group of Resolver endpoints. In the next request, specify the value of NextToken from the previous response.
The validation status for a DNSSEC configuration. The status can be one of the following:
ENABLING: DNSSEC validation is being enabled but is not complete.
ENABLED: DNSSEC validation is enabled.
DISABLING: DNSSEC validation is being disabled but is not complete.
DISABLED DNSSEC validation is disabled.
A complex type that contains information about a configuration for DNSSEC validation.
", + "refs": { + "GetResolverDnssecConfigResponse$ResolverDNSSECConfig": "The information about a configuration for DNSSEC validation.
", + "ResolverDnssecConfigList$member": null, + "UpdateResolverDnssecConfigResponse$ResolverDNSSECConfig": "A complex type that contains settings for the specified DNSSEC configuration.
" + } + }, + "ResolverDnssecConfigList": { + "base": null, + "refs": { + "ListResolverDnssecConfigsResponse$ResolverDnssecConfigs": "An array that contains one ResolverDnssecConfig element for each configuration for DNSSEC validation that is associated with the current AWS account.
" + } + }, "ResolverEndpoint": { "base": "In the response to a CreateResolverEndpoint, DeleteResolverEndpoint, GetResolverEndpoint, ListResolverEndpoints, or UpdateResolverEndpoint request, a complex type that contains settings for an existing inbound or outbound Resolver endpoint.
", "refs": { @@ -712,8 +760,8 @@ "ResolverRulePolicy": { "base": null, "refs": { - "GetResolverRulePolicyResponse$ResolverRulePolicy": "Information about the Resolver rule policy that you specified in a GetResolverRulePolicy request.
An AWS Identity and Access Management policy statement that lists the rules that you want to share with another AWS account and the operations that you want the account to be able to perform. You can specify the following operations in the Actions section of the statement:
route53resolver:GetResolverRule
route53resolver:AssociateResolverRule
route53resolver:DisassociateResolverRule
route53resolver:ListResolverRules
route53resolver:ListResolverRuleAssociations
In the Resource section of the statement, you specify the ARNs for the rules that you want to share with the account that you specified in Arn.
The Resolver rule policy for the rule that you specified in a GetResolverRulePolicy request.
An AWS Identity and Access Management policy statement that lists the rules that you want to share with another AWS account and the operations that you want the account to be able to perform. You can specify the following operations in the Action section of the statement:
route53resolver:GetResolverRule
route53resolver:AssociateResolverRule
route53resolver:DisassociateResolverRule
route53resolver:ListResolverRules
route53resolver:ListResolverRuleAssociations
In the Resource section of the statement, specify the ARN for the rule that you want to share with another account. Specify the same ARN that you specified in Arn.
The ID of the Amazon VPC that you want to disassociate from a specified query logging configuration.
", "DisassociateResolverRuleRequest$VPCId": "The ID of the VPC that you want to disassociate the Resolver rule from.
", "DisassociateResolverRuleRequest$ResolverRuleId": "The ID of the Resolver rule that you want to disassociate from the specified VPC.
", + "GetResolverDnssecConfigRequest$ResourceId": "The ID of the virtual private cloud (VPC) for the DNSSEC validation status.
", "GetResolverEndpointRequest$ResolverEndpointId": "The ID of the Resolver endpoint that you want to get information about.
", "GetResolverQueryLogConfigAssociationRequest$ResolverQueryLogConfigAssociationId": "The ID of the Resolver query logging configuration association that you want to get information about.
", "GetResolverQueryLogConfigRequest$ResolverQueryLogConfigId": "The ID of the Resolver query logging configuration that you want to get information about.
", @@ -758,6 +807,8 @@ "IpAddressResponse$IpId": "The ID of one IP address.
", "IpAddressUpdate$IpId": "Only when removing an IP address from a Resolver endpoint: The ID of the IP address that you want to remove. To get this ID, use GetResolverEndpoint.
", "ListResolverEndpointIpAddressesRequest$ResolverEndpointId": "The ID of the Resolver endpoint that you want to get IP addresses for.
", + "ResolverDnssecConfig$Id": "The ID for a configuration for DNSSEC validation.
", + "ResolverDnssecConfig$ResourceId": "The ID of the virtual private cloud (VPC) that you're configuring the DNSSEC validation status for.
", "ResolverEndpoint$Id": "The ID of the Resolver endpoint.
", "ResolverEndpoint$HostVPCId": "The ID of the VPC that you want to create the Resolver endpoint in.
", "ResolverQueryLogConfig$Id": "The ID for the query logging configuration.
", @@ -771,6 +822,7 @@ "ResolverRuleAssociation$VPCId": "The ID of the VPC that you associated the Resolver rule with.
", "ResolverRuleConfig$ResolverEndpointId": "The ID of the new outbound Resolver endpoint that you want to use to route DNS queries to the IP addresses that you specify in TargetIps.
The ID of the virtual private cloud (VPC) that you're updating the DNSSEC validation status for.
", "UpdateResolverEndpointRequest$ResolverEndpointId": "The ID of the Resolver endpoint that you want to update.
", "UpdateResolverRuleRequest$ResolverRuleId": "The ID of the Resolver rule that you want to update.
" } @@ -951,6 +1003,16 @@ "refs": { } }, + "UpdateResolverDnssecConfigRequest": { + "base": null, + "refs": { + } + }, + "UpdateResolverDnssecConfigResponse": { + "base": null, + "refs": { + } + }, "UpdateResolverEndpointRequest": { "base": null, "refs": { @@ -970,6 +1032,12 @@ "base": null, "refs": { } + }, + "Validation": { + "base": null, + "refs": { + "UpdateResolverDnssecConfigRequest$Validation": "The new value that you are specifying for DNSSEC validation for the VPC. The value can be ENABLE or DISABLE. Be aware that it can take time for a validation status change to be completed.
Copies the specified source product to the specified target product or a new product.
You can copy a product to the same account or another account. You can copy a product to the same region or another region.
This operation is performed asynchronously. To track the progress of the operation, use DescribeCopyProductStatus.
", "CreateConstraint": "Creates a constraint.
A delegated admin is authorized to invoke this command.
", "CreatePortfolio": "Creates a portfolio.
A delegated admin is authorized to invoke this command.
", - "CreatePortfolioShare": "Shares the specified portfolio with the specified account or organization node. Shares to an organization node can only be created by the management account of an organization or by a delegated administrator. You can share portfolios to an organization, an organizational unit, or a specific account.
Note that if a delegated admin is de-registered, they can no longer create portfolio shares.
AWSOrganizationsAccess must be enabled in order to create a portfolio share to an organization node.
You can't share a shared resource. This includes portfolios that contain a shared product.
", - "CreateProduct": "Creates a product.
A delegated admin is authorized to invoke this command.
", + "CreatePortfolioShare": "Shares the specified portfolio with the specified account or organization node. Shares to an organization node can only be created by the management account of an organization or by a delegated administrator. You can share portfolios to an organization, an organizational unit, or a specific account.
Note that if a delegated admin is de-registered, they can no longer create portfolio shares.
AWSOrganizationsAccess must be enabled in order to create a portfolio share to an organization node.
You can't share a shared resource, including portfolios that contain a shared product.
If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the UpdatePortfolioShare API instead.
Creates a product.
A delegated admin is authorized to invoke this command.
The user or role that performs this operation must have the cloudformation:GetTemplate IAM policy permission. This policy permission is required when using the ImportFromPhysicalId template source in the information data section.
Creates a plan. A plan includes the list of resources to be created (when provisioning a new product) or modified (when updating a provisioned product) when the plan is executed.
You can create one plan per provisioned product. To create a plan for an existing provisioned product, the product status must be AVAILBLE or TAINTED.
To view the resource changes in the change set, use DescribeProvisionedProductPlan. To create or modify the provisioned product, use ExecuteProvisionedProductPlan.
", - "CreateProvisioningArtifact": "Creates a provisioning artifact (also known as a version) for the specified product.
You cannot create a provisioning artifact for a product that was shared with you.
", + "CreateProvisioningArtifact": "Creates a provisioning artifact (also known as a version) for the specified product.
You cannot create a provisioning artifact for a product that was shared with you.
The user or role that performs this operation must have the cloudformation:GetTemplate IAM policy permission. This policy permission is required when using the ImportFromPhysicalId template source in the information data section.
Creates a self-service action.
", "CreateTagOption": "Creates a TagOption.
", "DeleteConstraint": "Deletes the specified constraint.
A delegated admin is authorized to invoke this command.
", @@ -31,6 +31,7 @@ "DescribeCopyProductStatus": "Gets the status of the specified copy product operation.
", "DescribePortfolio": "Gets information about the specified portfolio.
A delegated admin is authorized to invoke this command.
", "DescribePortfolioShareStatus": "Gets the status of the specified portfolio share operation. This API can only be called by the management account in the organization or by a delegated admin.
", + "DescribePortfolioShares": "Returns a summary of each of the portfolio shares that were created for the specified portfolio.
You can use this API to determine which accounts or organizational nodes this portfolio have been shared, whether the recipient entity has imported the share, and whether TagOptions are included with the share.
The PortfolioId and Type parameters are both required.
Gets information about the specified product.
", "DescribeProductAsAdmin": "Gets information about the specified product. This operation is run with administrator access.
", "DescribeProductView": "Gets information about the specified product.
", @@ -53,7 +54,7 @@ "ExecuteProvisionedProductServiceAction": "Executes a self-service action against a provisioned product.
", "GetAWSOrganizationsAccessStatus": "Get the Access Status for AWS Organization portfolio share feature. This API can only be called by the management account in the organization or by a delegated admin.
", "GetProvisionedProductOutputs": "This API takes either a ProvisonedProductId or a ProvisionedProductName, along with a list of one or more output keys, and responds with the key/value pairs of those outputs.
Requests the import of a resource as a Service Catalog provisioned product that is associated to a Service Catalog product and provisioning artifact. Once imported all supported Service Catalog governance actions are supported on the provisioned product.
Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets and non-root nested stacks are not supported.
The CloudFormation stack must have one of the following statuses to be imported: CREATE_COMPLETE, UPDATE_COMPLETE, UPDATE_ROLLBACK_COMPLETE, IMPORT_COMPLETE, IMPORT_ROLLBACK_COMPLETE.
Import of the resource requires that the CloudFormation stack template matches the associated Service Catalog product provisioning artifact.
", + "ImportAsProvisionedProduct": "Requests the import of a resource as a Service Catalog provisioned product that is associated to a Service Catalog product and provisioning artifact. Once imported, all supported Service Catalog governance actions are supported on the provisioned product.
Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets and non-root nested stacks are not supported.
The CloudFormation stack must have one of the following statuses to be imported: CREATE_COMPLETE, UPDATE_COMPLETE, UPDATE_ROLLBACK_COMPLETE, IMPORT_COMPLETE, IMPORT_ROLLBACK_COMPLETE.
Import of the resource requires that the CloudFormation stack template matches the associated Service Catalog product provisioning artifact.
The user or role that performs this operation must have the cloudformation:GetTemplate and cloudformation:DescribeStacks IAM policy permissions.
Lists all portfolios for which sharing was accepted by this account.
", "ListBudgetsForResource": "Lists all the budgets associated to the specified resource.
", "ListConstraintsForPortfolio": "Lists the constraints for the specified portfolio and product.
", @@ -81,6 +82,7 @@ "TerminateProvisionedProduct": "Terminates the specified provisioned product.
This operation does not delete any records associated with the provisioned product.
You can check the status of this request using DescribeRecord.
", "UpdateConstraint": "Updates the specified constraint.
", "UpdatePortfolio": "Updates the specified portfolio.
You cannot update a product that was shared with you.
", + "UpdatePortfolioShare": "Updates the specified portfolio share. You can use this API to enable or disable TagOptions sharing for an existing portfolio share.
The portfolio share cannot be updated if the CreatePortfolioShare operation is IN_PROGRESS, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.
You must provide the accountId or organization node in the input, but not both.
If the portfolio is shared to both an external account and an organization node, and both shares need to be updated, you must invoke UpdatePortfolioShare separately for each share type.
This API cannot be used for removing the portfolio share. You must use DeletePortfolioShare API for that action.
Updates the specified product.
", "UpdateProvisionedProduct": "Requests updates to the configuration of the specified provisioned product.
If there are tags associated with the object, they cannot be updated or added. Depending on the specific updates requested, this operation can update with no interruption, with some interruption, or replace the provisioned product entirely.
You can check the status of this request using DescribeRecord.
", "UpdateProvisionedProductProperties": "Requests updates to the properties of the specified provisioned product.
", @@ -158,6 +160,7 @@ "TerminateProvisionedProductInput$AcceptLanguage": "The language code.
en - English (default)
jp - Japanese
zh - Chinese
The language code.
en - English (default)
jp - Japanese
zh - Chinese
The language code.
en - English (default)
jp - Japanese
zh - Chinese
The language code.
en - English (default)
jp - Japanese
zh - Chinese
The language code.
en - English (default)
jp - Japanese
zh - Chinese
The language code.
en - English (default)
jp - Japanese
zh - Chinese
The language code.
en - English (default)
jp - Japanese
zh - Chinese
The name of the AWS account that the stack instance is associated with.
", "StackSetAccounts$member": null, - "SuccessfulShares$member": null + "SuccessfulShares$member": null, + "UpdatePortfolioShareInput$AccountId": "The AWS Account Id of the recipient account. This field is required when updating an external account to account type share.
" } }, "AccountIds": { @@ -324,6 +328,14 @@ "refs": { } }, + "Boolean": { + "base": null, + "refs": { + "CreatePortfolioShareInput$ShareTagOptions": "Enables or disables TagOptions sharing when creating the portfolio share. If this flag is not provided, TagOptions sharing is disabled.
Indicates whether the shared portfolio is imported by the recipient account. If the recipient is in an organization node, the share is automatically imported, and the field is always set to true.
", + "PortfolioShareDetail$ShareTagOptions": "Indicates whether TagOptions sharing is enabled or disabled for the portfolio share.
" + } + }, "BudgetDetail": { "base": "Information about a budget.
", "refs": { @@ -683,6 +695,23 @@ "refs": { } }, + "DescribePortfolioShareType": { + "base": null, + "refs": { + "DescribePortfolioSharesInput$Type": "The type of portfolio share to summarize. This field acts as a filter on the type of portfolio share, which can be one of the following:
1. ACCOUNT - Represents an external account to account share.
2. ORGANIZATION - Represents a share to an organization. This share is available to every account in the organization.
3. ORGANIZATIONAL_UNIT - Represents a share to an organizational unit.
4. ORGANIZATION_MEMBER_ACCOUNT - Represents a share to an account in the organization.
The type of the portfolio share.
" + } + }, + "DescribePortfolioSharesInput": { + "base": null, + "refs": { + } + }, + "DescribePortfolioSharesOutput": { + "base": null, + "refs": { + } + }, "DescribeProductAsAdminInput": { "base": null, "refs": { @@ -1052,7 +1081,9 @@ "DescribePortfolioShareStatusInput$PortfolioShareToken": "The token for the portfolio share operation. This token is returned either by CreatePortfolioShare or by DeletePortfolioShare.
", "DescribePortfolioShareStatusOutput$PortfolioShareToken": "The token for the portfolio share operation. For example, share-6v24abcdefghi.
The portfolio identifier.
", + "DescribePortfolioSharesInput$PortfolioId": "The unique identifier of the portfolio for which shares will be retrieved.
", "DescribeProductAsAdminInput$Id": "The product identifier.
", + "DescribeProductAsAdminInput$SourcePortfolioId": "The unique identifier of the shared portfolio that the specified product is associated with.
You can provide this parameter to retrieve the shared TagOptions associated with the product. If this parameter is provided and if TagOptions sharing is enabled in the portfolio share, the API returns both local and shared TagOptions associated with the product. Otherwise only local TagOptions will be returned.
", "DescribeProductInput$Id": "The product identifier.
", "DescribeProductViewInput$Id": "The product view identifier.
", "DescribeProvisionedProductInput$Id": "The provisioned product identifier. You must provide the name or ID, but not both.
If you do not provide a name or ID, or you provide both name and ID, an InvalidParametersException will occur.
The identifier of the provisioning artifact. For example, pa-4abcdjnxjj6ne.
The identifier of the provisioned product.
", "PortfolioDetail$Id": "The portfolio identifier.
", + "PortfolioShareDetail$PrincipalId": "The identifier of the recipient entity that received the portfolio share. The recipient entities can be one of the following:
1. An external account.
2. An organziation member account.
3. An organzational unit (OU).
4. The organization itself. (This shares with every account in the organization).
", "ProductViewSummary$Id": "The product view identifier.
", "ProductViewSummary$ProductId": "The product identifier.
", "ProvisionProductInput$ProductId": "The product identifier. You must provide the name or ID, but not both.
", @@ -1140,6 +1172,8 @@ "TerminateProvisionedProductInput$ProvisionedProductId": "The identifier of the provisioned product. You cannot specify both ProvisionedProductName and ProvisionedProductId.
The identifier of the constraint.
", "UpdatePortfolioInput$Id": "The portfolio identifier.
", + "UpdatePortfolioShareInput$PortfolioId": "The unique identifier of the portfolio for which the share will be updated.
", + "UpdatePortfolioShareOutput$PortfolioShareToken": "The token that tracks the status of the UpdatePortfolioShare operation for external account to account or organizational type sharing.
The product identifier.
", "UpdateProvisionedProductInput$ProvisionedProductId": "The identifier of the provisioned product. You must provide the name or ID, but not both.
", "UpdateProvisionedProductInput$ProductId": "The identifier of the product. You must provide the name or ID, but not both.
", @@ -1478,6 +1512,12 @@ "ProvisionedProductPlanDetails$NotificationArns": "Passed to CloudFormation. The SNS topic ARNs to which to publish stack-related events.
" } }, + "NullableBoolean": { + "base": null, + "refs": { + "UpdatePortfolioShareInput$ShareTagOptions": "A flag to enable or disable TagOptions sharing for the portfolio share. If this field is not provided, the current state of TagOptions sharing on the portfolio share will not be modified.
" + } + }, "OperationNotSupportedException": { "base": "The operation is not supported.
