/*
* Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package com.amazonaws.services.kms;
import javax.annotation.Generated;
import com.amazonaws.*;
import com.amazonaws.regions.*;
import com.amazonaws.services.kms.model.*;
/**
* Interface for accessing KMS.
* <p>
* <b>Note:</b> Do not directly implement this interface, new methods are added to it regularly. Extend from
* {@link com.amazonaws.services.kms.AbstractAWSKMS} instead.
* </p>
* <p>
* <fullname>AWS Key Management Service</fullname>
* <p>
* AWS Key Management Service (AWS KMS) is an encryption and key management web service. This guide describes the AWS
* KMS operations that you can call programmatically. For general information about AWS KMS, see the <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/">AWS Key Management Service Developer Guide</a>.
* </p>
* <note>
* <p>
* AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java,
* Ruby, .Net, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to AWS KMS and other
* AWS services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and
* retrying requests automatically. For more information about the AWS SDKs, including how to download and install them,
* see <a href="http://aws.amazon.com/tools/">Tools for Amazon Web Services</a>.
* </p>
* </note>
* <p>
* We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS.
* </p>
* <p>
* Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher
* suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral
* Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
* </p>
* <p>
* <b>Signing Requests</b>
* </p>
* <p>
* Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you <i>do
* not</i> use your AWS account (root) access key ID and secret key for everyday work with AWS KMS. Instead, use the
* access key ID and secret access key for an IAM user, or you can use the AWS Security Token Service to generate
* temporary security credentials that you can use to sign requests.
* </p>
* <p>
* All AWS KMS operations require <a
* href="http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>.
* </p>
* <p>
* <b>Logging API Requests</b>
* </p>
* <p>
* AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related events for your AWS account and
* delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can
* determine what requests were made to AWS KMS, who made the request, when it was made, and so on. To learn more about
* CloudTrail, including how to turn it on and find your log files, see the <a
* href="http://docs.aws.amazon.com/awscloudtrail/latest/userguide/">AWS CloudTrail User Guide</a>.
* </p>
* <p>
* <b>Additional Resources</b>
* </p>
* <p>
* For more information about credentials and request signing, see the following:
* </p>
* <ul>
* <li>
* <p>
* <a href="http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html">AWS Security Credentials</a> -
* This topic provides general information about the types of credentials used for accessing AWS.
* </p>
* </li>
* <li>
* <p>
* <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security Credentials</a>
* - This section of the <i>IAM User Guide</i> describes how to create and use temporary security credentials.
* </p>
* </li>
* <li>
* <p>
* <a href="http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4 Signing
* Process</a> - This set of topics walks you through the process of signing a request using an access key ID and a
* secret access key.
* </p>
* </li>
* </ul>
* <p>
* <b>Commonly Used APIs</b>
* </p>
* <p>
* Of the APIs discussed in this guide, the following will prove the most useful for most applications. You will likely
* perform actions other than these, such as creating keys and assigning policies, by using the console.
* </p>
* <ul>
* <li>
* <p>
* <a>Encrypt</a>
* </p>
* </li>
* <li>
* <p>
* <a>Decrypt</a>
* </p>
* </li>
* <li>
* <p>
* <a>GenerateDataKey</a>
* </p>
* </li>
* <li>
* <p>
* <a>GenerateDataKeyWithoutPlaintext</a>
* </p>
* </li>
* </ul>
*/
@Generated("com.amazonaws:aws-java-sdk-code-generator")
public interface AWSKMS {
/**
* The region metadata service name for computing region endpoints. You can use this value to retrieve metadata
* (such as supported regions) of the service.
*
* @see RegionUtils#getRegionsForService(String)
*/
String ENDPOINT_PREFIX = "kms";
/**
* Overrides the default endpoint for this client ("https://kms.us-east-1.amazonaws.com/"). Callers can use this
* method to control which AWS region they want to work with.
* <p>
* Callers can pass in just the endpoint (ex: "kms.us-east-1.amazonaws.com/") or a full URL, including the protocol
* (ex: "https://kms.us-east-1.amazonaws.com/"). If the protocol is not specified here, the default protocol from
* this client's {@link ClientConfiguration} will be used, which by default is HTTPS.
