API version 2014-11-01 of the Amazon Key Management Service SDK configuration.

The request was rejected because the marker that specifies where pagination should next begin is not valid.

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS key in the /Key Management Service Developer Guide/ .

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.
• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

The request was rejected because the specified policy is not syntactically or semantically correct.

The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

The request was rejected because the specified KMS key is not enabled.

The request was rejected because the specified KMS key was not available. You can retry the request.

The request was rejected because the key material in the request is, expired, invalid, or is not the same key material that was previously imported into this KMS key.

The request was rejected because an internal exception occurred. The request can be retried.

The request was rejected because one or more tags are not valid.

The request was rejected because the custom key store contains KMS keys. After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion operation to delete the KMS keys. After they are deleted, you can delete the custom key store.

The request was rejected because the provided import token is invalid or is associated with a different KMS key.

The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster.

Specify a cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.

The request was rejected because the trust anchor certificate in the request is not the trust anchor certificate for the specified CloudHSM cluster.

When you initialize the cluster, you create the trust anchor certificate and save it in the customerCA.crt file.

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for a custom key store.

• The cluster must be configured with private subnets in at least two different Availability Zones in the Region.
• The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.

• The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation.

  For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.

For information about the requirements for an CloudHSM cluster that is associated with a custom key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the /CloudHSM User Guide/ .

The request was rejected because the CloudHSM cluster that is associated with the custom key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide.

The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

The request was rejected because the specified entity or resource could not be found.

The request was rejected because the signature verification failed. Signature verification fails when it cannot confirm that signature was produced by signing the specified message with the specified KMS key and signing algorithm.

The request was rejected because the specified alias name is not valid.

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the CreateKey or GenerateRandom operation in a custom key store that is not connected. These operations are valid only when the custom key store ConnectionState is CONNECTED.
• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.
• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values.

The request was rejected because the specified GrantId is not valid.

The request was rejected because the specified grant token is not valid.

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

The system timed out while trying to fulfill the request. The request can be retried.

The request was rejected because the specified import token is expired. Use GetParametersForImport to get a new import token and public key, use the new public key to encrypt the key material, and then try the request again.

From the Decrypt or ReEncrypt operation, the request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.

From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the encrypted (wrapped) key material.

The request was rejected because the specified CloudHSM cluster is already associated with a custom key store or it shares a backup history with a cluster that is associated with a custom key store. Each custom key store must be associated with a different CloudHSM cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.

The request was rejected because the specified KMS key cannot decrypt the data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must identify the same KMS key that was used to encrypt the ciphertext.

The request was rejected because it attempted to create a resource that already exists.

The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

See: newEncrypt smart constructor.

Create a value of Encrypt with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:encryptionContext:Encrypt', encrypt_encryptionContext - Specifies the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric KMS key. The standard asymmetric encryption algorithms that KMS uses do not support an encryption context.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric KMS key, but it is highly recommended.

For more information, see Encryption Context in the Key Management Service Developer Guide.

$sel:grantTokens:Encrypt', encrypt_grantTokens - A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

$sel:encryptionAlgorithm:Encrypt', encrypt_encryptionAlgorithm - Specifies the encryption algorithm that KMS will use to encrypt the plaintext message. The algorithm must be compatible with the KMS key that you specify.

This parameter is required only for asymmetric KMS keys. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric KMS keys. If you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.

$sel:keyId:Encrypt', encrypt_keyId - Identifies the KMS key to use in the encryption operation.

To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
• Alias name: alias/ExampleAlias
• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

$sel:plaintext:Encrypt', encrypt_plaintext - Data to be encrypted.-- -- Note: This Lens automatically encodes and decodes Base64 data. -- The underlying isomorphism will encode to Base64 representation during -- serialisation, and decode from Base64 representation during deserialisation. -- This Lens accepts and returns only raw unencoded data.

See: newEncryptResponse smart constructor.

Create a value of EncryptResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:keyId:Encrypt', encryptResponse_keyId - The Amazon Resource Name (key ARN) of the KMS key that was used to encrypt the plaintext.