", "refs": { @@ -1488,7 +1528,8 @@ "refs": { "CreatePortfolioShareInput$OrganizationNode": "The organization node to whom you are going to share. If OrganizationNode is passed in, PortfolioShare will be created for the node an ListOrganizationPortfolioAccessd its children (when applies), and a PortfolioShareToken will be returned in the output in order for the administrator to monitor the status of the PortfolioShare creation process.
The organization node to whom you are going to stop sharing.
", - "OrganizationNodes$member": null + "OrganizationNodes$member": null, + "UpdatePortfolioShareInput$OrganizationNode": null } }, "OrganizationNodeType": { @@ -1536,6 +1577,12 @@ "RecordOutput$OutputValue": "The output value.
" } }, + "Owner": { + "base": null, + "refs": { + "TagOptionDetail$Owner": "The AWS account Id of the owner account that created the TagOption.
" + } + }, "PageSize": { "base": null, "refs": { @@ -1566,12 +1613,15 @@ "PageSizeMax100": { "base": null, "refs": { + "DescribePortfolioSharesInput$PageSize": "The maximum number of items to return with this call.
", "ListPortfolioAccessInput$PageSize": "The maximum number of items to return with this call.
" } }, "PageToken": { "base": null, "refs": { + "DescribePortfolioSharesInput$PageToken": "The page token for the next set of results. To retrieve the first set of results, use null.
", + "DescribePortfolioSharesOutput$NextPageToken": "The page token to use to retrieve the next set of results. If there are no additional results, this value is null.
", "DescribeProvisionedProductPlanInput$PageToken": "The page token for the next set of results. To retrieve the first set of results, use null.
", "DescribeProvisionedProductPlanOutput$NextPageToken": "The page token to use to retrieve the next set of results. If there are no additional results, this value is null.
", "DescribeRecordInput$PageToken": "The page token for the next set of results. To retrieve the first set of results, use null.
", @@ -1712,6 +1762,18 @@ "LaunchPathSummary$Name": "The name of the portfolio to which the user was assigned.
" } }, + "PortfolioShareDetail": { + "base": "Information about the portfolio share.
", + "refs": { + "PortfolioShareDetails$member": null + } + }, + "PortfolioShareDetails": { + "base": null, + "refs": { + "DescribePortfolioSharesOutput$PortfolioShareDetails": "Summaries about each of the portfolio shares.
" + } + }, "PortfolioShareType": { "base": null, "refs": { @@ -2136,9 +2198,9 @@ "ProvisioningArtifactInfo": { "base": null, "refs": { - "CreateProvisioningArtifactOutput$Info": "The URL of the CloudFormation template in Amazon S3, in JSON format.
", + "CreateProvisioningArtifactOutput$Info": "Specify the template source with one of the following options, but not both. Keys accepted: [ LoadTemplateFromURL, ImportFromPhysicalId ].
The URL of the CloudFormation template in Amazon S3, in JSON format.
LoadTemplateFromURL
Use the URL of the CloudFormation template in Amazon S3 in JSON format.
ImportFromPhysicalId
Use the physical id of the resource that contains the template; currently supports CloudFormation stack ARN.
", "DescribeProvisioningArtifactOutput$Info": "The URL of the CloudFormation template in Amazon S3.
", - "ProvisioningArtifactProperties$Info": "The URL of the CloudFormation template in Amazon S3. Specify the URL in JSON format as follows:
\"LoadTemplateFromURL\": \"https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2-us-east-1/...\"
Specify the template source with one of the following options, but not both. Keys accepted: [ LoadTemplateFromURL, ImportFromPhysicalId ]
The URL of the CloudFormation template in Amazon S3. Specify the URL in JSON format as follows:
\"LoadTemplateFromURL\": \"https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2-us-east-1/...\"
ImportFromPhysicalId: The physical id of the resource that contains the template. Currently only supports CloudFormation stack arn. Specify the physical id in JSON format as follows: ImportFromPhysicalId: “arn:aws:cloudformation:[us-east-1]:[accountId]:stack/[StackName]/[resourceId]
The metadata for the provisioning artifact. This is used with AWS Marketplace products.
", "UpdateProvisioningArtifactOutput$Info": "The URL of the CloudFormation template in Amazon S3.
" } @@ -2210,8 +2272,8 @@ "ProvisioningArtifactProperties": { "base": "Information about a provisioning artifact (also known as a version) for a product.
", "refs": { - "CreateProductInput$ProvisioningArtifactParameters": "The configuration of the provisioning artifact. The info field accepts ImportFromPhysicalID.
The configuration for the provisioning artifact. The info field accepts ImportFromPhysicalID.
The configuration of the provisioning artifact.
", + "CreateProvisioningArtifactInput$Parameters": "The configuration for the provisioning artifact.
" } }, "ProvisioningArtifactPropertyName": { @@ -2277,7 +2339,7 @@ } }, "ProvisioningPreferences": { - "base": "The user-defined preferences that will be applied when updating a provisioned product. Not all preferences are applicable to all provisioned product types.
", + "base": "The user-defined preferences that will be applied when updating a provisioned product. Not all preferences are applicable to all provisioned product type
One or more AWS accounts that will have access to the provisioned product.
Applicable only to a CFN_STACKSET provisioned product type.
The AWS accounts specified should be within the list of accounts in the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the DescribeProvisioningParameters operation.
If no values are specified, the default value is all accounts from the STACKSET constraint.
An object that contains information about the provisioning preferences for a stack set.
" } @@ -2504,7 +2566,7 @@ "RetainPhysicalResources": { "base": null, "refs": { - "TerminateProvisionedProductInput$RetainPhysicalResources": "When this boolean parameter is set to true, the TerminateProvisionedProduct API deletes the Service Catalog provisioned product. However, it does not remove the CloudFormation stack, stack set, or the underlying resources of the deleted provisioned product. The default value is false.
" + "TerminateProvisionedProductInput$RetainPhysicalResources": "When this boolean parameter is set to true, the TerminateProvisionedProduct API deletes the Service Catalog provisioned product. However, it does not remove the CloudFormation stack, stack set, or the underlying resources of the deleted provisioned product. The default value is false.
Status of the portfolio share operation.
" + "DescribePortfolioShareStatusOutput$Status": "Status of the portfolio share operation.
", + "UpdatePortfolioShareOutput$Status": "The status of UpdatePortfolioShare operation. You can also obtain the operation status using DescribePortfolioShareStatus API.
One or more AWS accounts where stack instances are deployed from the stack set. These accounts can be scoped in ProvisioningPreferences$StackSetAccounts and UpdateProvisioningPreferences$StackSetAccounts.
Applicable only to a CFN_STACKSET provisioned product type.
One or more AWS accounts that will have access to the provisioned product.
Applicable only to a CFN_STACKSET provisioned product type.
The AWS accounts specified should be within the list of accounts in the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the DescribeProvisioningParameters operation.
If no values are specified, the default value is all accounts from the STACKSET constraint.
One or more AWS accounts where the provisioned product will be available.
Applicable only to a CFN_STACKSET provisioned product type.
The specified accounts should be within the list of accounts from the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the DescribeProvisioningParameters operation.
If no values are specified, the default value is all acounts from the STACKSET constraint.
One or more AWS accounts that will have access to the provisioned product.
Applicable only to a CFN_STACKSET provisioned product type.
The AWS accounts specified should be within the list of accounts in the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the DescribeProvisioningParameters operation.
If no values are specified, the default value is all accounts from the STACKSET constraint.
The contact URL for product support.
", + "CreateProductInput$SupportUrl": "The contact URL for product support.
^https?:\\/\\// / is the pattern used to validate SupportUrl.
The URL information to obtain support for this Product.
", "UpdateProductInput$SupportUrl": "The updated support URL for the product.
" } @@ -2999,6 +3062,16 @@ "refs": { } }, + "UpdatePortfolioShareInput": { + "base": null, + "refs": { + } + }, + "UpdatePortfolioShareOutput": { + "base": null, + "refs": { + } + }, "UpdateProductInput": { "base": null, "refs": { diff --git a/models/apis/servicecatalog/2015-12-10/paginators-1.json b/models/apis/servicecatalog/2015-12-10/paginators-1.json index 1ce142e023..f62592efd3 100644 --- a/models/apis/servicecatalog/2015-12-10/paginators-1.json +++ b/models/apis/servicecatalog/2015-12-10/paginators-1.json @@ -1,5 +1,10 @@ { "pagination": { + "DescribePortfolioShares": { + "input_token": "PageToken", + "output_token": "NextPageToken", + "limit_key": "PageSize" + }, "GetProvisionedProductOutputs": { "input_token": "PageToken", "output_token": "NextPageToken", diff --git a/models/apis/sqs/2012-11-05/api-2.json b/models/apis/sqs/2012-11-05/api-2.json index 472f042182..54b129a840 100644 --- a/models/apis/sqs/2012-11-05/api-2.json +++ b/models/apis/sqs/2012-11-05/api-2.json @@ -857,7 +857,9 @@ "FifoQueue", "ContentBasedDeduplication", "KmsMasterKeyId", - "KmsDataKeyReusePeriodSeconds" + "KmsDataKeyReusePeriodSeconds", + "DeduplicationScope", + "FifoThroughputLimit" ] }, "QueueDeletedRecently":{ diff --git a/models/apis/sqs/2012-11-05/docs-2.json b/models/apis/sqs/2012-11-05/docs-2.json index 56609e2dc8..2700277307 100644 --- a/models/apis/sqs/2012-11-05/docs-2.json +++ b/models/apis/sqs/2012-11-05/docs-2.json @@ -2,26 +2,26 @@ "version": "2.0", "service": "Welcome to the Amazon Simple Queue Service API Reference.
Amazon Simple Queue Service (Amazon SQS) is a reliable, highly-scalable hosted queue for storing messages as they travel between applications or microservices. Amazon SQS moves data between distributed application components and helps you decouple these components.
For information on the permissions you need to use this API, see Identity and access management in the Amazon Simple Queue Service Developer Guide.
You can use AWS SDKs to access Amazon SQS using your favorite programming language. The SDKs perform tasks such as the following automatically:
Cryptographically sign your service requests
Retry requests
Handle error responses
Additional Information
Amazon Simple Queue Service Developer Guide
Amazon Web Services General Reference
Adds a permission to a queue for a specific principal. This allows sharing access to the queue.
When you create a queue, you have full control access rights for the queue. Only you, the owner of the queue, can grant or deny permissions to the queue. For more information about these permissions, see Allow Developers to Write Messages to a Shared Queue in the Amazon Simple Queue Service Developer Guide.
AddPermission generates a policy for you. You can use SetQueueAttributes to upload your policy. For more information, see Using Custom Policies with the Amazon SQS Access Policy Language in the Amazon Simple Queue Service Developer Guide.
An Amazon SQS policy can have a maximum of 7 actions.
To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Adds a permission to a queue for a specific principal. This allows sharing access to the queue.
When you create a queue, you have full control access rights for the queue. Only you, the owner of the queue, can grant or deny permissions to the queue. For more information about these permissions, see Allow Developers to Write Messages to a Shared Queue in the Amazon Simple Queue Service Developer Guide.
AddPermission generates a policy for you. You can use SetQueueAttributes to upload your policy. For more information, see Using Custom Policies with the Amazon SQS Access Policy Language in the Amazon Simple Queue Service Developer Guide.
An Amazon SQS policy can have a maximum of 7 actions.
To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
Changes the visibility timeout of a specified message in a queue to a new value. The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours. For more information, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
For example, you have a message with a visibility timeout of 5 minutes. After 3 minutes, you call ChangeMessageVisibility with a timeout of 10 minutes. You can continue to call ChangeMessageVisibility to extend the visibility timeout to the maximum allowed time. If you try to extend the visibility timeout beyond the maximum, your request is rejected.
An Amazon SQS message has three basic states:
Sent to a queue by a producer.
Received from the queue by a consumer.
Deleted from the queue.
A message is considered to be stored after it is sent to a queue by a producer, but not yet received from the queue by a consumer (that is, between states 1 and 2). There is no limit to the number of stored messages. A message is considered to be in flight after it is received from a queue by a consumer, but not yet deleted from the queue (that is, between states 2 and 3). There is a limit to the number of inflight messages.
Limits that apply to inflight messages are unrelated to the unlimited number of stored messages.
For most standard queues (depending on queue traffic and message backlog), there can be a maximum of approximately 120,000 inflight messages (received from a queue by a consumer, but not yet deleted from the queue). If you reach this limit, Amazon SQS returns the OverLimit error message. To avoid reaching the limit, you should delete messages from the queue after they're processed. You can also increase the number of queues you use to process your messages. To request a limit increase, file a support request.
For FIFO queues, there can be a maximum of 20,000 inflight messages (received from a queue by a consumer, but not yet deleted from the queue). If you reach this limit, Amazon SQS returns no error messages.
If you attempt to set the VisibilityTimeout to a value greater than the maximum time left, Amazon SQS returns an error. Amazon SQS doesn't automatically recalculate and increase the timeout to the maximum remaining time.
Unlike with a queue, when you change the visibility timeout for a specific message the timeout value is applied immediately but isn't saved in memory for that message. If you don't delete a message after it is received, the visibility timeout for the message reverts to the original timeout value (not to the value you set using the ChangeMessageVisibility action) the next time the message is received.
Changes the visibility timeout of multiple messages. This is a batch version of ChangeMessageVisibility. The result of the action on each message is reported individually in the response. You can send up to 10 ChangeMessageVisibility requests with each ChangeMessageVisibilityBatch action.
Because the batch request can result in a combination of successful and unsuccessful actions, you should check for batch errors even when the call returns an HTTP status code of 200.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Creates a new standard or FIFO queue. You can pass one or more attributes in the request. Keep the following in mind:
If you don't specify the FifoQueue attribute, Amazon SQS creates a standard queue.
You can't change the queue type after you create it and you can't convert an existing standard queue into a FIFO queue. You must either create a new FIFO queue for your application or delete your existing standard queue and recreate it as a FIFO queue. For more information, see Moving From a Standard Queue to a FIFO Queue in the Amazon Simple Queue Service Developer Guide.
If you don't provide a value for an attribute, the queue is created with the default value for the attribute.
If you delete a queue, you must wait at least 60 seconds before creating a queue with the same name.
To successfully create a new queue, you must provide a queue name that adheres to the limits related to queues and is unique within the scope of your queues.
After you create a queue, you must wait at least one second after the queue is created to be able to use the queue.
To get the queue URL, use the GetQueueUrl action. GetQueueUrl requires only the QueueName parameter. be aware of existing queue names:
If you provide the name of an existing queue along with the exact names and values of all the queue's attributes, CreateQueue returns the queue URL for the existing queue.
If the queue name, attribute names, or attribute values don't match an existing queue, CreateQueue returns an error.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Creates a new standard or FIFO queue. You can pass one or more attributes in the request. Keep the following in mind:
If you don't specify the FifoQueue attribute, Amazon SQS creates a standard queue.
You can't change the queue type after you create it and you can't convert an existing standard queue into a FIFO queue. You must either create a new FIFO queue for your application or delete your existing standard queue and recreate it as a FIFO queue. For more information, see Moving From a Standard Queue to a FIFO Queue in the Amazon Simple Queue Service Developer Guide.
If you don't provide a value for an attribute, the queue is created with the default value for the attribute.
If you delete a queue, you must wait at least 60 seconds before creating a queue with the same name.
To successfully create a new queue, you must provide a queue name that adheres to the limits related to queues and is unique within the scope of your queues.
After you create a queue, you must wait at least one second after the queue is created to be able to use the queue.
To get the queue URL, use the GetQueueUrl action. GetQueueUrl requires only the QueueName parameter. be aware of existing queue names:
If you provide the name of an existing queue along with the exact names and values of all the queue's attributes, CreateQueue returns the queue URL for the existing queue.
If the queue name, attribute names, or attribute values don't match an existing queue, CreateQueue returns an error.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
Deletes the specified message from the specified queue. To select the message to delete, use the ReceiptHandle of the message (not the MessageId which you receive when you send the message). Amazon SQS can delete a message from a queue even if a visibility timeout setting causes the message to be locked by another consumer. Amazon SQS automatically deletes messages left in a queue longer than the retention period configured for the queue.
The ReceiptHandle is associated with a specific instance of receiving a message. If you receive a message more than once, the ReceiptHandle is different each time you receive a message. When you use the DeleteMessage action, you must provide the most recently received ReceiptHandle for the message (otherwise, the request succeeds, but the message might not be deleted).
For standard queues, it is possible to receive a message even after you delete it. This might happen on rare occasions if one of the servers which stores a copy of the message is unavailable when you send the request to delete the message. The copy remains on the server and might be returned to you during a subsequent receive request. You should ensure that your application is idempotent, so that receiving a message more than once does not cause issues.
Deletes up to ten messages from the specified queue. This is a batch version of DeleteMessage. The result of the action on each message is reported individually in the response.
Because the batch request can result in a combination of successful and unsuccessful actions, you should check for batch errors even when the call returns an HTTP status code of 200.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Deletes the queue specified by the QueueUrl, regardless of the queue's contents.
Be careful with the DeleteQueue action: When you delete a queue, any messages in the queue are no longer available.
When you delete a queue, the deletion process takes up to 60 seconds. Requests you send involving that queue during the 60 seconds might succeed. For example, a SendMessage request might succeed, but after 60 seconds the queue and the message you sent no longer exist.
When you delete a queue, you must wait at least 60 seconds before creating a queue with the same name.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Deletes the queue specified by the QueueUrl, regardless of the queue's contents.
Be careful with the DeleteQueue action: When you delete a queue, any messages in the queue are no longer available.
When you delete a queue, the deletion process takes up to 60 seconds. Requests you send involving that queue during the 60 seconds might succeed. For example, a SendMessage request might succeed, but after 60 seconds the queue and the message you sent no longer exist.
When you delete a queue, you must wait at least 60 seconds before creating a queue with the same name.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
Gets attributes for the specified queue.
To determine whether a queue is FIFO, you can check whether QueueName ends with the .fifo suffix.
Returns the URL of an existing Amazon SQS queue.