* <p>
* For more information on using AWS regions with the AWS SDK for Java, and a complete list of all available
* endpoints for all AWS services, see: <a
* href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=3912">
* http://developer.amazonwebservices.com/connect/entry.jspa?externalID=3912</a>
* <p>
* <b>This method is not threadsafe. An endpoint should be configured when the client is created and before any
* service requests are made. Changing it afterwards creates inevitable race conditions for any service requests in
* transit or retrying.</b>
*
* @param endpoint
* The endpoint (ex: "kms.us-east-1.amazonaws.com/") or a full URL, including the protocol (ex:
* "https://kms.us-east-1.amazonaws.com/") of the region specific AWS endpoint this client will communicate
* with.
* @deprecated use {@link AwsClientBuilder#setEndpointConfiguration(AwsClientBuilder.EndpointConfiguration)} for
* example:
* {@code builder.setEndpointConfiguration(new EndpointConfiguration(endpoint, signingRegion));}
*/
@Deprecated
void setEndpoint(String endpoint);
/**
* An alternative to {@link AWSKMS#setEndpoint(String)}, sets the regional endpoint for this client's service calls.
* Callers can use this method to control which AWS region they want to work with.
* <p>
* By default, all service endpoints in all regions use the https protocol. To use http instead, specify it in the
* {@link ClientConfiguration} supplied at construction.
* <p>
* <b>This method is not threadsafe. A region should be configured when the client is created and before any service
* requests are made. Changing it afterwards creates inevitable race conditions for any service requests in transit
* or retrying.</b>
*
* @param region
* The region this client will communicate with. See {@link Region#getRegion(com.amazonaws.regions.Regions)}
* for accessing a given region. Must not be null and must be a region where the service is available.
*
* @see Region#getRegion(com.amazonaws.regions.Regions)
* @see Region#createClient(Class, com.amazonaws.auth.AWSCredentialsProvider, ClientConfiguration)
* @see Region#isServiceSupported(String)
* @deprecated use {@link AwsClientBuilder#setRegion(String)}
*/
@Deprecated
void setRegion(Region region);
/**
* <p>
* Cancels the deletion of a customer master key (CMK). When this operation is successful, the CMK is set to the
* <code>Disabled</code> state. To enable a CMK, use <a>EnableKey</a>.
* </p>
* <p>
* For more information about scheduling and canceling deletion of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting Customer Master Keys</a>
* in the <i>AWS Key Management Service Developer Guide</i>.
* </p>
*
* @param cancelKeyDeletionRequest
* @return Result of the CancelKeyDeletion operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.CancelKeyDeletion
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion" target="_top">AWS API
* Documentation</a>
*/
CancelKeyDeletionResult cancelKeyDeletion(CancelKeyDeletionRequest cancelKeyDeletionRequest);
/**
* <p>
* Creates a display name for a customer master key. An alias can be used to identify a key and should be unique.
* The console enforces a one-to-one mapping between the alias and a key. An alias name can contain only
* alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). An alias must start with the word
* "alias" followed by a forward slash (alias/). An alias that begins with "aws" after the forward slash
* (alias/aws...) is reserved by Amazon Web Services (AWS).
* </p>
* <p>
* The alias and the key it is mapped to must be in the same AWS account and the same region.
* </p>
* <p>
* To map an alias to a different key, call <a>UpdateAlias</a>.
* </p>
*
* @param createAliasRequest
* @return Result of the CreateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws AlreadyExistsException
* The request was rejected because it attempted to create a resource that already exists.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidAliasNameException
* The request was rejected because the specified alias name is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Limits</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.CreateAlias
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias" target="_top">AWS API
* Documentation</a>
*/
CreateAliasResult createAlias(CreateAliasRequest createAliasRequest);
/**
* <p>
* Adds a grant to a key to specify who can use the key and under what conditions. Grants are alternate permission
* mechanisms to key policies.
* </p>
* <p>
* For more information about grants, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants</a> in the <i>AWS Key Management
* Service Developer Guide</i>.
* </p>
*
* @param createGrantRequest
* @return Result of the CreateGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Limits</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.CreateGrant
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant" target="_top">AWS API
* Documentation</a>
*/
CreateGrantResult createGrant(CreateGrantRequest createGrantRequest);
/**
* <p>
* Creates a customer master key (CMK).