$sel:encryptionAlgorithm:Encrypt', encryptResponse_encryptionAlgorithm - The encryption algorithm that was used to encrypt the plaintext.

$sel:ciphertextBlob:EncryptResponse', encryptResponse_ciphertextBlob - The encrypted plaintext. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.-- -- Note: This Lens automatically encodes and decodes Base64 data. -- The underlying isomorphism will encode to Base64 representation during -- serialisation, and decode from Base64 representation during deserialisation. -- This Lens accepts and returns only raw unencoded data.

$sel:httpStatus:EncryptResponse', encryptResponse_httpStatus - The response's http status code.

See: newCreateCustomKeyStore smart constructor.

Create a value of CreateCustomKeyStore with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:customKeyStoreName:CreateCustomKeyStore', createCustomKeyStore_customKeyStoreName - Specifies a friendly name for the custom key store. The name must be unique in your Amazon Web Services account.

$sel:cloudHsmClusterId:CreateCustomKeyStore', createCustomKeyStore_cloudHsmClusterId - Identifies the CloudHSM cluster for the custom key store. Enter the cluster ID of any active CloudHSM cluster that is not already associated with a custom key store. To find the cluster ID, use the DescribeClusters operation.

$sel:trustAnchorCertificate:CreateCustomKeyStore', createCustomKeyStore_trustAnchorCertificate - Enter the content of the trust anchor certificate for the cluster. This is the content of the customerCA.crt file that you created when you initialized the cluster.

$sel:keyStorePassword:CreateCustomKeyStore', createCustomKeyStore_keyStorePassword - Enter the password of the kmsuser crypto user (CU) account in the specified CloudHSM cluster. KMS logs into the cluster as this user to manage key material on your behalf.

The password must be a string of 7 to 32 characters. Its value is case sensitive.

This parameter tells KMS the kmsuser account password; it does not change the password in the CloudHSM cluster.

See: newCreateCustomKeyStoreResponse smart constructor.

Create a value of CreateCustomKeyStoreResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:customKeyStoreId:CreateCustomKeyStoreResponse', createCustomKeyStoreResponse_customKeyStoreId - A unique identifier for the new custom key store.

$sel:httpStatus:CreateCustomKeyStoreResponse', createCustomKeyStoreResponse_httpStatus - The response's http status code.

See: newListGrants smart constructor.

Create a value of ListGrants with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:grantId:ListGrants', listGrants_grantId - Returns only the grant with the specified grant ID. The grant ID uniquely identifies the grant.

$sel:granteePrincipal:ListGrants', listGrants_granteePrincipal - Returns only grants where the specified principal is the grantee principal for the grant.

$sel:marker:ListGrants', listGrants_marker - Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextMarker from the truncated response you just received.

$sel:limit:ListGrants', listGrants_limit - Use this parameter to specify the maximum number of items to return. When this value is present, KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.

$sel:keyId:ListGrants', listGrants_keyId - Returns only grants for the specified KMS key. This parameter is required.

Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

See: newListGrantsResponse smart constructor.

Create a value of ListGrantsResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:truncated:ListGrantsResponse', listGrantsResponse_truncated - A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

$sel:grants:ListGrantsResponse', listGrantsResponse_grants - A list of grants.

$sel:nextMarker:ListGrantsResponse', listGrantsResponse_nextMarker - When Truncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent request.

See: newDisableKeyRotation smart constructor.

Create a value of DisableKeyRotation with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:keyId:DisableKeyRotation', disableKeyRotation_keyId - Identifies a symmetric KMS key. You cannot enable or disable automatic rotation of asymmetric KMS keys, KMS keys with imported key material, or KMS keys in a custom key store.

Specify the key ID or key ARN of the KMS key.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

See: newDisableKeyRotationResponse smart constructor.

Create a value of DisableKeyRotationResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

See: newVerify smart constructor.

Create a value of Verify with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:messageType:Verify', verify_messageType - Tells KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

$sel:grantTokens:Verify', verify_grantTokens - A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

$sel:keyId:Verify', verify_keyId - Identifies the asymmetric KMS key that will be used to verify the signature. This must be the same KMS key that was used to generate the signature. If you specify a different KMS key, the signature verification fails.

