Update generated code

manifest.json

@@ -1,6 +1,6 @@
 {
     "variables": {
-        "${LATEST}": "3.356.24"
+        "${LATEST}": "3.356.25"
     },
     "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
     "services": {

src/Service/Kms/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## NOT RELEASED
 
+### Changed
+
+- AWS enhancement: Documentation updates.
+
 ## 1.10.0
 
 ### Added

src/Service/Kms/src/Input/CreateKeyRequest.php

@@ -70,7 +70,9 @@ final class CreateKeyRequest extends Input
     /**
      * Determines the cryptographic operations [^1] for which you can use the KMS key. The default value is
      * `ENCRYPT_DECRYPT`. This parameter is optional when you are creating a symmetric encryption KMS key; otherwise, it is
-     * required. You can't change the `KeyUsage` value after the KMS key is created.
+     * required. You can't change the `KeyUsage` [^2] value after the KMS key is created. Each KMS key can have only one key
+     * usage. This follows key usage best practices according to NIST SP 800-57 Recommendations for Key Management [^3],
+     * section 5.2, Key usage.
      *
      * Select only one valid value.
      *
@@ -84,6 +86,8 @@ final class CreateKeyRequest extends Input
      *   `KEY_AGREEMENT`.
      *
      * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
+     * [^2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#key-usage
+     * [^3]: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
      *
      * @var KeyUsageType::*|null
      */

src/Service/Kms/src/Input/DecryptRequest.php

@@ -93,23 +93,24 @@ final class DecryptRequest extends Input
     private $encryptionAlgorithm;
 
     /**
-     * A signed attestation document [^1] from an Amazon Web Services Nitro enclave and the encryption algorithm to use with
-     * the enclave's public key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+     * A signed attestation document [^1] from an Amazon Web Services Nitro enclave or NitroTPM, and the encryption
+     * algorithm to use with the public key in the attestation document. The only valid encryption algorithm is
+     * `RSAES_OAEP_SHA_256`.
      *
-     * This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this parameter,
-     * use the Amazon Web Services Nitro Enclaves SDK [^2] or any Amazon Web Services SDK.
+     * This parameter supports the Amazon Web Services Nitro Enclaves SDK [^2] or any Amazon Web Services SDK for Amazon Web
+     * Services Nitro Enclaves. It supports any Amazon Web Services SDK for Amazon Web Services NitroTPM.
      *
      * When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data with the public
      * key in the attestation document, and returns the resulting ciphertext in the `CiphertextForRecipient` field in the
-     * response. This ciphertext can be decrypted only with the private key in the enclave. The `Plaintext` field in the
-     * response is null or empty.
+     * response. This ciphertext can be decrypted only with the private key in the attested environment. The `Plaintext`
+     * field in the response is null or empty.
      *
-     * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services
-     * Nitro Enclaves uses KMS [^3] in the *Key Management Service Developer Guide*.
+     * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services
+     * NitroTPM, see Cryptographic attestation support in KMS [^3] in the *Key Management Service Developer Guide*.
      *
      * [^1]: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html#term-attestdoc
      * [^2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-     * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+     * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
      *
      * @var RecipientInfo|null
      */

src/Service/Kms/src/Input/GenerateDataKeyRequest.php

@@ -91,24 +91,25 @@ final class GenerateDataKeyRequest extends Input
     private $grantTokens;
 