* </p>
* <p>
* You can use a CMK to encrypt small amounts of data (4 KiB or less) directly, but CMKs are more commonly used to
* encrypt data encryption keys (DEKs), which are used to encrypt raw data. For more information about DEKs and the
* difference between CMKs and DEKs, see the following:
* </p>
* <ul>
* <li>
* <p>
* The <a>GenerateDataKey</a> operation
* </p>
* </li>
* <li>
* <p>
* <a href="http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html">AWS Key Management Service
* Concepts</a> in the <i>AWS Key Management Service Developer Guide</i>
* </p>
* </li>
* </ul>
*
* @param createKeyRequest
* @return Result of the CreateKey operation returned by the service.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Limits</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @sample AWSKMS.CreateKey
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API
* Documentation</a>
*/
CreateKeyResult createKey(CreateKeyRequest createKeyRequest);
/**
* Simplified method form for invoking the CreateKey operation.
*
* @see #createKey(CreateKeyRequest)
*/
CreateKeyResult createKey();
/**
* <p>
* Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted by using any of the following
* functions:
* </p>
* <ul>
* <li>
* <p>
* <a>GenerateDataKey</a>
* </p>
* </li>
* <li>
* <p>
* <a>GenerateDataKeyWithoutPlaintext</a>
* </p>
* </li>
* <li>
* <p>
* <a>Encrypt</a>
* </p>
* </li>
* </ul>
* <p>
* Note that if a caller has been granted access permissions to all keys (through, for example, IAM user policies
* that grant <code>Decrypt</code> permission on all resources), then ciphertext encrypted by using keys in other
* accounts where the key grants access to the caller can be decrypted. To remedy this, we recommend that you do not
* grant <code>Decrypt</code> access in an IAM user policy. Instead grant <code>Decrypt</code> access only in key
* policies. If you must grant <code>Decrypt</code> access in an IAM user policy, you should scope the resource to
* specific keys or to specific trusted accounts.
* </p>
*
* @param decryptRequest
* @return Result of the Decrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidCiphertextException
* The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. The request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.Decrypt
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt" target="_top">AWS API
* Documentation</a>
*/
DecryptResult decrypt(DecryptRequest decryptRequest);
/**
* <p>
* Deletes the specified alias. To map an alias to a different key, call <a>UpdateAlias</a>.
* </p>
*
* @param deleteAliasRequest
* @return Result of the DeleteAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.DeleteAlias
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias" target="_top">AWS API
* Documentation</a>
*/
DeleteAliasResult deleteAlias(DeleteAliasRequest deleteAliasRequest);
/**
* <p>
* Deletes key material that you previously imported and makes the specified customer master key (CMK) unusable. For
* more information about importing key material into AWS KMS, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
* <i>AWS Key Management Service Developer Guide</i>.
* </p>
* <p>
* When the specified CMK is in the <code>PendingDeletion</code> state, this operation does not change the CMK's
* state. Otherwise, it changes the CMK's state to <code>PendingImport</code>.
* </p>
* <p>
* After you delete key material, you can use <a>ImportKeyMaterial</a> to reimport the same key material into the
* CMK.
* </p>
*
* @param deleteImportedKeyMaterialRequest
* @return Result of the DeleteImportedKeyMaterial operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.DeleteImportedKeyMaterial
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial" target="_top">AWS
* API Documentation</a>
*/
DeleteImportedKeyMaterialResult deleteImportedKeyMaterial(DeleteImportedKeyMaterialRequest deleteImportedKeyMaterialRequest);
/**
* <p>
* Provides detailed information about the specified customer master key.
* </p>
*
* @param describeKeyRequest
* @return Result of the DescribeKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.DescribeKey
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey" target="_top">AWS API
* Documentation</a>
*/
DescribeKeyResult describeKey(DescribeKeyRequest describeKeyRequest);
/**
* <p>
* Sets the state of a customer master key (CMK) to disabled, thereby preventing its use for cryptographic
* operations. For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects the Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* </p>
*
* @param disableKeyRequest
* @return Result of the DisableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.DisableKey
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey" target="_top">AWS API
* Documentation</a>
*/
DisableKeyResult disableKey(DisableKeyRequest disableKeyRequest);
/**
* <p>
* Disables rotation of the specified key.