To access a queue that belongs to another AWS account, use the QueueOwnerAWSAccountId parameter to specify the account ID of the queue's owner. The queue's owner must grant you permission to access the queue. For more information about shared queue access, see AddPermission or see Allow Developers to Write Messages to a Shared Queue in the Amazon Simple Queue Service Developer Guide.
Returns a list of your queues that have the RedrivePolicy queue attribute configured with a dead-letter queue.
The ListDeadLetterSourceQueues methods supports pagination. Set parameter MaxResults in the request to specify the maximum number of results to be returned in the response. If you do not set MaxResults, the response includes a maximum of 1,000 results. If you set MaxResults and there are additional results to display, the response includes a value for NextToken. Use NextToken as a parameter in your next request to ListDeadLetterSourceQueues to receive the next page of results.
For more information about using dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
", - "ListQueueTags": "List all cost allocation tags added to the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Returns a list of your queues in the current region. The response includes a maximum of 1,000 results. If you specify a value for the optional QueueNamePrefix parameter, only queues with a name that begins with the specified value are returned.
The listQueues methods supports pagination. Set parameter MaxResults in the request to specify the maximum number of results to be returned in the response. If you do not set MaxResults, the response includes a maximum of 1,000 results. If you set MaxResults and there are additional results to display, the response includes a value for NextToken. Use NextToken as a parameter in your next request to listQueues to receive the next page of results.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
List all cost allocation tags added to the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
Returns a list of your queues in the current region. The response includes a maximum of 1,000 results. If you specify a value for the optional QueueNamePrefix parameter, only queues with a name that begins with the specified value are returned.
The listQueues methods supports pagination. Set parameter MaxResults in the request to specify the maximum number of results to be returned in the response. If you do not set MaxResults, the response includes a maximum of 1,000 results. If you set MaxResults and there are additional results to display, the response includes a value for NextToken. Use NextToken as a parameter in your next request to listQueues to receive the next page of results.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
Deletes the messages in a queue specified by the QueueURL parameter.
When you use the PurgeQueue action, you can't retrieve any messages deleted from a queue.
The message deletion process takes up to 60 seconds. We recommend waiting for 60 seconds regardless of your queue's size.
Messages sent to the queue before you call PurgeQueue might be received but are deleted within the next minute.
Messages sent to the queue after you call PurgeQueue might be deleted while the queue is being purged.
Retrieves one or more messages (up to 10), from the specified queue. Using the WaitTimeSeconds parameter enables long-poll support. For more information, see Amazon SQS Long Polling in the Amazon Simple Queue Service Developer Guide.
Short poll is the default behavior where a weighted random set of machines is sampled on a ReceiveMessage call. Thus, only the messages on the sampled machines are returned. If the number of messages in the queue is small (fewer than 1,000), you most likely get fewer messages than you requested per ReceiveMessage call. If the number of messages in the queue is extremely small, you might not receive any messages in a particular ReceiveMessage response. If this happens, repeat the request.
For each message returned, the response includes the following:
The message body.
An MD5 digest of the message body. For information about MD5, see RFC1321.
The MessageId you received when you sent the message to the queue.
The receipt handle.
The message attributes.
An MD5 digest of the message attributes.
The receipt handle is the identifier you must provide when deleting the message. For more information, see Queue and Message Identifiers in the Amazon Simple Queue Service Developer Guide.
You can provide the VisibilityTimeout parameter in your request. The parameter is applied to the messages that Amazon SQS returns in the response. If you don't include the parameter, the overall visibility timeout for the queue is used for the returned messages. For more information, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
A message that isn't deleted or a message whose visibility isn't extended before the visibility timeout expires counts as a failed receive. Depending on the configuration of the queue, the message might be sent to the dead-letter queue.
In the future, new attributes might be added. If you write code that calls this action, we recommend that you structure your code so that it can handle new attributes gracefully.
Revokes any permissions in the queue policy that matches the specified Label parameter.
Only the owner of a queue can remove permissions from it.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.
Revokes any permissions in the queue policy that matches the specified Label parameter.
Only the owner of a queue can remove permissions from it.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.
Delivers a message to the specified queue.
A message can include only XML, JSON, and unformatted text. The following Unicode characters are allowed:
#x9 | #xA | #xD | #x20 to #xD7FF | #xE000 to #xFFFD | #x10000 to #x10FFFF
Any characters not included in this list will be rejected. For more information, see the W3C specification for characters.
Delivers up to ten messages to the specified queue. This is a batch version of SendMessage. For a FIFO queue, multiple messages within a single batch are enqueued in the order they are sent.
The result of sending each message is reported individually in the response. Because the batch request can result in a combination of successful and unsuccessful actions, you should check for batch errors even when the call returns an HTTP status code of 200.
The maximum allowed individual message size and the maximum total payload size (the sum of the individual lengths of all of the batched messages) are both 256 KB (262,144 bytes).
A message can include only XML, JSON, and unformatted text. The following Unicode characters are allowed:
#x9 | #xA | #xD | #x20 to #xD7FF | #xE000 to #xFFFD | #x10000 to #x10FFFF
Any characters not included in this list will be rejected. For more information, see the W3C specification for characters.
If you don't specify the DelaySeconds parameter for an entry, Amazon SQS uses the default value for the queue.
Some actions take lists of parameters. These lists are specified using the param.n notation. Values of n are integers starting from 1. For example, a parameter list with two elements looks like this:
&AttributeName.1=first
&AttributeName.2=second
Sets the value of one or more queue attributes. When you change a queue's attributes, the change can take up to 60 seconds for most of the attributes to propagate throughout the Amazon SQS system. Changes made to the MessageRetentionPeriod attribute can take up to 15 minutes.
In the future, new attributes might be added. If you write code that calls this action, we recommend that you structure your code so that it can handle new attributes gracefully.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.
Add cost allocation tags to the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
When you use queue tags, keep the following guidelines in mind:
Adding more than 50 tags to a queue isn't recommended.
Tags don't have any semantic meaning. Amazon SQS interprets tags as character strings.
Tags are case-sensitive.
A new tag with a key identical to that of an existing tag overwrites the existing tag.
For a full list of tag restrictions, see Limits Related to Queues in the Amazon Simple Queue Service Developer Guide.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Remove cost allocation tags from the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Sets the value of one or more queue attributes. When you change a queue's attributes, the change can take up to 60 seconds for most of the attributes to propagate throughout the Amazon SQS system. Changes made to the MessageRetentionPeriod attribute can take up to 15 minutes.
In the future, new attributes might be added. If you write code that calls this action, we recommend that you structure your code so that it can handle new attributes gracefully.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.
Add cost allocation tags to the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
When you use queue tags, keep the following guidelines in mind:
Adding more than 50 tags to a queue isn't recommended.
Tags don't have any semantic meaning. Amazon SQS interprets tags as character strings.
Tags are case-sensitive.
A new tag with a key identical to that of an existing tag overwrites the existing tag.
For a full list of tag restrictions, see Limits Related to Queues in the Amazon Simple Queue Service Developer Guide.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
Remove cost allocation tags from the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
A list of attributes for which to retrieve information.
In the future, new attributes might be added. If you write code that calls this action, we recommend that you structure your code so that it can handle new attributes gracefully.
The following attributes are supported:
The ApproximateNumberOfMessagesDelayed, ApproximateNumberOfMessagesNotVisible, and ApproximateNumberOfMessagesVisible metrics may not achieve consistency until at least 1 minute after the producers stop sending messages. This period is required for the queue metadata to reach eventual consistency.
All – Returns all values.
ApproximateNumberOfMessages – Returns the approximate number of messages available for retrieval from the queue.
ApproximateNumberOfMessagesDelayed – Returns the approximate number of messages in the queue that are delayed and not available for reading immediately. This can happen when the queue is configured as a delay queue or when a message has been sent with a delay parameter.
ApproximateNumberOfMessagesNotVisible – Returns the approximate number of messages that are in flight. Messages are considered to be in flight if they have been sent to a client but have not yet been deleted or have not yet reached the end of their visibility window.
CreatedTimestamp – Returns the time when the queue was created in seconds (epoch time).
DelaySeconds – Returns the default delay on the queue in seconds.
LastModifiedTimestamp – Returns the time when the queue was last changed in seconds (epoch time).
MaximumMessageSize – Returns the limit of how many bytes a message can contain before Amazon SQS rejects it.
MessageRetentionPeriod – Returns the length of time, in seconds, for which Amazon SQS retains a message.
Policy – Returns the policy of the queue.
QueueArn – Returns the Amazon resource name (ARN) of the queue.
ReceiveMessageWaitTimeSeconds – Returns the length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive.
RedrivePolicy – The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. For more information about the redrive policy and dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
deadLetterTargetArn – The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
maxReceiveCount – The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
VisibilityTimeout – Returns the visibility timeout for the queue. For more information about the visibility timeout, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
The following attributes apply only to server-side-encryption:
KmsMasterKeyId – Returns the ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms.
KmsDataKeyReusePeriodSeconds – Returns the length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. For more information, see How Does the Data Key Reuse Period Work?.
The following attributes apply only to FIFO (first-in-first-out) queues:
FifoQueue – Returns whether the queue is FIFO. For more information, see FIFO Queue Logic in the Amazon Simple Queue Service Developer Guide.
To determine whether a queue is FIFO, you can check whether QueueName ends with the .fifo suffix.
ContentBasedDeduplication – Returns whether content-based deduplication is enabled for the queue. For more information, see Exactly-Once Processing in the Amazon Simple Queue Service Developer Guide.
A list of attributes for which to retrieve information.
In the future, new attributes might be added. If you write code that calls this action, we recommend that you structure your code so that it can handle new attributes gracefully.
The following attributes are supported:
The ApproximateNumberOfMessagesDelayed, ApproximateNumberOfMessagesNotVisible, and ApproximateNumberOfMessagesVisible metrics may not achieve consistency until at least 1 minute after the producers stop sending messages. This period is required for the queue metadata to reach eventual consistency.
All – Returns all values.
ApproximateNumberOfMessages – Returns the approximate number of messages available for retrieval from the queue.
ApproximateNumberOfMessagesDelayed – Returns the approximate number of messages in the queue that are delayed and not available for reading immediately. This can happen when the queue is configured as a delay queue or when a message has been sent with a delay parameter.
ApproximateNumberOfMessagesNotVisible – Returns the approximate number of messages that are in flight. Messages are considered to be in flight if they have been sent to a client but have not yet been deleted or have not yet reached the end of their visibility window.
CreatedTimestamp – Returns the time when the queue was created in seconds (epoch time).
DelaySeconds – Returns the default delay on the queue in seconds.
LastModifiedTimestamp – Returns the time when the queue was last changed in seconds (epoch time).
MaximumMessageSize – Returns the limit of how many bytes a message can contain before Amazon SQS rejects it.
MessageRetentionPeriod – Returns the length of time, in seconds, for which Amazon SQS retains a message.
Policy – Returns the policy of the queue.
QueueArn – Returns the Amazon resource name (ARN) of the queue.
ReceiveMessageWaitTimeSeconds – Returns the length of time, in seconds, for which the ReceiveMessage action waits for a message to arrive.
RedrivePolicy – The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. For more information about the redrive policy and dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
deadLetterTargetArn – The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
maxReceiveCount – The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
VisibilityTimeout – Returns the visibility timeout for the queue. For more information about the visibility timeout, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
The following attributes apply only to server-side-encryption:
KmsMasterKeyId – Returns the ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms.
KmsDataKeyReusePeriodSeconds – Returns the length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. For more information, see How Does the Data Key Reuse Period Work?.
The following attributes apply only to FIFO (first-in-first-out) queues:
FifoQueue – Returns information about whether the queue is FIFO. For more information, see FIFO Queue Logic in the Amazon Simple Queue Service Developer Guide.
To determine whether a queue is FIFO, you can check whether QueueName ends with the .fifo suffix.
ContentBasedDeduplication – Returns whether content-based deduplication is enabled for the queue. For more information, see Exactly-Once Processing in the Amazon Simple Queue Service Developer Guide.
Preview: High throughput for FIFO queues
High throughput for Amazon SQS FIFO queues is in preview release and is subject to change. This feature provides a high number of transactions per second (TPS) for messages in FIFO queues. For information on throughput quotas, see Quotas related to messages in the Amazon Simple Queue Service Developer Guide.
This preview includes two new attributes:
DeduplicationScope – Specifies whether message deduplication occurs at the message group or queue level. Valid values are messageGroup and queue.
FifoThroughputLimit – Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are perQueue and perMessageGroupId. The perMessageGroupId value is allowed only when the value for DeduplicationScope is messageGroup.
To enable high throughput for FIFO queues, do the following:
Set DeduplicationScope to messageGroup.
Set FifoThroughputLimit to perMessageGroupId.
If you set these attributes to anything other than the values shown for enabling high throughput, standard throughput is in effect and deduplication occurs as specified.
This preview is available in the following AWS Regions:
US East (Ohio); us-east-2
US East (N. Virginia); us-east-1
US West (Oregon); us-west-2
Europe (Ireland); eu-west-1
For more information about high throughput for FIFO queues, see Preview: High throughput for FIFO queues in the Amazon Simple Queue Service Developer Guide.
", "ReceiveMessageRequest$AttributeNames": "A list of attributes that need to be returned along with each message. These attributes include:
All – Returns all values.
ApproximateFirstReceiveTimestamp – Returns the time the message was first received from the queue (epoch time in milliseconds).
ApproximateReceiveCount – Returns the number of times a message has been received across all queues but not deleted.
AWSTraceHeader – Returns the AWS X-Ray trace header string.
SenderId
For an IAM user, returns the IAM user ID, for example ABCDEFGHI1JKLMNOPQ23R.
For an IAM role, returns the IAM role ID, for example ABCDE1F2GH3I4JK5LMNOP:i-a123b456.
SentTimestamp – Returns the time the message was sent to the queue (epoch time in milliseconds).
MessageDeduplicationId – Returns the value provided by the producer that calls the SendMessage action.
MessageGroupId – Returns the value provided by the producer that calls the SendMessage action. Messages with the same MessageGroupId are returned in sequence.
SequenceNumber – Returns the value provided by Amazon SQS.
A map of attributes with their corresponding values.
The following lists the names, descriptions, and values of the special request parameters that the CreateQueue action uses:
DelaySeconds – The length of time, in seconds, for which the delivery of all messages in the queue is delayed. Valid values: An integer from 0 to 900 seconds (15 minutes). Default: 0.
MaximumMessageSize – The limit of how many bytes a message can contain before Amazon SQS rejects it. Valid values: An integer from 1,024 bytes (1 KiB) to 262,144 bytes (256 KiB). Default: 262,144 (256 KiB).
MessageRetentionPeriod – The length of time, in seconds, for which Amazon SQS retains a message. Valid values: An integer from 60 seconds (1 minute) to 1,209,600 seconds (14 days). Default: 345,600 (4 days).
Policy – The queue's policy. A valid AWS policy. For more information about policy structure, see Overview of AWS IAM Policies in the Amazon IAM User Guide.
ReceiveMessageWaitTimeSeconds – The length of time, in seconds, for which a ReceiveMessage action waits for a message to arrive. Valid values: An integer from 0 to 20 (seconds). Default: 0.
RedrivePolicy – The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. For more information about the redrive policy and dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
deadLetterTargetArn – The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
maxReceiveCount – The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue.
VisibilityTimeout – The visibility timeout for the queue, in seconds. Valid values: An integer from 0 to 43,200 (12 hours). Default: 30. For more information about the visibility timeout, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
The following attributes apply only to server-side-encryption:
KmsMasterKeyId – The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms. While the alias of the AWS-managed CMK for Amazon SQS is always alias/aws/sqs, the alias of a custom CMK can, for example, be alias/MyAlias . For more examples, see KeyId in the AWS Key Management Service API Reference.
KmsDataKeyReusePeriodSeconds – The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). Default: 300 (5 minutes). A shorter time period provides better security but results in more calls to KMS which might incur charges after Free Tier. For more information, see How Does the Data Key Reuse Period Work?.
The following attributes apply only to FIFO (first-in-first-out) queues:
FifoQueue – Designates a queue as FIFO. Valid values: true, false. If you don't specify the FifoQueue attribute, Amazon SQS creates a standard queue. You can provide this attribute only during queue creation. You can't change it for an existing queue. When you set this attribute, you must also provide the MessageGroupId for your messages explicitly.
For more information, see FIFO Queue Logic in the Amazon Simple Queue Service Developer Guide.
ContentBasedDeduplication – Enables content-based deduplication. Valid values: true, false. For more information, see Exactly-Once Processing in the Amazon Simple Queue Service Developer Guide.
Every message must have a unique MessageDeduplicationId,
You may provide a MessageDeduplicationId explicitly.
If you aren't able to provide a MessageDeduplicationId and you enable ContentBasedDeduplication for your queue, Amazon SQS uses a SHA-256 hash to generate the MessageDeduplicationId using the body of the message (but not the attributes of the message).
If you don't provide a MessageDeduplicationId and the queue doesn't have ContentBasedDeduplication set, the action fails with an error.
If the queue has ContentBasedDeduplication set, your MessageDeduplicationId overrides the generated one.
When ContentBasedDeduplication is in effect, messages with identical content sent within the deduplication interval are treated as duplicates and only one copy of the message is delivered.
If you send one message with ContentBasedDeduplication enabled and then another message with a MessageDeduplicationId that is the same as the one generated for the first MessageDeduplicationId, the two messages are treated as duplicates and only one copy of the message is delivered.
A map of attributes with their corresponding values.
The following lists the names, descriptions, and values of the special request parameters that the CreateQueue action uses:
DelaySeconds – The length of time, in seconds, for which the delivery of all messages in the queue is delayed. Valid values: An integer from 0 to 900 seconds (15 minutes). Default: 0.
MaximumMessageSize – The limit of how many bytes a message can contain before Amazon SQS rejects it. Valid values: An integer from 1,024 bytes (1 KiB) to 262,144 bytes (256 KiB). Default: 262,144 (256 KiB).
MessageRetentionPeriod – The length of time, in seconds, for which Amazon SQS retains a message. Valid values: An integer from 60 seconds (1 minute) to 1,209,600 seconds (14 days). Default: 345,600 (4 days).
Policy – The queue's policy. A valid AWS policy. For more information about policy structure, see Overview of AWS IAM Policies in the Amazon IAM User Guide.