To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
• Alias name: alias/ExampleAlias
• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

$sel:message:Verify', verify_message - Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.-- -- Note: This Lens automatically encodes and decodes Base64 data. -- The underlying isomorphism will encode to Base64 representation during -- serialisation, and decode from Base64 representation during deserialisation. -- This Lens accepts and returns only raw unencoded data.

$sel:signature:Verify', verify_signature - The signature that the Sign operation generated.-- -- Note: This Lens automatically encodes and decodes Base64 data. -- The underlying isomorphism will encode to Base64 representation during -- serialisation, and decode from Base64 representation during deserialisation. -- This Lens accepts and returns only raw unencoded data.

$sel:signingAlgorithm:Verify', verify_signingAlgorithm - The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

See: newVerifyResponse smart constructor.

Create a value of VerifyResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:signingAlgorithm:Verify', verifyResponse_signingAlgorithm - The signing algorithm that was used to verify the signature.

$sel:signatureValid:VerifyResponse', verifyResponse_signatureValid - A Boolean value that indicates whether the signature was verified. A value of True indicates that the Signature was produced by signing the Message with the specified KeyID and SigningAlgorithm. If the signature is not verified, the Verify operation fails with a KMSInvalidSignatureException exception.

$sel:keyId:Verify', verifyResponse_keyId - The Amazon Resource Name (key ARN) of the asymmetric KMS key that was used to verify the signature.

$sel:httpStatus:VerifyResponse', verifyResponse_httpStatus - The response's http status code.

See: newGenerateDataKeyWithoutPlaintext smart constructor.

Create a value of GenerateDataKeyWithoutPlaintext with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:keySpec:GenerateDataKeyWithoutPlaintext', generateDataKeyWithoutPlaintext_keySpec - The length of the data key. Use AES_128 to generate a 128-bit symmetric key, or AES_256 to generate a 256-bit symmetric key.

$sel:encryptionContext:GenerateDataKeyWithoutPlaintext', generateDataKeyWithoutPlaintext_encryptionContext - Specifies the encryption context that will be used when encrypting the data key.

An encryption context is a collection of non-secret key-value pairs that represents additional authenticated data. When you use an encryption context to encrypt data, you must specify the same (an exact case-sensitive match) encryption context to decrypt the data. An encryption context is optional when encrypting with a symmetric KMS key, but it is highly recommended.

For more information, see Encryption Context in the Key Management Service Developer Guide.

$sel:numberOfBytes:GenerateDataKeyWithoutPlaintext', generateDataKeyWithoutPlaintext_numberOfBytes - The length of the data key in bytes. For example, use the value 64 to generate a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), we recommend that you use the KeySpec field instead of this one.

$sel:grantTokens:GenerateDataKeyWithoutPlaintext', generateDataKeyWithoutPlaintext_grantTokens - A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

$sel:keyId:GenerateDataKeyWithoutPlaintext', generateDataKeyWithoutPlaintext_keyId - The identifier of the symmetric KMS key that encrypts the data key.

To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
• Alias name: alias/ExampleAlias
• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

See: newGenerateDataKeyWithoutPlaintextResponse smart constructor.

Create a value of GenerateDataKeyWithoutPlaintextResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:keyId:GenerateDataKeyWithoutPlaintext', generateDataKeyWithoutPlaintextResponse_keyId - The Amazon Resource Name (key ARN) of the KMS key that encrypted the data key.

$sel:ciphertextBlob:GenerateDataKeyWithoutPlaintextResponse', generateDataKeyWithoutPlaintextResponse_ciphertextBlob - The encrypted data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.-- -- Note: This Lens automatically encodes and decodes Base64 data. -- The underlying isomorphism will encode to Base64 representation during -- serialisation, and decode from Base64 representation during deserialisation. -- This Lens accepts and returns only raw unencoded data.

$sel:httpStatus:GenerateDataKeyWithoutPlaintextResponse', generateDataKeyWithoutPlaintextResponse_httpStatus - The response's http status code.

See: newUpdateCustomKeyStore smart constructor.