* </p>
*
* @param disableKeyRotationRequest
* @return Result of the DisableKeyRotation operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @sample AWSKMS.DisableKeyRotation
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation" target="_top">AWS API
* Documentation</a>
*/
DisableKeyRotationResult disableKeyRotation(DisableKeyRotationRequest disableKeyRotationRequest);
/**
* <p>
* Marks a key as enabled, thereby permitting its use.
* </p>
*
* @param enableKeyRequest
* @return Result of the EnableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Limits</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.EnableKey
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey" target="_top">AWS API
* Documentation</a>
*/
EnableKeyResult enableKey(EnableKeyRequest enableKeyRequest);
/**
* <p>
* Enables rotation of the specified customer master key.
* </p>
*
* @param enableKeyRotationRequest
* @return Result of the EnableKeyRotation operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @sample AWSKMS.EnableKeyRotation
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation" target="_top">AWS API
* Documentation</a>
*/
EnableKeyRotationResult enableKeyRotation(EnableKeyRotationRequest enableKeyRotationRequest);
/**
* <p>
* Encrypts plaintext into ciphertext by using a customer master key. The <code>Encrypt</code> function has two
* primary use cases:
* </p>
* <ul>
* <li>
* <p>
* You can encrypt up to 4 KB of arbitrary data such as an RSA key, a database password, or other sensitive customer
* information.
* </p>
* </li>
* <li>
* <p>
* If you are moving encrypted data from one region to another, you can use this API to encrypt in the new region
* the plaintext data key that was used to encrypt the data in the original region. This provides you with an
* encrypted copy of the data key that can be decrypted in the new region and used there to decrypt the encrypted
* data.
* </p>
* </li>
* </ul>
* <p>
* Unless you are moving encrypted data from one region to another, you don't use this function to encrypt a
* generated data key within a region. You retrieve data keys already encrypted by calling the
* <a>GenerateDataKey</a> or <a>GenerateDataKeyWithoutPlaintext</a> function. Data keys don't need to be encrypted
* again by calling <code>Encrypt</code>.
* </p>
* <p>
* If you want to encrypt data locally in your application, you can use the <code>GenerateDataKey</code> function to
* return a plaintext data encryption key and a copy of the key encrypted under the customer master key (CMK) of
* your choosing.
* </p>
*
* @param encryptRequest
* @return Result of the Encrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. The request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified <code>KeySpec</code> value is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.Encrypt
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt" target="_top">AWS API
* Documentation</a>
*/
EncryptResult encrypt(EncryptRequest encryptRequest);
/**
* <p>
* Returns a data encryption key that you can use in your application to encrypt data locally.
* </p>
* <p>
* You must specify the customer master key (CMK) under which to generate the data key. You must also specify the
* length of the data key using either the <code>KeySpec</code> or <code>NumberOfBytes</code> field. You must
* specify one field or the other, but not both. For common key lengths (128-bit and 256-bit symmetric keys), we
* recommend that you use <code>KeySpec</code>.
* </p>
* <p>
* This operation returns a plaintext copy of the data key in the <code>Plaintext</code> field of the response, and
* an encrypted copy of the data key in the <code>CiphertextBlob</code> field. The data key is encrypted under the
* CMK specified in the <code>KeyId</code> field of the request.
* </p>
* <p>
* We recommend that you use the following pattern to encrypt data locally in your application:
* </p>
* <ol>
* <li>
* <p>
* Use this operation (<code>GenerateDataKey</code>) to retrieve a data encryption key.
* </p>
* </li>
* <li>
* <p>
* Use the plaintext data encryption key (returned in the <code>Plaintext</code> field of the response) to encrypt
* data locally, then erase the plaintext data key from memory.
* </p>
* </li>
* <li>
* <p>
* Store the encrypted data key (returned in the <code>CiphertextBlob</code> field of the response) alongside the
* locally encrypted data.
* </p>
* </li>
* </ol>
* <p>
* To decrypt data locally:
* </p>
* <ol>
* <li>
* <p>
* Use the <a>Decrypt</a> operation to decrypt the encrypted data key into a plaintext copy of the data key.
* </p>
* </li>
* <li>
* <p>
* Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
* </p>
* </li>
* </ol>
* <p>
* To return only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To return a random
* byte string that is cryptographically secure, use <a>GenerateRandom</a>.