ReceiveMessageWaitTimeSeconds – The length of time, in seconds, for which a ReceiveMessage action waits for a message to arrive. Valid values: An integer from 0 to 20 (seconds). Default: 0.
RedrivePolicy – The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. For more information about the redrive policy and dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
deadLetterTargetArn – The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
maxReceiveCount – The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue.
VisibilityTimeout – The visibility timeout for the queue, in seconds. Valid values: An integer from 0 to 43,200 (12 hours). Default: 30. For more information about the visibility timeout, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
The following attributes apply only to server-side-encryption:
KmsMasterKeyId – The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms. While the alias of the AWS-managed CMK for Amazon SQS is always alias/aws/sqs, the alias of a custom CMK can, for example, be alias/MyAlias . For more examples, see KeyId in the AWS Key Management Service API Reference.
KmsDataKeyReusePeriodSeconds – The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). Default: 300 (5 minutes). A shorter time period provides better security but results in more calls to KMS which might incur charges after Free Tier. For more information, see How Does the Data Key Reuse Period Work?.
The following attributes apply only to FIFO (first-in-first-out) queues:
FifoQueue – Designates a queue as FIFO. Valid values are true and false. If you don't specify the FifoQueue attribute, Amazon SQS creates a standard queue. You can provide this attribute only during queue creation. You can't change it for an existing queue. When you set this attribute, you must also provide the MessageGroupId for your messages explicitly.
For more information, see FIFO Queue Logic in the Amazon Simple Queue Service Developer Guide.
ContentBasedDeduplication – Enables content-based deduplication. Valid values are true and false. For more information, see Exactly-Once Processing in the Amazon Simple Queue Service Developer Guide. Note the following:
Every message must have a unique MessageDeduplicationId.
You may provide a MessageDeduplicationId explicitly.
If you aren't able to provide a MessageDeduplicationId and you enable ContentBasedDeduplication for your queue, Amazon SQS uses a SHA-256 hash to generate the MessageDeduplicationId using the body of the message (but not the attributes of the message).
If you don't provide a MessageDeduplicationId and the queue doesn't have ContentBasedDeduplication set, the action fails with an error.
If the queue has ContentBasedDeduplication set, your MessageDeduplicationId overrides the generated one.
When ContentBasedDeduplication is in effect, messages with identical content sent within the deduplication interval are treated as duplicates and only one copy of the message is delivered.
If you send one message with ContentBasedDeduplication enabled and then another message with a MessageDeduplicationId that is the same as the one generated for the first MessageDeduplicationId, the two messages are treated as duplicates and only one copy of the message is delivered.
Preview: High throughput for FIFO queues
High throughput for Amazon SQS FIFO queues is in preview release and is subject to change. This feature provides a high number of transactions per second (TPS) for messages in FIFO queues. For information on throughput quotas, see Quotas related to messages in the Amazon Simple Queue Service Developer Guide.
This preview includes two new attributes:
DeduplicationScope – Specifies whether message deduplication occurs at the message group or queue level. Valid values are messageGroup and queue.
FifoThroughputLimit – Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are perQueue and perMessageGroupId. The perMessageGroupId value is allowed only when the value for DeduplicationScope is messageGroup.
To enable high throughput for FIFO queues, do the following:
Set DeduplicationScope to messageGroup.
Set FifoThroughputLimit to perMessageGroupId.
If you set these attributes to anything other than the values shown for enabling high throughput, standard throughput is in effect and deduplication occurs as specified.
This preview is available in the following AWS Regions:
US East (Ohio); us-east-2
US East (N. Virginia); us-east-1
US West (Oregon); us-west-2
Europe (Ireland); eu-west-1
For more information about high throughput for FIFO queues, see Preview: High throughput for FIFO queues in the Amazon Simple Queue Service Developer Guide.
", "GetQueueAttributesResult$Attributes": "A map of attributes to their respective values.
", - "SetQueueAttributesRequest$Attributes": "A map of attributes to set.
The following lists the names, descriptions, and values of the special request parameters that the SetQueueAttributes action uses:
DelaySeconds – The length of time, in seconds, for which the delivery of all messages in the queue is delayed. Valid values: An integer from 0 to 900 (15 minutes). Default: 0.
MaximumMessageSize – The limit of how many bytes a message can contain before Amazon SQS rejects it. Valid values: An integer from 1,024 bytes (1 KiB) up to 262,144 bytes (256 KiB). Default: 262,144 (256 KiB).
MessageRetentionPeriod – The length of time, in seconds, for which Amazon SQS retains a message. Valid values: An integer representing seconds, from 60 (1 minute) to 1,209,600 (14 days). Default: 345,600 (4 days).
Policy – The queue's policy. A valid AWS policy. For more information about policy structure, see Overview of AWS IAM Policies in the Amazon IAM User Guide.
ReceiveMessageWaitTimeSeconds – The length of time, in seconds, for which a ReceiveMessage action waits for a message to arrive. Valid values: An integer from 0 to 20 (seconds). Default: 0.
RedrivePolicy – The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. For more information about the redrive policy and dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
deadLetterTargetArn – The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
maxReceiveCount – The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue.
VisibilityTimeout – The visibility timeout for the queue, in seconds. Valid values: An integer from 0 to 43,200 (12 hours). Default: 30. For more information about the visibility timeout, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
The following attributes apply only to server-side-encryption:
KmsMasterKeyId – The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms. While the alias of the AWS-managed CMK for Amazon SQS is always alias/aws/sqs, the alias of a custom CMK can, for example, be alias/MyAlias . For more examples, see KeyId in the AWS Key Management Service API Reference.
KmsDataKeyReusePeriodSeconds – The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). Default: 300 (5 minutes). A shorter time period provides better security but results in more calls to KMS which might incur charges after Free Tier. For more information, see How Does the Data Key Reuse Period Work?.
The following attribute applies only to FIFO (first-in-first-out) queues:
ContentBasedDeduplication – Enables content-based deduplication. For more information, see Exactly-Once Processing in the Amazon Simple Queue Service Developer Guide.
Every message must have a unique MessageDeduplicationId,
You may provide a MessageDeduplicationId explicitly.
If you aren't able to provide a MessageDeduplicationId and you enable ContentBasedDeduplication for your queue, Amazon SQS uses a SHA-256 hash to generate the MessageDeduplicationId using the body of the message (but not the attributes of the message).
If you don't provide a MessageDeduplicationId and the queue doesn't have ContentBasedDeduplication set, the action fails with an error.
If the queue has ContentBasedDeduplication set, your MessageDeduplicationId overrides the generated one.
When ContentBasedDeduplication is in effect, messages with identical content sent within the deduplication interval are treated as duplicates and only one copy of the message is delivered.
If you send one message with ContentBasedDeduplication enabled and then another message with a MessageDeduplicationId that is the same as the one generated for the first MessageDeduplicationId, the two messages are treated as duplicates and only one copy of the message is delivered.
A map of attributes to set.
The following lists the names, descriptions, and values of the special request parameters that the SetQueueAttributes action uses:
DelaySeconds – The length of time, in seconds, for which the delivery of all messages in the queue is delayed. Valid values: An integer from 0 to 900 (15 minutes). Default: 0.
MaximumMessageSize – The limit of how many bytes a message can contain before Amazon SQS rejects it. Valid values: An integer from 1,024 bytes (1 KiB) up to 262,144 bytes (256 KiB). Default: 262,144 (256 KiB).
MessageRetentionPeriod – The length of time, in seconds, for which Amazon SQS retains a message. Valid values: An integer representing seconds, from 60 (1 minute) to 1,209,600 (14 days). Default: 345,600 (4 days).
Policy – The queue's policy. A valid AWS policy. For more information about policy structure, see Overview of AWS IAM Policies in the Amazon IAM User Guide.
ReceiveMessageWaitTimeSeconds – The length of time, in seconds, for which a ReceiveMessage action waits for a message to arrive. Valid values: An integer from 0 to 20 (seconds). Default: 0.
RedrivePolicy – The string that includes the parameters for the dead-letter queue functionality of the source queue as a JSON object. For more information about the redrive policy and dead-letter queues, see Using Amazon SQS Dead-Letter Queues in the Amazon Simple Queue Service Developer Guide.
deadLetterTargetArn – The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
maxReceiveCount – The number of times a message is delivered to the source queue before being moved to the dead-letter queue. When the ReceiveCount for a message exceeds the maxReceiveCount for a queue, Amazon SQS moves the message to the dead-letter-queue.
The dead-letter queue of a FIFO queue must also be a FIFO queue. Similarly, the dead-letter queue of a standard queue must also be a standard queue.
VisibilityTimeout – The visibility timeout for the queue, in seconds. Valid values: An integer from 0 to 43,200 (12 hours). Default: 30. For more information about the visibility timeout, see Visibility Timeout in the Amazon Simple Queue Service Developer Guide.
The following attributes apply only to server-side-encryption:
KmsMasterKeyId – The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms. While the alias of the AWS-managed CMK for Amazon SQS is always alias/aws/sqs, the alias of a custom CMK can, for example, be alias/MyAlias . For more examples, see KeyId in the AWS Key Management Service API Reference.
KmsDataKeyReusePeriodSeconds – The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). Default: 300 (5 minutes). A shorter time period provides better security but results in more calls to KMS which might incur charges after Free Tier. For more information, see How Does the Data Key Reuse Period Work?.
The following attribute applies only to FIFO (first-in-first-out) queues:
ContentBasedDeduplication – Enables content-based deduplication. For more information, see Exactly-Once Processing in the Amazon Simple Queue Service Developer Guide. Note the following:
Every message must have a unique MessageDeduplicationId.
You may provide a MessageDeduplicationId explicitly.
If you aren't able to provide a MessageDeduplicationId and you enable ContentBasedDeduplication for your queue, Amazon SQS uses a SHA-256 hash to generate the MessageDeduplicationId using the body of the message (but not the attributes of the message).
If you don't provide a MessageDeduplicationId and the queue doesn't have ContentBasedDeduplication set, the action fails with an error.
If the queue has ContentBasedDeduplication set, your MessageDeduplicationId overrides the generated one.
When ContentBasedDeduplication is in effect, messages with identical content sent within the deduplication interval are treated as duplicates and only one copy of the message is delivered.
If you send one message with ContentBasedDeduplication enabled and then another message with a MessageDeduplicationId that is the same as the one generated for the first MessageDeduplicationId, the two messages are treated as duplicates and only one copy of the message is delivered.
Preview: High throughput for FIFO queues
High throughput for Amazon SQS FIFO queues is in preview release and is subject to change. This feature provides a high number of transactions per second (TPS) for messages in FIFO queues. For information on throughput quotas, see Quotas related to messages in the Amazon Simple Queue Service Developer Guide.
This preview includes two new attributes:
DeduplicationScope – Specifies whether message deduplication occurs at the message group or queue level. Valid values are messageGroup and queue.
FifoThroughputLimit – Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are perQueue and perMessageGroupId. The perMessageGroupId value is allowed only when the value for DeduplicationScope is messageGroup.
To enable high throughput for FIFO queues, do the following:
Set DeduplicationScope to messageGroup.
Set FifoThroughputLimit to perMessageGroupId.
If you set these attributes to anything other than the values shown for enabling high throughput, standard throughput is in effect and deduplication occurs as specified.
This preview is available in the following AWS Regions:
US East (Ohio); us-east-2
US East (N. Virginia); us-east-1
US West (Oregon); us-west-2
Europe (Ireland); eu-west-1
For more information about high throughput for FIFO queues, see Preview: High throughput for FIFO queues in the Amazon Simple Queue Service Developer Guide.
" } }, "QueueAttributeName": { @@ -574,7 +574,7 @@ "TagMap": { "base": null, "refs": { - "CreateQueueRequest$tags": "Add cost allocation tags to the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
When you use queue tags, keep the following guidelines in mind:
Adding more than 50 tags to a queue isn't recommended.
Tags don't have any semantic meaning. Amazon SQS interprets tags as character strings.
Tags are case-sensitive.
A new tag with a key identical to that of an existing tag overwrites the existing tag.
For a full list of tag restrictions, see Limits Related to Queues in the Amazon Simple Queue Service Developer Guide.
To be able to tag a queue on creation, you must have the sqs:CreateQueue and sqs:TagQueue permissions.
Cross-account permissions don't apply to this action. For more information, see Grant Cross-Account Permissions to a Role and a User Name in the Amazon Simple Queue Service Developer Guide.
Add cost allocation tags to the specified Amazon SQS queue. For an overview, see Tagging Your Amazon SQS Queues in the Amazon Simple Queue Service Developer Guide.
When you use queue tags, keep the following guidelines in mind:
Adding more than 50 tags to a queue isn't recommended.
Tags don't have any semantic meaning. Amazon SQS interprets tags as character strings.
Tags are case-sensitive.
A new tag with a key identical to that of an existing tag overwrites the existing tag.
For a full list of tag restrictions, see Limits Related to Queues in the Amazon Simple Queue Service Developer Guide.
To be able to tag a queue on creation, you must have the sqs:CreateQueue and sqs:TagQueue permissions.
Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a user name in the Amazon Simple Queue Service Developer Guide.
The list of all tags added to the specified queue.
", "TagQueueRequest$Tags": "The list of tags to be added to the specified queue.