     /**
-     * A signed attestation document [^1] from an Amazon Web Services Nitro enclave and the encryption algorithm to use with
-     * the enclave's public key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
+     * A signed attestation document [^1] from an Amazon Web Services Nitro enclave or NitroTPM, and the encryption
+     * algorithm to use with the public key in the attestation document. The only valid encryption algorithm is
+     * `RSAES_OAEP_SHA_256`.
      *
-     * This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this parameter,
-     * use the Amazon Web Services Nitro Enclaves SDK [^2] or any Amazon Web Services SDK.
+     * This parameter supports the Amazon Web Services Nitro Enclaves SDK [^2] or any Amazon Web Services SDK for Amazon Web
+     * Services Nitro Enclaves. It supports any Amazon Web Services SDK for Amazon Web Services NitroTPM.
      *
      * When you use this parameter, instead of returning the plaintext data key, KMS encrypts the plaintext data key under
      * the public key in the attestation document, and returns the resulting ciphertext in the `CiphertextForRecipient`
      * field in the response. This ciphertext can be decrypted only with the private key in the enclave. The
      * `CiphertextBlob` field in the response contains a copy of the data key encrypted under the KMS key specified by the
      * `KeyId` parameter. The `Plaintext` field in the response is null or empty.
      *
-     * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services
-     * Nitro Enclaves uses KMS [^3] in the *Key Management Service Developer Guide*.
+     * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services
+     * NitroTPM, see Cryptographic attestation support in KMS [^3] in the *Key Management Service Developer Guide*.
      *
      * [^1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
      * [^2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-     * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+     * [^3]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
      *
      * @var RecipientInfo|null
      */

src/Service/Kms/src/KmsClient.php

@@ -392,12 +392,13 @@ public function createKey($input = []): CreateKeyResponse
      * particular KMS keys or particular trusted accounts. For details, see Best practices for IAM policies [^4] in the *Key
      * Management Service Developer Guide*.
      *
-     * `Decrypt` also supports Amazon Web Services Nitro Enclaves [^5], which provide an isolated compute environment in
-     * Amazon EC2. To call `Decrypt` for a Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK [^6] or any Amazon
-     * Web Services SDK. Use the `Recipient` parameter to provide the attestation document for the enclave. Instead of the
-     * plaintext data, the response includes the plaintext data encrypted with the public key from the attestation document
-     * (`CiphertextForRecipient`). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves,
-     * see How Amazon Web Services Nitro Enclaves uses KMS [^7] in the *Key Management Service Developer Guide*.
+     * `Decrypt` also supports Amazon Web Services Nitro Enclaves [^5] and NitroTPM, which provide attested environments in
+     * Amazon EC2. To call `Decrypt` for a Nitro enclave or NitroTPM, use the Amazon Web Services Nitro Enclaves SDK [^6] or
+     * any Amazon Web Services SDK. Use the `Recipient` parameter to provide the attestation document for the attested
+     * environment. Instead of the plaintext data, the response includes the plaintext data encrypted with the public key
+     * from the attestation document (`CiphertextForRecipient`). For information about the interaction between KMS and
+     * Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation support in KMS [^7]
+     * in the *Key Management Service Developer Guide*.
      *
      * The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS
      * keys [^8] in the *Key Management Service Developer Guide*.
@@ -423,7 +424,7 @@ public function createKey($input = []): CreateKeyResponse
      * [^4]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices
      * [^5]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
      * [^6]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-     * [^7]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+     * [^7]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
      * [^8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
      * [^9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
      * [^10]: https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency
@@ -614,13 +615,13 @@ public function encrypt($input): EncryptResponse
      * information, see Encryption Context [^1] in the *Key Management Service Developer Guide*.
      *
      * `GenerateDataKey` also supports Amazon Web Services Nitro Enclaves [^2], which provide an isolated compute
-     * environment in Amazon EC2. To call `GenerateDataKey` for an Amazon Web Services Nitro enclave, use the Amazon Web
-     * Services Nitro Enclaves SDK [^3] or any Amazon Web Services SDK. Use the `Recipient` parameter to provide the
-     * attestation document for the enclave. `GenerateDataKey` returns a copy of the data key encrypted under the specified
-     * KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of the data key
-     * encrypted under the public key from the attestation document (`CiphertextForRecipient`). For information about the
-     * interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS
-     * [^4] in the *Key Management Service Developer Guide*..
+     * environment in Amazon EC2. To call `GenerateDataKey` for an Amazon Web Services Nitro enclave or NitroTPM, use the
+     * Amazon Web Services Nitro Enclaves SDK [^3] or any Amazon Web Services SDK. Use the `Recipient` parameter to provide
+     * the attestation document for the attested environment. `GenerateDataKey` returns a copy of the data key encrypted
+     * under the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy
+     * of the data key encrypted under the public key from the attestation document (`CiphertextForRecipient`). For
+     * information about the interaction between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM,
+     * see Cryptographic attestation support in KMS [^4] in the *Key Management Service Developer Guide*.
      *
      * The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS
      * keys [^5] in the *Key Management Service Developer Guide*.
@@ -663,7 +664,7 @@ public function encrypt($input): EncryptResponse
      * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
      * [^2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
      * [^3]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
-     * [^4]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+     * [^4]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
      * [^5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
      * [^6]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
      * [^7]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/