* </p>
* <p>
* If you use the optional <code>EncryptionContext</code> field, you must store at least enough information to be
* able to reconstruct the full encryption context when you later send the ciphertext to the <a>Decrypt</a>
* operation. It is a good practice to choose an encryption context that you can reconstruct on the fly to better
* secure the ciphertext. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html">Encryption Context</a> in the
* <i>AWS Key Management Service Developer Guide</i>.
* </p>
*
* @param generateDataKeyRequest
* @return Result of the GenerateDataKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. The request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified <code>KeySpec</code> value is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.GenerateDataKey
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey" target="_top">AWS API
* Documentation</a>
*/
GenerateDataKeyResult generateDataKey(GenerateDataKeyRequest generateDataKeyRequest);
/**
* <p>
* Returns a data encryption key encrypted under a customer master key (CMK). This operation is identical to
* <a>GenerateDataKey</a> but returns only the encrypted copy of the data key.
* </p>
* <p>
* This operation is useful in a system that has multiple components with different degrees of trust. For example,
* consider a system that stores encrypted data in containers. Each container stores the encrypted data and an
* encrypted copy of the data key. One component of the system, called the <i>control plane</i>, creates new
* containers. When it creates a new container, it uses this operation (<code>GenerateDataKeyWithoutPlaintext</code>
* ) to get an encrypted data key and then stores it in the container. Later, a different component of the system,
* called the <i>data plane</i>, puts encrypted data into the containers. To do this, it passes the encrypted data
* key to the <a>Decrypt</a> operation, then uses the returned plaintext data key to encrypt data, and finally
* stores the encrypted data in the container. In this system, the control plane never sees the plaintext data key.
* </p>
*
* @param generateDataKeyWithoutPlaintextRequest
* @return Result of the GenerateDataKeyWithoutPlaintext operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. The request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified <code>KeySpec</code> value is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.GenerateDataKeyWithoutPlaintext
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext"
* target="_top">AWS API Documentation</a>
*/
GenerateDataKeyWithoutPlaintextResult generateDataKeyWithoutPlaintext(GenerateDataKeyWithoutPlaintextRequest generateDataKeyWithoutPlaintextRequest);
/**
* <p>
* Returns a random byte string that is cryptographically secure.
* </p>
* <p>
* For more information about entropy and random number generation, see the <a
* href="https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf">AWS Key Management Service
* Cryptographic Details</a> whitepaper.
* </p>
*
* @param generateRandomRequest
* @return Result of the GenerateRandom operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.GenerateRandom
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
* Documentation</a>
*/
GenerateRandomResult generateRandom(GenerateRandomRequest generateRandomRequest);
/**
* Simplified method form for invoking the GenerateRandom operation.
*
* @see #generateRandom(GenerateRandomRequest)
*/
GenerateRandomResult generateRandom();
/**
* <p>
* Retrieves a policy attached to the specified key.
* </p>
*
* @param getKeyPolicyRequest
* @return Result of the GetKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.GetKeyPolicy
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy" target="_top">AWS API
* Documentation</a>
*/
GetKeyPolicyResult getKeyPolicy(GetKeyPolicyRequest getKeyPolicyRequest);
/**
* <p>
* Retrieves a Boolean value that indicates whether key rotation is enabled for the specified key.
* </p>
*
* @param getKeyRotationStatusRequest
* @return Result of the GetKeyRotationStatus operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @sample AWSKMS.GetKeyRotationStatus
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus" target="_top">AWS API
* Documentation</a>
*/
GetKeyRotationStatusResult getKeyRotationStatus(GetKeyRotationStatusRequest getKeyRotationStatusRequest);
/**
* <p>
* Returns the items you need in order to import key material into AWS KMS from your existing key management
* infrastructure. For more information about importing key material into AWS KMS, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
* <i>AWS Key Management Service Developer Guide</i>.
* </p>
* <p>
* You must specify the key ID of the customer master key (CMK) into which you will import key material. This CMK's
* <code>Origin</code> must be <code>EXTERNAL</code>. You must also specify the wrapping algorithm and type of
* wrapping key (public key) that you will use to encrypt the key material.