" } diff --git a/models/endpoints/endpoints.json b/models/endpoints/endpoints.json index 1771c86b7d..afef4b477b 100644 --- a/models/endpoints/endpoints.json +++ b/models/endpoints/endpoints.json @@ -714,6 +714,30 @@ "eu-west-1" : { }, "eu-west-2" : { }, "eu-west-3" : { }, + "fips-us-east-1" : { + "credentialScope" : { + "region" : "us-east-1" + }, + "hostname" : "athena-fips.us-east-1.amazonaws.com" + }, + "fips-us-east-2" : { + "credentialScope" : { + "region" : "us-east-2" + }, + "hostname" : "athena-fips.us-east-2.amazonaws.com" + }, + "fips-us-west-1" : { + "credentialScope" : { + "region" : "us-west-1" + }, + "hostname" : "athena-fips.us-west-1.amazonaws.com" + }, + "fips-us-west-2" : { + "credentialScope" : { + "region" : "us-west-2" + }, + "hostname" : "athena-fips.us-west-2.amazonaws.com" + }, "me-south-1" : { }, "sa-east-1" : { }, "us-east-1" : { }, @@ -9283,6 +9307,11 @@ } } }, + "secretsmanager" : { + "endpoints" : { + "us-iso-east-1" : { } + } + }, "snowball" : { "endpoints" : { "us-iso-east-1" : { } diff --git a/service/configservice/api.go b/service/configservice/api.go index 8c05a4146b..a844295b83 100644 --- a/service/configservice/api.go +++ b/service/configservice/api.go @@ -3067,10 +3067,6 @@ func (c *ConfigService) DescribeOrganizationConfigRuleStatusesRequest(input *Des // // Provides organization config rule deployment status for an organization. // -// Only a master account and a delegated administrator account can call this -// API. When calling this API with a delegated administrator, you must ensure -// AWS Organizations ListDelegatedAdministrator permissions are added. -// // The status is not considered successful until organization config rule is // successfully deployed in all the member accounts with an exception of excluded // accounts. @@ -3174,10 +3170,6 @@ func (c *ConfigService) DescribeOrganizationConfigRulesRequest(input *DescribeOr // // Returns a list of organization config rules. // -// Only a master account and a delegated administrator account can call this -// API. When calling this API with a delegated administrator, you must ensure -// AWS Organizations ListDelegatedAdministrator permissions are added. -// // When you specify the limit and the next token, you receive a paginated response. // Limit and next token are not applicable if you specify organization config // rule names. It is only applicable, when you request all the organization @@ -3277,10 +3269,6 @@ func (c *ConfigService) DescribeOrganizationConformancePackStatusesRequest(input // // Provides organization conformance pack deployment status for an organization. // -// Only a master account and a delegated administrator account can call this -// API. When calling this API with a delegated administrator, you must ensure -// AWS Organizations ListDelegatedAdministrator permissions are added. -// // The status is not considered successful until organization conformance pack // is successfully deployed in all the member accounts with an exception of // excluded accounts. @@ -3388,10 +3376,6 @@ func (c *ConfigService) DescribeOrganizationConformancePacksRequest(input *Descr // // Returns a list of organization conformance packs. // -// Only a master account and a delegated administrator account can call this -// API. When calling this API with a delegated administrator, you must ensure -// AWS Organizations ListDelegatedAdministrator permissions are added. -// // When you specify the limit and the next token, you receive a paginated response. // // Limit and next token are not applicable if you specify organization conformance @@ -5051,10 +5035,6 @@ func (c *ConfigService) GetOrganizationConfigRuleDetailedStatusRequest(input *Ge // Returns detailed status for each member account within an organization for // a given organization config rule. // -// Only a master account and a delegated administrator account can call this -// API. When calling this API with a delegated administrator, you must ensure -// AWS Organizations ListDelegatedAdministrator permissions are added. -// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -5150,10 +5130,6 @@ func (c *ConfigService) GetOrganizationConformancePackDetailedStatusRequest(inpu // Returns detailed status for each member account within an organization for // a given organization conformance pack. // -// Only a master account and a delegated administrator account can call this -// API. When calling this API with a delegated administrator, you must ensure -// AWS Organizations ListDelegatedAdministrator permissions are added. -// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -6471,6 +6447,89 @@ func (c *ConfigService) PutEvaluationsWithContext(ctx aws.Context, input *PutEva return out, req.Send() } +const opPutExternalEvaluation = "PutExternalEvaluation" + +// PutExternalEvaluationRequest generates a "aws/request.Request" representing the +// client's request for the PutExternalEvaluation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See PutExternalEvaluation for more information on using the PutExternalEvaluation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the PutExternalEvaluationRequest method. +// req, resp := client.PutExternalEvaluationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/config-2014-11-12/PutExternalEvaluation +func (c *ConfigService) PutExternalEvaluationRequest(input *PutExternalEvaluationInput) (req *request.Request, output *PutExternalEvaluationOutput) { + op := &request.Operation{ + Name: opPutExternalEvaluation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &PutExternalEvaluationInput{} + } + + output = &PutExternalEvaluationOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// PutExternalEvaluation API operation for AWS Config. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Config's +// API operation PutExternalEvaluation for usage and error information. +// +// Returned Error Types: +// * NoSuchConfigRuleException +// One or more AWS Config rules in the request are invalid. Verify that the +// rule names are correct and try again. +// +// * InvalidParameterValueException +// One or more of the specified parameters are invalid. Verify that your parameters +// are valid and try again. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/config-2014-11-12/PutExternalEvaluation +func (c *ConfigService) PutExternalEvaluation(input *PutExternalEvaluationInput) (*PutExternalEvaluationOutput, error) { + req, out := c.PutExternalEvaluationRequest(input) + return out, req.Send() +} + +// PutExternalEvaluationWithContext is the same as PutExternalEvaluation with the addition of +// the ability to pass a context and additional request options. +// +// See PutExternalEvaluation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *ConfigService) PutExternalEvaluationWithContext(ctx aws.Context, input *PutExternalEvaluationInput, opts ...request.Option) (*PutExternalEvaluationOutput, error) { + req, out := c.PutExternalEvaluationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opPutOrganizationConfigRule = "PutOrganizationConfigRule" // PutOrganizationConfigRuleRequest generates a "aws/request.Request" representing the @@ -6874,6 +6933,10 @@ func (c *ConfigService) PutRemediationConfigurationsRequest(input *PutRemediatio // If you make backward incompatible changes to the SSM document, you must call // this again to ensure the remediations can run. // +// This API does not support adding remediation configurations for service-linked +// AWS Config Rules such as Organization Config rules, the rules deployed by +// conformance packs, and rules deployed by AWS Security Hub. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -6970,7 +7033,7 @@ func (c *ConfigService) PutRemediationExceptionsRequest(input *PutRemediationExc // PutRemediationExceptions API operation for AWS Config. // // A remediation exception is when a specific resource is no longer considered -// for auto-remediation. This API adds a new exception or updates an exisiting +// for auto-remediation. This API adds a new exception or updates an existing // exception for a specific resource with a specific AWS Config rule. // // AWS Config generates a remediation exception when a problem occurs executing @@ -9865,7 +9928,7 @@ type ConfigurationItem struct { // The 12-digit AWS account ID associated with the resource. AccountId *string `locationName:"accountId" type:"string"` - // accoun + // Amazon Resource Name (ARN) associated with the resource. Arn *string `locationName:"arn" type:"string"` // The Availability Zone associated with the resource. @@ -10312,11 +10375,14 @@ type ConformancePackDetail struct { // AWS service that created the conformance pack. CreatedBy *string `min:"1" type:"string"` - // Conformance pack template that is used to create a pack. The delivery bucket - // name should start with awsconfigconforms. For example: "Resource": "arn:aws:s3:::your_bucket_name/*". + // Amazon S3 bucket where AWS Config stores conformance pack templates. + // + // This field is optional. DeliveryS3Bucket *string `type:"string"` // The prefix for the Amazon S3 bucket. + // + // This field is optional. DeliveryS3KeyPrefix *string `type:"string"` // Last time when conformation pack update was requested. @@ -14097,6 +14163,95 @@ func (s *ExecutionControls) SetSsmControls(v *SsmControls) *ExecutionControls { return s } +type ExternalEvaluation struct { + _ struct{} `type:"structure"` + + Annotation *string `min:"1" type:"string"` + + // ComplianceResourceId is a required field + ComplianceResourceId *string `min:"1" type:"string" required:"true"` + + // ComplianceResourceType is a required field + ComplianceResourceType *string `min:"1" type:"string" required:"true"` + + // ComplianceType is a required field + ComplianceType *string `type:"string" required:"true" enum:"ComplianceType"` + + // OrderingTimestamp is a required field + OrderingTimestamp *time.Time `type:"timestamp" required:"true"` +} + +// String returns the string representation +func (s ExternalEvaluation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ExternalEvaluation) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ExternalEvaluation) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ExternalEvaluation"} + if s.Annotation != nil && len(*s.Annotation) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Annotation", 1)) + } + if s.ComplianceResourceId == nil { + invalidParams.Add(request.NewErrParamRequired("ComplianceResourceId")) + } + if s.ComplianceResourceId != nil && len(*s.ComplianceResourceId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ComplianceResourceId", 1)) + } + if s.ComplianceResourceType == nil { + invalidParams.Add(request.NewErrParamRequired("ComplianceResourceType")) + } + if s.ComplianceResourceType != nil && len(*s.ComplianceResourceType) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ComplianceResourceType", 1)) + } + if s.ComplianceType == nil { + invalidParams.Add(request.NewErrParamRequired("ComplianceType")) + } + if s.OrderingTimestamp == nil { + invalidParams.Add(request.NewErrParamRequired("OrderingTimestamp")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAnnotation sets the Annotation field's value. +func (s *ExternalEvaluation) SetAnnotation(v string) *ExternalEvaluation { + s.Annotation = &v + return s +} + +// SetComplianceResourceId sets the ComplianceResourceId field's value. +func (s *ExternalEvaluation) SetComplianceResourceId(v string) *ExternalEvaluation { + s.ComplianceResourceId = &v + return s +} + +// SetComplianceResourceType sets the ComplianceResourceType field's value. +func (s *ExternalEvaluation) SetComplianceResourceType(v string) *ExternalEvaluation { + s.ComplianceResourceType = &v + return s +} + +// SetComplianceType sets the ComplianceType field's value. +func (s *ExternalEvaluation) SetComplianceType(v string) *ExternalEvaluation { + s.ComplianceType = &v + return s +} + +// SetOrderingTimestamp sets the OrderingTimestamp field's value. +func (s *ExternalEvaluation) SetOrderingTimestamp(v time.Time) *ExternalEvaluation { + s.OrderingTimestamp = &v + return s +} + // List of each of the failed delete remediation exceptions with specific reasons. type FailedDeleteRemediationExceptionsBatch struct { _ struct{} `type:"structure"` @@ -16678,9 +16833,9 @@ type ListAggregateDiscoveredResourcesInput struct { // Filters the results based on the ResourceFilters object. Filters *ResourceFilters `type:"structure"` - // The maximum number of resource identifiers returned on each page. The default - // is 100. You cannot specify a number greater than 100. If you specify 0, AWS - // Config uses the default. + // The maximum number of resource identifiers returned on each page. You cannot + // specify a number greater than 100. If you specify 0, AWS Config uses the + // default. Limit *int64 `type:"integer"` // The nextToken string returned on a previous page that you use to get the @@ -18835,11 +18990,14 @@ type OrganizationConformancePack struct { // A list of ConformancePackInputParameter objects. ConformancePackInputParameters []*ConformancePackInputParameter `type:"list"` - // Location of an Amazon S3 bucket where AWS Config can deliver evaluation results - // and conformance pack template that is used to create a pack. + // Amazon S3 bucket where AWS Config stores conformance pack templates. + // + // This field is optional. DeliveryS3Bucket *string `type:"string"` // Any folder structure you want to add to an Amazon S3 bucket. + // + // This field is optional. DeliveryS3KeyPrefix *string `type:"string"` // A comma-separated list of accounts excluded from organization conformance @@ -19990,10 +20148,14 @@ type PutConformancePackInput struct { // ConformancePackName is a required field ConformancePackName *string `min:"1" type:"string" required:"true"` - // AWS Config stores intermediate files while processing conformance pack template. + // Amazon S3 bucket where AWS Config stores conformance pack templates. + // + // This field is optional. DeliveryS3Bucket *string `type:"string"` // The prefix for the Amazon S3 bucket. + // + // This field is optional. DeliveryS3KeyPrefix *string `type:"string"` // A string containing full conformance pack template body. Structure containing @@ -20270,6 +20432,76 @@ func (s *PutEvaluationsOutput) SetFailedEvaluations(v []*Evaluation) *PutEvaluat return s } +type PutExternalEvaluationInput struct { + _ struct{} `type:"structure"` + + // ConfigRuleName is a required field + ConfigRuleName *string `min:"1" type:"string" required:"true"` + + // ExternalEvaluation is a required field + ExternalEvaluation *ExternalEvaluation `type:"structure" required:"true"` +} + +// String returns the string representation +func (s PutExternalEvaluationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PutExternalEvaluationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *PutExternalEvaluationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "PutExternalEvaluationInput"} + if s.ConfigRuleName == nil { + invalidParams.Add(request.NewErrParamRequired("ConfigRuleName")) + } + if s.ConfigRuleName != nil && len(*s.ConfigRuleName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ConfigRuleName", 1)) + } + if s.ExternalEvaluation == nil { + invalidParams.Add(request.NewErrParamRequired("ExternalEvaluation")) + } + if s.ExternalEvaluation != nil { + if err := s.ExternalEvaluation.Validate(); err != nil { + invalidParams.AddNested("ExternalEvaluation", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetConfigRuleName sets the ConfigRuleName field's value. +func (s *PutExternalEvaluationInput) SetConfigRuleName(v string) *PutExternalEvaluationInput { + s.ConfigRuleName = &v + return s +} + +// SetExternalEvaluation sets the ExternalEvaluation field's value. +func (s *PutExternalEvaluationInput) SetExternalEvaluation(v *ExternalEvaluation) *PutExternalEvaluationInput { + s.ExternalEvaluation = v + return s +} + +type PutExternalEvaluationOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s PutExternalEvaluationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PutExternalEvaluationOutput) GoString() string { + return s.String() +} + type PutOrganizationConfigRuleInput struct { _ struct{} `type:"structure"` @@ -20378,15 +20610,14 @@ type PutOrganizationConformancePackInput struct { // A list of ConformancePackInputParameter objects. ConformancePackInputParameters []*ConformancePackInputParameter `type:"list"` - // Location of an Amazon S3 bucket where AWS Config can deliver evaluation results. - // AWS Config stores intermediate files while processing conformance pack template. + // Amazon S3 bucket where AWS Config stores conformance pack templates. // - // The delivery bucket name should start with awsconfigconforms. For example: - // "Resource": "arn:aws:s3:::your_bucket_name/*". For more information, see - // Permissions for cross account bucket access (https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html). + // This field is optional. DeliveryS3Bucket *string `type:"string"` // The prefix for the Amazon S3 bucket. + // + // This field is optional. DeliveryS3KeyPrefix *string `type:"string"` // A list of AWS accounts to be excluded from an organization conformance pack @@ -21100,7 +21331,7 @@ type RemediationConfiguration struct { // The maximum number of failed attempts for auto-remediation. If you do not // select a number, the default is 5. // - // For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptsSeconds + // For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds // as 50 seconds, AWS Config will put a RemediationException on your behalf // for the failing resource after the 5th failed attempt within 50 seconds. MaximumAutomaticAttempts *int64 `min:"1" type:"integer"` @@ -21114,7 +21345,7 @@ type RemediationConfiguration struct { // Maximum time in seconds that AWS Config runs auto-remediation. If you do // not select a number, the default is 60 seconds. // - // For example, if you specify RetryAttemptsSeconds as 50 seconds and MaximumAutomaticAttempts + // For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts // as 5, AWS Config will run auto-remediations 5 times within 50 seconds before // throwing an exception. RetryAttemptSeconds *int64 `min:"1" type:"long"` diff --git a/service/configservice/configserviceiface/interface.go b/service/configservice/configserviceiface/interface.go index e299b33180..dfdeeaaab7 100644 --- a/service/configservice/configserviceiface/interface.go +++ b/service/configservice/configserviceiface/interface.go @@ -329,6 +329,10 @@ type ConfigServiceAPI interface { PutEvaluationsWithContext(aws.Context, *configservice.PutEvaluationsInput, ...request.Option) (*configservice.PutEvaluationsOutput, error) PutEvaluationsRequest(*configservice.PutEvaluationsInput) (*request.Request, *configservice.PutEvaluationsOutput) + PutExternalEvaluation(*configservice.PutExternalEvaluationInput) (*configservice.PutExternalEvaluationOutput, error) + PutExternalEvaluationWithContext(aws.Context, *configservice.PutExternalEvaluationInput, ...request.Option) (*configservice.PutExternalEvaluationOutput, error) + PutExternalEvaluationRequest(*configservice.PutExternalEvaluationInput) (*request.Request, *configservice.PutExternalEvaluationOutput) + PutOrganizationConfigRule(*configservice.PutOrganizationConfigRuleInput) (*configservice.PutOrganizationConfigRuleOutput, error) PutOrganizationConfigRuleWithContext(aws.Context, *configservice.PutOrganizationConfigRuleInput, ...request.Option) (*configservice.PutOrganizationConfigRuleOutput, error) PutOrganizationConfigRuleRequest(*configservice.PutOrganizationConfigRuleInput) (*request.Request, *configservice.PutOrganizationConfigRuleOutput) diff --git a/service/dlm/api.go b/service/dlm/api.go index 8062b5e9cd..f1a22ce39d 100644 --- a/service/dlm/api.go +++ b/service/dlm/api.go @@ -707,6 +707,69 @@ func (c *DLM) UpdateLifecyclePolicyWithContext(ctx aws.Context, input *UpdateLif return out, req.Send() } +// Specifies an action for an event-based policy. +type Action struct { + _ struct{} `type:"structure"` + + // The rule for copying shared snapshots across Regions. + // + // CrossRegionCopy is a required field + CrossRegionCopy []*CrossRegionCopyAction `type:"list" required:"true"` + + // A descriptive name for the action. + // + // Name is a required field + Name *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s Action) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Action) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *Action) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "Action"} + if s.CrossRegionCopy == nil { + invalidParams.Add(request.NewErrParamRequired("CrossRegionCopy")) + } + if s.Name == nil { + invalidParams.Add(request.NewErrParamRequired("Name")) + } + if s.CrossRegionCopy != nil { + for i, v := range s.CrossRegionCopy { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "CrossRegionCopy", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCrossRegionCopy sets the CrossRegionCopy field's value. +func (s *Action) SetCrossRegionCopy(v []*CrossRegionCopyAction) *Action { + s.CrossRegionCopy = v + return s +} + +// SetName sets the Name field's value. +func (s *Action) SetName(v string) *Action { + s.Name = &v + return s +} + type CreateLifecyclePolicyInput struct { _ struct{} `type:"structure"` @@ -906,6 +969,78 @@ func (s *CreateRule) SetTimes(v []*string) *CreateRule { return s } +// Specifies a rule for copying shared snapshots across Regions. +type CrossRegionCopyAction struct { + _ struct{} `type:"structure"` + + // The encryption settings for the copied snapshot. + // + // EncryptionConfiguration is a required field + EncryptionConfiguration *EncryptionConfiguration `type:"structure" required:"true"` + + // Specifies the retention rule for cross-Region snapshot copies. + RetainRule *CrossRegionCopyRetainRule `type:"structure"` + + // The target Region. + // + // Target is a required field + Target *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s CrossRegionCopyAction) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CrossRegionCopyAction) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CrossRegionCopyAction) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CrossRegionCopyAction"} + if s.EncryptionConfiguration == nil { + invalidParams.Add(request.NewErrParamRequired("EncryptionConfiguration")) + } + if s.Target == nil { + invalidParams.Add(request.NewErrParamRequired("Target")) + } + if s.EncryptionConfiguration != nil { + if err := s.EncryptionConfiguration.Validate(); err != nil { + invalidParams.AddNested("EncryptionConfiguration", err.