feat(client-kms): Support for on-demand rotation of AWS KMS Multi-Region keys with imported key material

Author: awstools

clients/client-kms/src/commands/DeleteImportedKeyMaterialCommand.ts

@@ -34,6 +34,20 @@ export interface DeleteImportedKeyMaterialCommandOutput extends DeleteImportedKe
  *          <p>When the specified KMS key is in the <code>PendingDeletion</code> state, this operation
  *       does not change the KMS key's state. Otherwise, it changes the KMS key's state to
  *         <code>PendingImport</code>.</p>
+ *          <p class="title">
+ *             <b>Considerations for multi-Region symmetric encryption keys</b>
+ *          </p>
+ *          <ul>
+ *             <li>
+ *                <p>When you delete the key material of a primary Region key that is in
+ *             <code>PENDING_ROTATION</code> or <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code>state,
+ *             you'll also be deleting the key materials for the replica Region keys.</p>
+ *             </li>
+ *             <li>
+ *                <p>If you delete any key material of a replica Region key, the primary Region key and
+ *           other replica Region keys remain unchanged.</p>
+ *             </li>
+ *          </ul>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *          <p>

clients/client-kms/src/commands/ImportKeyMaterialCommand.ts

@@ -34,9 +34,28 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
  *       generate and import your own key material. For more information about importing key material,
  *       see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
  *         material</a>.</p>
- *          <p>For asymmetric, HMAC and multi-Region keys, you cannot change the key material after the
- *       initial import. You can import multiple key materials into single-Region, symmetric encryption
- *       keys and rotate the key material on demand using <code>RotateKeyOnDemand</code>.</p>
+ *          <p>For asymmetric and HMAC keys, you cannot change the key material after the initial import.
+ *       You can import multiple key materials into symmetric encryption keys and rotate the key
+ *       material on demand using <code>RotateKeyOnDemand</code>.</p>
+ *          <p>You can import new key materials into multi-Region symmetric encryption keys. To do so, you must
+ *       import the new key material into the primary Region key. Then you can import the same key
+ *       materials into the replica Region keys. You cannot directly import new key material into
+ *       the replica Region keys.</p>
+ *          <p>To import new key material for a multi-Region symmetric key, you’ll need to complete the
+ *       following:</p>
+ *          <ol>
+ *             <li>
+ *                <p>Call <code>ImportKeyMaterial</code> on the primary Region key with the
+ *             <code>ImportType</code>set to <code>NEW_KEY_MATERIAL</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>Call <code>ImportKeyMaterial</code> on the replica Region key with the
+ *             <code>ImportType</code> set to <code>EXISTING_KEY_MATERIAL</code> using the same key
+ *             material imported to the primary Region key. You must do this for every replica
+ *             Region key before you can perform the <a>RotateKeyOnDemand</a> operation
+ *             on the primary Region key.</p>
+ *             </li>
+ *          </ol>
  *          <p>After you import key material, you can <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#reimport-key-material">reimport
  *         the same key material</a> into that KMS key or, if the key supports on-demand rotation,
  *       import new key material. You can use the <code>ImportType</code> parameter to indicate whether
@@ -68,15 +87,15 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
  *           your key material.</p>
  *             </li>
  *          </ul>
- *          <p> Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key
+ *          <p>Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key
  *       material and import token. When calling this operation, you must specify the following
  *       values:</p>
  *          <ul>
  *             <li>
  *                <p>The key ID or key ARN of the KMS key to associate with the imported key material. Its
  *             <code>Origin</code> must be <code>EXTERNAL</code> and its <code>KeyState</code> must be
- *             <code>PendingImport</code>. You cannot perform this operation on a KMS key in a
- *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>, or on a KMS key in a different Amazon Web Services account. To get the
+ *             <code>PendingImport</code> or <code>Enabled</code>. You cannot perform this operation on
+ *             a KMS key in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>, or on a KMS key in a different Amazon Web Services account. To get the
  *             <code>Origin</code> and <code>KeyState</code> of a KMS key, call <a>DescribeKey</a>.</p>
  *             </li>
  *             <li>
@@ -96,12 +115,11 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
  *           time you reimport, you can eliminate or reset the expiration time.</p>
  *             </li>
  *          </ul>
- *          <p>When this operation is successful, the key state of the KMS key changes from
- *         <code>PendingImport</code> to <code>Enabled</code>, and you can use the KMS key in
- *       cryptographic operations. For single-Region, symmetric encryption keys, you will need to
- *       import all of the key materials associated with the KMS key to change its state to
- *         <code>Enabled</code>. Use the <code>ListKeyRotations</code> operation to list the ID and
- *       import state of each key material associated with a KMS key.</p>
+ *          <p>When this operation is successful, the state of the KMS key changes to <code>Enabled</code>,
+ *       and you can use the KMS key in cryptographic operations. For symmetric encryption keys, you will
+ *       need to import all of the key materials associated with the KMS key to change its state to
+ *       <code>Enabled</code>. Use the <code>ListKeyRotations</code> operation to list the ID and import
+ *       state of each key material associated with a KMS key.</p>
  *          <p>If this operation fails, use the exception to help determine the problem. If the error is
  *       related to the key material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import token for the KMS key
  *       and repeat the import procedure. For help, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-conceptual.html">Create a KMS key with imported key