* </p>
* <p>
* This operation returns a public key and an import token. Use the public key to encrypt the key material. Store
* the import token to send with a subsequent <a>ImportKeyMaterial</a> request. The public key and import token from
* the same response must be used together. These items are valid for 24 hours, after which they cannot be used for
* a subsequent <a>ImportKeyMaterial</a> request. To retrieve new ones, send another
* <code>GetParametersForImport</code> request.
* </p>
*
* @param getParametersForImportRequest
* @return Result of the GetParametersForImport operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.GetParametersForImport
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport" target="_top">AWS API
* Documentation</a>
*/
GetParametersForImportResult getParametersForImport(GetParametersForImportRequest getParametersForImportRequest);
/**
* <p>
* Imports key material into an AWS KMS customer master key (CMK) from your existing key management infrastructure.
* For more information about importing key material into AWS KMS, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the
* <i>AWS Key Management Service Developer Guide</i>.
* </p>
* <p>
* You must specify the key ID of the CMK to import the key material into. This CMK's <code>Origin</code> must be
* <code>EXTERNAL</code>. You must also send an import token and the encrypted key material. Send the import token
* that you received in the same <a>GetParametersForImport</a> response that contained the public key that you used
* to encrypt the key material. You must also specify whether the key material expires and if so, when. When the key
* material expires, AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you can
* reimport the same key material. If you set an expiration date, you can change it only by reimporting the same key
* material and specifying a new expiration date.
* </p>
* <p>
* When this operation is successful, the specified CMK's key state changes to <code>Enabled</code>, and you can use
* the CMK.
* </p>
* <p>
* After you successfully import key material into a CMK, you can reimport the same key material into that CMK, but
* you cannot import different key material.
* </p>
*
* @param importKeyMaterialRequest
* @return Result of the ImportKeyMaterial operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @throws InvalidCiphertextException
* The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid.
* @throws IncorrectKeyMaterialException
* The request was rejected because the provided key material is invalid or is not the same key material
* that was previously imported into this customer master key (CMK).
* @throws ExpiredImportTokenException
* The request was rejected because the provided import token is expired. Use <a>GetParametersForImport</a>
* to retrieve a new import token and public key, use the new public key to encrypt the key material, and
* then try the request again.
* @throws InvalidImportTokenException
* The request was rejected because the provided import token is invalid or is associated with a different
* customer master key (CMK).
* @sample AWSKMS.ImportKeyMaterial
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial" target="_top">AWS API
* Documentation</a>
*/
ImportKeyMaterialResult importKeyMaterial(ImportKeyMaterialRequest importKeyMaterialRequest);
/**
* <p>
* Lists all of the key aliases in the account.
* </p>
*
* @param listAliasesRequest
* @return Result of the ListAliases operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.ListAliases
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
* Documentation</a>
*/
ListAliasesResult listAliases(ListAliasesRequest listAliasesRequest);
/**
* Simplified method form for invoking the ListAliases operation.
*
* @see #listAliases(ListAliasesRequest)
*/
ListAliasesResult listAliases();
/**
* <p>
* List the grants for a specified key.
* </p>
*
* @param listGrantsRequest
* @return Result of the ListGrants operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.ListGrants
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
* Documentation</a>
*/
ListGrantsResult listGrants(ListGrantsRequest listGrantsRequest);
/**
* <p>
* Retrieves a list of policies attached to a key.
* </p>
*
* @param listKeyPoliciesRequest
* @return Result of the ListKeyPolicies operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.ListKeyPolicies
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
* Documentation</a>
*/
ListKeyPoliciesResult listKeyPolicies(ListKeyPoliciesRequest listKeyPoliciesRequest);
/**
* <p>
* Lists the customer master keys.
* </p>
*
* @param listKeysRequest
* @return Result of the ListKeys operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @sample AWSKMS.ListKeys
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
* Documentation</a>
*/
ListKeysResult listKeys(ListKeysRequest listKeysRequest);
/**
* Simplified method form for invoking the ListKeys operation.
*
* @see #listKeys(ListKeysRequest)
*/
ListKeysResult listKeys();
/**
* <p>
* Returns a list of all tags for the specified customer master key (CMK).
* </p>
*
* @param listResourceTagsRequest
* @return Result of the ListResourceTags operation returned by the service.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @sample AWSKMS.ListResourceTags
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
* Documentation</a>
*/
ListResourceTagsResult listResourceTags(ListResourceTagsRequest listResourceTagsRequest);
/**
* <p>
* Returns a list of all grants for which the grant's <code>RetiringPrincipal</code> matches the one specified.