(request.ErrInvalidParams)) + } + } + if s.RetainRule != nil { + if err := s.RetainRule.Validate(); err != nil { + invalidParams.AddNested("RetainRule", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionConfiguration sets the EncryptionConfiguration field's value. +func (s *CrossRegionCopyAction) SetEncryptionConfiguration(v *EncryptionConfiguration) *CrossRegionCopyAction { + s.EncryptionConfiguration = v + return s +} + +// SetRetainRule sets the RetainRule field's value. +func (s *CrossRegionCopyAction) SetRetainRule(v *CrossRegionCopyRetainRule) *CrossRegionCopyAction { + s.RetainRule = v + return s +} + +// SetTarget sets the Target field's value. +func (s *CrossRegionCopyAction) SetTarget(v string) *CrossRegionCopyAction { + s.Target = &v + return s +} + // Specifies the retention rule for cross-Region snapshot copies. type CrossRegionCopyRetainRule struct { _ struct{} `type:"structure"` @@ -1098,6 +1233,190 @@ func (s DeleteLifecyclePolicyOutput) GoString() string { return s.String() } +// Specifies the encryption settings for shared snapshots that are copied across +// Regions. +type EncryptionConfiguration struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the AWS KMS customer master key (CMK) to + // use for EBS encryption. If this parameter is not specified, your AWS managed + // CMK for EBS is used. + CmkArn *string `type:"string"` + + // To encrypt a copy of an unencrypted snapshot when encryption by default is + // not enabled, enable encryption using this parameter. Copies of encrypted + // snapshots are encrypted, even if this parameter is false or when encryption + // by default is not enabled. + // + // Encrypted is a required field + Encrypted *bool `type:"boolean" required:"true"` +} + +// String returns the string representation +func (s EncryptionConfiguration) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EncryptionConfiguration) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EncryptionConfiguration) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EncryptionConfiguration"} + if s.Encrypted == nil { + invalidParams.Add(request.NewErrParamRequired("Encrypted")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCmkArn sets the CmkArn field's value. +func (s *EncryptionConfiguration) SetCmkArn(v string) *EncryptionConfiguration { + s.CmkArn = &v + return s +} + +// SetEncrypted sets the Encrypted field's value. +func (s *EncryptionConfiguration) SetEncrypted(v bool) *EncryptionConfiguration { + s.Encrypted = &v + return s +} + +// Specifies an event that triggers an event-based policy. +type EventParameters struct { + _ struct{} `type:"structure"` + + // The snapshot description that can trigger the policy. The description pattern + // is specified using a regular expression. The policy runs only if a snapshot + // with a description that matches the specified pattern is shared with your + // account. + // + // For example, specifying ^.*Created for policy: policy-1234567890abcdef0.*$ + // configures the policy to run only if snapshots created by policy policy-1234567890abcdef0 + // are shared with your account. + // + // DescriptionRegex is a required field + DescriptionRegex *string `type:"string" required:"true"` + + // The type of event. Currently, only snapshot sharing events are supported. + // + // EventType is a required field + EventType *string `type:"string" required:"true" enum:"EventTypeValues"` + + // The IDs of the AWS accounts that can trigger policy by sharing snapshots + // with your account. The policy only runs if one of the specified AWS accounts + // shares a snapshot with your account. + // + // SnapshotOwner is a required field + SnapshotOwner []*string `type:"list" required:"true"` +} + +// String returns the string representation +func (s EventParameters) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EventParameters) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EventParameters) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EventParameters"} + if s.DescriptionRegex == nil { + invalidParams.Add(request.NewErrParamRequired("DescriptionRegex")) + } + if s.EventType == nil { + invalidParams.Add(request.NewErrParamRequired("EventType")) + } + if s.SnapshotOwner == nil { + invalidParams.Add(request.NewErrParamRequired("SnapshotOwner")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDescriptionRegex sets the DescriptionRegex field's value. +func (s *EventParameters) SetDescriptionRegex(v string) *EventParameters { + s.DescriptionRegex = &v + return s +} + +// SetEventType sets the EventType field's value. +func (s *EventParameters) SetEventType(v string) *EventParameters { + s.EventType = &v + return s +} + +// SetSnapshotOwner sets the SnapshotOwner field's value. +func (s *EventParameters) SetSnapshotOwner(v []*string) *EventParameters { + s.SnapshotOwner = v + return s +} + +// Specifies an event that triggers an event-based policy. +type EventSource struct { + _ struct{} `type:"structure"` + + // Information about the event. + Parameters *EventParameters `type:"structure"` + + // The source of the event. Currently only managed AWS CloudWatch Events rules + // are supported. + // + // Type is a required field + Type *string `type:"string" required:"true" enum:"EventSourceValues"` +} + +// String returns the string representation +func (s EventSource) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EventSource) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EventSource) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EventSource"} + if s.Type == nil { + invalidParams.Add(request.NewErrParamRequired("Type")) + } + if s.Parameters != nil { + if err := s.Parameters.Validate(); err != nil { + invalidParams.AddNested("Parameters", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetParameters sets the Parameters field's value. +func (s *EventSource) SetParameters(v *EventParameters) *EventSource { + s.Parameters = v + return s +} + +// SetType sets the Type field's value. +func (s *EventSource) SetType(v string) *EventSource { + s.Type = &v + return s +} + // Specifies a rule for enabling fast snapshot restore. You can enable fast // snapshot restore based on either a count or a time interval. type FastRestoreRule struct { @@ -1772,7 +2091,7 @@ type Parameters struct { // Applies to AMI lifecycle policies only. Indicates whether targeted instances // are rebooted when the lifecycle policy runs. true indicates that targeted // instances are not rebooted when the policy runs. false indicates that target - // instances are rebooted when the policy runs. The default is true (instance + // instances are rebooted when the policy runs. The default is true (instances // are not rebooted). NoReboot *bool `type:"boolean"` } @@ -1803,24 +2122,55 @@ func (s *Parameters) SetNoReboot(v bool) *Parameters { type PolicyDetails struct { _ struct{} `type:"structure"` - // A set of optional parameters for the policy. + // The actions to be performed when the event-based policy is triggered. You + // can specify only one action per policy. + // + // This parameter is required for event-based policies only. If you are creating + // a snapshot or AMI policy, omit this parameter. + Actions []*Action `min:"1" type:"list"` + + // The event that triggers the event-based policy. + // + // This parameter is required for event-based policies only. If you are creating + // a snapshot or AMI policy, omit this parameter. + EventSource *EventSource `type:"structure"` + + // A set of optional parameters for snapshot and AMI lifecycle policies. + // + // This parameter is required for snapshot and AMI policies only. If you are + // creating an event-based policy, omit this parameter. Parameters *Parameters `type:"structure"` // The valid target resource types and actions a policy can manage. Specify // EBS_SNAPSHOT_MANAGEMENT to create a lifecycle policy that manages the lifecycle // of Amazon EBS snapshots. Specify IMAGE_MANAGEMENT to create a lifecycle policy - // that manages the lifecycle of EBS-backed AMIs. The default is EBS_SNAPSHOT_MANAGEMENT. + // that manages the lifecycle of EBS-backed AMIs. Specify EVENT_BASED_POLICY + // to create an event-based policy that performs specific actions when a defined + // event occurs in your AWS account. + // + // The default is EBS_SNAPSHOT_MANAGEMENT. PolicyType *string `type:"string" enum:"PolicyTypeValues"` - // The resource type. Use VOLUME to create snapshots of individual volumes or - // use INSTANCE to create multi-volume snapshots from the volumes for an instance. + // The target resource type for snapshot and AMI lifecycle policies. Use VOLUME + // to create snapshots of individual volumes or use INSTANCE to create multi-volume + // snapshots from the volumes for an instance. + // + // This parameter is required for snapshot and AMI policies only. If you are + // creating an event-based policy, omit this parameter. ResourceTypes []*string `min:"1" type:"list"` - // The schedules of policy-defined actions. A policy can have up to four schedules - // - one mandatory schedule and up to three optional schedules. + // The schedules of policy-defined actions for snapshot and AMI lifecycle policies. + // A policy can have up to four schedules—one mandatory schedule and up to + // three optional schedules. + // + // This parameter is required for snapshot and AMI policies only. If you are + // creating an event-based policy, omit this parameter. Schedules []*Schedule `min:"1" type:"list"` // The single tag that identifies targeted resources for this policy. + // + // This parameter is required for snapshot and AMI policies only. If you are + // creating an event-based policy, omit this parameter. TargetTags []*Tag `min:"1" type:"list"` } @@ -1837,6 +2187,9 @@ func (s PolicyDetails) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *PolicyDetails) Validate() error { invalidParams := request.ErrInvalidParams{Context: "PolicyDetails"} + if s.Actions != nil && len(s.Actions) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Actions", 1)) + } if s.ResourceTypes != nil && len(s.ResourceTypes) < 1 { invalidParams.Add(request.NewErrParamMinLen("ResourceTypes", 1)) } @@ -1846,6 +2199,21 @@ func (s *PolicyDetails) Validate() error { if s.TargetTags != nil && len(s.TargetTags) < 1 { invalidParams.Add(request.NewErrParamMinLen("TargetTags", 1)) } + if s.Actions != nil { + for i, v := range s.Actions { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Actions", i), err.(request.ErrInvalidParams)) + } + } + } + if s.EventSource != nil { + if err := s.EventSource.Validate(); err != nil { + invalidParams.AddNested("EventSource", err.(request.ErrInvalidParams)) + } + } if s.Schedules != nil { for i, v := range s.Schedules { if v == nil { @@ -1873,6 +2241,18 @@ func (s *PolicyDetails) Validate() error { return nil } +// SetActions sets the Actions field's value. +func (s *PolicyDetails) SetActions(v []*Action) *PolicyDetails { + s.Actions = v + return s +} + +// SetEventSource sets the EventSource field's value. +func (s *PolicyDetails) SetEventSource(v *EventSource) *PolicyDetails { + s.EventSource = v + return s +} + // SetParameters sets the Parameters field's value. func (s *PolicyDetails) SetParameters(v *Parameters) *PolicyDetails { s.Parameters = v @@ -2027,7 +2407,7 @@ func (s *RetainRule) SetIntervalUnit(v string) *RetainRule { return s } -// Specifies a backup schedule. +// Specifies a backup schedule for a snapshot or AMI lifecycle policy. type Schedule struct { _ struct{} `type:"structure"` @@ -2050,6 +2430,9 @@ type Schedule struct { // The retention rule. RetainRule *RetainRule `type:"structure"` + // The rule for sharing snapshots with other AWS accounts. + ShareRules []*ShareRule `type:"list"` + // The tags to apply to policy-created resources. These user-defined tags are // in addition to the AWS-added lifecycle tags. TagsToAdd []*Tag `type:"list"` @@ -2099,6 +2482,16 @@ func (s *Schedule) Validate() error { invalidParams.AddNested("RetainRule", err.(request.ErrInvalidParams)) } } + if s.ShareRules != nil { + for i, v := range s.ShareRules { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "ShareRules", i), err.(request.ErrInvalidParams)) + } + } + } if s.TagsToAdd != nil { for i, v := range s.TagsToAdd { if v == nil { @@ -2162,6 +2555,12 @@ func (s *Schedule) SetRetainRule(v *RetainRule) *Schedule { return s } +// SetShareRules sets the ShareRules field's value. +func (s *Schedule) SetShareRules(v []*ShareRule) *Schedule { + s.ShareRules = v + return s +} + // SetTagsToAdd sets the TagsToAdd field's value. func (s *Schedule) SetTagsToAdd(v []*Tag) *Schedule { s.TagsToAdd = v @@ -2174,6 +2573,70 @@ func (s *Schedule) SetVariableTags(v []*Tag) *Schedule { return s } +// Specifies a rule for sharing snapshots across AWS accounts. +type ShareRule struct { + _ struct{} `type:"structure"` + + // The IDs of the AWS accounts with which to share the snapshots. + // + // TargetAccounts is a required field + TargetAccounts []*string `min:"1" type:"list" required:"true"` + + // The period after which snapshots that are shared with other AWS accounts + // are automatically unshared. + UnshareInterval *int64 `min:"1" type:"integer"` + + // The unit of time for the automatic unsharing interval. + UnshareIntervalUnit *string `type:"string" enum:"RetentionIntervalUnitValues"` +} + +// String returns the string representation +func (s ShareRule) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ShareRule) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ShareRule) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ShareRule"} + if s.TargetAccounts == nil { + invalidParams.Add(request.NewErrParamRequired("TargetAccounts")) + } + if s.TargetAccounts != nil && len(s.TargetAccounts) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TargetAccounts", 1)) + } + if s.UnshareInterval != nil && *s.UnshareInterval < 1 { + invalidParams.Add(request.NewErrParamMinValue("UnshareInterval", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetTargetAccounts sets the TargetAccounts field's value. +func (s *ShareRule) SetTargetAccounts(v []*string) *ShareRule { + s.TargetAccounts = v + return s +} + +// SetUnshareInterval sets the UnshareInterval field's value. +func (s *ShareRule) SetUnshareInterval(v int64) *ShareRule { + s.UnshareInterval = &v + return s +} + +// SetUnshareIntervalUnit sets the UnshareIntervalUnit field's value. +func (s *ShareRule) SetUnshareIntervalUnit(v string) *ShareRule { + s.UnshareIntervalUnit = &v + return s +} + // Specifies a tag for a resource. type Tag struct { _ struct{} `type:"structure"` @@ -2469,6 +2932,30 @@ func (s UpdateLifecyclePolicyOutput) GoString() string { return s.String() } +const ( + // EventSourceValuesManagedCwe is a EventSourceValues enum value + EventSourceValuesManagedCwe = "MANAGED_CWE" +) + +// EventSourceValues_Values returns all elements of the EventSourceValues enum +func EventSourceValues_Values() []string { + return []string{ + EventSourceValuesManagedCwe, + } +} + +const ( + // EventTypeValuesShareSnapshot is a EventTypeValues enum value + EventTypeValuesShareSnapshot = "shareSnapshot" +) + +// EventTypeValues_Values returns all elements of the EventTypeValues enum +func EventTypeValues_Values() []string { + return []string{ + EventTypeValuesShareSnapshot, + } +} + const ( // GettablePolicyStateValuesEnabled is a GettablePolicyStateValues enum value GettablePolicyStateValuesEnabled = "ENABLED" @@ -2507,6 +2994,9 @@ const ( // PolicyTypeValuesImageManagement is a PolicyTypeValues enum value PolicyTypeValuesImageManagement = "IMAGE_MANAGEMENT" + + // PolicyTypeValuesEventBasedPolicy is a PolicyTypeValues enum value + PolicyTypeValuesEventBasedPolicy = "EVENT_BASED_POLICY" ) // PolicyTypeValues_Values returns all elements of the PolicyTypeValues enum @@ -2514,6 +3004,7 @@ func PolicyTypeValues_Values() []string { return []string{ PolicyTypeValuesEbsSnapshotManagement, PolicyTypeValuesImageManagement, + PolicyTypeValuesEventBasedPolicy, } } diff --git a/service/ec2/api.go b/service/ec2/api.go index a3bff97b6e..e5f8bd426e 100644 --- a/service/ec2/api.go +++ b/service/ec2/api.go @@ -123712,6 +123712,30 @@ const ( // InstanceTypeC6gd16xlarge is a InstanceType enum value InstanceTypeC6gd16xlarge = "c6gd.16xlarge" + // InstanceTypeC6gnMedium is a InstanceType enum value + InstanceTypeC6gnMedium = "c6gn.medium" + + // InstanceTypeC6gnLarge is a InstanceType enum value + InstanceTypeC6gnLarge = "c6gn.large" + + // InstanceTypeC6gnXlarge is a InstanceType enum value + InstanceTypeC6gnXlarge = "c6gn.xlarge" + + // InstanceTypeC6gn2xlarge is a InstanceType enum value + InstanceTypeC6gn2xlarge = "c6gn.2xlarge" + + // InstanceTypeC6gn4xlarge is a InstanceType enum value + InstanceTypeC6gn4xlarge = "c6gn.4xlarge" + + // InstanceTypeC6gn8xlarge is a InstanceType enum value + InstanceTypeC6gn8xlarge = "c6gn.8xlarge" + + // InstanceTypeC6gn12xlarge is a InstanceType enum value + InstanceTypeC6gn12xlarge = "c6gn.12xlarge" + + // InstanceTypeC6gn16xlarge is a InstanceType enum value + InstanceTypeC6gn16xlarge = "c6gn.16xlarge" + // InstanceTypeCc14xlarge is a InstanceType enum value InstanceTypeCc14xlarge = "cc1.4xlarge" @@ -124421,6 +124445,14 @@ func InstanceType_Values() []string { InstanceTypeC6gd8xlarge, InstanceTypeC6gd12xlarge, InstanceTypeC6gd16xlarge, + InstanceTypeC6gnMedium, + InstanceTypeC6gnLarge, + InstanceTypeC6gnXlarge, + InstanceTypeC6gn2xlarge, + InstanceTypeC6gn4xlarge, + InstanceTypeC6gn8xlarge, + InstanceTypeC6gn12xlarge, + InstanceTypeC6gn16xlarge, InstanceTypeCc14xlarge, InstanceTypeCc28xlarge, InstanceTypeG22xlarge, diff --git a/service/imagebuilder/api.go b/service/imagebuilder/api.go index 34775d297a..6074830866 100644 --- a/service/imagebuilder/api.go +++ b/service/imagebuilder/api.go @@ -233,6 +233,121 @@ func (c *Imagebuilder) CreateComponentWithContext(ctx aws.Context, input *Create return out, req.Send() } +const opCreateContainerRecipe = "CreateContainerRecipe" + +// CreateContainerRecipeRequest generates a "aws/request.Request" representing the +// client's request for the CreateContainerRecipe operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateContainerRecipe for more information on using the CreateContainerRecipe +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateContainerRecipeRequest method. +// req, resp := client.CreateContainerRecipeRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/CreateContainerRecipe +func (c *Imagebuilder) CreateContainerRecipeRequest(input *CreateContainerRecipeInput) (req *request.Request, output *CreateContainerRecipeOutput) { + op := &request.Operation{ + Name: opCreateContainerRecipe, + HTTPMethod: "PUT", + HTTPPath: "/CreateContainerRecipe", + } + + if input == nil { + input = &CreateContainerRecipeInput{} + } + + output = &CreateContainerRecipeOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateContainerRecipe API operation for EC2 Image Builder. +// +// Creates a new container recipe. Container recipes define how images are configured, +// tested, and assessed. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for EC2 Image Builder's +// API operation CreateContainerRecipe for usage and error information. +// +// Returned Error Types: +// * ServiceException +// This exception is thrown when the service encounters an unrecoverable exception. +// +// * ClientException +// These errors are usually caused by a client action, such as using an action +// or resource on behalf of a user that doesn't have permissions to use the +// action or resource, or specifying an invalid resource identifier. +// +// * ServiceUnavailableException +// The service is unable to process your request at this time. +// +// * InvalidRequestException +// You have made a request for an action that is not supported by the service. +// +// * IdempotentParameterMismatchException +// You have specified a client token for an operation using parameter values +// that differ from a previous request that used the same client token. +// +// * ForbiddenException +// You are not authorized to perform the requested operation. +// +// * CallRateLimitExceededException +// You have exceeded the permitted request rate for the specific operation. +// +// * InvalidVersionNumberException +// Your version number is out of bounds or does not follow the required syntax. +// +// * ResourceInUseException +// The resource that you are trying to operate on is currently in use. Review +// the message details and retry later. +// +// * ResourceAlreadyExistsException +// The resource that you are trying to create already exists. +// +// * ServiceQuotaExceededException +// You have exceeded the number of permitted resources or operations for this +// service. For service quotas, see EC2 Image Builder endpoints and quotas (https://docs.aws.amazon.com/general/latest/gr/imagebuilder.html#limits_imagebuilder). +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/CreateContainerRecipe +func (c *Imagebuilder) CreateContainerRecipe(input *CreateContainerRecipeInput) (*CreateContainerRecipeOutput, error) { + req, out := c.CreateContainerRecipeRequest(input) + return out, req.Send() +} + +// CreateContainerRecipeWithContext is the same as CreateContainerRecipe with the addition of +// the ability to pass a context and additional request options. +// +// See CreateContainerRecipe for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) CreateContainerRecipeWithContext(ctx aws.Context, input *CreateContainerRecipeInput, opts ...request.Option) (*CreateContainerRecipeOutput, error) { + req, out := c.CreateContainerRecipeRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateDistributionConfiguration = "CreateDistributionConfiguration" // CreateDistributionConfigurationRequest generates a "aws/request.Request" representing the @@ -897,6 +1012,106 @@ func (c *Imagebuilder) DeleteComponentWithContext(ctx aws.Context, input *Delete return out, req.Send() } +const opDeleteContainerRecipe = "DeleteContainerRecipe" + +// DeleteContainerRecipeRequest generates a "aws/request.Request" representing the +// client's request for the DeleteContainerRecipe operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteContainerRecipe for more information on using the DeleteContainerRecipe +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteContainerRecipeRequest method. +// req, resp := client.DeleteContainerRecipeRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/DeleteContainerRecipe +func (c *Imagebuilder) DeleteContainerRecipeRequest(input *DeleteContainerRecipeInput) (req *request.Request, output *DeleteContainerRecipeOutput) { + op := &request.Operation{ + Name: opDeleteContainerRecipe, + HTTPMethod: "DELETE", + HTTPPath: "/DeleteContainerRecipe", + } + + if input == nil { + input = &DeleteContainerRecipeInput{} + } + + output = &DeleteContainerRecipeOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteContainerRecipe API operation for EC2 Image Builder. +// +// Deletes a container recipe. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for EC2 Image Builder's +// API operation DeleteContainerRecipe for usage and error information. +// +// Returned Error Types: +// * ServiceException +// This exception is thrown when the service encounters an unrecoverable exception. +// +// * ClientException +// These errors are usually caused by a client action, such as using an action +// or resource on behalf of a user that doesn't have permissions to use the +// action or resource, or specifying an invalid resource identifier. +// +// * ServiceUnavailableException +// The service is unable to process your request at this time. +// +// * InvalidRequestException +// You have made a request for an action that is not supported by the service. +// +// * ForbiddenException +// You are not authorized to perform the requested operation. +// +// * CallRateLimitExceededException +// You have exceeded the permitted request rate for the specific operation. +// +// * ResourceDependencyException +// You have attempted to mutate or delete a resource with a dependency that +// prohibits this action. See the error message for more details. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/DeleteContainerRecipe +func (c *Imagebuilder) DeleteContainerRecipe(input *DeleteContainerRecipeInput) (*DeleteContainerRecipeOutput, error) { + req, out := c.DeleteContainerRecipeRequest(input) + return out, req.Send() +} + +// DeleteContainerRecipeWithContext is the same as DeleteContainerRecipe with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteContainerRecipe for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) DeleteContainerRecipeWithContext(ctx aws.Context, input *DeleteContainerRecipeInput, opts ...request.Option) (*DeleteContainerRecipeOutput, error) { + req, out := c.DeleteContainerRecipeRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDeleteDistributionConfiguration = "DeleteDistributionConfiguration" // DeleteDistributionConfigurationRequest generates a "aws/request.Request" representing the @@ -1587,58 +1802,58 @@ func (c *Imagebuilder) GetComponentPolicyWithContext(ctx aws.Context, input *Get return out, req.Send() } -const opGetDistributionConfiguration = "GetDistributionConfiguration" +const opGetContainerRecipe = "GetContainerRecipe" -// GetDistributionConfigurationRequest generates a "aws/request.Request" representing the -// client's request for the GetDistributionConfiguration operation. The "output" return +// GetContainerRecipeRequest generates a "aws/request.Request" representing the +// client's request for the GetContainerRecipe operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See GetDistributionConfiguration for more information on using the GetDistributionConfiguration +// See GetContainerRecipe for more information on using the GetContainerRecipe // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // -// // Example sending a request using the GetDistributionConfigurationRequest method. -// req, resp := client.GetDistributionConfigurationRequest(params) +// // Example sending a request using the GetContainerRecipeRequest method. +// req, resp := client.GetContainerRecipeRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetDistributionConfiguration -func (c *Imagebuilder) GetDistributionConfigurationRequest(input *GetDistributionConfigurationInput) (req *request.Request, output *GetDistributionConfigurationOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetContainerRecipe +func (c *Imagebuilder) GetContainerRecipeRequest(input *GetContainerRecipeInput) (req *request.Request, output *GetContainerRecipeOutput) { op := &request.Operation{ - Name: opGetDistributionConfiguration, + Name: opGetContainerRecipe, HTTPMethod: "GET", - HTTPPath: "/GetDistributionConfiguration", + HTTPPath: "/GetContainerRecipe", } if input == nil { - input = &GetDistributionConfigurationInput{} + input = &GetContainerRecipeInput{} } - output = &GetDistributionConfigurationOutput{} + output = &GetContainerRecipeOutput{} req = c.newRequest(op, input, output) return } -// GetDistributionConfiguration API operation for EC2 Image Builder. +// GetContainerRecipe API operation for EC2 Image Builder. // -// Gets a distribution configuration. +// Retrieves a container recipe. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for EC2 Image Builder's -// API operation GetDistributionConfiguration for usage and error information. +// API operation GetContainerRecipe for usage and error information. // // Returned Error Types: // * ServiceException @@ -1661,176 +1876,174 @@ func (c *Imagebuilder) GetDistributionConfigurationRequest(input *GetDistributio // * CallRateLimitExceededException // You have exceeded the permitted request rate for the specific operation. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetDistributionConfiguration -func (c *Imagebuilder) GetDistributionConfiguration(input *GetDistributionConfigurationInput) (*GetDistributionConfigurationOutput, error) { - req, out := c.GetDistributionConfigurationRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetContainerRecipe +func (c *Imagebuilder) GetContainerRecipe(input *GetContainerRecipeInput) (*GetContainerRecipeOutput, error) { + req, out := c.GetContainerRecipeRequest(input) return out, req.Send() } -// GetDistributionConfigurationWithContext is the same as GetDistributionConfiguration with the addition of +// GetContainerRecipeWithContext is the same as GetContainerRecipe with the addition of // the ability to pass a context and additional request options. // -// See GetDistributionConfiguration for details on how to use this API operation. +// See GetContainerRecipe for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *Imagebuilder) GetDistributionConfigurationWithContext(ctx aws.Context, input *GetDistributionConfigurationInput, opts ...request.Option) (*GetDistributionConfigurationOutput, error) { - req, out := c.GetDistributionConfigurationRequest(input) +func (c *Imagebuilder) GetContainerRecipeWithContext(ctx aws.Context, input *GetContainerRecipeInput, opts ...request.Option) (*GetContainerRecipeOutput, error) { + req, out := c.GetContainerRecipeRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } -const opGetImage = "GetImage" +const opGetContainerRecipePolicy = "GetContainerRecipePolicy" -// GetImageRequest generates a "aws/request.Request" representing the -// client's request for the GetImage operation. The "output" return +// GetContainerRecipePolicyRequest generates a "aws/request.Request" representing the +// client's request for the GetContainerRecipePolicy operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See GetImage for more information on using the GetImage +// See GetContainerRecipePolicy for more information on using the GetContainerRecipePolicy // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // -// // Example sending a request using the GetImageRequest method. -// req, resp := client.GetImageRequest(params) +// // Example sending a request using the GetContainerRecipePolicyRequest method. +// req, resp := client.GetContainerRecipePolicyRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImage -func (c *Imagebuilder) GetImageRequest(input *GetImageInput) (req *request.Request, output *GetImageOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetContainerRecipePolicy +func (c *Imagebuilder) GetContainerRecipePolicyRequest(input *GetContainerRecipePolicyInput) (req *request.Request, output *GetContainerRecipePolicyOutput) { op := &request.Operation{ - Name: opGetImage, + Name: opGetContainerRecipePolicy, HTTPMethod: "GET", - HTTPPath: "/GetImage", + HTTPPath: "/GetContainerRecipePolicy", } if input == nil { - input = &GetImageInput{} + input = &GetContainerRecipePolicyInput{} } - output = &GetImageOutput{} + output = &GetContainerRecipePolicyOutput{} req = c.newRequest(op, input, output) return } -// GetImage API operation for EC2 Image Builder. +// GetContainerRecipePolicy API operation for EC2 Image Builder. // -// Gets an image. +// Retrieves the policy for a container recipe. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for EC2 Image Builder's -// API operation GetImage for usage and error information. +// API operation GetContainerRecipePolicy for usage and error information. // // Returned Error Types: // * ServiceException // This exception is thrown when the service encounters an unrecoverable exception. // -// * ClientException -// These errors are usually caused by a client action, such as using an action -// or resource on behalf of a user that doesn't have permissions to use the -// action or resource, or specifying an invalid resource identifier. -// // * ServiceUnavailableException // The service is unable to process your request at this time. // // * InvalidRequestException // You have made a request for an action that is not supported by the service. // +// * ResourceNotFoundException +// At least one of the resources referenced by your request does not exist. +// // * ForbiddenException // You are not authorized to perform the requested operation. // // * CallRateLimitExceededException // You have exceeded the permitted request rate for the specific operation. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImage -func (c *Imagebuilder) GetImage(input *GetImageInput) (*GetImageOutput, error) { - req, out := c.GetImageRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetContainerRecipePolicy +func (c *Imagebuilder) GetContainerRecipePolicy(input *GetContainerRecipePolicyInput) (*GetContainerRecipePolicyOutput, error) { + req, out := c.GetContainerRecipePolicyRequest(input) return out, req.Send() } -// GetImageWithContext is the same as GetImage with the addition of +// GetContainerRecipePolicyWithContext is the same as GetContainerRecipePolicy with the addition of // the ability to pass a context and additional request options. // -// See GetImage for details on how to use this API operation. +// See GetContainerRecipePolicy for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *Imagebuilder) GetImageWithContext(ctx aws.Context, input *GetImageInput, opts ...request.Option) (*GetImageOutput, error) { - req, out := c.GetImageRequest(input) +func (c *Imagebuilder) GetContainerRecipePolicyWithContext(ctx aws.Context, input *GetContainerRecipePolicyInput, opts ...request.Option) (*GetContainerRecipePolicyOutput, error) { + req, out := c.GetContainerRecipePolicyRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } -const opGetImagePipeline = "GetImagePipeline" +const opGetDistributionConfiguration = "GetDistributionConfiguration" -// GetImagePipelineRequest generates a "aws/request.Request" representing the -// client's request for the GetImagePipeline operation. The "output" return +// GetDistributionConfigurationRequest generates a "aws/request.Request" representing the +// client's request for the GetDistributionConfiguration operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See GetImagePipeline for more information on using the GetImagePipeline +// See GetDistributionConfiguration for more information on using the GetDistributionConfiguration // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // -// // Example sending a request using the GetImagePipelineRequest method. -// req, resp := client.GetImagePipelineRequest(params) +// // Example sending a request using the GetDistributionConfigurationRequest method. +// req, resp := client.GetDistributionConfigurationRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImagePipeline -func (c *Imagebuilder) GetImagePipelineRequest(input *GetImagePipelineInput) (req *request.Request, output *GetImagePipelineOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetDistributionConfiguration +func (c *Imagebuilder) GetDistributionConfigurationRequest(input *GetDistributionConfigurationInput) (req *request.Request, output *GetDistributionConfigurationOutput) { op := &request.Operation{ - Name: opGetImagePipeline, + Name: opGetDistributionConfiguration, HTTPMethod: "GET", - HTTPPath: "/GetImagePipeline", + HTTPPath: "/GetDistributionConfiguration", } if input == nil { - input = &GetImagePipelineInput{} + input = &GetDistributionConfigurationInput{} } - output = &GetImagePipelineOutput{} + output = &GetDistributionConfigurationOutput{} req = c.newRequest(op, input, output) return } -// GetImagePipeline API operation for EC2 Image Builder. +// GetDistributionConfiguration API operation for EC2 Image Builder. // -// Gets an image pipeline. +// Gets a distribution configuration. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for EC2 Image Builder's -// API operation GetImagePipeline for usage and error information. +// API operation GetDistributionConfiguration for usage and error information. // // Returned Error Types: // * ServiceException @@ -1853,9 +2066,201 @@ func (c *Imagebuilder) GetImagePipelineRequest(input *GetImagePipelineInput) (re // * CallRateLimitExceededException // You have exceeded the permitted request rate for the specific operation. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImagePipeline -func (c *Imagebuilder) GetImagePipeline(input *GetImagePipelineInput) (*GetImagePipelineOutput, error) { - req, out := c.GetImagePipelineRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetDistributionConfiguration +func (c *Imagebuilder) GetDistributionConfiguration(input *GetDistributionConfigurationInput) (*GetDistributionConfigurationOutput, error) { + req, out := c.GetDistributionConfigurationRequest(input) + return out, req.Send() +} + +// GetDistributionConfigurationWithContext is the same as GetDistributionConfiguration with the addition of +// the ability to pass a context and additional request options. +// +// See GetDistributionConfiguration for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) GetDistributionConfigurationWithContext(ctx aws.Context, input *GetDistributionConfigurationInput, opts ...request.Option) (*GetDistributionConfigurationOutput, error) { + req, out := c.GetDistributionConfigurationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetImage = "GetImage" + +// GetImageRequest generates a "aws/request.Request" representing the +// client's request for the GetImage operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetImage for more information on using the GetImage +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetImageRequest method. +// req, resp := client.GetImageRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImage +func (c *Imagebuilder) GetImageRequest(input *GetImageInput) (req *request.Request, output *GetImageOutput) { + op := &request.Operation{ + Name: opGetImage, + HTTPMethod: "GET", + HTTPPath: "/GetImage", + } + + if input == nil { + input = &GetImageInput{} + } + + output = &GetImageOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetImage API operation for EC2 Image Builder. +// +// Gets an image. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for EC2 Image Builder's +// API operation GetImage for usage and error information. +// +// Returned Error Types: +// * ServiceException +// This exception is thrown when the service encounters an unrecoverable exception. +// +// * ClientException +// These errors are usually caused by a client action, such as using an action +// or resource on behalf of a user that doesn't have permissions to use the +// action or resource, or specifying an invalid resource identifier. +// +// * ServiceUnavailableException +// The service is unable to process your request at this time. +// +// * InvalidRequestException +// You have made a request for an action that is not supported by the service. +// +// * ForbiddenException +// You are not authorized to perform the requested operation. +// +// * CallRateLimitExceededException +// You have exceeded the permitted request rate for the specific operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImage +func (c *Imagebuilder) GetImage(input *GetImageInput) (*GetImageOutput, error) { + req, out := c.GetImageRequest(input) + return out, req.Send() +} + +// GetImageWithContext is the same as GetImage with the addition of +// the ability to pass a context and additional request options. +// +// See GetImage for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) GetImageWithContext(ctx aws.Context, input *GetImageInput, opts ...request.Option) (*GetImageOutput, error) { + req, out := c.GetImageRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetImagePipeline = "GetImagePipeline" + +// GetImagePipelineRequest generates a "aws/request.Request" representing the +// client's request for the GetImagePipeline operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetImagePipeline for more information on using the GetImagePipeline +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetImagePipelineRequest method. +// req, resp := client.GetImagePipelineRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImagePipeline +func (c *Imagebuilder) GetImagePipelineRequest(input *GetImagePipelineInput) (req *request.Request, output *GetImagePipelineOutput) { + op := &request.Operation{ + Name: opGetImagePipeline, + HTTPMethod: "GET", + HTTPPath: "/GetImagePipeline", + } + + if input == nil { + input = &GetImagePipelineInput{} + } + + output = &GetImagePipelineOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetImagePipeline API operation for EC2 Image Builder. +// +// Gets an image pipeline. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for EC2 Image Builder's +// API operation GetImagePipeline for usage and error information. +// +// Returned Error Types: +// * ServiceException +// This exception is thrown when the service encounters an unrecoverable exception. +// +// * ClientException +// These errors are usually caused by a client action, such as using an action +// or resource on behalf of a user that doesn't have permissions to use the +// action or resource, or specifying an invalid resource identifier. +// +// * ServiceUnavailableException +// The service is unable to process your request at this time. +// +// * InvalidRequestException +// You have made a request for an action that is not supported by the service. +// +// * ForbiddenException +// You are not authorized to perform the requested operation. +// +// * CallRateLimitExceededException +// You have exceeded the permitted request rate for the specific operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/GetImagePipeline +func (c *Imagebuilder) GetImagePipeline(input *GetImagePipelineInput) (*GetImagePipelineOutput, error) { + req, out := c.GetImagePipelineRequest(input) return out, req.Send() } @@ -2680,37 +3085,37 @@ func (c *Imagebuilder) ListComponentsPagesWithContext(ctx aws.Context, input *Li return p.Err() } -const opListDistributionConfigurations = "ListDistributionConfigurations" +const opListContainerRecipes = "ListContainerRecipes" -// ListDistributionConfigurationsRequest generates a "aws/request.Request" representing the -// client's request for the ListDistributionConfigurations operation. The "output" return +// ListContainerRecipesRequest generates a "aws/request.Request" representing the +// client's request for the ListContainerRecipes operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See ListDistributionConfigurations for more information on using the ListDistributionConfigurations +// See ListContainerRecipes for more information on using the ListContainerRecipes // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // -// // Example sending a request using the ListDistributionConfigurationsRequest method. -// req, resp := client.ListDistributionConfigurationsRequest(params) +// // Example sending a request using the ListContainerRecipesRequest method. +// req, resp := client.ListContainerRecipesRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListDistributionConfigurations -func (c *Imagebuilder) ListDistributionConfigurationsRequest(input *ListDistributionConfigurationsInput) (req *request.Request, output *ListDistributionConfigurationsOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListContainerRecipes +func (c *Imagebuilder) ListContainerRecipesRequest(input *ListContainerRecipesInput) (req *request.Request, output *ListContainerRecipesOutput) { op := &request.Operation{ - Name: opListDistributionConfigurations, + Name: opListContainerRecipes, HTTPMethod: "POST", - HTTPPath: "/ListDistributionConfigurations", + HTTPPath: "/ListContainerRecipes", Paginator: &request.Paginator{ InputTokens: []string{"nextToken"}, OutputTokens: []string{"nextToken"}, @@ -2720,24 +3125,24 @@ func (c *Imagebuilder) ListDistributionConfigurationsRequest(input *ListDistribu } if input == nil { - input = &ListDistributionConfigurationsInput{} + input = &ListContainerRecipesInput{} } - output = &ListDistributionConfigurationsOutput{} + output = &ListContainerRecipesOutput{} req = c.newRequest(op, input, output) return } -// ListDistributionConfigurations API operation for EC2 Image Builder. +// ListContainerRecipes API operation for EC2 Image Builder. // -// Returns a list of distribution configurations. +// Returns a list of container recipes. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for EC2 Image Builder's -// API operation ListDistributionConfigurations for usage and error information. +// API operation ListContainerRecipes for usage and error information. // // Returned Error Types: // * ServiceException @@ -2763,65 +3168,65 @@ func (c *Imagebuilder) ListDistributionConfigurationsRequest(input *ListDistribu // * CallRateLimitExceededException // You have exceeded the permitted request rate for the specific operation. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListDistributionConfigurations -func (c *Imagebuilder) ListDistributionConfigurations(input *ListDistributionConfigurationsInput) (*ListDistributionConfigurationsOutput, error) { - req, out := c.ListDistributionConfigurationsRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListContainerRecipes +func (c *Imagebuilder) ListContainerRecipes(input *ListContainerRecipesInput) (*ListContainerRecipesOutput, error) { + req, out := c.ListContainerRecipesRequest(input) return out, req.Send() } -// ListDistributionConfigurationsWithContext is the same as ListDistributionConfigurations with the addition of +// ListContainerRecipesWithContext is the same as ListContainerRecipes with the addition of // the ability to pass a context and additional request options. // -// See ListDistributionConfigurations for details on how to use this API operation. +// See ListContainerRecipes for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *Imagebuilder) ListDistributionConfigurationsWithContext(ctx aws.Context, input *ListDistributionConfigurationsInput, opts ...request.Option) (*ListDistributionConfigurationsOutput, error) { - req, out := c.ListDistributionConfigurationsRequest(input) +func (c *Imagebuilder) ListContainerRecipesWithContext(ctx aws.Context, input *ListContainerRecipesInput, opts ...request.Option) (*ListContainerRecipesOutput, error) { + req, out := c.ListContainerRecipesRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } -// ListDistributionConfigurationsPages iterates over the pages of a ListDistributionConfigurations operation, +// ListContainerRecipesPages iterates over the pages of a ListContainerRecipes operation, // calling the "fn" function with the response data for each page. To stop // iterating, return false from the fn function. // -// See ListDistributionConfigurations method for more information on how to use this operation. +// See ListContainerRecipes method for more information on how to use this operation. // // Note: This operation can generate multiple requests to a service. // -// // Example iterating over at most 3 pages of a ListDistributionConfigurations operation. +// // Example iterating over at most 3 pages of a ListContainerRecipes operation. // pageNum := 0 -// err := client.ListDistributionConfigurationsPages(params, -// func(page *imagebuilder.ListDistributionConfigurationsOutput, lastPage bool) bool { +// err := client.ListContainerRecipesPages(params, +// func(page *imagebuilder.ListContainerRecipesOutput, lastPage bool) bool { // pageNum++ // fmt.Println(page) // return pageNum <= 3 // }) // -func (c *Imagebuilder) ListDistributionConfigurationsPages(input *ListDistributionConfigurationsInput, fn func(*ListDistributionConfigurationsOutput, bool) bool) error { - return c.ListDistributionConfigurationsPagesWithContext(aws.BackgroundContext(), input, fn) +func (c *Imagebuilder) ListContainerRecipesPages(input *ListContainerRecipesInput, fn func(*ListContainerRecipesOutput, bool) bool) error { + return c.ListContainerRecipesPagesWithContext(aws.BackgroundContext(), input, fn) } -// ListDistributionConfigurationsPagesWithContext same as ListDistributionConfigurationsPages except +// ListContainerRecipesPagesWithContext same as ListContainerRecipesPages except // it takes a Context and allows setting request options on the pages. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *Imagebuilder) ListDistributionConfigurationsPagesWithContext(ctx aws.Context, input *ListDistributionConfigurationsInput, fn func(*ListDistributionConfigurationsOutput, bool) bool, opts ...request.Option) error { +func (c *Imagebuilder) ListContainerRecipesPagesWithContext(ctx aws.Context, input *ListContainerRecipesInput, fn func(*ListContainerRecipesOutput, bool) bool, opts ...request.Option) error { p := request.Pagination{ NewRequest: func() (*request.Request, error) { - var inCpy *ListDistributionConfigurationsInput + var inCpy *ListContainerRecipesInput if input != nil { tmp := *input inCpy = &tmp } - req, _ := c.ListDistributionConfigurationsRequest(inCpy) + req, _ := c.ListContainerRecipesRequest(inCpy) req.SetContext(ctx) req.ApplyOptions(opts...) return req, nil @@ -2829,7 +3234,7 @@ func (c *Imagebuilder) ListDistributionConfigurationsPagesWithContext(ctx aws.Co } for p.Next() { - if !fn(p.Page().(*ListDistributionConfigurationsOutput), !p.HasNextPage()) { + if !fn(p.Page().(*ListContainerRecipesOutput), !p.HasNextPage()) { break } } @@ -2837,37 +3242,37 @@ func (c *Imagebuilder) ListDistributionConfigurationsPagesWithContext(ctx aws.Co return p.Err() } -const opListImageBuildVersions = "ListImageBuildVersions" +const opListDistributionConfigurations = "ListDistributionConfigurations" -// ListImageBuildVersionsRequest generates a "aws/request.Request" representing the -// client's request for the ListImageBuildVersions operation. The "output" return +// ListDistributionConfigurationsRequest generates a "aws/request.Request" representing the +// client's request for the ListDistributionConfigurations operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See ListImageBuildVersions for more information on using the ListImageBuildVersions +// See ListDistributionConfigurations for more information on using the ListDistributionConfigurations // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // -// // Example sending a request using the ListImageBuildVersionsRequest method. -// req, resp := client.ListImageBuildVersionsRequest(params) +// // Example sending a request using the ListDistributionConfigurationsRequest method. +// req, resp := client.ListDistributionConfigurationsRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListImageBuildVersions -func (c *Imagebuilder) ListImageBuildVersionsRequest(input *ListImageBuildVersionsInput) (req *request.Request, output *ListImageBuildVersionsOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListDistributionConfigurations +func (c *Imagebuilder) ListDistributionConfigurationsRequest(input *ListDistributionConfigurationsInput) (req *request.Request, output *ListDistributionConfigurationsOutput) { op := &request.Operation{ - Name: opListImageBuildVersions, + Name: opListDistributionConfigurations, HTTPMethod: "POST", - HTTPPath: "/ListImageBuildVersions", + HTTPPath: "/ListDistributionConfigurations", Paginator: &request.Paginator{ InputTokens: []string{"nextToken"}, OutputTokens: []string{"nextToken"}, @@ -2877,17 +3282,174 @@ func (c *Imagebuilder) ListImageBuildVersionsRequest(input *ListImageBuildVersio } if input == nil { - input = &ListImageBuildVersionsInput{} + input = &ListDistributionConfigurationsInput{} } - output = &ListImageBuildVersionsOutput{} + output = &ListDistributionConfigurationsOutput{} req = c.newRequest(op, input, output) return } -// ListImageBuildVersions API operation for EC2 Image Builder. +// ListDistributionConfigurations API operation for EC2 Image Builder. // -// Returns a list of image build versions. +// Returns a list of distribution configurations. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for EC2 Image Builder's +// API operation ListDistributionConfigurations for usage and error information. +// +// Returned Error Types: +// * ServiceException +// This exception is thrown when the service encounters an unrecoverable exception. +// +// * ClientException +// These errors are usually caused by a client action, such as using an action +// or resource on behalf of a user that doesn't have permissions to use the +// action or resource, or specifying an invalid resource identifier. +// +// * ServiceUnavailableException +// The service is unable to process your request at this time. +// +// * InvalidRequestException +// You have made a request for an action that is not supported by the service. +// +// * InvalidPaginationTokenException +// You have provided an invalid pagination token in your request. +// +// * ForbiddenException +// You are not authorized to perform the requested operation. +// +// * CallRateLimitExceededException +// You have exceeded the permitted request rate for the specific operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListDistributionConfigurations +func (c *Imagebuilder) ListDistributionConfigurations(input *ListDistributionConfigurationsInput) (*ListDistributionConfigurationsOutput, error) { + req, out := c.ListDistributionConfigurationsRequest(input) + return out, req.Send() +} + +// ListDistributionConfigurationsWithContext is the same as ListDistributionConfigurations with the addition of +// the ability to pass a context and additional request options. +// +// See ListDistributionConfigurations for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) ListDistributionConfigurationsWithContext(ctx aws.Context, input *ListDistributionConfigurationsInput, opts ...request.Option) (*ListDistributionConfigurationsOutput, error) { + req, out := c.ListDistributionConfigurationsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListDistributionConfigurationsPages iterates over the pages of a ListDistributionConfigurations operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListDistributionConfigurations method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListDistributionConfigurations operation. +// pageNum := 0 +// err := client.ListDistributionConfigurationsPages(params, +// func(page *imagebuilder.ListDistributionConfigurationsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *Imagebuilder) ListDistributionConfigurationsPages(input *ListDistributionConfigurationsInput, fn func(*ListDistributionConfigurationsOutput, bool) bool) error { + return c.ListDistributionConfigurationsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListDistributionConfigurationsPagesWithContext same as ListDistributionConfigurationsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) ListDistributionConfigurationsPagesWithContext(ctx aws.Context, input *ListDistributionConfigurationsInput, fn func(*ListDistributionConfigurationsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListDistributionConfigurationsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListDistributionConfigurationsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListDistributionConfigurationsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListImageBuildVersions = "ListImageBuildVersions" + +// ListImageBuildVersionsRequest generates a "aws/request.Request" representing the +// client's request for the ListImageBuildVersions operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListImageBuildVersions for more information on using the ListImageBuildVersions +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListImageBuildVersionsRequest method. +// req, resp := client.ListImageBuildVersionsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/ListImageBuildVersions +func (c *Imagebuilder) ListImageBuildVersionsRequest(input *ListImageBuildVersionsInput) (req *request.Request, output *ListImageBuildVersionsOutput) { + op := &request.Operation{ + Name: opListImageBuildVersions, + HTTPMethod: "POST", + HTTPPath: "/ListImageBuildVersions", + Paginator: &request.Paginator{ + InputTokens: []string{"nextToken"}, + OutputTokens: []string{"nextToken"}, + LimitToken: "maxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &ListImageBuildVersionsInput{} + } + + output = &ListImageBuildVersionsOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListImageBuildVersions API operation for EC2 Image Builder. +// +// Returns a list of image build versions. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3975,6 +4537,113 @@ func (c *Imagebuilder) PutComponentPolicyWithContext(ctx aws.Context, input *Put return out, req.Send() } +const opPutContainerRecipePolicy = "PutContainerRecipePolicy" + +// PutContainerRecipePolicyRequest generates a "aws/request.Request" representing the +// client's request for the PutContainerRecipePolicy operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See PutContainerRecipePolicy for more information on using the PutContainerRecipePolicy +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the PutContainerRecipePolicyRequest method. +// req, resp := client.PutContainerRecipePolicyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/PutContainerRecipePolicy +func (c *Imagebuilder) PutContainerRecipePolicyRequest(input *PutContainerRecipePolicyInput) (req *request.Request, output *PutContainerRecipePolicyOutput) { + op := &request.Operation{ + Name: opPutContainerRecipePolicy, + HTTPMethod: "PUT", + HTTPPath: "/PutContainerRecipePolicy", + } + + if input == nil { + input = &PutContainerRecipePolicyInput{} + } + + output = &PutContainerRecipePolicyOutput{} + req = c.newRequest(op, input, output) + return +} + +// PutContainerRecipePolicy API operation for EC2 Image Builder. +// +// Applies a policy to a container image. We recommend that you call the RAM +// API CreateResourceShare (https://docs.aws.amazon.com/ram/latest/APIReference/API_CreateResourceShare.html) +// to share resources. If you call the Image Builder API PutContainerImagePolicy, +// you must also call the RAM API PromoteResourceShareCreatedFromPolicy (https://docs.aws.amazon.com/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html) +// in order for the resource to be visible to all principals with whom the resource +// is shared. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for EC2 Image Builder's +// API operation PutContainerRecipePolicy for usage and error information. +// +// Returned Error Types: +// * ServiceException +// This exception is thrown when the service encounters an unrecoverable exception. +// +// * ClientException +// These errors are usually caused by a client action, such as using an action +// or resource on behalf of a user that doesn't have permissions to use the +// action or resource, or specifying an invalid resource identifier. +// +// * ServiceUnavailableException +// The service is unable to process your request at this time. +// +// * InvalidRequestException +// You have made a request for an action that is not supported by the service. +// +// * InvalidParameterValueException +// The value that you provided for the specified parameter is invalid. +// +// * ResourceNotFoundException +// At least one of the resources referenced by your request does not exist. +// +// * ForbiddenException +// You are not authorized to perform the requested operation. +// +// * CallRateLimitExceededException +// You have exceeded the permitted request rate for the specific operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/imagebuilder-2019-12-02/PutContainerRecipePolicy +func (c *Imagebuilder) PutContainerRecipePolicy(input *PutContainerRecipePolicyInput) (*PutContainerRecipePolicyOutput, error) { + req, out := c.PutContainerRecipePolicyRequest(input) + return out, req.Send() +} + +// PutContainerRecipePolicyWithContext is the same as PutContainerRecipePolicy with the addition of +// the ability to pass a context and additional request options. +// +// See PutContainerRecipePolicy for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Imagebuilder) PutContainerRecipePolicyWithContext(ctx aws.Context, input *PutContainerRecipePolicyInput, opts ...request.Option) (*PutContainerRecipePolicyOutput, error) { + req, out := c.PutContainerRecipePolicyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opPutImagePolicy = "PutImagePolicy" // PutImagePolicyRequest generates a "aws/request.Request" representing the @@ -5563,20 +6232,371 @@ func (s *ComponentVersion) SetVersion(v string) *ComponentVersion { return s } -type CreateComponentInput struct { +// A container encapsulates the runtime environment for an application. +type Container struct { _ struct{} `type:"structure"` - // The change description of the component. Describes what change has been made - // in this version, or what makes this version different from other versions - // of this component. - ChangeDescription *string `locationName:"changeDescription" min:"1" type:"string"` + // A list of URIs for containers created in the context Region. + ImageUris []*string `locationName:"imageUris" type:"list"` - // The idempotency token of the component. - ClientToken *string `locationName:"clientToken" min:"1" type:"string" idempotencyToken:"true"` + // Containers and container images are Region-specific. This is the Region context + // for the container. + Region *string `locationName:"region" min:"1" type:"string"` +} - // The data of the component. Used to specify the data inline. Either data or - // uri can be used to specify the data within the component. - Data *string `locationName:"data" min:"1" type:"string"` +// String returns the string representation +func (s Container) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Container) GoString() string { + return s.String() +} + +// SetImageUris sets the ImageUris field's value. +func (s *Container) SetImageUris(v []*string) *Container { + s.ImageUris = v + return s +} + +// SetRegion sets the Region field's value. +func (s *Container) SetRegion(v string) *Container { + s.Region = &v + return s +} + +// Container distribution settings for encryption, licensing, and sharing in +// a specific Region. +type ContainerDistributionConfiguration struct { + _ struct{} `type:"structure"` + + // Tags that are attached to the container distribution configuration. + ContainerTags []*string `locationName:"containerTags" type:"list"` + + // The description of the container distribution configuration. + Description *string `locationName:"description" min:"1" type:"string"` + + // The destination repository for the container distribution configuration. + // + // TargetRepository is a required field + TargetRepository *TargetContainerRepository `locationName:"targetRepository" type:"structure" required:"true"` +} + +// String returns the string representation +func (s ContainerDistributionConfiguration) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ContainerDistributionConfiguration) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ContainerDistributionConfiguration) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ContainerDistributionConfiguration"} + if s.Description != nil && len(*s.Description) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Description", 1)) + } + if s.TargetRepository == nil { + invalidParams.Add(request.NewErrParamRequired("TargetRepository")) + } + if s.TargetRepository != nil { + if err := s.TargetRepository.Validate(); err != nil { + invalidParams.AddNested("TargetRepository", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetContainerTags sets the ContainerTags field's value. +func (s *ContainerDistributionConfiguration) SetContainerTags(v []*string) *ContainerDistributionConfiguration { + s.ContainerTags = v + return s +} + +// SetDescription sets the Description field's value. +func (s *ContainerDistributionConfiguration) SetDescription(v string) *ContainerDistributionConfiguration { + s.Description = &v + return s +} + +// SetTargetRepository sets the TargetRepository field's value. +func (s *ContainerDistributionConfiguration) SetTargetRepository(v *TargetContainerRepository) *ContainerDistributionConfiguration { + s.TargetRepository = v + return s +} + +// A container recipe. +type ContainerRecipe struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the container recipe. + Arn *string `locationName:"arn" type:"string"` + + // Components for build and test that are included in the container recipe. + Components []*ComponentConfiguration `locationName:"components" min:"1" type:"list"` + + // Specifies the type of container, such as Docker. + ContainerType *string `locationName:"containerType" type:"string" enum:"ContainerType"` + + // The date when this container recipe was created. + DateCreated *string `locationName:"dateCreated" type:"string"` + + // The description of the container recipe. + Description *string `locationName:"description" min:"1" type:"string"` + + // Dockerfiles are text documents that are used to build Docker containers, + // and ensure that they contain all of the elements required by the application + // running inside. The template data consists of contextual variables where + // Image Builder places build information or scripts, based on your container + // image recipe. + DockerfileTemplateData *string `locationName:"dockerfileTemplateData" type:"string"` + + // A flag that indicates if the target container is encrypted. + Encrypted *bool `locationName:"encrypted" type:"boolean"` + + // Identifies which KMS key is used to encrypt the container image for distribution + // to the target Region. + KmsKeyId *string `locationName:"kmsKeyId" min:"1" type:"string"` + + // The name of the container recipe. + Name *string `locationName:"name" type:"string"` + + // The owner of the container recipe. + Owner *string `locationName:"owner" min:"1" type:"string"` + + // The source image for the container recipe. + ParentImage *string `locationName:"parentImage" min:"1" type:"string"` + + // The system platform for the container, such as Windows or Linux. + Platform *string `locationName:"platform" type:"string" enum:"Platform"` + + // Tags that are attached to the container recipe. + Tags map[string]*string `locationName:"tags" min:"1" type:"map"` + + // The destination repository for the container image. + TargetRepository *TargetContainerRepository `locationName:"targetRepository" type:"structure"` + + // The semantic version of the container recipe (