clients/client-kms/src/commands/ListKeyRotationsCommand.ts

@@ -99,7 +99,7 @@ export interface ListKeyRotationsCommandOutput extends ListKeyRotationsResponse,
  * //       KeyMaterialId: "STRING_VALUE",
  * //       KeyMaterialDescription: "STRING_VALUE",
  * //       ImportState: "IMPORTED" || "PENDING_IMPORT",
- * //       KeyMaterialState: "NON_CURRENT" || "CURRENT" || "PENDING_ROTATION",
+ * //       KeyMaterialState: "NON_CURRENT" || "CURRENT" || "PENDING_ROTATION" || "PENDING_MULTI_REGION_IMPORT_AND_ROTATION",
  * //       ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
  * //       ValidTo: new Date("TIMESTAMP"),
  * //       RotationDate: new Date("TIMESTAMP"),

clients/client-kms/src/commands/RotateKeyOnDemandCommand.ts

@@ -46,15 +46,14 @@ export interface RotateKeyOnDemandCommandOutput extends RotateKeyOnDemandRespons
  *       on-demand rotations were performed. You can monitor rotation of the key material for your KMS
  *       keys in CloudTrail and Amazon CloudWatch.</p>
  *          <p>On-demand key rotation is supported only on symmetric encryption KMS keys. You cannot
- *       perform on-demand rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, multi-Region KMS
- *       keys with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key
- *         material</a>, or KMS keys in a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>. When you initiate on-demand key
- *       rotation on a symmetric encryption KMS key with imported key material, you must have already
- *       imported <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html">new key material</a> and that
+ *       perform on-demand rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, or KMS keys in a
+ *       <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html">custom key store</a>. When you initiate on-demand key rotation on a symmetric encryption KMS key
+ *       with imported key material, you must have already imported <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html">new key material</a> and that
  *       key material's state should be <code>PENDING_ROTATION</code>. Use the
  *         <code>ListKeyRotations</code> operation to check the state of all key materials associated
- *       with a KMS key. To perform on-demand rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate">multi-Region keys</a>, invoke
- *       the on-demand rotation on the primary key.</p>
+ *       with a KMS key. To perform on-demand rotation of a set of related <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#multi-region-rotate">multi-Region keys</a>, import
+ *         new key material in the primary Region key, import the same key material in each replica
+ *         Region key, and invoke the on-demand rotation on the primary Region key.</p>
  *          <p>You cannot initiate on-demand rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key">Amazon Web Services managed KMS keys</a>. KMS
  *       always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-key">Amazon Web Services owned KMS
  *         keys</a> is managed by the Amazon Web Services service that owns the key.</p>