* </p>
* <p>
* A typical use is to list all grants that you are able to retire. To retire a grant, use <a>RetireGrant</a>.
* </p>
*
* @param listRetirableGrantsRequest
* @return Result of the ListRetirableGrants operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.ListRetirableGrants
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
* Documentation</a>
*/
ListRetirableGrantsResult listRetirableGrants(ListRetirableGrantsRequest listRetirableGrantsRequest);
/**
* <p>
* Attaches a key policy to the specified customer master key (CMK).
* </p>
* <p>
* For more information about key policies, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">Key Policies</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* </p>
*
* @param putKeyPolicyRequest
* @return Result of the PutKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Limits</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.PutKeyPolicy
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy" target="_top">AWS API
* Documentation</a>
*/
PutKeyPolicyResult putKeyPolicy(PutKeyPolicyRequest putKeyPolicyRequest);
/**
* <p>
* Encrypts data on the server side with a new customer master key (CMK) without exposing the plaintext of the data
* on the client side. The data is first decrypted and then reencrypted. You can also use this operation to change
* the encryption context of a ciphertext.
* </p>
* <p>
* Unlike other operations, <code>ReEncrypt</code> is authorized twice, once as <code>ReEncryptFrom</code> on the
* source CMK and once as <code>ReEncryptTo</code> on the destination CMK. We recommend that you include the
* <code>"kms:ReEncrypt*"</code> permission in your <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policies</a> to permit
* reencryption from or to the CMK. This permission is automatically included in the key policy when you create a
* CMK through the console, but you must include it manually when you create a CMK programmatically or when you set
* a key policy with the <a>PutKeyPolicy</a> operation.
* </p>
*
* @param reEncryptRequest
* @return Result of the ReEncrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidCiphertextException
* The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. The request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified <code>KeySpec</code> value is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.ReEncrypt
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt" target="_top">AWS API
* Documentation</a>
*/
ReEncryptResult reEncrypt(ReEncryptRequest reEncryptRequest);
/**
* <p>
* Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when
* you intend to actively deny operations that depend on it. The following are permitted to call this API:
* </p>
* <ul>
* <li>
* <p>
* The AWS account (root user) under which the grant was created
* </p>
* </li>
* <li>
* <p>
* The <code>RetiringPrincipal</code>, if present in the grant
* </p>
* </li>
* <li>
* <p>
* The <code>GranteePrincipal</code>, if <code>RetireGrant</code> is an operation specified in the grant
* </p>
* </li>
* </ul>
* <p>
* You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon
* Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded
* string. A grant ID is a 64 character unique identifier of a grant. The <a>CreateGrant</a> operation returns both.
* </p>
*
* @param retireGrantRequest
* @return Result of the RetireGrant operation returned by the service.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified <code>GrantId</code> is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.RetireGrant
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
* Documentation</a>
*/
RetireGrantResult retireGrant(RetireGrantRequest retireGrantRequest);
/**
* Simplified method form for invoking the RetireGrant operation.
*
* @see #retireGrant(RetireGrantRequest)
*/
RetireGrantResult retireGrant();
/**
* <p>
* Revokes a grant. You can revoke a grant to actively deny operations that depend on it.
* </p>
*
* @param revokeGrantRequest
* @return Result of the RevokeGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified <code>GrantId</code> is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.RevokeGrant
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant" target="_top">AWS API
* Documentation</a>
*/
RevokeGrantResult revokeGrant(RevokeGrantRequest revokeGrantRequest);
/**
* <p>
* Schedules the deletion of a customer master key (CMK). You may provide a waiting period, specified in days,
* before deletion occurs. If you do not provide a waiting period, the default period of 30 days is used. When this
* operation is successful, the state of the CMK changes to <code>PendingDeletion</code>. Before the waiting period
* ends, you can use <a>CancelKeyDeletion</a> to cancel the deletion of the CMK. After the waiting period ends, AWS
* KMS deletes the CMK and all AWS KMS data associated with it, including all aliases that refer to it.