src/Service/Kms/src/Result/DecryptResponse.php

@@ -35,14 +35,15 @@ class DecryptResponse extends Result
     private $encryptionAlgorithm;
 
     /**
-     * The plaintext data encrypted with the public key in the attestation document.
+     * The plaintext data encrypted with the public key from the attestation document. This ciphertext can be decrypted only
+     * by using a private key from the attested environment.
      *
      * This field is included in the response only when the `Recipient` parameter in the request includes a valid
-     * attestation document from an Amazon Web Services Nitro enclave. For information about the interaction between KMS and
-     * Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS [^1] in the *Key Management
-     * Service Developer Guide*.
+     * attestation document from an Amazon Web Services Nitro enclave or NitroTPM. For information about the interaction
+     * between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation
+     * support in KMS [^1] in the *Key Management Service Developer Guide*.
      *
-     * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+     * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
      *
      * @var string|null
      */

src/Service/Kms/src/Result/GenerateDataKeyResponse.php

@@ -36,15 +36,15 @@ class GenerateDataKeyResponse extends Result
     private $keyId;
 
     /**
-     * The plaintext data key encrypted with the public key from the Nitro enclave. This ciphertext can be decrypted only by
-     * using a private key in the Nitro enclave.
+     * The plaintext data key encrypted with the public key from the attestation document. This ciphertext can be decrypted
+     * only by using a private key from the attested environment.
      *
      * This field is included in the response only when the `Recipient` parameter in the request includes a valid
-     * attestation document from an Amazon Web Services Nitro enclave. For information about the interaction between KMS and
-     * Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS [^1] in the *Key Management
-     * Service Developer Guide*.
+     * attestation document from an Amazon Web Services Nitro enclave or NitroTPM. For information about the interaction
+     * between KMS and Amazon Web Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation
+     * support in KMS [^1] in the *Key Management Service Developer Guide*.
      *
-     * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+     * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
      *
      * @var string|null
      */

src/Service/Kms/src/ValueObject/RecipientInfo.php

@@ -8,24 +8,26 @@
 /**
  * Contains information about the party that receives the response from the API operation.
  *
- * This data type is designed to support Amazon Web Services Nitro Enclaves, which lets you create an isolated compute
- * environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves,
- * see How Amazon Web Services Nitro Enclaves uses KMS [^1] in the *Key Management Service Developer Guide*.
+ * This data type is designed to support Amazon Web Services Nitro Enclaves and Amazon Web Services NitroTPM, which lets
+ * you create an attested environment in Amazon EC2. For information about the interaction between KMS and Amazon Web
+ * Services Nitro Enclaves or Amazon Web Services NitroTPM, see Cryptographic attestation support in KMS [^1] in the
+ * *Key Management Service Developer Guide*.
  *
- * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+ * [^1]: https://docs.aws.amazon.com/kms/latest/developerguide/cryptographic-attestation.html
  */
 final class RecipientInfo
 {
     /**
-     * The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro Enclave to encrypt
-     * plaintext values for the response. The only valid value is `RSAES_OAEP_SHA_256`.
+     * The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro Enclave or NitroTPM
+     * to encrypt plaintext values for the response. The only valid value is `RSAES_OAEP_SHA_256`.
      *
      * @var KeyEncryptionMechanism::*|null
      */
     private $keyEncryptionAlgorithm;
 
     /**
-     * The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's public key.
+     * The attestation document for an Amazon Web Services Nitro Enclave or a NitroTPM. This document includes the enclave's
+     * public key.
      *
      * @var string|null
      */