clients/client-kms/src/models/enums.ts

@@ -427,6 +427,7 @@ export type IncludeKeyMaterial = (typeof IncludeKeyMaterial)[keyof typeof Includ
 export const KeyMaterialState = {
   CURRENT: "CURRENT",
   NON_CURRENT: "NON_CURRENT",
+  PENDING_MULTI_REGION_IMPORT_AND_ROTATION: "PENDING_MULTI_REGION_IMPORT_AND_ROTATION",
   PENDING_ROTATION: "PENDING_ROTATION",
 } as const;
 /**

clients/client-kms/src/models/models_0.ts

@@ -1292,11 +1292,10 @@ export interface KeyMetadata {
 
   /**
    * <p>Identifies the current key material. This value is present for symmetric encryption keys
-   *       with <code>AWS_KMS</code> origin and single-Region, symmetric encryption keys with
-   *         <code>EXTERNAL</code> origin. These KMS keys support automatic or on-demand key rotation and
-   *       can have multiple key materials associated with them. KMS uses the current key material for
-   *       both encryption and decryption, and the non-current key material for decryption operations
-   *       only.</p>
+   *       with <code>AWS_KMS</code> or <code>EXTERNAL</code> origin. These KMS keys support automatic
+   *       or on-demand key rotation and can have multiple key materials associated with them. KMS uses
+   *       the current key material for both encryption and decryption, and the non-current key material
+   *       for decryption operations only.</p>
    * @public
    */
   CurrentKeyMaterialId?: string | undefined;
@@ -3511,6 +3510,10 @@ export interface ImportKeyMaterialRequest {
    *       parameter defaults to <code>NEW_KEY_MATERIAL</code>. After the first key material is imported,
    *       if this parameter is omitted then the parameter defaults to
    *       <code>EXISTING_KEY_MATERIAL</code>.</p>
+   *          <p>For multi-Region keys, you must first import new key material into
+   * the primary Region key. You should use the <code>NEW_KEY_MATERIAL</code> import type when importing key
+   * material into the primary Region key. Then, you can import the same key material into the replica Region
+   * key. The import type for the replica Region key should be <code>EXISTING_KEY_MATERIAL</code>.</p>
    * @public
    */
   ImportType?: ImportType | undefined;
@@ -3897,14 +3900,20 @@ export interface RotationsListEntry {
   ImportState?: ImportState | undefined;
 
   /**
-   * <p>There are three possible values for this field: <code>CURRENT</code>,
-   *         <code>NON_CURRENT</code> and <code>PENDING_ROTATION</code>. KMS uses <code>CURRENT</code>
+   * <p>There are four possible values for this field: <code>CURRENT</code>,
+   *         <code>NON_CURRENT</code>, <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code> and
+   *         <code>PENDING_ROTATION</code>. KMS uses <code>CURRENT</code>
    *       key material for both encryption and decryption and <code>NON_CURRENT</code> key material only
    *       for decryption. <code>PENDING_ROTATION</code> identifies key material that has been imported
-   *       for on-demand key rotation but the rotation hasn't completed. Key material in
-   *         <code>PENDING_ROTATION</code> is not permanently associated with the KMS key. You can delete
-   *       this key material and import different key material in its place. The
-   *         <code>PENDING_ROTATION</code> value is only used in symmetric encryption keys with imported
+   *       for on-demand key rotation but the rotation hasn't completed. The key material state
+   *       <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code> is unique to multi-region,
+   *       symmetric encryption keys with imported key material. It indicates key material that has
+   *       been imported into the primary Region key but not all of the replica Region keys. When this key material
+   *       is imported in to all of the replica Region keys, the key material state will change to
+   *       <code>PENDING_ROTATION</code>. Key material in <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code>
+   *       or <code>PENDING_ROTATION</code> state is not permanently associated with the KMS key. You can delete
+   *       this key material and import different key material in its place. The <code>PENDING_MULTI_REGION_IMPORT_AND_ROTATION</code>
+   *       and <code>PENDING_ROTATION</code> values are only used in symmetric encryption keys with imported
    *       key material. The other values, <code>CURRENT</code> and <code>NON_CURRENT</code>, are used
    *       for all KMS keys that support automatic or on-demand key rotation.</p>
    * @public