* </p>
* <important>
* <p>
* Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, all data that was
* encrypted under the CMK is rendered unrecoverable. To restrict the use of a CMK without deleting it, use
* <a>DisableKey</a>.
* </p>
* </important>
* <p>
* For more information about scheduling a CMK for deletion, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting Customer Master Keys</a>
* in the <i>AWS Key Management Service Developer Guide</i>.
* </p>
*
* @param scheduleKeyDeletionRequest
* @return Result of the ScheduleKeyDeletion operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.ScheduleKeyDeletion
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion" target="_top">AWS API
* Documentation</a>
*/
ScheduleKeyDeletionResult scheduleKeyDeletion(ScheduleKeyDeletionRequest scheduleKeyDeletionRequest);
/**
* <p>
* Adds or overwrites one or more tags for the specified customer master key (CMK).
* </p>
* <p>
* Each tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag values can be
* empty (null) strings.
* </p>
* <p>
* You cannot use the same tag key more than once per CMK. For example, consider a CMK with one tag whose tag key is
* <code>Purpose</code> and tag value is <code>Test</code>. If you send a <code>TagResource</code> request for this
* CMK with a tag key of <code>Purpose</code> and a tag value of <code>Prod</code>, it does not create a second tag.
* Instead, the original tag is overwritten with the new tag value.
* </p>
*
* @param tagResourceRequest
* @return Result of the TagResource operation returned by the service.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Limits</a> in the <i>AWS Key
* Management Service Developer Guide</i>.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @sample AWSKMS.TagResource
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource" target="_top">AWS API
* Documentation</a>
*/
TagResourceResult tagResource(TagResourceRequest tagResourceRequest);
/**
* <p>
* Removes the specified tag or tags from the specified customer master key (CMK).
* </p>
* <p>
* To remove a tag, you specify the tag key for each tag to remove. You do not specify the tag value. To overwrite
* the tag value for an existing tag, use <a>TagResource</a>.
* </p>
*
* @param untagResourceRequest
* @return Result of the UntagResource operation returned by the service.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @sample AWSKMS.UntagResource
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource" target="_top">AWS API
* Documentation</a>
*/
UntagResourceResult untagResource(UntagResourceRequest untagResourceRequest);
/**
* <p>
* Updates an alias to map it to a different key.
* </p>
* <p>
* An alias is not a property of a key. Therefore, an alias can be mapped to and unmapped from an existing key
* without changing the properties of the key.
* </p>
* <p>
* An alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). An
* alias must start with the word "alias" followed by a forward slash (alias/). An alias that begins with "aws"
* after the forward slash (alias/aws...) is reserved by Amazon Web Services (AWS).
* </p>
* <p>
* The alias and the key it is mapped to must be in the same AWS account and the same region.
* </p>
*
* @param updateAliasRequest
* @return Result of the UpdateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.UpdateAlias
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias" target="_top">AWS API
* Documentation</a>
*/
UpdateAliasResult updateAlias(UpdateAliasRequest updateAliasRequest);
/**
* <p>
* Updates the description of a customer master key (CMK).
* </p>
*
* @param updateKeyDescriptionRequest
* @return Result of the UpdateKeyDescription operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.</p>
* <p>
* For more information about how key state affects the use of a CMK, see <a
* href="http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">How Key State Affects Use of a
* Customer Master Key</a> in the <i>AWS Key Management Service Developer Guide</i>.
* @sample AWSKMS.UpdateKeyDescription
* @see <a href="http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription" target="_top">AWS API
* Documentation</a>
*/
UpdateKeyDescriptionResult updateKeyDescription(UpdateKeyDescriptionRequest updateKeyDescriptionRequest);
/**
* Shuts down this client object, releasing any resources that might be held open. This is an optional method, and
* callers are not expected to call it, but can if they want to explicitly release any open resources. Once a client
* has been shutdown, it should not be used to make any more requests.
*/
void shutdown();
/**
* Returns additional metadata for a previously executed successful request, typically used for debugging issues
* where a service isn't acting as expected. This data isn't considered part of the result data returned by an
* operation, so it's available through this separate, diagnostic interface.
* <p>
* Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic
* information for an executed request, you should use this method to retrieve it as soon as possible after
* executing a request.
*
* @param request
* The originally executed request.
*
* @return The response metadata for the specified request, or null if none is available.
*/
ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request);
}